If you ever forget FreeIPA Admin password, you can always reset it as root user. This guide will help you to reset a FreeIPA admin password on Linux using the root shell or a user account with sudo privileges.

Note that to reset FreeIPA admin password, you need to have a Directory Manager password, if not, you’ll have to reset  Directory Manager password before FreeIPA admin password.

Step 1: Reset Directory Manager Password ( If lost)

If you know the Directory Manager password, you can skip this step. Login as the root user or user with sudo privilege to your FreeIPA server and shutdown FreeIPA server. If the server is running and you make a change to the main configuration file dse.ldif, your changes will be lost.

sudo /sbin/stop-dirsrv <INSTANCE-NAME>

You can get your instance name from /etc/dirsrv/slapd. Example

sudo /sbin/stop-dirsrv DOMAIN-COM

Once the service is stopped, generate a new hashed Directory  Manage password.

sudo /usr/bin/pwdhash StrongPassword

Replace StrongPassword with your actual strong password. On generation, you should get output like this:


Edit your 389 Directory configuration file to set the new hashed password

sudo vim /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif

Replace EXAMPLE-COM with your correct Instance name value. Search for the line starting with nsslapd-rootpw, then replace its value with your generated password value.

nsslapd-rootpw: {SSHA512}x6XGO1wpxYFpNFZrirBjLUqXfepGtSKdR/Gv/2Pdx6uc5Apy4zDFNvGHpR8iJO4CLim4m/CIWaqfnfQ2XuUskhCK09w5zsnb

When done, restart 389 directory service

/sbin/start-dirsrv <INSTANCE-NAME>

Then test your new password

ldapsearch -x -D "cn=directory manager" -w newpassword -s base -b "" "objectclass=*"

Step 2: Reset FreeIPA admin password on Linux

Now that you have the Directory Manager password, you should be ready to reset FreeIPA admin password.

Start by exporting LDAP TLS certificate path

export LDAPTLS_CACERT=/etc/ipa/ca.crt

Then reset the admin password

ldappasswd -ZZ -D 'cn=Directory Manager' -W -S \
uid=admin,cn=users,cn=accounts,dc=example,dc=com \
-H ldap://ldap.example.com


  • example and com with your domain components
  • ldap.example.com with your resolvable FreeIPA Server hostname

You’ll be asked to provide a new password & Directory Manager Password

New password:
Re-enter new password:
Enter LDAP Password:

Your new FreeIPA admin password should be set, test by requesting a new Kerberos ticket:

# kinit admin
Password for [email protected]:

Provide the newly set password and press <Enter>. When done, list available tickets to confirm it is working

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting Expires Service principal
10/17/2018 09:22:56 10/18/2018 09:22:50 krbtgt/[email protected]

If you access the FreeIPA login page, the new password should be accepted for authentication.

freeipa login min

Thanks for using our guide to reset FreeIPA admin password. Check installation of FreeIPA Server guides:

Install FreeIPA Server on Ubuntu

Configure FreeIPA Client on Ubuntu 18.04 / CentOS 7

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.


Please enter your comment!
Please enter your name here