Description of problem:
ipa-replica-prepare "profits" to set admin password same as "cn=directory manager" password. While this was required in RHEL6, it's not more the case in RHEL7 where the passwords can differ. And it could be also a problem if the password policy has been set with particular settings applied to the admin password. As "cn=directory manager" password does not need to comply with password policy and admin password must comply, we could have failures because of this attempt to change password.
More precisely, I am talking about this part of the code of ipa-replica-prepare:
=============================
if os.path.isfile(options.ca_file):
# Since it is possible that the Directory Manager password
# has changed since ipa-server-install, we need to regenerate
# the CA PKCS#12 file and update the pki admin user password
self.regenerate_ca_file(options.ca_file)
self.update_pki_admin_password()
self.copy_info_file(options.ca_file, "cacert.p12")
===============================
update_pki_admin_password:
====================================================
def update_pki_admin_password(self):
dn = DN('uid=admin', 'ou=people', 'o=ipaca')
api.Backend.ldap2.modify_password(dn, self.dirman_password)
====================================================
Particularly, we have a customer with this failure in ipa-replica-prepare:
self.update_pki_admin_password()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepar
e.py", line 586, in update_pki_admin_password
api.Backend.ldap2.modify_password(dn, self.dirman_password)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py",
line 390, in modify_password
self.conn.passwd_s(str(dn), old_pass, new_pass)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
975, in error_handler
raise errors.DatabaseError(desc=desc, info=info)
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: DatabaseError:
Constraint
violation: Password reuse not permitted
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Constraint violation: Password reuse not permitted
Because its global password policy has a:
History size: 24
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:3936
Description of problem: ipa-replica-prepare "profits" to set admin password same as "cn=directory manager" password. While this was required in RHEL6, it's not more the case in RHEL7 where the passwords can differ. And it could be also a problem if the password policy has been set with particular settings applied to the admin password. As "cn=directory manager" password does not need to comply with password policy and admin password must comply, we could have failures because of this attempt to change password. More precisely, I am talking about this part of the code of ipa-replica-prepare: ============================= if os.path.isfile(options.ca_file): # Since it is possible that the Directory Manager password # has changed since ipa-server-install, we need to regenerate # the CA PKCS#12 file and update the pki admin user password self.regenerate_ca_file(options.ca_file) self.update_pki_admin_password() self.copy_info_file(options.ca_file, "cacert.p12") =============================== update_pki_admin_password: ==================================================== def update_pki_admin_password(self): dn = DN('uid=admin', 'ou=people', 'o=ipaca') api.Backend.ldap2.modify_password(dn, self.dirman_password) ==================================================== Particularly, we have a customer with this failure in ipa-replica-prepare: self.update_pki_admin_password() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepar e.py", line 586, in update_pki_admin_password api.Backend.ldap2.modify_password(dn, self.dirman_password) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 390, in modify_password self.conn.passwd_s(str(dn), old_pass, new_pass) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 975, in error_handler raise errors.DatabaseError(desc=desc, info=info) ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: DatabaseError: Constraint violation: Password reuse not permitted ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint violation: Password reuse not permitted Because its global password policy has a: History size: 24 Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: