Re: [Freeipa-users] Directory Manager Password Change | off topic

2016-12-05 Thread Callum Guy
Ah yes, I hadn't even noticed as Google cleans that up automatically but I
can confirm (explicit) contact from Kimmi and co.




On Mon, Dec 5, 2016 at 5:24 PM Joseph Flynn  wrote:

Ah, now SophiaB wants in on the action too.  Looks like my lucky day.

Seriously though, I think the community needs to anonymize participants out
of necessity.

On Mon, Dec 5, 2016 at 12:02 PM, Joseph Flynn  wrote:

Me too.  Within minutes of my first posting, I have good old Kimmi offering
me all kinds of favors.  All of our emails are exposed to the group which
I'd like to trust but we obviously can't.  All it takes is for a spammer to
join the group and they will eventually collect a group of active emails
with a very targeted demographic.

On Mon, Dec 5, 2016 at 11:45 AM, Stefan Uygur 
wrote:

Guys,

Since I replied to the list I keep receiving spam emails, what is happening?



*From:* Stefan Uygur
*Sent:* 05 December 2016 16:40
*To:* 'Callum Guy'; Florence Blanc-Renaud; freeipa-users@redhat.com
*Subject:* RE: [Freeipa-users] Directory Manager Password Change



Glad you solved your issue.



I’ve been there myself so don’t worry about it at all.



*From:* Callum Guy [mailto:callum@x-on.co.uk ]
*Sent:* 05 December 2016 16:37
*To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Directory Manager Password Change



Hi Stefan,



Thanks for your input, I am able to clarify that I wasn't simply copying
and pasting in - the dollar sign was included in my password rather than
the example. But yes, no denying that my command line skills are to blame.



Further to this problem I am happy to report that the issue is now solved.
My main issue was the dollar sign meaning that I had updated the DM
password incorrectly for FreeIPA. Secondly I appear to have caused an issue
with SSSD and it was a restart of this service which finally resolved the
issue for me. I doubt there is much to be learnt from my issue - definitely
user error.



Thanks so much for your responses, very much appreciated. Apologies for
taking up your time.



Callum







On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur 
wrote:

Hi,

I think you are copying and pasting the exact same commands from the
article, which is of course a wrong approach. Never copy/paste from web to
execute on your server. That $ sign indicates you can give any name you’d
like.



Follow this article here:

https://access.redhat.com/solutions/308623



Stefan





*From:* freeipa-users-boun...@redhat.com [mailto:
freeipa-users-boun...@redhat.com] *On Behalf Of *Callum Guy
*Sent:* 05 December 2016 13:38
*To:* Florence Blanc-Renaud; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] Directory Manager Password Change



Hi Flo,



I have indeed executed every step in order, including the one you have
indicated.



The password I had used included a dollar sign and this meant that echo -n
$DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
everything after the dollar was interpreted as a variable and was missing
in the file. I have corrected this and performed the full process again,
starting with the 389 reset however it is still not working correctly.



I remain in the same state as before where the admin password has not been
changed - this confuses me as my understanding is that admin only exists as
the FreeIPA web admin user whose password I can change separately. Am I
misunderstanding, is there another admin user within FreeIPA which is
directly linked to the directory manager?



Having run out of ideas I have just executed ipa-server-upgrade however
this hasn't helped. My situation remains as follows:



*Works:* ldapsearch -x -D "cn=directory manager" -w  *NEW_DM_PW  *-s base
-b "" "objectclass=*"

*Fails:  *ldapsearch -h localhost -ZZ -p 389 -x -D
"uid=admin,ou=people,o=ipaca" -w *NEW_DM_PW *-b "" -s base



Are you able to offer any other ideas?



Other information:

I can confirm that cacert.p12 has been updated by the actions performed.

File /etc/pki/pki-tomcat/password.conf now contains a new line internaldb=
*NEW_DM_PW *(as per instruction 1 on FreeIPA link)



Best Regards,



Callum





On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud  wrote:

On 12/05/2016 01:05 PM, Callum Guy wrote:
> Hi All,
>
> I have been testing FreeIPA and now plan to migrate to production use -
> thanks for creating such a great application!
>
> During the test phase we have been using simple passwords for the admin
> and directory manager users however we need these changed before moving
> into production. I believe we can change the admin password using the
> web interface however as I understand it amending the directory manager
> password is not so straightforward.
>
> I have found this
> link https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> however
> I am unsure if this is the correct procedure for our installation -
> certainly I am having no luck so far.
>
> We have the following setup:
>
> FreeI

Re: [Freeipa-users] Directory Manager Password Change | off topic

2016-12-05 Thread Joseph Flynn
Ah, now SophiaB wants in on the action too.  Looks like my lucky day.

Seriously though, I think the community needs to anonymize participants out
of necessity.

On Mon, Dec 5, 2016 at 12:02 PM, Joseph Flynn  wrote:

> Me too.  Within minutes of my first posting, I have good old Kimmi
> offering me all kinds of favors.  All of our emails are exposed to the
> group which I'd like to trust but we obviously can't.  All it takes is for
> a spammer to join the group and they will eventually collect a group of
> active emails with a very targeted demographic.
>
> On Mon, Dec 5, 2016 at 11:45 AM, Stefan Uygur  > wrote:
>
>> Guys,
>>
>> Since I replied to the list I keep receiving spam emails, what is
>> happening?
>>
>>
>>
>> *From:* Stefan Uygur
>> *Sent:* 05 December 2016 16:40
>> *To:* 'Callum Guy'; Florence Blanc-Renaud; freeipa-users@redhat.com
>> *Subject:* RE: [Freeipa-users] Directory Manager Password Change
>>
>>
>>
>> Glad you solved your issue.
>>
>>
>>
>> I’ve been there myself so don’t worry about it at all.
>>
>>
>>
>> *From:* Callum Guy [mailto:callum@x-on.co.uk ]
>>
>> *Sent:* 05 December 2016 16:37
>> *To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>>
>>
>>
>> Hi Stefan,
>>
>>
>>
>> Thanks for your input, I am able to clarify that I wasn't simply copying
>> and pasting in - the dollar sign was included in my password rather than
>> the example. But yes, no denying that my command line skills are to blame.
>>
>>
>>
>> Further to this problem I am happy to report that the issue is now
>> solved. My main issue was the dollar sign meaning that I had updated the DM
>> password incorrectly for FreeIPA. Secondly I appear to have caused an issue
>> with SSSD and it was a restart of this service which finally resolved the
>> issue for me. I doubt there is much to be learnt from my issue - definitely
>> user error.
>>
>>
>>
>> Thanks so much for your responses, very much appreciated. Apologies for
>> taking up your time.
>>
>>
>>
>> Callum
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur 
>> wrote:
>>
>> Hi,
>>
>> I think you are copying and pasting the exact same commands from the
>> article, which is of course a wrong approach. Never copy/paste from web to
>> execute on your server. That $ sign indicates you can give any name you’d
>> like.
>>
>>
>>
>> Follow this article here:
>>
>> https://access.redhat.com/solutions/308623
>>
>>
>>
>> Stefan
>>
>>
>>
>>
>>
>> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-bounces@
>> redhat.com] *On Behalf Of *Callum Guy
>> *Sent:* 05 December 2016 13:38
>> *To:* Florence Blanc-Renaud; freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>>
>>
>>
>> Hi Flo,
>>
>>
>>
>> I have indeed executed every step in order, including the one you have
>> indicated.
>>
>>
>>
>> The password I had used included a dollar sign and this meant that echo
>> -n $DM_PASSWORD > /root/dm_password didn't work as I had expected
>> meaning everything after the dollar was interpreted as a variable and was
>> missing in the file. I have corrected this and performed the full process
>> again, starting with the 389 reset however it is still not working
>> correctly.
>>
>>
>>
>> I remain in the same state as before where the admin password has not
>> been changed - this confuses me as my understanding is that admin only
>> exists as the FreeIPA web admin user whose password I can change
>> separately. Am I misunderstanding, is there another admin user within
>> FreeIPA which is directly linked to the directory manager?
>>
>>
>>
>> Having run out of ideas I have just executed ipa-server-upgrade however
>> this hasn't helped. My situation remains as follows:
>>
>>
>>
>> *Works:* ldapsearch -x -D "cn=directory manager" -w  *NEW_DM_PW  *-s
>> base -b "" "objectclass=*"
>>
>> *Fails:  *ldapsearch -h localhost -ZZ -p 389 -x -D
>> "uid=admin,ou=people,o=ipaca" -w *NEW_DM_PW *-b "" -s base
>>
>>
>>
>> Are you able to offer any other ideas?
>>
>>
>>
>> Other information:
>>
>> I can confirm that cacert.p12 has been updated by the actions performed.
>>
>> File /etc/pki/pki-tomcat/password.conf now contains a new line
>> internaldb=*NEW_DM_PW *(as per instruction 1 on FreeIPA link)
>>
>>
>>
>> Best Regards,
>>
>>
>>
>> Callum
>>
>>
>>
>>
>>
>> On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud 
>> wrote:
>>
>> On 12/05/2016 01:05 PM, Callum Guy wrote:
>> > Hi All,
>> >
>> > I have been testing FreeIPA and now plan to migrate to production use -
>> > thanks for creating such a great application!
>> >
>> > During the test phase we have been using simple passwords for the admin
>> > and directory manager users however we need these changed before moving
>> > into production. I believe we can change the admin password using the
>> > web interface however as I understand it amending the directory manager
>> > password is not so straightforward.
>> 

Re: [Freeipa-users] Directory Manager Password Change | off topic

2016-12-05 Thread Joseph Flynn
Me too.  Within minutes of my first posting, I have good old Kimmi offering
me all kinds of favors.  All of our emails are exposed to the group which
I'd like to trust but we obviously can't.  All it takes is for a spammer to
join the group and they will eventually collect a group of active emails
with a very targeted demographic.

On Mon, Dec 5, 2016 at 11:45 AM, Stefan Uygur 
wrote:

> Guys,
>
> Since I replied to the list I keep receiving spam emails, what is
> happening?
>
>
>
> *From:* Stefan Uygur
> *Sent:* 05 December 2016 16:40
> *To:* 'Callum Guy'; Florence Blanc-Renaud; freeipa-users@redhat.com
> *Subject:* RE: [Freeipa-users] Directory Manager Password Change
>
>
>
> Glad you solved your issue.
>
>
>
> I’ve been there myself so don’t worry about it at all.
>
>
>
> *From:* Callum Guy [mailto:callum@x-on.co.uk ]
> *Sent:* 05 December 2016 16:37
> *To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Stefan,
>
>
>
> Thanks for your input, I am able to clarify that I wasn't simply copying
> and pasting in - the dollar sign was included in my password rather than
> the example. But yes, no denying that my command line skills are to blame.
>
>
>
> Further to this problem I am happy to report that the issue is now solved.
> My main issue was the dollar sign meaning that I had updated the DM
> password incorrectly for FreeIPA. Secondly I appear to have caused an issue
> with SSSD and it was a restart of this service which finally resolved the
> issue for me. I doubt there is much to be learnt from my issue - definitely
> user error.
>
>
>
> Thanks so much for your responses, very much appreciated. Apologies for
> taking up your time.
>
>
>
> Callum
>
>
>
>
>
>
>
> On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur 
> wrote:
>
> Hi,
>
> I think you are copying and pasting the exact same commands from the
> article, which is of course a wrong approach. Never copy/paste from web to
> execute on your server. That $ sign indicates you can give any name you’d
> like.
>
>
>
> Follow this article here:
>
> https://access.redhat.com/solutions/308623
>
>
>
> Stefan
>
>
>
>
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-bounces@
> redhat.com] *On Behalf Of *Callum Guy
> *Sent:* 05 December 2016 13:38
> *To:* Florence Blanc-Renaud; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Flo,
>
>
>
> I have indeed executed every step in order, including the one you have
> indicated.
>
>
>
> The password I had used included a dollar sign and this meant that echo
> -n $DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
> everything after the dollar was interpreted as a variable and was missing
> in the file. I have corrected this and performed the full process again,
> starting with the 389 reset however it is still not working correctly.
>
>
>
> I remain in the same state as before where the admin password has not been
> changed - this confuses me as my understanding is that admin only exists as
> the FreeIPA web admin user whose password I can change separately. Am I
> misunderstanding, is there another admin user within FreeIPA which is
> directly linked to the directory manager?
>
>
>
> Having run out of ideas I have just executed ipa-server-upgrade however
> this hasn't helped. My situation remains as follows:
>
>
>
> *Works:* ldapsearch -x -D "cn=directory manager" -w  *NEW_DM_PW  *-s base
> -b "" "objectclass=*"
>
> *Fails:  *ldapsearch -h localhost -ZZ -p 389 -x -D
> "uid=admin,ou=people,o=ipaca" -w *NEW_DM_PW *-b "" -s base
>
>
>
> Are you able to offer any other ideas?
>
>
>
> Other information:
>
> I can confirm that cacert.p12 has been updated by the actions performed.
>
> File /etc/pki/pki-tomcat/password.conf now contains a new line internaldb=
> *NEW_DM_PW *(as per instruction 1 on FreeIPA link)
>
>
>
> Best Regards,
>
>
>
> Callum
>
>
>
>
>
> On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud 
> wrote:
>
> On 12/05/2016 01:05 PM, Callum Guy wrote:
> > Hi All,
> >
> > I have been testing FreeIPA and now plan to migrate to production use -
> > thanks for creating such a great application!
> >
> > During the test phase we have been using simple passwords for the admin
> > and directory manager users however we need these changed before moving
> > into production. I believe we can change the admin password using the
> > web interface however as I understand it amending the directory manager
> > password is not so straightforward.
> >
> > I have found this
> > link https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password however
> > I am unsure if this is the correct procedure for our installation -
> > certainly I am having no luck so far.
> >
> > We have the following setup:
> >
> > FreeIPA 4.2.0 - single master server (no replicas), multiple clients
> > CentOS 7.2
> >
> > I have tried the following steps in order:

Re: [Freeipa-users] Directory Manager Password Change | off topic

2016-12-05 Thread Stefan Uygur
Guys,
Since I replied to the list I keep receiving spam emails, what is happening?

From: Stefan Uygur
Sent: 05 December 2016 16:40
To: 'Callum Guy'; Florence Blanc-Renaud; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Directory Manager Password Change

Glad you solved your issue.

I’ve been there myself so don’t worry about it at all.

From: Callum Guy [mailto:callum@x-on.co.uk]
Sent: 05 December 2016 16:37
To: Stefan Uygur; Florence Blanc-Renaud; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Directory Manager Password Change

Hi Stefan,

Thanks for your input, I am able to clarify that I wasn't simply copying and 
pasting in - the dollar sign was included in my password rather than the 
example. But yes, no denying that my command line skills are to blame.

Further to this problem I am happy to report that the issue is now solved. My 
main issue was the dollar sign meaning that I had updated the DM password 
incorrectly for FreeIPA. Secondly I appear to have caused an issue with SSSD 
and it was a restart of this service which finally resolved the issue for me. I 
doubt there is much to be learnt from my issue - definitely user error.

Thanks so much for your responses, very much appreciated. Apologies for taking 
up your time.

Callum



On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suy...@firstderivatives.com> wrote:
Hi,
I think you are copying and pasting the exact same commands from the article, 
which is of course a wrong approach. Never copy/paste from web to execute on 
your server. That $ sign indicates you can give any name you’d like.

Follow this article here:
https://access.redhat.com/solutions/308623

Stefan


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com]
 On Behalf Of Callum Guy
Sent: 05 December 2016 13:38
To: Florence Blanc-Renaud; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Directory Manager Password Change

Hi Flo,

I have indeed executed every step in order, including the one you have 
indicated.

The password I had used included a dollar sign and this meant that echo -n 
$DM_PASSWORD > /root/dm_password didn't work as I had expected meaning 
everything after the dollar was interpreted as a variable and was missing in 
the file. I have corrected this and performed the full process again, starting 
with the 389 reset however it is still not working correctly.

I remain in the same state as before where the admin password has not been 
changed - this confuses me as my understanding is that admin only exists as the 
FreeIPA web admin user whose password I can change separately. Am I 
misunderstanding, is there another admin user within FreeIPA which is directly 
linked to the directory manager?

Having run out of ideas I have just executed ipa-server-upgrade however this 
hasn't helped. My situation remains as follows:

Works: ldapsearch -x -D "cn=directory manager" -w  NEW_DM_PW  -s base -b "" 
"objectclass=*"
Fails:  ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca" 
-w NEW_DM_PW -b "" -s base

Are you able to offer any other ideas?

Other information:
I can confirm that cacert.p12 has been updated by the actions performed.
File /etc/pki/pki-tomcat/password.conf now contains a new line 
internaldb=NEW_DM_PW (as per instruction 1 on FreeIPA link)

Best Regards,

Callum


On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
On 12/05/2016 01:05 PM, Callum Guy wrote:
> Hi All,
>
> I have been testing FreeIPA and now plan to migrate to production use -
> thanks for creating such a great application!
>
> During the test phase we have been using simple passwords for the admin
> and directory manager users however we need these changed before moving
> into production. I believe we can change the admin password using the
> web interface however as I understand it amending the directory manager
> password is not so straightforward.
>
> I have found this
> link https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password 
> however
> I am unsure if this is the correct procedure for our installation -
> certainly I am having no luck so far.
>
> We have the following setup:
>
> FreeIPA 4.2.0 - single master server (no replicas), multiple clients
> CentOS 7.2
>
> I have tried the following steps in order:
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
> followed by
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> After completing that I am no longer able to authenticate user logins.
> The below covers my current situation:
>
> This works:
> ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
> "objectclass=*"
>
> This does not work:
> ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""
> "objectclass=*"
>
> This works:
>
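
The dollar-sign problem described in the thread, as an added example that is not part of any poster's message or of the FreeIPA how-to: it shows how a password containing `$` is truncated by shell expansion and one way to write it to a file intact. The sample password, the function names and the scratch directory (used instead of `/root/dm_password`) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample password containing a dollar sign (not from the thread).
# Single quotes keep every character literal.
SAMPLE_PW='Secr3t$Word9'

# Failure mode: the same text inside double quotes. The shell expands
# $Word9 (unset, so empty) before the assignment, truncating the value.
broken_assignment() {
    unset Word9
    DM_PASSWORD="Secr3t$Word9"
    printf '%s' "$DM_PASSWORD"
}

# Write a password to a file: quoted expansion (no word splitting or
# globbing), printf instead of the non-portable echo -n, and a umask so
# a newly created file is readable by its owner only.
write_pw_file() {   # $1 = password, $2 = destination
    ( umask 077; printf '%s' "$1" > "$2" )
}

# Read the password from stdin so it never passes through the shell parser
# or the history file; echo is switched off when stdin is a terminal.
prompt_pw_to_file() {   # $1 = destination
    if [ -t 0 ]; then stty -echo; printf 'New DM password: ' >&2; fi
    IFS= read -r pw
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    write_pw_file "$pw" "$1"
    unset pw
}

# Check that the file holds exactly the expected bytes. The trailing "x"
# stops command substitution from hiding a stray trailing newline.
pw_file_matches() {   # $1 = expected password, $2 = file
    [ "$(cat "$2"; printf x)" = "${1}x" ]
}

# Demo using a scratch directory rather than /root/dm_password.
demo_dir=$(mktemp -d)
write_pw_file "$SAMPLE_PW" "$demo_dir/dm_password"
printf 'double-quoted assignment keeps: %s\n' "$(broken_assignment)"
if pw_file_matches "$SAMPLE_PW" "$demo_dir/dm_password"; then
    printf 'file matches the literal password\n'
fi
rm -rf "$demo_dir"
```

Running `pw_file_matches` against the written file before continuing with the remaining password-change steps catches a truncated value early.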