Friday, October 5, 2012

Reset FreeIPA admin password...

Well, the other day it happened that I forgot password for admin user on FreeIPA2 installation. But, since I had root on that same machine, I didn't panicked. Instead, I fired up Google to see how to reset it. This actually wasn't so easy. For example, if you use search keywords 'freeipa admin reset', you'll get posts about replicas, KDC, and who knows what not. In the end, I managed to dig this post. So, I run the given command:
[root@ipa1 ~]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd \
           -ZZ -D 'cn=directory manager' -W \
           -S uid=admin,cn=users,cn=accounts,dc=domain,dc=com

New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password reuse not permitted
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MIQAAAADgQEI
ppolicy: error=8 (New password is in list of old passwords)
But something wasn't right. It asked me to enter LDAP password, that's directory manager's password, but when I entered what I thought should be the password, it complained of password reuse. On the other hand, if I entered some random string, then it clearly said that credentials are invalid:
[root@ipa1 ~]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd \
            -ZZ -D 'cn=directory manager' -W \
            -S uid=admin,cn=users,cn=accounts,dc=domain,dc=com

New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
So, I decided to reset directory manager's password too. This was easier to find, and it is explained here. Well, you have to be careful when following that text since it is written for two different versions of directory server and you have to follow the one that's right for you. After you reset directory manager's password go back and reset FreeIPA's admin password. When it asks 'Enter LDAP Password:' type in directory manager's password you've just changed.

1 comment:

chandan kumar said...

So when I changed the directory server password as per http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

and then I execute LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -ZZ -D 'cn=directory manager' -W uid=admin,cn=users,cn=accounts,dc=domain,dc=net

I get
Result: Server is unwilling to perform (53)
Additional info: Password generation not implemented.

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive