
    How to reset freeIPA admin password?

    FreeIPA Admin reset

    If you have forgotten the FreeIPA admin password and want to reset it, this article walks you through it. The process is straightforward as long as you still know the "Directory Manager" password, because that account can write any user's password directly in LDAP. If you have forgotten the Directory Manager password as well, reset that one first (covered in the second half of this article) and then come back here.

    The IPA admin password can be set with the ldappasswd utility, binding as the Directory Manager account. The -ZZ option forces StartTLS and aborts if it cannot be negotiated, so point LDAPTLS_CACERT at the IPA CA certificate first; -S prompts for the new password instead of taking it on the command line, where it would end up in your shell history and in the process list.

    # export LDAPTLS_CACERT=/etc/ipa/ca.crt
    # ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com -H ldap://ipa.example.com
    New password:
    Re-enter new password:
    Enter LDAP Password:

    Replace dc=example,dc=com with your domain's base DN and ipa.example.com with the FQDN of an IPA server (the one you are logged in to is fine).

    Test it by requesting a new Kerberos ticket:

    # kinit admin
    Password for admin@EXAMPLE.COM:

    Enter the newly set password. If kinit returns without an error, list the tickets in the cache with klist:

    [root@freeipa /]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXAMPLE.COM

    Valid starting     Expires            Service principal
    04/06/20 20:40:34  04/07/20 20:40:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    [root@freeipa /]#

    A krbtgt entry like the one above means the KDC accepted the new password. You can now log in to FreeIPA (web UI and CLI) with it.

    If you have also forgotten the Directory Manager password, reset it as follows. Unlike user passwords, it is not stored in the LDAP database but as the nsslapd-rootpw attribute of cn=config in the instance's dse.ldif file, so it can be changed while the server is offline.

    1. Log in as root on the FreeIPA server and stop the Directory Server instance. This step is required: 389-ds keeps dse.ldif in sync with its in-memory configuration and would overwrite a hand edit made while it is running.

    /sbin/stop-dirsrv <INSTANCE-NAME>

    On a systemd host, "systemctl stop dirsrv@<INSTANCE-NAME>" does the same. The other IPA services (KDC, httpd, named) will log errors while LDAP is down; if that matters, use "ipactl stop" to stop the whole stack and "ipactl start" later to bring it back in the right order.

    INSTANCE-NAME is the part after "slapd-" in the instance directory under /etc/dirsrv/. In our case /etc/dirsrv/slapd-EXAMPLE-COM gives "EXAMPLE-COM".

    2. Once the instance is stopped, generate a salted hash of the new password with pwdhash (shipped with 389-ds). Note that the password passed as an argument is visible in your shell history and, briefly, in the process list; clear the history entry afterwards.

    /usr/bin/pwdhash newpassword

    3. Open dse.ldif in the instance's configuration directory. For example:

    vi /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

    Replace EXAMPLE-COM with your instance name.

    4. Locate the "nsslapd-rootpw" attribute in the cn=config entry. Delete the old value and paste in the complete string printed by pwdhash, including the {SCHEME} prefix, which tells the server how to verify the password. Save and exit.
    For example:
    nsslapd-rootpw: {SSHA}nbR/ZeVTwZLw6aJH6oc40ccDBi0OaeleUoT21w==

    5. Start the Directory Server (or "ipactl start" if you stopped the whole stack).

    /sbin/start-dirsrv <INSTANCE-NAME>

    6. Once the instance is up, verify that the new password works by binding as Directory Manager, for example with ldapsearch using the same -ZZ, -D and -W options as the ldappasswd command above. A successful bind confirms the hash was read correctly; a bind error at this point usually means a typo in the pasted hash, so restore your backup of dse.ldif and repeat steps 1 to 5.
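    The following Python script is an added example for this article, not a tool shipped with FreeIPA or 389-ds. It automates steps 2 to 4 above and shows what pwdhash actually produces: a {SCHEME}-tagged base64 string holding digest(password || salt) followed by the 8-byte salt, which is why the page's {SSHA} example decodes to 28 bytes (20-byte SHA-1 digest plus salt). The script reads the new password without echo so nothing lands in the shell history, writes the hash into the nsslapd-rootpw attribute, handles the LDIF "::" base64 form and folded continuation lines, keeps a .bak copy, and replaces dse.ldif atomically while preserving its owner and mode. It assumes it runs as root on the IPA server with the instance already stopped, and that dse.ldif lives at /etc/dirsrv/slapd-<INSTANCE>/dse.ldif; the file path and the SCHEMES table are the only things it takes for granted.

```python
#!/usr/bin/env python3
"""Offline reset of the 389-ds Directory Manager password.

Added example for this article, not FreeIPA's or 389-ds's own tooling.
Assumptions: runs as root on the IPA server, the instance is stopped
(ipactl stop, or systemctl stop dirsrv@INSTANCE), and dse.ldif lives at
/etc/dirsrv/slapd-INSTANCE/dse.ldif. The hash layout mirrors pwdhash output:
{SCHEME} + base64(digest(password || salt) || salt).
"""
import base64
import getpass
import hashlib
import hmac
import os
import secrets
import sys
import tempfile

# Salted schemes 389-ds understands: digest algorithm and digest length in bytes.
SCHEMES = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}


def make_hash(password: str, scheme: str = "SSHA512", salt: bytes = None) -> str:
    """Build a salted hash in 389-ds on-disk form, e.g. {SSHA512}base64(...)."""
    algo, _ = SCHEMES[scheme]
    salt = salt if salt is not None else secrets.token_bytes(8)  # 8 bytes, like pwdhash
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_hash(password: str, stored: str) -> bool:
    """Verify a password against a {SSHA*} value: digest first, salt after it."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a tagged hash: %r" % stored)
    scheme, b64 = stored[1:].split("}", 1)
    algo, dlen = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64)
    digest, salt = raw[:dlen], raw[dlen:]
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time compare


def set_rootpw(dse_path: str, new_hash: str) -> int:
    """Replace nsslapd-rootpw in dse.ldif; return the number of values replaced.

    Accepts both 'attr: value' and base64 'attr:: value' forms, drops LDIF
    continuation lines (leading space) of the old value, keeps a .bak copy,
    and preserves the file's owner and mode so dirsrv can read it on start-up.
    """
    with open(dse_path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines(keepends=True)
    out, replaced, skipping = [], 0, False
    for line in lines:
        if skipping and line.startswith(" "):  # folded remainder of the old value
            continue
        skipping = False
        if line.lower().startswith("nsslapd-rootpw:"):
            out.append("nsslapd-rootpw: %s\n" % new_hash)
            replaced += 1
            skipping = True
            continue
        out.append(line)
    if replaced != 1:
        raise RuntimeError("expected exactly one nsslapd-rootpw, found %d" % replaced)
    st = os.stat(dse_path)
    backup = dse_path + ".bak"
    with open(backup, "w", encoding="utf-8") as fh:
        fh.writelines(lines)
    os.chmod(backup, 0o600)  # the old hash is still a secret
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dse_path) or ".", prefix=".dse.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.writelines(out)
    os.chown(tmp, st.st_uid, st.st_gid)
    os.chmod(tmp, st.st_mode & 0o777)
    os.replace(tmp, dse_path)  # atomic: never leaves a half-written dse.ldif
    return replaced


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: reset-dm-password.py INSTANCE-NAME   (e.g. EXAMPLE-COM)")
    path = "/etc/dirsrv/slapd-%s/dse.ldif" % sys.argv[1]  # assumed layout
    pw = getpass.getpass("New Directory Manager password: ")
    if pw != getpass.getpass("Re-enter new password: "):
        sys.exit("passwords do not match")
    h = make_hash(pw)
    assert check_hash(pw, h)  # self-check before touching the config
    set_rootpw(path, h)
    print("nsslapd-rootpw updated in %s; start the instance and verify the bind" % path)
```

    Run it with the instance stopped, then start the instance and test the bind as in step 6. If the bind fails, the untouched copy is in dse.ldif.bak next to the original.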
