Discussion:
[Freeipa-users] DM Password Change & Password Storage
Jeremy Utley
2017-04-12 21:06:55 UTC
Hello all! We've got 2 replicated instances of FreeIPA 4.4.0 from the EPEL
repository running on fully-updated CentOS 7 instances. We're going through
an audit right now, and I have to provide some proof of certain things
related to IPA to our auditors. Unfortunately, the person who originally
set these up evidently did not document the Directory Manager password in
our docs, so I was forced to reset this password, using the process at:

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

This was successful, and I can now bind to the DS with the new password.
I'm now trying to follow the steps at:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

A few things are rather confusing to me. I've tried Google searching
without much luck either. So hopefully you guys can answer a few questions
for me.

1) First off, the doc says:

The following procedure is only applicable to FreeIPA 3.2.1 or older. Since
FreeIPA 3.2.2 (and ticket #3594
<https://fedorahosted.org/freeipa/ticket/3594>), the procedure is automated
as a part of preparing a replica info file by using ipa-replica-prepare

So do I even need to perform these steps at all, considering I'm well
beyond 3.2.2? We don't have any intention of running ipa-replica-prepare
for the foreseeable future (we shouldn't ever need to add a third directory
server here).

2) The first step (Update LDAP bind password) seems to indicate you're
adding the new password in clear-text to the password.conf file - this
seems like a major security issue. Am I misunderstanding what is being
requested here? The old password is not in this file (all my current files
have are lines for "internal" and "replicationdb").

3) The next step regenerates the cacert.p12 file, but seems to do nothing
with it, just leaves it sitting in /root - what should be done with this
file afterward?

Thanks for any help you can give!

Jeremy Utley
Martin Bašti
2017-04-19 08:28:54 UTC
Post by Jeremy Utley
Hello all! We've got 2 replicated instances of FreeIPA 4.4.0 from the
EPEL repository running on fully-updated CentOS 7 instances. We're
going through an audit right now, and I have to provide some proof of
certain things related to IPA to our auditors. Unfortunately, the
person who originally set these up evidently did not document the
Directory Manager password in our docs, so I was forced to reset this
password, using the process at:
http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
This was successful, and I can now bind to the DS with the new
password. I'm now trying to follow the steps at:
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
A few things are rather confusing to me. I've tried Google searching
without much luck either. So hopefully you guys can answer a few
questions for me.
1) First off, the doc says:
The following procedure is only applicable to FreeIPA 3.2.1 or older.
Since FreeIPA 3.2.2 (and ticket #3594
<https://fedorahosted.org/freeipa/ticket/3594>), the procedure is
automated as a part of preparing a replica info file by using
ipa-replica-prepare
So do I even need to perform these steps at all, considering I'm well
beyond 3.2.2? We don't have any intention of running
ipa-replica-prepare for the foreseeable future (we shouldn't ever need
to add a third directory server here).
2) The first step (Update LDAP bind password) seems to indicate you're
adding the new password in clear-text to the password.conf file - this
seems like a major security issue. Am I misunderstanding what is being
requested here? The old password is not in this file (all my current
files have are lines for "internal" and "replicationdb").
3) The next step regenerates the cacert.p12 file, but seems to do
nothing with it, just leaves it sitting in /root - what should be done
with this file afterward?
Thanks for any help you can give!
Jeremy Utley
Hello,

You only have to follow this howto:
http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

The PKI parts are relevant only for old IPA servers, so with newer
versions there is no need to manually update pki servers.

Martin
--
Martin Bašti
Software Engineer
Red Hat Czech
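The 389 DS howto that Martin points to resets the Directory Manager password by writing a hashed value into the nsslapd-rootpw attribute of the cn=config entry in dse.ldif (the howto produces that value with the pwdhash tool). The following is an added example, not code from this thread, from 389 DS or from FreeIPA: it shows the classic {SSHA} storage format (salted SHA-1, base64(sha1(password || salt) || salt); the choice of {SSHA} here is an illustration, and current 389 DS releases default to a stronger scheme), verifies a password against a stored hash, and produces the two pieces of evidence an auditor asks for after such a reset: the root password is stored hashed rather than in clear text, and the new value matches the password that will be used to bind. The dse.ldif fragment, the password values and the attribute ordering are constructed for the example.

```python
"""Added example: how nsslapd-rootpw is stored after a DM password reset.

Not part of the thread, 389 DS or FreeIPA; {SSHA} is used for illustration
and the dse.ldif fragment below is constructed.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return the {SSHA} encoding: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the hash with the salt stored after the digest; compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:12])
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# A value that starts with a {SCHEME} tag is a hash; anything else is clear text.
_HASH_TAG = re.compile(r"^\{[A-Za-z0-9_-]+\}")
_ROOTPW_LINE = re.compile(r"^nsslapd-rootpw: (.*)$", re.MULTILINE)


def rootpw_is_hashed(value: str) -> bool:
    return _HASH_TAG.match(value) is not None


def rootpw_from_dse(dse_text: str) -> Optional[str]:
    """Extract the nsslapd-rootpw value from dse.ldif text (None if absent)."""
    m = _ROOTPW_LINE.search(dse_text)
    return m.group(1).strip() if m else None


def set_rootpw(dse_text: str, new_password: str) -> str:
    """Return dse.ldif text with nsslapd-rootpw replaced by a fresh {SSHA} hash.

    On a real server the instance must be stopped before dse.ldif is edited
    (ns-slapd rewrites the file on shutdown) and started again afterwards.
    """
    new_hash = ssha_hash(new_password)
    if not rootpw_is_hashed(new_hash):
        raise AssertionError("refusing to write a clear-text root password")
    updated, count = _ROOTPW_LINE.subn(lambda _m: "nsslapd-rootpw: " + new_hash, dse_text)
    if count != 1:
        raise ValueError("expected exactly one nsslapd-rootpw line, found %d" % count)
    return updated


# Constructed dse.ldif fragment: known old password, fixed salt for reproducibility.
OLD_PASSWORD = "OldDmPassw0rd!"
OLD_HASH = ssha_hash(OLD_PASSWORD, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
DSE_SAMPLE = (
    "dn: cn=config\n"
    "cn: config\n"
    "nsslapd-rootdn: cn=Directory Manager\n"
    "nsslapd-rootpw: " + OLD_HASH + "\n"
    "nsslapd-rootpwstoragescheme: SSHA\n"
)


def rotate_and_check(dse_text: str, new_password: str) -> dict:
    """Rotate the root password and return the evidence an audit would want."""
    before = rootpw_from_dse(dse_text)
    after_text = set_rootpw(dse_text, new_password)
    after = rootpw_from_dse(after_text)
    return {
        "old_hashed": rootpw_is_hashed(before),
        "new_hashed": rootpw_is_hashed(after),
        "new_matches": ssha_verify(new_password, after),
        "old_rejected": not ssha_verify(OLD_PASSWORD, after),
        "changed": before != after,
    }


if __name__ == "__main__":
    for key, value in rotate_and_check(DSE_SAMPLE, "N3wDmPassw0rd!").items():
        print(key, value)
```

The point for the audit is the shape of the stored value: a {SCHEME}-tagged hash in nsslapd-rootpw, with the old hash replaced rather than a clear-text string added anywhere. The password.conf lines the original post mentions ("internal", "replicationdb") are a separate file and are not touched by this procedure.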