My bad - I thought the link I shared would indicate that is the process I followed. However, here are more details:

ipa-server-4.5.4-10.el7_5.1.x86_64 on RHEL 7.5

Steps:

1. Backup dse.ldif out of /etc/dirsrv/slapd-DOMAIN...

2. ipactl stop

3. vim dse.ldif and replace rootpw with newly hashed pw from pwdhash command

4. ipactl start

I tried this on the first CA, and was unable to gain access to dirmgr. Tried it on secondary (replicas) and still no luck. So perhaps I am just not understanding that you can change Directory Manager PW by following 389-ds docs?

thank you Kat

On 5/21/18 10:49, Rob Crittenden wrote:

Kat via FreeIPA-users wrote:

...

No suggestions at all?

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If would help if you included the version and distro and more details on how you tried to change the password.

rob

...

:-(

On 5/16/18 09:08, Kat wrote:

...

Hi -

Have a replica I did not install CA on. Want to add it. I had lost the Directory Manager password, so I followed procedure to change it by editing dse.ldif and replacing the rootpw, but no matter what I do I keep getting:

[root@ipa-rep2 ~]# ipa-ca-install Directory Manager (existing master) password:

Directory Manager password is invalid

Scratching my head - has the procedure for changing the Dir Mgr password changed? I used:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpasswor...

Any ideas? -K

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...

Stopping 389-ds was the first step for sure - I would not fall for that one! :-)

No access to Dir Manager, and perhaps this is where I went wrong - I skipped the ldapsearch and went straight to just trying to add a CA to my replicate with ipa-ca-install on an existing NON-CA replica and it asks for directory Manager Password, and I give the new one an sadly, no joy in mudville.

BUT - maybe that is part of what I am doing wrong to test it?

Kat

On 5/21/18 12:31, Rob Crittenden wrote:

Kat via FreeIPA-users wrote:

...

My bad - I thought the link I shared would indicate that is the process I followed. However, here are more details:

ipa-server-4.5.4-10.el7_5.1.x86_64 on RHEL 7.5

Steps:

1. Backup dse.ldif out of /etc/dirsrv/slapd-DOMAIN...

2. ipactl stop

3. vim dse.ldif and replace rootpw with newly hashed pw from pwdhash

command

4. ipactl start

It is amazing how many people fail to stop 389-ds before applying the change and wonder why it doesn't work. This is why I asked for the exact steps.

...

I tried this on the first CA, and was unable to gain access to dirmgr. Tried it on secondary (replicas) and still no luck. So perhaps I am just not understanding that you can change Directory Manager PW by following 389-ds docs?

It depends on version. With older versions changing the password was more complex.

What do you mean by no access to DM? What did you do to check this?

rob

...

thank you Kat

On 5/21/18 10:49, Rob Crittenden wrote:

...

Kat via FreeIPA-users wrote:

...

No suggestions at all?

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If would help if you included the version and distro and more details on how you tried to change the password.

rob

...

:-(

On 5/16/18 09:08, Kat wrote:

...

Hi -

Have a replica I did not install CA on. Want to add it. I had lost the Directory Manager password, so I followed procedure to change it by editing dse.ldif and replacing the rootpw, but no matter what I do I keep getting:

[root@ipa-rep2 ~]# ipa-ca-install Directory Manager (existing master) password:

Directory Manager password is invalid

Scratching my head - has the procedure for changing the Dir Mgr password changed? I used:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpasswor...

Any ideas? -K

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...

One should follow directions - then one might find solutions... DOH.

Ok, have not found solution, BUT, the ldapsearch worked with the new PW.  So, had I followed the directions in the URL I provided in the first place I would have seen, indeed the process to change the PW was working. What is NOT working is the process to add a CA to a replica while it is already in the collection of servers.

Now, I will go uninstall this replica completely, and then attempt to install it as a replica WITH a CA from the outset - and see what is up.

I guess the error message I am getting is coming from someplace else in the install process and not the actual Directory Manager access. Time to start from the beginning and review the logs.

I apologize to all for bothering you and thank you for pointing out what I should have done in the first place.  But hey, at least I knew to stop 389-ds before doing any of this. :-)

Kat

On 5/21/18 13:33, Mark Reynolds wrote:

On 05/21/2018 02:02 PM, Kat via FreeIPA-users wrote:

...

Stopping 389-ds was the first step for sure - I would not fall for that one! :-)

No access to Dir Manager,

I don't know what this means either, but please try this:

ldapsearch -D "cn=directory manager" -W -s base -b "" objectclass=top

If this fails please share the access log output (there is 30 second buffering on the log fyi):

/var/log/dirsrv/slapd-YOUR_HOST/access

I'm looking for something like this:

[18/May/2018:12:28:46.334365436 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [18/May/2018:12:28:46.418295813 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0084017134 dn="cn=directory manager"

So either you have not replaced the password correctly, or the "cn=directory manger" account is not actually "cn=directory manager". The access log will tell us more...

...

and perhaps this is where I went wrong - I skipped the ldapsearch and went straight to just trying to add a CA to my replicate with ipa-ca-install on an existing NON-CA replica and it asks for directory Manager Password, and I give the new one an sadly, no joy in mudville.

BUT - maybe that is part of what I am doing wrong to test it?

Kat

On 5/21/18 12:31, Rob Crittenden wrote:

...

Kat via FreeIPA-users wrote:

...

My bad - I thought the link I shared would indicate that is the process I followed. However, here are more details:

ipa-server-4.5.4-10.el7_5.1.x86_64 on RHEL 7.5

Steps:

1. Backup dse.ldif out of /etc/dirsrv/slapd-DOMAIN...

2. ipactl stop

3. vim dse.ldif and replace rootpw with newly hashed pw from pwdhash

command

4. ipactl start

It is amazing how many people fail to stop 389-ds before applying the change and wonder why it doesn't work. This is why I asked for the exact steps.

...

I tried this on the first CA, and was unable to gain access to dirmgr. Tried it on secondary (replicas) and still no luck. So perhaps I am just not understanding that you can change Directory Manager PW by following 389-ds docs?

It depends on version. With older versions changing the password was more complex.

What do you mean by no access to DM? What did you do to check this?

rob

...

thank you Kat

On 5/21/18 10:49, Rob Crittenden wrote:

...

Kat via FreeIPA-users wrote:

...

No suggestions at all?

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If would help if you included the version and distro and more details on how you tried to change the password.

rob

...

:-(

On 5/16/18 09:08, Kat wrote: > Hi - > > Have a replica I did not install CA on. Want to add it. I had > lost the > Directory Manager password, so I followed procedure to change it by > editing dse.ldif and replacing the rootpw, but no matter what I do I > keep getting: > > [root@ipa-rep2 ~]# ipa-ca-install > Directory Manager (existing master) password: > > Directory Manager password is invalid > > Scratching my head - has the procedure for changing the Dir Mgr > password changed? I used: > > http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpasswor... > > > > > Any ideas? > -K > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...