On 05/21/2018 02:02 PM, Kat via FreeIPA-users wrote:
> Stopping 389-ds was the first step for sure - I would not fall for
> that one! :-)
>
> No access to Dir Manager,
I don't know what this means either, but please try this:

    ldapsearch -D "cn=directory manager" -W -s base -b "" objectclass=top

If this fails please share the access log output (there is 30 second
buffering on the log fyi):

    /var/log/dirsrv/slapd-YOUR_HOST/access

I'm looking for something like this:

    [18/May/2018:12:28:46.334365436 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
    [18/May/2018:12:28:46.418295813 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0084017134 dn="cn=directory manager"


So either you have not replaced the password correctly, or the
"cn=directory manager" account is not actually "cn=directory manager".
The access log will tell us more...


> and perhaps this is where I went wrong - I skipped the ldapsearch and
> went straight to just trying to add a CA to my replicate with
> ipa-ca-install on an existing NON-CA replica and it asks for directory
> Manager Password, and I give the new one and sadly, no joy in mudville.
>
> BUT - maybe that is part of what I am doing wrong to test it?
>
> Kat
>
>
> On 5/21/18 12:31, Rob Crittenden wrote:
>> Kat via FreeIPA-users wrote:
>>> My bad - I thought the link I shared would indicate that is the process
>>> I followed. However, here are more details:
>>>
>>> ipa-server-4.5.4-10.el7_5.1.x86_64 on RHEL 7.5
>>>
>>> Steps:
>>>
>>> 1. Backup dse.ldif out of /etc/dirsrv/slapd-DOMAIN...
>>>
>>> 2. ipactl stop
>>>
>>> 3. vim dse.ldif and replace rootpw with newly hashed pw from pwdhash
>>> command
>>>
>>> 4. ipactl start
>> It is amazing how many people fail to stop 389-ds before applying the
>> change and wonder why it doesn't work. This is why I asked for the exact
>> steps.
>>
>>> I tried this on the first CA, and was unable to gain access to dirmgr.
>>> Tried it on secondary (replicas) and still no luck. So perhaps I am just
>>> not understanding that you can change Directory Manager PW by following
>>> 389-ds docs?
>> It depends on version. With older versions changing the password was
>> more complex.
>>
>> What do you mean by no access to DM? What did you do to check this?
>>
>> rob
>>
>>> thank you
>>> Kat
>>>
>>>
>>> On 5/21/18 10:49, Rob Crittenden wrote:
>>>> Kat via FreeIPA-users wrote:
>>>>> No suggestions at all?
>>>> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>>>>
>>>> It would help if you included the version and distro and more
>>>> details on how you tried to change the password.
>>>>
>>>> rob
>>>>
>>>>> :-(
>>>>>
>>>>>
>>>>> On 5/16/18 09:08, Kat wrote:
>>>>>> Hi -
>>>>>>
>>>>>> Have a replica I did not install CA on. Want to add it. I had lost the
>>>>>> Directory Manager password, so I followed procedure to change it by
>>>>>> editing dse.ldif and replacing the rootpw, but no matter what I do I
>>>>>> keep getting:
>>>>>>
>>>>>> [root@ipa-rep2 ~]# ipa-ca-install
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> Directory Manager password is invalid
>>>>>>
>>>>>> Scratching my head - has the procedure for changing the Dir Mgr
>>>>>> password changed? I used:
>>>>>>
>>>>>> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Any ideas?
>>>>>> -K
>>>>>>
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to
>>>>> freeipa-users-le...@lists.fedorahosted.org
>>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>>> List Guidelines:
>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BUEPY6TBYRLMDYCT7BA65OLFOUQCRJ5R/
>>>>>
>>>>>
>>>>>

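The access-log check requested at the top of this message, as an added example that is not part of the original thread: a Python script that pairs each BIND with the RESULT sharing its conn/op and reports the LDAP result code and the DN the server actually bound. The sample log lines are constructed, and the name `bind_outcomes` is an assumption of this example.

```python
import re

# Constructed sample in the access-log format quoted in the thread (not real server output).
SAMPLE_LOG = """\
[21/May/2018:14:10:01.100000000 -0400] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/May/2018:14:10:01.150000000 -0400] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0500000000
[21/May/2018:14:12:30.200000000 -0400] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/May/2018:14:12:30.260000000 -0400] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0600000000 dn="cn=directory manager"
[21/May/2018:14:12:30.300000000 -0400] conn=8 op=1 SRCH base="" scope=0 filter="(objectClass=top)" attrs=ALL
[21/May/2018:14:12:30.310000000 -0400] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0100000000
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')
# LDAP result codes (RFC 4511) most relevant when a bind is refused.
MEANING = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}

def bind_outcomes(log_text):
    """Pair every BIND with the RESULT on the same conn/op; return one dict per bind."""
    pending, out = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # wrapped or unrelated line
        key = (int(m["conn"]), int(m["op"]))
        if m["kind"] == "BIND":
            dn = DN.search(m["rest"])
            pending[key] = {"ts": m["ts"], "conn": key[0], "requested_dn": dn.group(1) if dn else ""}
        elif m["kind"] == "RESULT" and key in pending:
            err = ERR.search(m["rest"])
            if not err:
                continue
            rec = pending.pop(key)
            bound = DN.search(m["rest"])  # present on the successful bind shown in the thread
            code = int(err.group(1))
            rec.update(err=code, meaning=MEANING.get(code, "other"),
                       bound_dn=bound.group(1) if bound else None)
            out.append(rec)
    return out

if __name__ == "__main__":
    for r in bind_outcomes(SAMPLE_LOG):
        print(r["ts"], "conn=%d" % r["conn"], r["requested_dn"], "->", r["err"], r["meaning"], r["bound_dn"])
```

Run it against an unwrapped copy of `/var/log/dirsrv/slapd-YOUR_HOST/access`; log lines that a mail client has wrapped will not match.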