Red Hat SummitChapter 6. Managing user passwords in IdM
6.1. Who can change IdM user passwords and how
Regular users without the permission to change other users' passwords can change only their own personal password. The new password must meet the IdM password policies applicable to the groups of which the user is a member. For details on configuring password policies, see Defining IdM password policies.
Administrators and users with password change rights can set initial passwords for new users and reset passwords for existing users. These passwords:
- Do not have to meet the IdM password policies.
- Expire after the first successful login. When this happens, IdM prompts the user to change the expired password immediately. To disable this behavior, see Enabling password reset in IdM without prompting the user for a password change at the next login.
Note that the LDAP Directory Manager (DM) user can change user passwords using LDAP tools. A new password can override any IdM password policies. Passwords set by DM do not expire after the first login.
6.2. Changing your user password in the IdM Web UI
As an Identity Management (IdM) user, you can change your user password in the IdM Web UI.
Prerequisites
- Your password has not expired.
Procedure
- Log in to the IdM Web UI.
- In the upper right corner, click the name of the user who is logged into the IdM Web UI.
- Select Change password.
- Enter the current password.
- Enter the new password in the New Password field.
- Confirm the new password by entering it in the Verify Password field.
- Click Reset Password.
Alternatively, you can go directly to https://<server.idm.example.com>/ipa/ui/reset_password.html, and change your password there.
6.3. Resetting another user’s password in the IdM Web UI
As an administrative user of Identity Management (IdM), you can change passwords for other users in the IdM Web UI.
Prerequisites
- You are logged in to the IdM Web UI as an administrative user.
Procedure
- Select Identity>Users.
- Click the name of the user to edit.
- Click Actions and select Reset password.
- Enter the new password in the New Password field.
- Confirm the new password by entering it in the Verify Password field.
- Click Reset Password.
6.4. Resetting the Directory Manager user password
If you lose the Identity Management (IdM) Directory Manager password, you can reset it.
Prerequisites
-
You have
rootaccess to an IdM server.
Procedure
Generate a new password hash by using the
pwdhashcommand. For example:# pwdhash -D /etc/dirsrv/slapd-IDM-EXAMPLE-COM password {PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...By specifying the path to the Directory Server configuration, you automatically use the password storage scheme set in the
nsslapd-rootpwstorageschemeattribute to encrypt the new password.On every IdM server in your topology, execute the following steps:
Stop all IdM services installed on the server:
# ipactl stopEdit the
/etc/dirsrv/IDM-EXAMPLE-COM/dse.ldiffile and set thensslapd-rootpwattribute to the value generated by thepwdhashcommand:nsslapd-rootpw: {PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...- Start all IdM services installed on the server:
# ipactl start
6.5. Changing your user password or resetting another user’s password in IdM CLI
You can change your user password using the Identity Management (IdM) command-line interface (CLI). If you are an administrative user, you can use the CLI to reset another user’s password.
Prerequisites
- You have obtained a ticket-granting ticket (TGT) for an IdM user.
- If you are resetting another user’s password, you must have obtained a TGT for an administrative user in IdM.
Procedure
Enter the
ipa user-modcommand with the name of the user and the--passwordoption. The command will prompt you for the new password.$ ipa user-mod idm_user --password Password: Enter Password again to verify: -------------------- Modified user "idm_user" -------------------- ...
Note that you can also use the ipa passwd idm_user command instead of ipa user-mod.
6.6. Additional commands for changing user passwords
You can also change the password for an IdM user using the following commands:
| Command | Description | Limitations |
|---|---|---|
|
|
A user can change their own password using PAM service facilities and the | The system must be enrolled in IdM and SSSD must be configured. |
|
| A user can change their own password directly via the Kerberos protocol | The user must have a valid Kerberos ticket (TGT); does not require system enrollment. |
|
| An administrator or user can change a password through the IdM API |
Requires an active Kerberos ticket and the |
|
| An administrator or user can change a password directly via LDAP | Requires LDAP credentials (Bind DN) and direct network access to the Directory Server. |
6.7. Enabling password reset in IdM without prompting the user for a password change at the next login
By default, when an administrator resets another user’s password, the password expires after the first successful login.
As IdM Directory Manager, you can specify the following privileges for individual IdM administrators:
- They can perform password change operations without requiring users to change their passwords subsequently on their first login.
- They can bypass the password policy so that no strength or history enforcement is applied.
Bypassing the password policy can be a security threat. Exercise caution when selecting users to whom you grant these additional privileges.
Prerequisites
- You know the Directory Manager password.
Procedure
On every Identity Management (IdM) server in the domain, make the following changes:
Enter the
ldapmodifycommand to modify LDAP entries. Specify the name of the IdM server and the 389 port and press Enter:$ ldapmodify -x -D "cn=Directory Manager" -W -h server.idm.example.com -p 389 Enter LDAP Password:- Enter the Directory Manager password.
Enter the distinguished name for the
ipa_pwd_extoppassword synchronization entry and press Enter:dn: cn=ipa_pwd_extop,cn=plugins,cn=configSpecify the
modifytype of change and press Enter:changetype: modifySpecify what type of modification you want LDAP to execute and to which attribute. Press Enter:
add: passSyncManagersDNsSpecify the administrative user accounts in the
passSyncManagersDNsattribute. The attribute is multi-valued. For example, to grant theadminuser the password resetting powers of Directory Manager:passSyncManagersDNs: \ uid=admin,cn=users,cn=accounts,dc=example,dc=com- Press Enter twice to stop editing the entry.
The admin user, listed under passSyncManagerDNs, now has the additional privileges.
6.8. Checking if an IdM user’s account is locked
As an Identity Management (IdM) administrator, you can check if an IdM user’s account is locked. For that, you must compare a user’s maximum allowed number of failed login attempts with the number of the user’s actual failed logins.
Prerequisites
- You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.
Procedure
Display the status of the user account to see the number of failed logins:
$ ipa user-status example_user ----------------------- Account disabled: False ----------------------- Server: idm.example.com Failed logins: 8 Last successful authentication: N/A Last failed authentication: 20220229080317Z Time now: 2022-02-29T08:04:46Z ---------------------------- Number of entries returned 1 ----------------------------Display the number of allowed login attempts for a particular user:
$ ipa pwpolicy-show --user example_user Group: global_policy Max lifetime (days): 90 Min lifetime (hours): 1 History size: 0 Character classes: 0 Min length: 8 Max failures: 6 Failure reset interval: 60 Lockout duration: 600 Grace login limit: -1-
Compare the number of failed logins as displayed in the output of the
ipa user-statuscommand with the Max failures number displayed in the output of theipa pwpolicy-showcommand. If the number of failed logins equals that of maximum allowed login attempts, the user account is locked.
6.9. Unlocking user accounts after password failures in IdM
If a user attempts to log in using an incorrect password a certain number of times, Identity Management (IdM) locks the user account, which prevents the user from logging in. For security reasons, IdM does not display any warning message that the user account has been locked. Instead, the CLI prompt might continue asking the user for a password again and again.
IdM automatically unlocks the user account after a specified amount of time has passed. Alternatively, you can unlock the user account manually with the following procedure.
Prerequisites
- You have obtained the ticket-granting ticket of an IdM administrative user.
Procedure
To unlock a user account, use the
ipa user-unlockcommand.$ ipa user-unlock idm_user ----------------------- Unlocked account "idm_user" -----------------------After this, the user can log in again.
6.10. Enabling the tracking of last successful Kerberos authentication for users in IdM
For performance reasons, Identity Management (IdM) running in Red Hat Enterprise Linux 8 does not store the time stamp of the last successful Kerberos authentication of a user. As a consequence, certain commands, such as ipa user-status, do not display the time stamp.
Prerequisites
- You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.
-
You have
rootaccess to the IdM server on which you are executing the procedure.
Procedure
Display the currently enabled password plug-in features:
# ipa config-show | grep "Password plugin features" Password plugin features: AllowNThash, KDC:Disable Last SuccessThe output shows that the
KDC:Disable Last Successplug-in is enabled. The plug-in hides the last successful Kerberos authentication attempt from being visible in the ipa user-status output.Add the
--ipaconfigstring=featureparameter for every feature to theipa config-modcommand that is currently enabled, except forKDC:Disable Last Success:# ipa config-mod --ipaconfigstring='AllowNThash'This command enables only the
AllowNThashplug-in. To enable multiple features, specify the--ipaconfigstring=featureparameter separately for each feature.Restart IdM:
# ipactl restart
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}