How to reset freeIPA admin password
If you have forgotten the admin password for FreeIPA and want to reset it, this article walks through the process. It is fairly straightforward as long as you still know the "Directory Manager" password. If you have forgotten the "Directory Manager" password as well, reset that one first (see the second part of this article) and then come back to the admin reset.
The IPA admin password can be set with the ldappasswd utility. Bind as the Directory Manager (cn=directory manager) to perform this task. The -ZZ flag forces StartTLS so that neither the bind password nor the new admin password crosses the network in clear text, and LDAPTLS_CACERT points the client at the IPA CA certificate so that the server certificate is actually verified rather than ignored.
# export LDAPTLS_CACERT=/etc/ipa/ca.crt
# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com -H ldap://ipa.example.com
New password:
Re-enter new password:
Enter LDAP Password:
Replace dc=example,dc=com with the base DN of your domain and ipa.example.com with the FQDN of one of your IPA servers. The first two prompts ask for the new admin password (because of -S); the third prompt asks for the Directory Manager password used for the bind (because of -W).
Test it by requesting a new Kerberos ticket:
# kinit admin
Password for admin@EXAMPLE.COM:
Provide the newly set password and press Enter. When done, list the tickets you hold with "klist":
[root@freeipa /]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM
Valid starting Expires Service principal
04/06/20 20:40:34 04/07/20 20:40:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@freeipa /]#
A krbtgt for admin@EXAMPLE.COM in the output confirms the KDC accepted the new password. You can now log in to FreeIPA (web UI and ipa command line) with the new admin password.
If you have forgotten the Directory Manager password as well, reset it as follows. This requires root on the FreeIPA server, since the new password is written directly into the Directory Server configuration.
1. Log in as root on the FreeIPA server and stop the Directory Server instance:
/sbin/stop-dirsrv <INSTANCE-NAME>
INSTANCE-NAME is the part after "slapd-" in the instance directory under "/etc/dirsrv/"; in our case it is "EXAMPLE-COM", so the directory is /etc/dirsrv/slapd-EXAMPLE-COM. On systemd-based releases, "systemctl stop dirsrv@EXAMPLE-COM" does the same thing. The server must be stopped before you touch dse.ldif: 389 Directory Server writes that file out on shutdown, so an edit made while the instance is running would be overwritten.
2. Once the directory service is stopped, generate a hash of the new password:
/usr/bin/pwdhash newpassword
Note that a password typed on the command line ends up in the shell history and is briefly visible in the process list, so remove that history entry afterwards.
3. In the configuration directory, open the dse.ldif file. For example:
vi /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
Replace EXAMPLE-COM with your correct Instance name value.
4. Locate the "nsslapd-rootpw" parameter. Delete the old value and paste in the hash exactly as pwdhash printed it, including the {SSHA} scheme prefix. Save and exit.
For example:
nsslapd-rootpw: {SSHA}nbR/ZeVTwZLw6aJH6oc40ccDBi0OaeleUoT21w==
5. Start the Directory Server.
/sbin/start-dirsrv <INSTANCE-NAME>
6. When the Directory Server is running again, bind as Directory Manager (through the legacy Directory Server Console, or with any LDAP client such as ldapsearch binding as cn=directory manager) and verify that the new password works. With the Directory Manager password known again, you can go back to the first part of this article to reset the admin password.
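As an added example, not code from the original article or from the FreeIPA project, the bash script below carries out steps 3 and 4 without hand-editing dse.ldif: it refuses to write anything that does not look like a pwdhash output (so a plaintext password cannot slip in), requires exactly one nsslapd-rootpw line, keeps a mode-0600 backup, writes into the existing file so the dirsrv ownership and permissions are preserved, and re-reads the file to confirm the rewrite. The path /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and the instance name EXAMPLE-COM are the page's placeholders; the function names, the sample dse.ldif fragment and the systemd unit name dirsrv@<INSTANCE> used for the stop check are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example: replace nsslapd-rootpw in a 389-ds dse.ldif with a pre-computed hash.
# Not part of the original article or of FreeIPA; function names are this example's own.
# Run it only while the instance is stopped (the server rewrites dse.ldif on shutdown).
set -euo pipefail

# Count "nsslapd-rootpw:" attribute lines in a dse.ldif (prints 0 when absent).
rootpw_attr_count() {
    grep -c '^nsslapd-rootpw: ' "$1" || true
}

# Report whether the dirsrv systemd unit for an instance (e.g. EXAMPLE-COM) is inactive.
# Assumes the unit name dirsrv@<INSTANCE>; returns 1 when systemctl is unavailable.
dirsrv_is_stopped() {
    command -v systemctl >/dev/null 2>&1 || return 1
    ! systemctl is-active --quiet "dirsrv@$1"
}

# set_rootpw_hash <dse.ldif> <hash-from-pwdhash>
# Refuses plaintext, requires exactly one nsslapd-rootpw line, keeps a 0600 backup,
# and verifies the line after the rewrite.
set_rootpw_hash() {
    local dse="$1" newhash="$2" n
    case "$newhash" in
        '{'[A-Z0-9_]*'}'*) ;;   # looks like a 389-ds hash, e.g. {SSHA}..., {PBKDF2_SHA256}...
        # Deliberately do not echo the rejected value: it may be the plaintext password.
        *) echo "refusing: value is not a {SCHEME}hash as printed by pwdhash" >&2; return 1 ;;
    esac
    [ -r "$dse" ] || { echo "cannot read $dse" >&2; return 1; }
    n=$(rootpw_attr_count "$dse")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one nsslapd-rootpw line in $dse, found $n" >&2
        return 1
    fi
    # Backup with the original ownership, then tighten to 0600: the hash is secret material.
    cp -p "$dse" "$dse.bak"
    chmod 600 "$dse.bak"
    # awk rather than sed: the hash contains '/', '+' and '=' and must not be parsed as a pattern.
    awk -v h="$newhash" '/^nsslapd-rootpw: / { print "nsslapd-rootpw: " h; next } { print }' \
        "$dse" > "$dse.tmp"
    # Write into the existing inode so the file keeps the dirsrv owner and permissions.
    cat "$dse.tmp" > "$dse"
    rm -f "$dse.tmp"
    # Verify the exact line is now present (-x whole line, -F no regex interpretation).
    grep -qxF "nsslapd-rootpw: $newhash" "$dse"
}

# Example invocation on the server (password placeholder; the hash comes from step 2):
#   dirsrv_is_stopped EXAMPLE-COM || { echo "stop the instance first" >&2; exit 1; }
#   hash=$(/usr/bin/pwdhash 'NewDirMgrPassw0rd')
#   set_rootpw_hash /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif "$hash"
```

The plaintext check is a cheap guard against the classic mistake of pasting the password itself into nsslapd-rootpw; 389-ds would accept a plaintext value there, which would leave the Directory Manager password readable by anyone who can read the config file. Keep the .bak file only as long as you need it, since it still holds the previous hash.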