My problem is what the subject says. Most of the searches I've found are what to do when you don't know the Directory Manager password. However I can confirm it is correct with ldapsearch, yet ipa-ca-install says it is wrong. I'd appreciate any hints as to where to look next.
[root@ipa3 chris]# export DMP=<password>
[root@ipa3 chris]# ldapsearch -x -D "cn=directory manager" -w $DMP -s base -b "" "objectclass=*" | head
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
#
dn:
[root@ipa3 chris]# ipa-ca-install --password=$DMP
Directory Manager password is invalid
Hi, the directory manager password provided to ipa-ca-install is validated by doing a simple bind to the LDAP URI defined in /etc/ipa/default.conf. It should contain something similar to
ldap_uri = ldapi://%2Frun%2Fslapd-DOMAIN-COM.socket
and you can try manually with (replace DOMAIN-COM with your own domain)
ldapsearch -x -D "cn=directory manager" -w $DMP -H ldapi://%2Frun%2Fslapd-DOMAIN-COM.socket -s base -b ""
I would check if the ldapi socket is enabled (nsslapd-ldapilisten: on is defined in /etc/dirsrv/slapd-DOMAIN-COM/dse.ldif), and if the ldap_uri is properly defined in /etc/ipa/default.conf. ipa-ca-install also provides a --debug option that allows you to gather more information.
flo
On Sat, Jan 1, 2022 at 6:51 PM Chris Candreva via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
My problem is what the subject says. Most of the searches I've found are what to do when you don't know the Directory Manager password. However I can confirm it is correct with ldapsearch, yet ipa-ca-install says it is wrong. I'd appreciate any hints as to where to look next.
[root@ipa3 chris]# export DMP=<password>
[root@ipa3 chris]# ldapsearch -x -D "cn=directory manager" -w $DMP -s base -b "" "objectclass=*" | head
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
#
dn:
[root@ipa3 chris]# ipa-ca-install --password=$DMP
Directory Manager password is invalid
--
========================================================================
Chris Candreva -- chris@westnet.com -- http://www.westnet.com/~chris
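The two file checks suggested in the reply above, as an added example that is not part of the thread and not FreeIPA code: the functions read ldap_uri from a default.conf-style file and look for nsslapd-ldapilisten: on in a dse.ldif-style file. The function names and the sample files are constructed for illustration; pass copies of /etc/ipa/default.conf and /etc/dirsrv/slapd-DOMAIN-COM/dse.ldif to check a real host.

```sh
#!/bin/sh
# Added example (not FreeIPA code): check the settings named in the reply above.
# Paths are arguments so the checks can be run on copies of the real files.

# Print the ldap_uri value from a default.conf-style file.
get_ldap_uri() {
    sed -n 's/^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# ldapi://%2Frun%2Fslapd-X.socket -> /run/slapd-X.socket (only %2F is decoded).
# Returns 1 for a URI that is not ldapi://.
ldapi_socket_path() {
    case "$1" in
        ldapi://*) printf '%s\n' "${1#ldapi://}" | sed 's|%2[Ff]|/|g' ;;
        *) return 1 ;;
    esac
}

# Succeeds if a dse.ldif-style file has nsslapd-ldapilisten: on.
ldapi_listen_enabled() {
    grep -qi '^nsslapd-ldapilisten:[[:space:]]*on[[:space:]]*$' "$1"
}

# check_ldapi DEFAULT_CONF DSE_LDIF: prints one finding, non-zero on a problem.
check_ldapi() {
    uri=$(get_ldap_uri "$1")
    [ -n "$uri" ] || { echo "no ldap_uri in $1"; return 2; }
    sock=$(ldapi_socket_path "$uri") || { echo "ldap_uri is not ldapi: $uri"; return 3; }
    ldapi_listen_enabled "$2" || { echo "nsslapd-ldapilisten is not on in $2"; return 4; }
    echo "ldapi enabled, bind target: $sock"
}

# Constructed sample files (DOMAIN-COM is the placeholder used in the reply).
write_samples() {
    printf '[global]\nldap_uri = ldapi://%%2Frun%%2Fslapd-DOMAIN-COM.socket\n' > "$1/default.conf"
    printf 'dn: cn=config\nnsslapd-ldapilisten: on\n' > "$1/dse.ldif"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_ldapi "$demo_dir/default.conf" "$demo_dir/dse.ldif"
rm -rf "$demo_dir"
```

A passing result only shows that the configuration points at an enabled ldapi socket; the bind itself is still tested with the ldapsearch command from the reply.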