LDAP – FreeIPA admin password reset

Tags: freeipa, ldap

I'm trying to figure out how to reset my freeipa3 admin password. I'm able to see the user when I search the domain:

 [root@ipaserver ipa]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -h localhost -ZZ -x -b uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
 # extended LDIF
 #
 # LDAPv3
 # base <uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # admin, users, compat, central.example.com
 dn: uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
 objectClass: posixAccount
 objectClass: top
 gecos: Administrator
 cn: Administrator
 uidNumber: 1909600000
 gidNumber: 1909600000
 loginShell: /bin/bash
 homeDirectory: /home/admin
 uid: admin

and I found this snippet, the only one (it seems) on the web, for resetting my password.

When I try that however I get the following message:

 [root@ipaserver ipa]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
 New password:
 Re-enter new password:
 Enter LDAP Password:
 Result: No such object (32)
 Additional info: Failed to update password

Does anyone with past experience resetting the admin password on a FreeIPA server have some suggestions?

Best Answer

Do not use the cn=compat entry for your password changes. cn=compat is a read-only compatibility tree that is automatically generated from the primary data tree in cn=accounts. Compat tree entries have no passwords.

Your problem is that you are trying to change the password of an entry that is purposely read-only and that is implemented via a plugin that purposely does not provide a password field in the entries.
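As an added example (not part of the original answer), the following script shows the DN rewrite the answer implies: take the read-only compat DN from the question and point ldappasswd at its writable counterpart under cn=accounts instead. It assumes FreeIPA's default layout, where the primary user entry is uid=admin,cn=users,cn=accounts,<base DN>; the base DN dc=central,dc=example,dc=com is the one from the question. The script only prints the corrected ldappasswd command rather than running it, so it can be reviewed before binding as Directory Manager.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the default FreeIPA
# tree layout: the writable user entries live under cn=users,cn=accounts,
# while cn=users,cn=compat is a read-only, plugin-generated view.

# Map a compat-tree DN to the writable entry it is generated from.
# Prints the rewritten DN; returns 1 if the DN is not in the compat tree.
compat_to_accounts_dn() {
    case "$1" in
        *",cn=compat,"*)
            printf '%s\n' "$1" | sed 's/,cn=compat,/,cn=accounts,/'
            ;;
        *)
            return 1
            ;;
    esac
}

# Build the ldappasswd command for the writable entry. -H ldap://localhost
# replaces the deprecated -h; -ZZ forces StartTLS; -S prompts for the new
# password; -W prompts for the Directory Manager bind password.
build_passwd_cmd() {
    dn="$1"
    printf "LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -H ldap://localhost -ZZ -D 'cn=directory manager' -W -S '%s'\n" "$dn"
}

# The DN the question targeted (read-only compat view of the admin user).
COMPAT_DN='uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com'

if TARGET_DN=$(compat_to_accounts_dn "$COMPAT_DN"); then
    echo "compat tree is read-only; resetting via writable entry: $TARGET_DN"
    build_passwd_cmd "$TARGET_DN"
else
    echo "not a compat DN, use as-is: $COMPAT_DN"
    build_passwd_cmd "$COMPAT_DN"
fi
```

Running the printed command binds as Directory Manager and sets the password on the cn=accounts entry; the "No such object (32)" error from the question comes from the password-modify operation refusing the compat DN, not from a wrong Directory Manager password.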
