[Freeipa-users] dirsrv password incorrect on replicas?

Ludwig Krispenz lkrispen at redhat.com
Fri Dec 19 08:14:23 UTC 2014


On 12/18/2014 08:16 PM, Rich Megginson wrote:
> On 12/18/2014 11:59 AM, Janelle wrote:
>> I am looking at the 2 entries in dse.ldif - and indeed they are 
>> different.  If I replace the one in question with the one from the 
>> working system, it works again.
>
> I'm assuming by "entry" you are referring to nsslapd-rootpw in cn=config.
>
>>
>> I did find - replica was created on Dec 11 at noon -- and the 
>> dse.ldif file CHANGED a day later?!?
>
> The dse.ldif file changes all the time - unique id generator state, 
> csn generator state, replication state, etc. etc.
>
> BUT - nsslapd-rootpw SHOULD NOT CHANGE
No, except if someone follows the steps to change it.
Janelle, could it be that someone else was working on that server, not 
knowing the root pw and changing it in dse.ldif?
>
>> Going to have OSSEC monitor the folders for changes in files to see 
>> what the heck is going on and WHAT changed it and if it happens again.
>>
>> thanks for the help
>> ~J
>>
>>
>> On 12/18/14 10:28 AM, Rich Megginson wrote:
>>> On 12/18/2014 09:49 AM, Janelle wrote:
>>>> Good morning/evening All,
>>>>
>>>> So, another strange thing I see with 4.1.2 running on FC21 
>>>> (server).  On some replicas if I attempt to modify the 389-ds 
>>>> backend, I get credential errors.  Even ldapsearch fails - which has 
>>>> me baffled.  I am trying to tune the servers but this has me 
>>>> confused as to what might cause something like this and where to 
>>>> start looking for a solution?
>>>>
>>>> Here is the interesting part - when the server was initially 
>>>> replicated, I was able to make changes to 389-ds, but after a few 
>>>> days, credentials now show errors:
>>>>
>>>> ldapsearch -x -LLL -D "cn=directory manager"  -b "cn=monitor" 
>>>> "(objectclass=*)" -W
>>>> Enter LDAP Password:
>>>> ldap_bind: Invalid credentials (49)
>>>
>>> This doesn't make any sense.  Directory manager passwords are not 
>>> replicated, they are local to each machine.  Directory manager 
>>> passwords do not expire, and the error message is definitely 
>>> "incorrect password" not "password expired".  There are no internal 
>>> processes that touch directory manager or its password (unless there 
>>> is something in ipa but I doubt it). So I have no idea how "all of a 
>>> sudden" directory manager password stops working.
>>>
>>> You can't recover it, you can only reset it.
>>> http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>>>
>>>>
>>>> Thoughts?
>>>> ~J
>>>>
>>>
>>
>
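The thread turns on one attribute, nsslapd-rootpw under cn=config in dse.ldif, in a file that Rich points out is rewritten constantly for other reasons. An offline check of that one value is more useful than a whole-file monitor: it tells you whether the stored hash still matches the password you believe is set, and a fingerprint of just that attribute can be compared across replicas or snapshots without the noise of the rest of the file. The following is an added example and not code from the thread, from 389-ds or from FreeIPA; it handles only the salted-SHA family of storage schemes ({SSHA}, {SSHA256}, {SSHA384}, {SSHA512}, stored as base64(digest || salt)), the dse.ldif content is constructed, and the password, salt and helper names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

# Salted-SHA schemes as 389-ds writes them: {SCHEME}base64(digest || salt).
# Other schemes (e.g. PBKDF2) are deliberately not handled here.
SSHA_SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256,
                "SSHA384": hashlib.sha384, "SSHA512": hashlib.sha512}


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space means 'continues the previous line'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fold_ldif_line(line, width=78):
    """Wrap a long LDIF line the way dse.ldif is written, with space-prefixed continuations."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def get_attr(ldif_text, dn, attr):
    """First value of `attr` in the entry whose DN is `dn` (case-insensitive), or None."""
    in_entry = False
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("dn: "):
            in_entry = line[4:].strip().lower() == dn.lower()
        elif in_entry and line.lower().startswith(attr.lower() + ": "):
            return line.split(": ", 1)[1].strip()
        elif line == "":
            in_entry = False  # a blank line ends the entry
    return None


def make_ssha(password, scheme="SSHA512", salt=None):
    """Produce a {SCHEME}base64(digest || salt) value; salt is random unless given."""
    h = SSHA_SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = h(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_ssha(password, stored):
    """Check `password` against a stored {SSHA*} value; the salt is whatever follows the digest."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a tagged password hash")
    scheme, b64 = stored[1:].split("}", 1)
    h = SSHA_SCHEMES.get(scheme.upper())
    if h is None:
        raise ValueError("unsupported scheme: " + scheme)
    blob = base64.b64decode(b64)
    dlen = h().digest_size
    digest, salt = blob[:dlen], blob[dlen:]
    calc = h(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


# Constructed sample of the cn=config entry of a dse.ldif (not taken from any real server).
# Fixed salt and password are assumptions so the sample is reproducible.
KNOWN_SALT = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
SAMPLE_ROOTPW = make_ssha("Secret123", "SSHA512", KNOWN_SALT)

SAMPLE_DSE_LDIF = "\n".join([
    "dn: cn=config",
    "cn: config",
    "objectClass: top",
    "objectClass: nsslapdConfig",
    "nsslapd-rootdn: cn=directory manager",
    "nsslapd-rootpwstoragescheme: SSHA512",
    fold_ldif_line("nsslapd-rootpw: " + SAMPLE_ROOTPW),  # long enough to be folded
    "nsslapd-port: 389",
    "",
    "dn: cn=monitor",
    "cn: monitor",
    "",
])


def check_dirmgr_password(ldif_text, candidate):
    """True if `candidate` matches the nsslapd-rootpw stored in cn=config of this dse.ldif."""
    stored = get_attr(ldif_text, "cn=config", "nsslapd-rootpw")
    if stored is None:
        raise ValueError("no nsslapd-rootpw in cn=config")
    return verify_ssha(candidate, stored)


def rootpw_fingerprint(ldif_text):
    """Short fingerprint of the stored rootpw only, for comparing replicas or snapshots
    without copying the hash itself around; unaffected by the rest of dse.ldif changing."""
    stored = get_attr(ldif_text, "cn=config", "nsslapd-rootpw") or ""
    return hashlib.sha256(stored.encode("ascii")).hexdigest()[:16]


if __name__ == "__main__":
    print("matches:", check_dirmgr_password(SAMPLE_DSE_LDIF, "Secret123"))
    print("fingerprint:", rootpw_fingerprint(SAMPLE_DSE_LDIF))
```

Run it against a copy of each replica's dse.ldif (taken while the server is stopped, or from a backup, since the running server rewrites the file) and compare the fingerprints: a replica whose fingerprint differs from the others is the one whose nsslapd-rootpw was changed, which is exactly the kind of diff a file-level OSSEC rule cannot separate from the routine generator-state updates. Note that a password check like this is only as good as the scheme it knows; an unrecognised scheme tag raises rather than silently returning False.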



