Discussion:
[Freeipa-users] Directory Manager password is correct but IPA-replica-prepare command fails with Invalid Credentials
Shiela Spaleta
2017-03-24 21:31:11 UTC
I can successfully bind as the Directory Manager, but when I use the same
password to create a replica prep file I get an "Invalid Credentials"
error. How is this possible?

I'm running FreeIPA v3.0 on CentOS 6 and created replicas successfully in
the past.

I tested the Directory Manager password by using it to change the admin user's
password:

ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=domain,dc=com

and that was successful (tested by getting a ticket as admin user with new
pwd).

But when I try to create a replica file:

# ipa-replica-prepare ipa2.shiela.com

Preparing replica for ipa2.shiela.com from ipa1.shiela.com
preparation of replica failed: Insufficient access: Invalid credentials
Insufficient access: Invalid credentials
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>
    main()
  File "/usr/sbin/ipa-replica-prepare", line 391, in main
    update_pki_admin_password(dirman_password)
  File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password
    bind_pw=dirman_password
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 712, in handle_errors
    raise errors.ACIError(info="%s %s" % (info, desc))

If anyone can shed light on this I would be grateful. I've checked
/var/log/dirsrv/PKI-IPA but it has not been any more helpful.

Shiela
Rob Crittenden
2017-03-24 22:21:47 UTC
admin != Directory Manager.

Try running kdestroy, then ipa-replica-prepare. You'll be prompted for
the DM password, that should work.

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
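The traceback in the original post fails inside update_pki_admin_password, and the poster was already looking at /var/log/dirsrv/PKI-IPA, so two separate 389 DS instances are in play: the main IPA instance and the PKI-IPA instance. The following script is an added example, not code from the thread or from FreeIPA: it binds as cn=directory manager to both instances with the same password and reports which one, if either, rejects it. The URIs (ldap://localhost:389 for the main instance, ldap://localhost:7389 for PKI-IPA) and the password file path are assumptions; adjust them for your server. The password is read with ldapwhoami -y from a file, so it never appears on a command line or in the process list.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): try the Directory
# Manager bind against both 389 DS instances on a FreeIPA 3.0 server with the
# same password, and report which instance rejects it.
# Assumptions (not stated in the thread): main instance on ldap://localhost:389,
# PKI-IPA instance (the one logging to /var/log/dirsrv/PKI-IPA) on
# ldap://localhost:7389, DM password stored in a mode-0600 file.

MAIN_URI="${MAIN_URI:-ldap://localhost:389}"
PKI_URI="${PKI_URI:-ldap://localhost:7389}"      # assumed PKI-IPA port
DM_PW_FILE="${DM_PW_FILE:-/root/.dm_password}"  # assumed path, chmod 0600

# Turn an OpenLDAP client exit status into a verdict. 49 is
# LDAP_INVALID_CREDENTIALS, 50 is LDAP_INSUFFICIENT_ACCESS.
interpret_rc() {
    case "$1" in
        0)  echo "bind ok" ;;
        49) echo "invalid credentials" ;;
        50) echo "insufficient access" ;;
        *)  echo "ldap error rc=$1" ;;
    esac
}

# Bind as cn=directory manager to one URI and print the verdict.
# The "|| rc=$?" keeps a failed bind from aborting the script under set -e.
check_dm_bind() {
    rc=0
    ldapwhoami -x -H "$1" -D 'cn=directory manager' -y "$DM_PW_FILE" >/dev/null 2>&1 || rc=$?
    interpret_rc "$rc"
}

# Combine the two verdicts. ipa-replica-prepare binds to both instances, and
# the traceback shows it failing in update_pki_admin_password, so a password
# the main instance accepts is not enough on its own.
# Prints a one-line summary; returns 0 only when both binds succeeded.
summarize() {
    main_verdict="$1"
    pki_verdict="$2"
    if [ "$main_verdict" = "bind ok" ] && [ "$pki_verdict" = "bind ok" ]; then
        echo "both instances accept the DM password"
        return 0
    elif [ "$main_verdict" = "bind ok" ]; then
        echo "main instance accepts the password, PKI-IPA instance does not ($pki_verdict)"
        return 1
    else
        echo "main instance rejects the password ($main_verdict)"
        return 1
    fi
}

# Run the live checks only when invoked with --run, so the functions can also
# be sourced or tested without touching the directory servers.
if [ "${1:-}" = "--run" ]; then
    m=$(check_dm_bind "$MAIN_URI")
    p=$(check_dm_bind "$PKI_URI")
    echo "main ($MAIN_URI): $m"
    echo "pki  ($PKI_URI): $p"
    summarize "$m" "$p"
fi
```

Create the password file with a restrictive umask (for example `umask 077; printf '%s' "$PW" > /root/.dm_password`) before running `sh check_dm.sh --run`, and remove it afterwards. If the main instance reports "bind ok" while the PKI-IPA instance reports "invalid credentials", the password that works for ldapsearch and ldappasswd is not the one the second instance holds, which matches the symptom in the thread; if both accept it, the rejection is coming from somewhere other than the simple bind and Rob's kdestroy suggestion is the next thing to try.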
Shiela Spaleta
2017-03-25 22:45:05 UTC
Thanks for your quick reply. What I mean is I am supplying the DM password
when prompted following ipa-replica-prepare. I only mentioned the admin
user password change to prove that the DM password I have is correct/valid.
Otherwise I could not have run this command (and other ldapsearch commands)
successfully:

ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com

I just wanted to show that I've tested the DM password by binding with it
(ldapsearch or ldappasswd), and it works, but using it with
ipa-replica-prepare fails. Sorry, I should have picked better examples to
explain my problem more clearly.

Sincerely,

Shiela Spaleta
Senior System Administrator
Security Compass

p: +1 (888) 777-2211 x171
m: +1 (647) 539-6366