[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher wrote:
> On 4/17/19 9:45 AM, Rob Crittenden wrote:
>> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> 
> That page says:
> 
>  The following procedure is only applicable to FreeIPA 3.2.1 or older.
>  Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a
>  part of preparing a replica info file by using ipa-replica-prepare
> 
> So it's really not clear what one is supposed to do for 4.6.
> 

Sorry, I guess it's not clear that in subsequent versions you just need
to follow
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

I'll see about clarifying that.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users

On 4/17/19 9:45 AM, Rob Crittenden wrote:
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

That page says:

 The following procedure is only applicable to FreeIPA 3.2.1 or older.
 Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a
 part of preparing a replica info file by using ipa-replica-prepare

So it's really not clear what one is supposed to do for 4.6.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote:
> On 4/16/19 10:14 PM, Rob Crittenden wrote:
>> It isn't a huge deal to change the DM password but in practice you'd
>> want to do it on all masters (not replicated) so while not the end of
>> the world it can be at best annoying.
> 
> We'll only have a single master, so that doesn't sound too bad.
> 
>> Though with root DM can be reset so with having a crappy root password
>> in effect it doesn't matter what DM is (e.g. someone could already have
>> the keys to the Kingdom).
> 
> Right.  I'm hoping to tighten up the root/admin password situation, but
> that will have to wait until I can get some consensus from the remainder
> of my team.  Changing those passwords is a known, straightforward
> process, though.
> 
> In contrast, a fair bit of Googling leaves me unsure what the DM
> password change procedure even is for IPA 4.6.
> 
>> I'd set both to something(s) you can remember. When you need it the last
>> thing you'll want to do is run around resetting it.
> 
> My experience is that the Directory Manager password is used very
> infrequently, so the odds of remembering it (if it is different than the
> admin password) are very low.
> 

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

rob


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users

On 4/16/19 10:14 PM, Rob Crittenden wrote:
> It isn't a huge deal to change the DM password but in practice you'd
> want to do it on all masters (not replicated) so while not the end of
> the world it can be at best annoying.

We'll only have a single master, so that doesn't sound too bad.

> Though with root DM can be reset so with having a crappy root password
> in effect it doesn't matter what DM is (e.g. someone could already have
> the keys to the Kingdom).

Right.  I'm hoping to tighten up the root/admin password situation, but
that will have to wait until I can get some consensus from the remainder
of my team.  Changing those passwords is a known, straightforward
process, though.

In contrast, a fair bit of Googling leaves me unsure what the DM
password change procedure even is for IPA 4.6.

> I'd set both to something(s) you can remember. When you need it the last
> thing you'll want to do is run around resetting it.

My experience is that the Directory Manager password is used very
infrequently, so the odds of remembering it (if it is different than the
admin password) are very low.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Directory manager password best practices

2019-04-16 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote:
> I am setting up a new IPA instance to provide DNS and CA services in a
> team lab. I have to decide what to use for the Directory Manager
> password — our standard, not very secure root password or something
> else, which no one will ever remember.
> 
> Any thoughts? Is it still a major project to change the DM password? How
> hard is it to recover/reset it these days?
> 
> (This will be IPA 4.6 on RHEL 7.)

It isn't a huge deal to change the DM password but in practice you'd
want to do it on all masters (not replicated) so while not the end of
the world it can be at best annoying.

Though with root DM can be reset so with having a crappy root password
in effect it doesn't matter what DM is (e.g. someone could already have
the keys to the Kingdom).

I'd set both to something(s) you can remember. When you need it the last
thing you'll want to do is run around resetting it.

rob