On 12.04.2017 23:06, Jeremy Utley wrote:
Hello all! We've got 2 replicated instances of FreeIPA 4.4.0 from the EPEL repository running on fully-updated CentOS 7 instances. We're going through an audit right now, and I have to provide some proof of certain things related to IPA to our auditors. Unfortunately, the person who originally set these up evidently did not document the Directory Manager password in our docs, so I was forced to reset this password, using the process at:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

This was successful, and I can now bind to the DS with the new password. I'm now trying to follow the steps at:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

A few things are rather confusing to me. I've tried Google searching without much luck either. So hopefully you guys can answer a few questions for me.

1) First off, the doc says:

The following procedure is only applicable to FreeIPA 3.2.1 or older. Since FreeIPA 3.2.2 (and ticket #3594 <https://fedorahosted.org/freeipa/ticket/3594>), the procedure is automated as a part of preparing a replica info file by using ipa-replica-prepare

So do I even need to perform these steps at all, considering I'm well beyond 3.2.2? We don't have any intention of running ipa-replica-prepare for the foreseeable future (we shouldn't ever need to add a third directory server here).

2) The first step (Update LDAP bind password) seems to indicate you're adding the new password in clear-text to the password.conf file - this seems like a major security issue. Am I misunderstanding what is being requested here? The old password is not in this file (all my current files have is lines for "internal" and "replicationdb").

3) The next step regenerates the cacert.p12 file, but seems to do nothing with it, just leaves it sitting in /root - what should be done with this file afterward?

Thanks for any help you can give!

Jeremy Utley



Hello,

You have to follow only this howto: http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

The PKI parts are relevant only for old IPA servers, so with newer versions there is no need to manually update pki servers.

Martin

--
Martin Bašti
Software Engineer
Red Hat Czech
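The 389 DS howto Martin points to works offline: stop the directory server, generate a salted password hash, replace the nsslapd-rootpw value in dse.ldif, and start the server again. The script below is an added example that illustrates that edit; it is not code from the thread, from 389 DS, or from FreeIPA. The hash routine reproduces the {SSHA512} layout 389 DS uses (base64 of sha512(password + salt) followed by an 8-byte salt) as an assumption so the block runs anywhere; on a real server use /usr/bin/pwdhash from 389-ds-base instead and make sure the instance is stopped before touching dse.ldif. What gets written is the hash, never the clear-text password, and the rewrite goes through a temporary file plus an atomic rename so a failure mid-write cannot leave a truncated dse.ldif. The sample dse.ldif fragment is constructed for the example and includes a folded (continuation) line, which LDIF permits for long values.

```python
"""Offline reset of the 389 DS Directory Manager password (added example).

Mirrors the linked howto: hash the new password, swap nsslapd-rootpw in
dse.ldif. The {SSHA512} layout is an assumption about 389 DS's storage
format; on a real server generate the value with /usr/bin/pwdhash.
"""
import base64
import hashlib
import hmac
import os
import re
import tempfile
from typing import Optional

SALT_LEN = 8  # 389 DS uses an 8-byte salt for its SSHA* schemes (assumption)
DIGEST_LEN = hashlib.sha512().digest_size

# Constructed dse.ldif fragment (not a real server file). The old rootpw value
# is deliberately folded across two lines the way LDIF allows.
SAMPLE_DSE_LDIF = """dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA}old-hash-part-1
 old-hash-part-2
nsslapd-port: 389
"""


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA512} string: base64(sha512(pw || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA512} value (constant-time compare)."""
    if not stored.startswith("{SSHA512}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA512}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def replace_rootpw(ldif_text: str, new_hash: str) -> str:
    """Replace the single nsslapd-rootpw attribute, consuming folded lines."""
    lines = ldif_text.splitlines(keepends=True)
    out, i, replaced = [], 0, 0
    while i < len(lines):
        line = lines[i]
        # Matches "nsslapd-rootpw: value" and the base64 form "nsslapd-rootpw:: value"
        if re.match(r"(?i)^nsslapd-rootpw::? ", line):
            out.append(f"nsslapd-rootpw: {new_hash}\n")
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                i += 1  # drop LDIF continuation lines of the old value
            replaced += 1
            continue
        out.append(line)
        i += 1
    if replaced != 1:
        raise ValueError(f"expected exactly one nsslapd-rootpw, found {replaced}")
    return "".join(out)


def reset_rootpw_file(dse_path: str, new_password: str) -> str:
    """Rewrite nsslapd-rootpw in dse.ldif (server stopped!) and return the hash.

    Writes to a temp file in the same directory, copies mode and ownership,
    then atomically renames over the original."""
    new_hash = ssha512_hash(new_password)
    with open(dse_path, encoding="utf-8") as f:
        updated = replace_rootpw(f.read(), new_hash)
    st = os.stat(dse_path)
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(dse_path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(updated)
    os.chmod(tmp_path, st.st_mode & 0o777)  # keep e.g. 0600
    try:
        os.chown(tmp_path, st.st_uid, st.st_gid)  # keep dirsrv ownership when root
    except PermissionError:
        pass
    os.replace(tmp_path, dse_path)
    return new_hash


def demo() -> bool:
    """Run the reset against the constructed fragment in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dse.ldif")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_DSE_LDIF)
        os.chmod(path, 0o600)
        new_hash = reset_rootpw_file(path, "ChangeMe-Example-1")
        with open(path, encoding="utf-8") as f:
            text = f.read()
        return ("old-hash" not in text
                and f"nsslapd-rootpw: {new_hash}\n" in text
                and ssha512_verify(new_hash, "ChangeMe-Example-1")
                and (os.stat(path).st_mode & 0o777) == 0o600)


if __name__ == "__main__":
    print("reset ok" if demo() else "reset FAILED")
```

After the real edit, start the instance and confirm the new credential with a simple bind as cn=Directory Manager (for example with ldapsearch -x -D "cn=Directory Manager" -W against the server) before handing the audit evidence over; a bind failure at that point means the hash in dse.ldif was not picked up.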
