Re: [Freeipa-users] DM Password Change & Password Storage

2017-04-19 Thread Martin Bašti



On 12.04.2017 23:06, Jeremy Utley wrote:
Hello all!  We've got 2 replicated instances of FreeIPA 4.4.0 from the 
EPEL repository running on fully-updated CentOS 7 instances.  We're 
going through an audit right now, and I have to provide some proof of 
certain things related to IPA to our auditors.  Unfortunately, the 
person who originally set these up evidently did not document the 
Directory Manager password in our docs, so I was forced to reset this 
password, using the process at:


http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

This was successful, and I can now bind to the DS with the new 
password.  I'm now trying to follow the steps at:


https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

A few things are rather confusing to me.  I've tried Google searching 
without much luck either.  So hopefully you guys can answer a few 
questions for me.


1) First off, the doc says:

The following procedure is only applicable to FreeIPA 3.2.1 or older. 
Since FreeIPA 3.2.2 (and ticket #3594), the procedure is 
automated as a part of preparing a replica info file by using 
ipa-replica-prepare


So do I even need to perform these steps at all, considering I'm well 
beyond 3.2.2?  We don't have any intention of running 
ipa-replica-prepare for the foreseeable future (we shouldn't ever need 
to add a third directory server here).


2) The first step (Update LDAP bind password) seems to indicate you're 
adding the new password in clear-text to the password.conf file - this 
seems like a major security issue. Am I misunderstanding what is being 
requested here?  The old password is not in this file (all my current 
files have are lines for "internal" and "replicationdb").


3) The next step regenerates the cacert.p12 file, but seems to do 
nothing with it, just leaves it sitting in /root - what should be done 
with this file afterward?


Thanks for any help you can give!

Jeremy Utley




Hello,

You have to follow only this howto: 
http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html


The PKI parts are relevant only for old IPA servers, so with newer 
versions there is no need to manually update PKI servers.


Martin

--
Martin Bašti
Software Engineer
Red Hat Czech

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
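As an added example for this thread (not code from the list, FreeIPA or 389-ds): the offline Directory Manager reset that the 389-ds howto Martin points to describes, scripted for a FreeIPA master, plus the check behind Jeremy's audit question: what the howto writes into dse.ldif is the salted hash produced by pwdhash, not the clear-text password. The instance name EXAMPLE-COM, the DSE_LDIF path and all function names are assumptions; pwdhash, ipactl and ldapwhoami are assumed to be on PATH; reset_dm_password needs root on the IPA server and is only run when the script is invoked with the "live" argument.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or 389-ds.
# Offline reset of the 389-ds Directory Manager password on a FreeIPA
# master, as in the 389-ds howto, plus an audit check that the stored
# value is a {SCHEME}hash rather than clear text.
# Assumptions: instance name EXAMPLE-COM and the path below are
# placeholders; pwdhash, ipactl and ldapwhoami are on PATH.
set -eu

DSE_LDIF="${DSE_LDIF:-/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif}"

# Hash the new password with the 389-ds pwdhash tool. The password is read
# with echo off so it never lands in shell history; it is still briefly
# visible in the process list while pwdhash runs.
gen_rootpw_hash() {
    local pw
    printf 'New Directory Manager password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2
    pwdhash -s SSHA512 "$pw"
}

# Replace the nsslapd-rootpw value in a dse.ldif with a pre-computed hash.
# dse.ldif is LDIF, so 389-ds can fold a long value onto continuation lines
# that begin with a space; a one-line sed would leave the tail of the old
# hash behind, so those continuation lines are dropped as well. The regex
# requires the colon, so nsslapd-rootpwstoragescheme is left untouched.
#   $1 = path to dse.ldif   $2 = new hash, e.g. {SSHA512}...
set_rootpw_in_dse() {
    local dse="$1" hash="$2"
    awk -v h="$hash" '
        /^nsslapd-rootpw:/ { print "nsslapd-rootpw: " h; replaced = 1; skip = 1; next }
        skip && /^ /       { next }
        { skip = 0; print }
        END { exit replaced ? 0 : 1 }
    ' "$dse" > "$dse.tmp" || { rm -f "$dse.tmp"; return 1; }
    mv "$dse.tmp" "$dse"
}

# Print the storage scheme of the rootpw value ("SSHA512", "SSHA", ...),
# "CLEAR" if the value is not of the form {SCHEME}hash, or "NONE" if the
# attribute is absent. Handy as evidence for an auditor.
rootpw_scheme() {
    local value
    value=$(awk '/^nsslapd-rootpw:/ { sub(/^nsslapd-rootpw:[ ]*/, ""); print; exit }' "$1")
    case "$value" in
        "")     printf 'NONE\n' ;;
        \{*\}*) value="${value#\{}"; printf '%s\n' "${value%%\}*}" ;;
        *)      printf 'CLEAR\n' ;;
    esac
}

# The full procedure. The directory server must be stopped first, as the
# howto says: 389-ds keeps its configuration in memory and writes dse.ldif
# itself, so an edit made while it is running can be overwritten.
reset_dm_password() {
    local hash
    hash=$(gen_rootpw_hash)
    ipactl stop
    cp -p "$DSE_LDIF" "$DSE_LDIF.bak.$(date +%s)"
    set_rootpw_in_dse "$DSE_LDIF" "$hash"
    ipactl start
    # Verify that the new password binds; a successful simple bind prints the DN.
    ldapwhoami -x -H ldap://localhost -D 'cn=Directory Manager' -W
}

# Stand-alone demo on a constructed dse.ldif fragment (not a real file),
# with the old value folded across two lines.
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA}oldoldoldoldoldoldoldoldoldoldoldoldoldoldoldoldoldoldold
 oldold==
nsslapd-rootpwstoragescheme: SSHA512
EOF
    printf 'before: scheme %s\n' "$(rootpw_scheme "$tmp")"
    set_rootpw_in_dse "$tmp" '{SSHA512}newhashnewhashnewhash=='
    printf 'after:  scheme %s\n' "$(rootpw_scheme "$tmp")"
    cat "$tmp"
    rm -f "$tmp"
}

case "${1:-demo}" in
    demo) demo ;;
    live) reset_dm_password ;;
    *)    echo "usage: $0 [demo|live]" >&2; exit 2 ;;
esac
```

Run with no arguments for the dry demo on the constructed fragment; run it as root with the "live" argument on the IPA master to perform the actual reset. The awk step is the part worth keeping: a naive one-line substitution on nsslapd-rootpw leaves a dangling continuation line in dse.ldif when the old hash was folded, and the server then refuses to start or reads a mangled value.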

[Freeipa-users] DM Password Change & Password Storage

2017-04-12 Thread Jeremy Utley
Hello all!  We've got 2 replicated instances of FreeIPA 4.4.0 from the EPEL
repository running on fully-updated CentOS 7 instances.  We're going through
an audit right now, and I have to provide some proof of certain things
related to IPA to our auditors.  Unfortunately, the person who originally
set these up evidently did not document the Directory Manager password in
our docs, so I was forced to reset this password, using the process at:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

This was successful, and I can now bind to the DS with the new password.
I'm now trying to follow the steps at:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

A few things are rather confusing to me.  I've tried Google searching
without much luck either.  So hopefully you guys can answer a few questions
for me.

1) First off, the doc says:

The following procedure is only applicable to FreeIPA 3.2.1 or older. Since
FreeIPA 3.2.2 (and ticket #3594), the procedure is automated
as a part of preparing a replica info file by using ipa-replica-prepare

So do I even need to perform these steps at all, considering I'm well
beyond 3.2.2?  We don't have any intention of running ipa-replica-prepare
for the foreseeable future (we shouldn't ever need to add a third directory
server here).

2) The first step (Update LDAP bind password) seems to indicate you're
adding the new password in clear-text to the password.conf file - this
seems like a major security issue.  Am I misunderstanding what is being
requested here?  The old password is not in this file (all my current files
have are lines for "internal" and "replicationdb").

3) The next step regenerates the cacert.p12 file, but seems to do nothing
with it, just leaves it sitting in /root - what should be done with this
file afterward?

Thanks for any help you can give!

Jeremy Utley