If you ever forget the FreeIPA admin password, you can always reset it as root. This guide shows how to reset the FreeIPA admin password on Linux from a root shell, or from an account with sudo privileges, on the FreeIPA server itself.
Resetting the admin password requires the Directory Manager password of the underlying 389 Directory Server. If that password is also lost, reset it first (Step 1); otherwise go straight to Step 2.
Step 1: Reset Directory Manager Password (if lost)
If you know the Directory Manager password, skip this step. Log in to your FreeIPA server as root (or as a user with sudo privileges) and stop the 389 Directory Server instance. This must happen before you edit the main configuration file dse.ldif: the server rewrites that file from memory on shutdown, so any change made while it is still running is lost.
sudo /sbin/stop-dirsrv <INSTANCE-NAME>
The instance name is the suffix of the slapd-<INSTANCE-NAME> directory under /etc/dirsrv/ (for example, /etc/dirsrv/slapd-DOMAIN-COM gives the instance name DOMAIN-COM). Example:
sudo /sbin/stop-dirsrv DOMAIN-COM
On a full FreeIPA server you can use sudo ipactl stop instead, which stops the directory server together with the services that depend on it (KDC, HTTP, CA) so they do not log errors while the directory is down; bring everything back with sudo ipactl start once the edit is done.
Once the service is stopped, generate a hash of the new Directory Manager password:
sudo /usr/bin/pwdhash StrongPassword
Replace StrongPassword with the password you want to set. Note that a password passed on the command line ends up in your shell history and is visible to other users in the process list while pwdhash runs, so do this on the server itself rather than on a shared host; in bash, prefixing the command with a space keeps it out of the history when HISTCONTROL includes ignorespace. The output is the hashed value, for example:
{SSHA512}x6XGO1wpxYFpNFZrirBjLUqXfepGtSKdR/Gv/2Pdx6uc5Apy4zDFNvGHpR8iJO4CLim4m/CIWaqfnfQ2XuUskhCK09w5zsnb
Edit the 389 Directory Server configuration file to set the new hashed password:
sudo vim /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
Replace EXAMPLE-COM with your instance name. Search for the line starting with nsslapd-rootpw and replace its value with the hash you generated. LDIF may fold a long value onto continuation lines that begin with a single space; if the old hash is folded like that, delete the continuation lines as well so that only your new single line remains:
nsslapd-rootpw: {SSHA512}x6XGO1wpxYFpNFZrirBjLUqXfepGtSKdR/Gv/2Pdx6uc5Apy4zDFNvGHpR8iJO4CLim4m/CIWaqfnfQ2XuUskhCK09w5zsnb
When done, start the directory service again:
sudo /sbin/start-dirsrv <INSTANCE-NAME>
Then test the new password by binding as Directory Manager. Use -W so that the password is prompted for rather than written on the command line:
ldapsearch -x -D "cn=Directory Manager" -W -s base -b "" "objectclass=*"
A successful bind prints the root DSE. An "Invalid credentials (49)" error means the new hash was not written, most often because the server was still running when dse.ldif was edited; stop it and repeat the edit.
Step 2: Reset FreeIPA admin password on Linux
Now that you have the Directory Manager password, you can reset the FreeIPA admin password.
Start by pointing the LDAP client at the FreeIPA CA certificate so that the StartTLS handshake can be verified:
export LDAPTLS_CACERT=/etc/ipa/ca.crt
Then reset the admin password. Run this as your normal user, not under sudo: ldappasswd is only an LDAP client and needs no privileges, and sudo's default env_reset would discard the LDAPTLS_CACERT variable you just exported:
ldappasswd -ZZ -D 'cn=Directory Manager' -W -S \
uid=admin,cn=users,cn=accounts,dc=example,dc=com \
-H ldap://ldap.example.com
Replace:
- example and com with your domain components (the base DN is also listed as basedn in /etc/ipa/default.conf)
- ldap.example.com with the resolvable hostname of your FreeIPA server, i.e. the name in its TLS certificate; -ZZ makes StartTLS mandatory and aborts if the certificate cannot be verified
You will be asked for the new admin password (twice) and then for the Directory Manager password:
New password:
Re-enter new password:
Enter LDAP Password:
The new FreeIPA admin password should now be set. Test it by requesting a Kerberos ticket:
$ kinit admin
Password for admin@EXAMPLE.COM:
Enter the new password and press <Enter>. If FreeIPA treats the administratively reset password as expired, kinit says so and prompts you to choose a replacement; do that, and use the replacement from then on. Then list the tickets to confirm it worked:
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/17/2018 09:22:56  10/18/2018 09:22:50  krbtgt/EXAMPLE.COM@EXAMPLE.COM
The new password should also be accepted on the FreeIPA web login page.
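Both steps above as one script, added here as an example; it is not the guide's own code. It assumes a FreeIPA server with the stop-dirsrv/start-dirsrv helpers used above, the LDAPI socket at /var/run/slapd-<INSTANCE>.socket, and host and basedn lines in /etc/ipa/default.conf (all present on a default install, but check yours). The dse.ldif helpers take file paths so you can try them on a copy first; they cope with LDIF-folded values and keep a .bak of the file.

```shell
#!/bin/sh
# Added example, not from the original guide. Run as root on the FreeIPA
# server:  ./ipa-reset.sh dm  (Step 1 then Step 2)  |  ./ipa-reset.sh admin
# Assumed: /sbin/stop-dirsrv, /sbin/start-dirsrv, LDAPI socket path,
# host/basedn keys in /etc/ipa/default.conf.
set -eu

# Instance name is the suffix of the single /etc/dirsrv/slapd-<NAME> directory.
ipa_instance_name() {
    root=${1:-/etc/dirsrv}
    found=
    for d in "$root"/slapd-*; do
        [ -d "$d" ] || continue
        if [ -n "$found" ]; then
            echo "several slapd-* instances under $root; pass the name explicitly" >&2
            return 1
        fi
        found=${d##*/slapd-}
    done
    [ -n "$found" ] || { echo "no slapd-* instance under $root" >&2; return 1; }
    printf '%s\n' "$found"
}

# Replace nsslapd-rootpw in a dse.ldif. LDIF folds long values onto
# continuation lines starting with a space (RFC 2849), so the attribute line
# and any continuation lines are dropped together and one unfolded line is
# written instead. A .bak copy is kept; writing through ">" preserves the
# file's owner and mode, which the dirsrv user needs.
set_rootpw_hash() {
    dse=$1
    cp -p "$dse" "$dse.bak"
    awk -v newline="nsslapd-rootpw: $2" '
        skip && /^ / { next }
        { skip = 0 }
        /^nsslapd-rootpw:/ { print newline; skip = 1; next }
        { print }
    ' "$dse.bak" > "$dse"
}

# Read back the (unfolded) nsslapd-rootpw value, for verification.
get_rootpw_hash() {
    awk '
        /^nsslapd-rootpw:/ { v = substr($0, index($0, ":") + 2); found = 1; next }
        found && /^ / { v = v substr($0, 2); next }
        found { exit }
        END { print v }
    ' "$1"
}

# Prompt without echo and store the secret in a mode-0600 temp file with no
# trailing newline, the format ldapsearch/ldappasswd -y and -T expect. This
# keeps passwords off the command line, out of ps and out of shell history.
secret_file() {
    f=$(umask 077 && mktemp)
    printf '%s: ' "$1" >&2
    stty -echo; read -r s; stty echo; echo >&2
    printf '%s' "$s" > "$f"
    printf '%s\n' "$f"
}

# Step 1: stop the instance (it rewrites dse.ldif on shutdown), swap the hash,
# start it, and prove the new password with a simple bind over the local LDAPI
# socket so the plaintext never leaves the host.
reset_directory_manager() {
    instance=$1; dmfile=$2
    pwhash=$(/usr/bin/pwdhash -s SSHA512 "$(cat "$dmfile")")   # briefly visible in ps
    /sbin/stop-dirsrv "$instance"
    set_rootpw_hash "/etc/dirsrv/slapd-$instance/dse.ldif" "$pwhash"
    /sbin/start-dirsrv "$instance"
    ldapsearch -x -H "ldapi://%2fvar%2frun%2fslapd-$instance.socket" \
        -D 'cn=Directory Manager' -y "$dmfile" -s base -b '' 'objectclass=*' >/dev/null
}

# Step 2: set admin's password as Directory Manager over StartTLS, then prove
# it with Kerberos. LDAPTLS_CACERT is set inline; no sudo, which would drop it.
reset_ipa_admin() {
    host=$1; basedn=$2; dmfile=$3; newfile=$4
    LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -ZZ -H "ldap://$host" \
        -D 'cn=Directory Manager' -y "$dmfile" -T "$newfile" \
        "uid=admin,cn=users,cn=accounts,$basedn"
    # If FreeIPA marks the reset password as expired, kinit asks for a new one
    # and this non-interactive call fails; rerun "kinit admin" by hand then.
    { cat "$newfile"; echo; } | kinit admin && klist
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    host=$(sed -n 's/^host *= *//p' /etc/ipa/default.conf)
    basedn=$(sed -n 's/^basedn *= *//p' /etc/ipa/default.conf)
    case $1 in
        dm)    instance=$(ipa_instance_name)
               dmfile=$(secret_file 'New Directory Manager password')
               reset_directory_manager "$instance" "$dmfile" ;;
        admin) dmfile=$(secret_file 'Directory Manager password') ;;
        *)     echo "usage: $0 dm|admin" >&2; return 1 ;;
    esac
    newfile=$(secret_file 'New FreeIPA admin password')
    reset_ipa_admin "$host" "$basedn" "$dmfile" "$newfile"
    rm -f "$dmfile" "$newfile"
}
if [ $# -gt 0 ]; then main "$1"; fi
```

The one place a plaintext password is still exposed is the pwdhash call, which takes it as an argument; the -y and -T password files are used everywhere else precisely to avoid that, and they are removed at the end. The LDAPI bind in Step 1 is the same check as the ldapsearch above, just over the local socket.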
Thanks for using our guide to reset the FreeIPA admin password. See also our FreeIPA server installation guides:
- Install FreeIPA Server on Ubuntu
- Configure FreeIPA Client on Ubuntu / CentOS 7
- Run FreeIPA Server in Docker / Podman Containers
- How To Configure Jenkins FreeIPA LDAP Authentication
- Configure GitLab FreeIPA LDAP Authentication