One should follow directions - then one might find solutions... DOH.

Ok, have not found solution, BUT, the ldapsearch worked with the new PW.  So, had I followed the directions in the URL I provided in the first place I would have seen, indeed the process to change the PW was working. What is NOT working is the process to add a CA to a replica while it is already in the collection of servers.

Now, I will go uninstall this replica completely, and then attempt to install it as a replica WITH a CA from the outset - and see what is up.

I guess the error message I am getting is coming from someplace else in the install process and not the actual Directory Manager access. Time to start from the beginning and review the logs.

I apologize to all for bothering you and thank you for pointing out what I should have done in the first place.  But hey, at least I knew to stop 389-ds before doing any of this. :-)

Kat


On 5/21/18 13:33, Mark Reynolds wrote:

On 05/21/2018 02:02 PM, Kat via FreeIPA-users wrote:
Stopping 389-ds was the first step for sure - I would not fall for
that one! :-)

No access to Dir Manager,

I don't know what this means either, but please try this:

ldapsearch -D "cn=directory manager" -W -s base -b "" objectclass=top

If this fails please share the access log output (there is 30 second
buffering on the log fyi):

     /var/log/dirsrv/slapd-YOUR_HOST/access

I'm looking for something like this:

[18/May/2018:12:28:46.334365436 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[18/May/2018:12:28:46.418295813 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0084017134 dn="cn=directory manager"


So either you have not replaced the password correctly, or the
"cn=directory manger" account is not actually "cn=directory manager".
The access log will tell us more...


and perhaps this is where I went wrong - I skipped the ldapsearch and
went straight to just trying to add a CA to my replica with
ipa-ca-install on an existing NON-CA replica and it asks for directory
Manager Password, and I give the new one and sadly, no joy in mudville.

BUT - maybe that is part of what I am doing wrong to test it?

Kat


On 5/21/18 12:31, Rob Crittenden wrote:
Kat via FreeIPA-users wrote:
My bad - I thought the link I shared would indicate that is the process
I followed. However, here are more details:

ipa-server-4.5.4-10.el7_5.1.x86_64 on RHEL 7.5

Steps:

1. Backup dse.ldif out of /etc/dirsrv/slapd-DOMAIN...

2. ipactl stop

3. vim dse.ldif and replace rootpw with newly hashed pw from pwdhash
command

4. ipactl start

It is amazing how many people fail to stop 389-ds before applying the
change and wonder why it doesn't work. This is why I asked for the exact
steps.

I tried this on the first CA, and was unable to gain access to dirmgr.
Tried it on secondary (replicas) and still no luck. So perhaps I am just
not understanding that you can change Directory Manager PW by following
389-ds docs?

It depends on version. With older versions changing the password was
more complex.

What do you mean by no access to DM? What did you do to check this?

rob

thank you
Kat


On 5/21/18 10:49, Rob Crittenden wrote:
Kat via FreeIPA-users wrote:
No suggestions at all?

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

It would help if you included the version and distro and more details on
how you tried to change the password.

rob

:-(


On 5/16/18 09:08, Kat wrote:
Hi -

Have a replica I did not install CA on. Want to add it. I had lost the
Directory Manager password, so I followed procedure to change it by
editing dse.ldif and replacing the rootpw, but no matter what I do I
keep getting:

[root@ipa-rep2 ~]# ipa-ca-install
Directory Manager (existing master) password:

Directory Manager password is invalid

Scratching my head - has the procedure for changing the Dir Mgr
password changed? I used:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html




Any ideas?
-K

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BUEPY6TBYRLMDYCT7BA65OLFOUQCRJ5R/
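
Added example (not part of the thread, and not 389-ds or FreeIPA code): a small Python parser for the access-log check requested above. It pairs each BIND with its RESULT on the same conn/op and separates a rejected password from a mistyped bind DN. The sample lines are constructed, and the default root DN "cn=directory manager" is an assumption.

```python
import re

# Constructed sample lines in the 389-ds access-log layout quoted in the thread
# (timestamps, connection numbers and the failing attempts are made up).
SAMPLE_LOG = """\
[21/May/2018:13:40:01.000000001 -0500] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/May/2018:13:40:01.000000002 -0500] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0001 - Invalid credentials
[21/May/2018:13:41:10.000000001 -0500] conn=8 op=0 BIND dn="cn=directory manger" method=128 version=3
[21/May/2018:13:41:10.000000002 -0500] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0001
[21/May/2018:13:42:30.000000001 -0500] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/May/2018:13:42:30.000000002 -0500] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0084 dn="cn=directory manager"
"""

LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>BIND|RESULT) (?P<rest>.*)$')
ROOT_DN = "cn=directory manager"  # assumed root DN; pass another if yours differs


def bind_outcomes(log_text, root_dn=ROOT_DN):
    """Pair each BIND with the RESULT on the same conn/op and classify it."""
    pending, outcomes = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["conn"], m["op"])
        if m["kind"] == "BIND":
            dn = re.search(r'dn="([^"]*)"', m["rest"])
            pending[key] = (m["ts"], dn.group(1) if dn else "")
        elif key in pending and "tag=97" in m["rest"]:  # tag 97 = bind response
            ts, dn = pending.pop(key)
            err = int(re.search(r'err=(\d+)', m["rest"]).group(1))
            if err == 0:
                verdict = "ok"
            elif dn.lower() != root_dn.lower():  # simple case-insensitive match
                verdict = "wrong bind DN"
            elif err == 49:  # LDAP invalidCredentials
                verdict = "bad password"
            else:
                verdict = "other error"
            outcomes.append({"time": ts, "dn": dn, "err": err, "verdict": verdict})
    return outcomes


if __name__ == "__main__":
    for o in bind_outcomes(SAMPLE_LOG):
        print(o["time"], repr(o["dn"]), "err=%d" % o["err"], o["verdict"])
```

To run it against a real log, pass the file's text to bind_outcomes(); allow for the 30 second log buffering mentioned in the thread before reading.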


