If you ever forget FreeIPA Admin password, you can always reset it as root user. This guide will help you to reset a FreeIPA admin password on Linux using the root shell or a user account with sudo privileges.
Note that to reset FreeIPA admin password, you need to have a Directory Manager password, if not, you’ll have to reset Directory Manager password before FreeIPA admin password.
Step 1: Reset Directory Manager Password ( If lost)
If you know the Directory Manager password, you can skip this step. Login as the root user or user with sudo privilege to your FreeIPA server and shutdown FreeIPA server. If the server is running and you make a change to the main configuration file
dse.ldif, your changes will be lost.
sudo /sbin/stop-dirsrv <INSTANCE-NAME>
You can get your instance name from
sudo /sbin/stop-dirsrv DOMAIN-COM
Once the service is stopped, generate a new hashed Directory Manage password.
sudo /usr/bin/pwdhash StrongPassword
StrongPassword with your actual strong password. On generation, you should get output like this:
Edit your 389 Directory configuration file to set the new hashed password
sudo vim /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
EXAMPLE-COM with your correct Instance name value. Search for the line starting with
nsslapd-rootpw, then replace its value with your generated password value.
When done, restart 389 directory service
Then test your new password
ldapsearch -x -D "cn=directory manager" -w newpassword -s base -b "" "objectclass=*"
Step 2: Reset FreeIPA admin password on Linux
Now that you have the Directory Manager password, you should be ready to reset FreeIPA admin password.
Start by exporting LDAP TLS certificate path
Then reset the admin password
ldappasswd -ZZ -D 'cn=Directory Manager' -W -S \ uid=admin,cn=users,cn=accounts,dc=example,dc=com \ -H ldap://ldap.example.com
- example and com with your domain components
- ldap.example.com with your resolvable FreeIPA Server hostname
You’ll be asked to provide a new password & Directory Manager Password
New password: Re-enter new password: Enter LDAP Password:
Your new FreeIPA admin password should be set, test by requesting a new Kerberos ticket:
# kinit admin Password for [email protected]:
Provide the newly set password and press <Enter>. When done, list available tickets to confirm it is working
# klist Ticket cache: KEYRING:persistent:0:0 Default principal: [email protected] Valid starting Expires Service principal 10/17/2018 09:22:56 10/18/2018 09:22:50 krbtgt/EXAM[email protected]
If you access the FreeIPA login page, the new password should be accepted for authentication.
Thanks for using our guide to reset FreeIPA admin password. Check installation of FreeIPA Server guides: