Stopping 389-ds was the first step for sure - I would not fall for
that one! :-)
No access to Dir Manager,

I don't know what this means either, but please try this:

ldapsearch -D "cn=directory manager" -W -s base -b "" objectclass=top

If this fails please share the access log output (there is 30 second
buffering on the log fyi):

/var/log/dirsrv/slapd-YOUR_HOST/access

I'm looking for something like this:

[18/May/2018:12:28:46.334365436 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[18/May/2018:12:28:46.418295813 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0084017134 dn="cn=directory manager"

So either you have not replaced the password correctly, or the
"cn=directory manger" account is not actually "cn=directory manager".
The access log will tell us more...

and perhaps this is where I went wrong - I skipped the ldapsearch and
went straight to just trying to add a CA to my replicate with
ipa-ca-install on an existing NON-CA replica and it asks for directory
Manager Password, and I give the new one and sadly, no joy in mudville.
BUT - maybe that is part of what I am doing wrong to test it?
Kat
On 5/21/18 12:31, Rob Crittenden wrote:
> Kat via FreeIPA-users wrote:
>> My bad - I thought the link I shared would indicate that is the process
>> I followed. However, here are more details:
>>
>> ipa-server-4.5.4-10.el7_5.1.x86_64 on RHEL 7.5
>>
>> Steps:
>>
>> 1. Backup dse.ldif out of /etc/dirsrv/slapd-DOMAIN...
>>
>> 2. ipactl stop
>>
>> 3. vim dse.ldif and replace rootpw with newly hashed pw from pwdhash
>> command
>>
>> 4. ipactl start
> It is amazing how many people fail to stop 389-ds before applying the
> change and wonder why it doesn't work. This is why I asked for the exact
> steps.
>
>> I tried this on the first CA, and was unable to gain access to dirmgr.
>> Tried it on secondary (replicas) and still no luck. So perhaps I am just
>> not understanding that you can change Directory Manager PW by following
>> 389-ds docs?
> It depends on version. With older versions changing the password was
> more complex.
>
> What do you mean by no access to DM? What did you do to check this?
>
> rob
>
>> thank you
>> Kat
>>
>>
>> On 5/21/18 10:49, Rob Crittenden wrote:
>>> Kat via FreeIPA-users wrote:
>>>> No suggestions at all?
>>>
>>> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>>>
>>> It would help if you included the version and distro and more details on
>>> how you tried to change the password.
>>>
>>> rob
>>>
>>>> :-(
>>>>
>>>>
>>>> On 5/16/18 09:08, Kat wrote:
>>>>> Hi -
>>>>>
>>>>> Have a replica I did not install CA on. Want to add it. I had lost the
>>>>> Directory Manager password, so I followed procedure to change it by
>>>>> editing dse.ldif and replacing the rootpw, but no matter what I do I
>>>>> keep getting:
>>>>>
>>>>> [root@ipa-rep2 ~]# ipa-ca-install
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Directory Manager password is invalid
>>>>>
>>>>> Scratching my head - has the procedure for changing the Dir Mgr
>>>>> password changed? I used:
>>>>>
>>>>>
>>>>> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpass...
>>>>>
>>>>> Any ideas?
>>>>> -K
>>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
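
Added example, not part of the original thread and not FreeIPA or 389-ds code: a small parser for the access-log check requested above, pairing each BIND for cn=directory manager with the RESULT on the same conn/op and reporting its err code. The sample log is constructed in the format quoted in the thread; the function names and the conn=2 and conn=3 entries are assumptions for illustration.

```python
import re

# Constructed sample in the access-log format quoted in the thread; the
# conn=2 (err=49) and conn=3 entries and all of their values are made up.
SAMPLE_LOG = """\
[18/May/2018:12:28:46.334365436 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[18/May/2018:12:28:46.418295813 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0084017134 dn="cn=directory manager"
[18/May/2018:12:30:02.101000000 -0400] conn=2 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[18/May/2018:12:30:02.150000000 -0400] conn=2 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0490000000
[18/May/2018:12:31:10.000000000 -0400] conn=3 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[18/May/2018:12:31:10.050000000 -0400] conn=3 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0500000000
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                  r'(?P<kind>BIND|RESULT) (?P<rest>.*)$')
DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')
# Standard LDAP result codes most relevant to a failing bind.
MEANING = {0: "success", 32: "no such object", 49: "invalid credentials"}

def norm_dn(dn):
    """Lower-case and drop spaces around '=' and ',' (simplified DN compare)."""
    return re.sub(r'\s*([=,])\s*', r'\1', dn.strip().lower())

def bind_results(log_text, dn="cn=directory manager"):
    """Pair each BIND for `dn` with the RESULT on the same conn/op."""
    pending, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not BIND/RESULT records
        key = (m["conn"], m["op"])
        if m["kind"] == "BIND":
            found = DN.search(m["rest"])
            if found and norm_dn(found.group(1)) == norm_dn(dn):
                pending[key] = m["ts"]
        elif key in pending:
            err = ERR.search(m["rest"])
            code = int(err.group(1)) if err else None
            results.append({"bind_time": pending.pop(key), "conn": int(m["conn"]),
                            "err": code, "meaning": MEANING.get(code, "other")})
    return results

if __name__ == "__main__":
    for r in bind_results(SAMPLE_LOG):
        print(r)
```

Feed it the contents of /var/log/dirsrv/slapd-YOUR_HOST/access after running the ldapsearch test; an empty result means no bind for that DN reached the server at all.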