On Tue, 04 Aug 2020, White, David via FreeIPA-users wrote:
We have an IPA environment that has an existing trust with Active Directory.
I'm trying to troubleshoot some things, and am trying to run a `ldapsearch` against our IPA environment. It keeps asking for an LDAP Bind password.
- I know the Directory Admin password
- I know the local 'admin' password to get into the UI as the "admin" user
- I know my own Active Directory password.
None of these passwords are working.
[root@cha-cop-lab-mgt-ath-001 whitedm]# ldapsearch -ZZ -H ldap://ipa-hostname-001.lab.example.net -b 'cn=compat,dc=fiberlab,dc=example,dc=net' -D 'cn=whitedm' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I recall setting up the LDAP password on the initial install of the IPA software when these servers were first launched. How can I reset this LDAP password?
What are you trying to achieve here? You are using the compat tree, which is a read-only dynamic view of content provided elsewhere.
You are using your own account RDN, but ldapsearch wants your DN for the bind, not the RDN. Your DN depends on what you want to authenticate with --
if this is your AD user, then you need to use the compat tree DN, uid=whitedm@ad.domain,cn=users,cn=compat,dc=....
if this is your IPA user, then you need to use your IPA user DN, e.g. uid=admin,cn=users,cn=accounts,dc=...
if this is Directory Manager, then the DN is 'cn=Directory Manager'. It looks like an RDN, but that's a virtual object which doesn't exist anywhere and is treated by 389-ds in a special way.
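As an added example (not from the thread or the FreeIPA project), a small POSIX shell helper that builds the full bind DN for each of the three cases above and runs the poster's search with it; the host and base DN default to the values from the post, while AD_DOMAIN (ad.example.net) and the function names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: derive the full bind DN that
# ldapsearch expects from the kind of account, then search with STARTTLS.

# bind_dn KIND USER BASEDN [AD_DOMAIN]  -> prints the bind DN on stdout
#   ipa : IPA user under cn=accounts
#   ad  : trusted AD user, only visible through the compat tree (needs realm)
#   dm  : Directory Manager, a virtual entry with no parent in the tree
bind_dn() {
    kind=$1; user=$2; basedn=$3; ad_domain=$4
    case "$kind" in
        ipa) printf 'uid=%s,cn=users,cn=accounts,%s\n' "$user" "$basedn" ;;
        ad)  [ -n "$ad_domain" ] || { echo "ad user needs AD_DOMAIN" >&2; return 1; }
             printf 'uid=%s@%s,cn=users,cn=compat,%s\n' "$user" "$ad_domain" "$basedn" ;;
        dm)  printf 'cn=Directory Manager\n' ;;
        *)   echo "unknown kind: $kind (use ipa|ad|dm)" >&2; return 1 ;;
    esac
}

# ipa_search KIND USER [FILTER]  -- -ZZ enforces STARTTLS, -W prompts for the
# password; binding with a bare RDN such as -D 'cn=whitedm' is what produced
# "ldap_bind: Invalid credentials (49)" in the post.
ipa_search() {
    host=${IPA_HOST:-ipa-hostname-001.lab.example.net}      # from the post
    basedn=${IPA_BASEDN:-dc=fiberlab,dc=example,dc=net}     # from the post
    ad_domain=${AD_DOMAIN:-ad.example.net}                  # assumed placeholder
    dn=$(bind_dn "$1" "$2" "$basedn" "$ad_domain") || return 1
    # AD users exist only in the compat view; IPA users live under cn=accounts
    case "$1" in
        ad) base="cn=compat,$basedn" ;;
        *)  base="cn=accounts,$basedn" ;;
    esac
    ldapsearch -ZZ -H "ldap://$host" -D "$dn" -W -b "$base" "${3:-(objectClass=*)}" dn
}
```

Run as `ipa_search ad whitedm '(uid=whitedm*)'` or `ipa_search ipa admin`; the password prompted for is the one belonging to the account the DN names, not the Directory Manager password.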