I am setting up a new IPA instance to provide DNS and CA services in a team lab. I have to decide what to use for the Directory Manager password — our standard, not very secure root password or something else, which no one will ever remember. Any thoughts? Is it still a major project to change the DM password? How hard is it to recover/reset it these days? (This will be IPA 4.6 on RHEL 7.)

On 4/16/19 10:14 PM, Rob Crittenden wrote: > It isn't a huge deal to change the DM password but in practice you'd > want to do it on all masters (not replicated) so while not the end of > the world it can be at best annoying. We'll only have a single master, so that doesn't sound too bad. > Though with root DM can be reset so with having a crappy root password > in effect it doesn't matter what DM is (e.g. someone could already have > the keys to the Kingdom). Right.  I'm hoping to tighten up the root/admin password situation, but that will have to wait until I can get some consensus from the remainder of my team.  Changing those passwords is a known, straightforward process, though. In contrast, a fair bit of Googling leaves me unsure what the DM password change procedure even is for IPA 4.6. > I'd set both to something(s) you can remember. When you need it the last > thing you'll want to do is run around resetting it. My experience is that the Directory Manager password is used very infrequently, so the odds of remembering it (if it is different than the admin password) are very low.

On 4/17/19 9:45 AM, Rob Crittenden wrote: > https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password That page says:  The following procedure is only applicable to FreeIPA 3.2.1 or older.  Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a  part of preparing a replica info file by using ipa-replica-prepare So it's really not clear what one is supposed to do for 4.6.