I am looking at the 2 entries in dse.ldif - and indeed they are
different. If I replace the one in question with the one from the
working system, it works again.
I did find - replica was created on Dec 11 at noon -- and the dse.ldif
file CHANGED a day later?!? Going to have OSSEC monitor the folders for
changes in files to see what the heck is going on and WHAT changed it
and if it happens again.
thanks for the help
~J
On 12/18/14 10:28 AM, Rich Megginson wrote:
> On 12/18/2014 09:49 AM, Janelle wrote:
>> Good morning/evening All,
>> So, another strange thing I see with 4.1.2 running on FC21 (server).
>> On some replicas if I attempt to modify the 389-ds backend, I get
>> credential errors. Even ldapsearch fails - which has me baffled. I
>> am trying to tune the servers but this has me confused as to what
>> might cause something like this and where to start looking for a
>> solution?
>> Here is the interesting part - when the server was initially
>> replicated, I was able to make changes to 389-ds, but after a few
>> days, credentials now show errors:
>> ldapsearch -x -LLL -D "cn=directory manager" -b "cn=monitor"
>> "(objectclass=*)" -W
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
> This doesn't make any sense. Directory manager passwords are not
> replicated, they are local to each machine. Directory manager
> passwords do not expire, and the error message is definitely
> "incorrect password" not "password expired". There are no internal
> processes that touch directory manager or its password (unless there
> is something in ipa but I doubt it). So I have no idea how "all of a
> sudden" directory manager password stops working.
> You can't recover it, you can only reset it.
> http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>> Thoughts?
>> ~J
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
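
An added example, not part of the original thread: one way to find which attributes of an entry differ between two copies of dse.ldif (for instance a known-good copy and the current file) without printing the password hash itself. It assumes the entry of interest is `cn=config` and that the Directory Manager hash is in its `nsslapd-rootpw` attribute; the thread does not say which entries differed, and the sample data is constructed.

```python
import hashlib

SENSITIVE = {"nsslapd-rootpw"}  # hashed Directory Manager password kept in cn=config

def parse_ldif(text):
    """Parse LDIF text into {dn: {attr: [values]}} with lower-cased DNs and attribute names."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # unfold: a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None            # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.lower(), value.lstrip(":").strip()  # "::" marks base64, kept encoded
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def fingerprint(attr, values):
    """Sorted values; sensitive ones become a short digest so hashes never reach a log."""
    if attr in SENSITIVE:
        return sorted("sha256:" + hashlib.sha256(v.encode()).hexdigest()[:12] for v in values)
    return sorted(values)

def diff_entry(old_text, new_text, dn="cn=config"):
    """Return (attr, old, new) for each attribute of `dn` that differs between two copies."""
    old = parse_ldif(old_text).get(dn.lower(), {})
    new = parse_ldif(new_text).get(dn.lower(), {})
    changes = []
    for attr in sorted(set(old) | set(new)):
        a, b = fingerprint(attr, old.get(attr, [])), fingerprint(attr, new.get(attr, []))
        if a != b:
            changes.append((attr, a, b))
    return changes

# Constructed sample data: two copies of a minimal cn=config entry, not taken from the thread.
TEMPLATE = "dn: cn=config\nnsslapd-rootdn: cn=Directory Manager\nnsslapd-port: 389\n" \
           "nsslapd-rootpw: {SSHA}%s\n %s\nmodifyTimestamp: %s\n\ndn: cn=monitor\ncn: monitor\n"
KNOWN_GOOD = TEMPLATE % ("CONSTRUCTEDHASHONE", "AAAA", "20141211120000Z")
CURRENT = TEMPLATE % ("CONSTRUCTEDHASHTWO", "BBBB", "20141212120000Z")

if __name__ == "__main__":
    for attr, old, new in diff_entry(KNOWN_GOOD, CURRENT):
        print(f"{attr}: {old} -> {new}")
```

Run against real files by reading each dse.ldif copy into a string and passing both to `diff_entry`; a file-integrity monitor reports that the file changed, while this shows which attribute did.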