On Mon, 15 Aug 2016, Stefan Uygur wrote:
Hi Alexander,
Thanks for your reply and I do remember very well your feedback of
course in relation to this issue.
The instructions are very simple, no discussion about that and I
followed step by step ad exception of this step: Configure all replicas
to use the new password by editing /etc/pki-ca/password.conf for Dogtag
9 or /etc/pki/pki-tomcat/password.conf for Dogtag 10:
Which is not that clear to be honest as it is referring to replicas and
not the master server itself.
In IPA the term 'replica' applies to all IPA masters. All of them are
replicas of each other on the base level. They may have additional
services running but at the very least they have LDAP, Kerberos KDC, and
HTTPd.
I do not have any replica for this server, I am trying to set the first
one in fact, so I don't think that step need to be re-produced in my
case, unless I am really missing something in that paragraph.
These steps have to be done on all existing IPA masters, whether you
call them replicas or not.
Did you update /root/cacert.p12? If so, did you re-generate the replica
file afterwards? Point is, inside replica file there is a CA certificate
with a private key in PKCS#12 format which is encrypted using DM
password. If you have replica file generated before cacert.p12 was
updated with new DM password, then cacert.p12 inside the replica file
cannot be decrypted using new DM password, thus replica installation
will fail.
Thanks again
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: 15 August 2016 11:28
To: Stefan Uygur
Cc: mreyno...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa replication issue
On Mon, 15 Aug 2016, Stefan Uygur wrote:
Hi Everyone,
Sorry if I have to bring this topic back again but still no solution so far. I
gave up for a while but I still need to solve this problem.
I followed the link provided by Mark Reynold:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/
10/html/Administration_Guide/dirmnger-pwd.html#dirmnger-pwd-Resetting_P
asswords
I applied the instructions multiple times and also followed these instructions
as well:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
With no joy.
Mark suggested:
The problem here is that "cn=directory manager" does not exist in a
database. It only exists in the cn=config entry, so ldappasswd will
not work. But I'm not sure if your problem is the directory manager
account though. You need to look through the Directory Server access
log for "err=49" (/var/log/dirsrv/slapd-INSTANCE/access), and see which
BIND dn is failing. It could be a different user/account.
So I checked the logs as well and this is all I have from logs every time I
attempt to prepare the replica:
[15/Aug/2016:11:03:13 +0100] conn=10 op=13 RESULT err=0 tag=101
nentries=0 etime=0 notes=U
[15/Aug/2016:11:03:15 +0100] conn=11 fd=70 slot=70 connection from
local to /var/run/slapd-INSTANCE-COM.socke t
[15/Aug/2016:11:03:15 +0100] conn=11 op=0 BIND dn="cn=directory
manager" method=128 version=3
[15/Aug/2016:11:03:15 +0100] conn=11 op=0 RESULT err=49 tag=97
nentries=0 etime=0
[15/Aug/2016:11:03:15 +0100] conn=11 op=1 UNBIND
[15/Aug/2016:11:03:15 +0100] conn=11 op=1 fd=70 closed - U1
I don't think it is that difficult to manage/change Directory Manager
password but I cannot get away with it myself so I must be doing
something wrong or the solutions provided (instructions) are not
applicable to the version of IPA (ipa-server-3.0.0-47.el6_7.2.x86_64) I
have.
Please follow instructions in the FreeIPA's howto link above. Really, they tell
you where and how you should change DM password. As I said before, you need to
change more places which recorded the password at the time of install. You
claim that the instruction does not work but it is very clear from the logs
above that you haven't updated all places where DM password was recorded and as
such, you get some code using older version of the DM password. This older
version of DM password comes from one of the fails you actually did not change.
--
/ Alexander Bokovoy
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
