How to reset IPA Directory Manager password in RHEL 7,8,9

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • IdM IPA v4 & above

Issue

  • How to reset IPA Directory Manager password?
  • How to change the IPA Directory Manager password of Master Server?

Resolution

Follow the instructions below:

  1. Stop the IPA server. The Directory Server must not be running while dse.ldif is edited: a running instance rewrites the file from its in-memory configuration, so an edit made while it is up is lost.

    # ipactl stop
    
  2. Generate a new hashed password with pwdhash using the SSHA512 scheme. The password is passed on the command line, so it ends up in the shell history; prefix the command with a space (if HISTCONTROL includes ignorespace) or clear the history entry afterwards.

    # /usr/bin/pwdhash -s SSHA512 <Type New Password Here>
    {SSHA512}W2ZOKfSQJiDgO1NPmcqVn3GJcfCcfhEB5LTQsdKIfAhBr4WDWSJkjVnb9WiswPPMDDjyXb+ozlX0f+5Zb6BiIUvKg9o30Z68  <<--- New hash generated
    
  3. Open dse.ldif in the instance configuration directory. The instance name is the realm with dots replaced by hyphens (for example slapd-EXAMPLE-COM for the realm EXAMPLE.COM):

    # vim /etc/dirsrv/slapd-REALM/dse.ldif
    
  4. Locate the nsslapd-rootpw attribute and delete the old hash, including its continuation line.

    nsslapd-rootpw: {SSHA512}lOsw3lPFUvIoApYJZ1uW0jwhzmbpNkuvof7WvYZrfa2J/c2W1FbDl
     G9EoxPYfNviGYuEc+aXfpNBf/3d1AxTw48XJ+PNOT9v
    

    NOTE
    The hash appears on two lines because LDIF folds long values: the second line begins with a single space and is a continuation of the first. Remove both lines. If the continuation line is left behind, it is folded onto whatever line precedes it and the new hash (or a neighbouring attribute) is corrupted.

  5. Enter the new hashed password from step 2 on a single line. For example:

    nsslapd-rootpw: {SSHA512}W2ZOKfSQJiDgO1NPmcqVn3GJcfCcfhEB5LTQsdKIfAhBr4WDWSJkjVnb9WiswPPMDDjyXb+ozlX0f+5Zb6BiIUvKg9o30Z68
    
  6. Save the changes and start the IPA server.

    # ipactl start
    
  7. Verify that the new hashed password was saved. The Directory Server refolds the value when it rewrites dse.ldif at startup, so the hash is shown on two lines again (the grep also matches nsslapd-rootpw-storagescheme, which can be ignored):

    # grep rootpw -A1 /etc/dirsrv/slapd-REALM/dse.ldif
    nsslapd-rootpw: {SSHA512}W2ZOKfSQJiDgO1NPmcqVn3GJcfCcfhEB5LTQsdKIfAhBr4WDW
     SJkjVnb9WiswPPMDDjyXb+ozlX0f+5Zb6BiUvKg9o30Z68
    
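The steps above as one script, added here as an example and not part of the Red Hat solution. The interesting part is the dse.ldif edit: the old value is folded over two lines, and the replacement drops the attribute line together with its continuation line, then reads the value back unfolded so the result can be compared with the hash that was written. The paths (/etc/dirsrv/slapd-<INSTANCE>/dse.ldif, /usr/bin/pwdhash, ipactl) follow the article; the fixture file and the instance name EXAMPLE-COM are constructed for the demonstration, and NEW_HASH is the example hash from the article.

```shell
#!/bin/bash
# Added example (not from the Red Hat article): reset the Directory Manager
# password in dse.ldif without leaving a stale LDIF continuation line behind.
# Assumptions: paths follow the article (/etc/dirsrv/slapd-<INSTANCE>/dse.ldif,
# /usr/bin/pwdhash, ipactl); NEW_HASH is the example hash from the article.
set -eu

NEW_HASH='{SSHA512}W2ZOKfSQJiDgO1NPmcqVn3GJcfCcfhEB5LTQsdKIfAhBr4WDWSJkjVnb9WiswPPMDDjyXb+ozlX0f+5Zb6BiIUvKg9o30Z68'

# Replace the nsslapd-rootpw value in a dse.ldif.  LDIF folds long values:
# a continuation line starts with a single space.  The attribute line and its
# continuation lines are dropped together; leaving the continuation behind
# would fold it onto the new line and corrupt the hash.
replace_rootpw() {
    local dse_file="$1" new_hash="$2"
    awk -v hash="$new_hash" '
        /^nsslapd-rootpw:/ { print "nsslapd-rootpw: " hash; skip = 1; next }
        skip && /^ /       { next }             # folded continuation of the old value
                           { skip = 0; print }
    ' "$dse_file" > "$dse_file.new"
    mv "$dse_file.new" "$dse_file"
}

# Read nsslapd-rootpw back, unfolding continuation lines, for verification.
read_rootpw() {
    awk '
        /^nsslapd-rootpw:/ { val = $0; sub(/^nsslapd-rootpw: */, "", val); fold = 1; next }
        fold && /^ /       { val = val substr($0, 2); next }
        fold               { exit }
        END                { print val }
    ' "$1"
}

# The article's procedure as one function (run as root on the IPA server).
# The password is read from the terminal, so it never lands in shell history.
reset_dm_password() {
    local instance="$1" dse newpw hash
    dse="/etc/dirsrv/slapd-$instance/dse.ldif"
    IFS= read -r -s -p "New Directory Manager password: " newpw; echo
    hash=$(/usr/bin/pwdhash -s SSHA512 "$newpw")
    ipactl stop                                    # DS must be down while dse.ldif is edited
    cp -p "$dse" "$dse.bak.$(date +%Y%m%d%H%M%S)"  # keep a copy of the old configuration
    replace_rootpw "$dse" "$hash"
    ipactl start
    # DS refolds the line on startup; read_rootpw unfolds it before comparing.
    [ "$(read_rootpw "$dse")" = "$hash" ] || { echo "rootpw mismatch after restart" >&2; return 1; }
}

# Constructed dse.ldif fragment in the shape the article shows: the old hash
# folded over two lines, plus neighbouring attributes that must survive.
make_fixture() {
    printf '%s\n' \
        'dn: cn=config' \
        'cn: config' \
        'nsslapd-rootdn: cn=Directory Manager' \
        'nsslapd-rootpw-storagescheme: SSHA512' \
        'nsslapd-rootpw: {SSHA512}lOsw3lPFUvIoApYJZ1uW0jwhzmbpNkuvof7WvYZrfa2J/c2W1FbDl' \
        ' G9EoxPYfNviGYuEc+aXfpNBf/3d1AxTw48XJ+PNOT9v' \
        'nsslapd-schemacheck: on' > "$1"
}

# Run the edit against the fixture and print the hash read back.
demo() {
    local tmp; tmp=$(mktemp -d)
    make_fixture "$tmp/dse.ldif"
    replace_rootpw "$tmp/dse.ldif" "$NEW_HASH"
    read_rootpw "$tmp/dse.ldif"
    rm -rf "$tmp"
}

# Count continuation lines left after the edit (must be 0).
demo_leftover_lines() {
    local tmp; tmp=$(mktemp -d)
    make_fixture "$tmp/dse.ldif"
    replace_rootpw "$tmp/dse.ldif" "$NEW_HASH"
    grep -c '^ ' "$tmp/dse.ldif" || true
    rm -rf "$tmp"
}

demo   # stand-alone run on the fixture; on a real server call: reset_dm_password EXAMPLE-COM
```

Running the script as-is only exercises the fixture; reset_dm_password is what you would call on the server, and it fails loudly if the value read back after the restart does not match the hash that was written.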

Notes

Important Note with ipa-server-3.0.0-42 and below

When IPA is installed, the Directory Manager password is used in several places:

  • the Directory Manager of the slapd-REALM instance (slapd-DOMAIN-NAME), which holds your user, group, DNS record and sudo data;
  • the Directory Manager of the PKI-IPA instance, which holds your certificate data;
  • the admin user of the PKI-IPA instance, i.e. uid=admin,ou=people,o=ipaca;
  • the CA agent PKCS#12 file in /root.

Changing only the Directory Manager password of the main instance causes ipa-replica-install to fail, because the same password is used to bind as the PKI admin user and to open the CA agent PKCS#12 file.

The IPA server installer states clearly that the same password is used to create the PKCS#12 file and that this password is required to create a replica:

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

For more details, see the Kbase article below.

Important Note with ipa-server-3.3.3-28.el7

After changing the Directory Manager password, run the command below. It prompts for the Directory Manager password, updates the password of the PKI-IPA admin user and extracts a new CA PKCS#12 file, which can only be opened with the new Directory Manager password.

# ipa-replica-prepare ipareplica.example.com

This applies to domain level 0 only. At domain level 1 (the only level on RHEL 8 and 9) replicas are installed by promotion with ipa-replica-install, ipa-replica-prepare is not used, and no PKCS#12 file is involved.

Additional Information

The Directory Manager password is not replicated, so it has to be reset separately on every IPA server where it needs to change.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
