Chapter 5. Managing user passwords in IdM
Manage Identity Management (IdM) user passwords including changing your own password, resetting other users' passwords, and configuring password-related features. Control password resets, account lockouts, and authentication tracking.
5.1. Who can change IdM user passwords and how
Regular users can change only their own passwords and must meet the password policies applicable to the groups of which the user is a member. Administrators can reset any user’s password without meeting policies, but these passwords expire on first login unless configured otherwise.
Administrators and users with password change rights can set initial passwords for new users and reset passwords for existing users. These passwords:
- Do not have to meet the IdM password policies.
- Expire after the first successful login. When this happens, IdM prompts the user to change the expired password immediately. To disable this behavior, see Enabling password reset in IdM without prompting the user for a password change at the next login.
Note that the LDAP Directory Manager (DM) user can change user passwords using LDAP tools. A new password can override any IdM password policies. Passwords set by DM do not expire after the first login.
5.2. Changing your user password in the IdM Web UI
Change your own user password in the Identity Management (IdM) Web UI to maintain account security. The new password must meet the password policies for groups you belong to.
Prerequisites
- Your password has not expired.
Procedure
- Log in to the IdM Web UI.
- In the upper right corner, click the name of the user who is logged into the IdM Web UI.
- Select Change password.
- Enter the current password.
- Enter the new password in the New Password field.
- Confirm the new password by entering it in the Verify Password field.
- Click Reset Password.
Note: Alternatively, you can go directly to https://<server.idm.example.com>/ipa/ui/reset_password.html and change your password there.
5.3. Resetting another user’s password in the IdM Web UI
Reset another user’s password in the Identity Management (IdM) Web UI when they need a new password or have been locked out.
Prerequisites
- You are logged in to the IdM Web UI as an administrative user.
Procedure
- Select Identity > Users.
- Click the name of the user to edit.
- Click Actions and select Reset password.
- Enter the new password in the New Password field.
- Confirm the new password by entering it in the Verify Password field.
- Click Reset Password.
5.4. Resetting the Directory Manager user password
Reset the Directory Manager password if it is, for example, lost or compromised. This procedure requires root access to the Identity Management (IdM) servers and must be performed on every server in your topology.
Prerequisites
- You have root access to all IdM servers.
Procedure
1. On an IdM server, generate a new password hash by using the pwdhash command. For example:

```
# pwdhash -D /etc/dirsrv/slapd-IDM-EXAMPLE-COM password
{PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...
```

By specifying the path to the Directory Server configuration, you automatically use the password storage scheme set in the nsslapd-rootpwstoragescheme attribute to hash the new password.

2. Stop all IdM services installed on the server:

```
# ipactl stop
```

3. Edit the /etc/dirsrv/IDM-EXAMPLE-COM/dse.ldif file on the server and set the nsslapd-rootpw attribute to the value generated by the pwdhash command:

```
nsslapd-rootpw: {PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...
```

4. Start all IdM services installed on the server:

```
# ipactl start
```

5. Repeat steps 2-4 on all the remaining IdM replicas in your topology.
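Step 3 is the one that touches the Directory Server configuration by hand. The following shell helper, an added example rather than code from the Red Hat documentation, performs that edit on a dse.ldif file with the checks a careful operator wants: it accepts only a tagged {SCHEME}hash value (never clear text), keeps a backup, and writes the file back in place so owner and mode survive. The sample file and both hash values are constructed.

```shell
# Added example, not from the Red Hat documentation: replace the nsslapd-rootpw
# value in a dse.ldif file with a hash already produced by pwdhash (step 1).
# Run it only while the instance is stopped (ipactl stop), as in steps 2-4.
# The file, the old value and the new value below are all constructed.

# $1 = path to dse.ldif, $2 = new value in {SCHEME}hash form. Refuses anything
# that is not a tagged hash, so a clear-text password cannot land in the file.
set_rootpw() {
    dse="$1"; value="$2"
    case "$value" in
        '{'*'}'*) ;;
        *) echo "refusing: value is not a {SCHEME}hash" >&2; return 1 ;;
    esac
    grep -q '^nsslapd-rootpw: ' "$dse" || { echo "no nsslapd-rootpw in $dse" >&2; return 1; }
    cp -p "$dse" "$dse.bak"                        # keep the previous config
    awk -v v="$value" '/^nsslapd-rootpw: / { print "nsslapd-rootpw: " v; next } { print }' \
        "$dse" > "$dse.new" && cat "$dse.new" > "$dse" && rm -f "$dse.new"
    # 'cat >' overwrites in place, so the file keeps its owner and mode
}

# Read the current value back (check it before ipactl start).
get_rootpw() {
    sed -n 's/^nsslapd-rootpw: //p' "$1"
}

# Constructed miniature dse.ldif; a real one carries many more attributes.
demo_dse=$(mktemp)
cat > "$demo_dse" <<'EOF'
dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpwstoragescheme: PBKDF2_SHA256
nsslapd-rootpw: {PBKDF2_SHA256}OLDHASHOLDHASHOLDHASH
EOF

set_rootpw "$demo_dse" '{PBKDF2_SHA256}NEWHASHNEWHASHNEWHASH'
get_rootpw "$demo_dse"
```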
5.5. Changing your user password or resetting another user’s password in IdM CLI
Change your own password or reset another user’s password using the Identity Management (IdM) CLI. Administrators can reset passwords for any user while regular users can only change their own.
Prerequisites
- You have obtained a ticket-granting ticket (TGT) for an IdM user.
- If you are resetting another user’s password, you must have obtained a TGT for an administrative user in IdM.
Procedure
- Enter the ipa user-mod command with the name of the user and the --password option. The command will prompt you for the new password.

```
$ ipa user-mod idm_user --password
Password:
Enter Password again to verify:
--------------------
Modified user "idm_user"
--------------------
...
```

Note that you can also use the ipa passwd idm_user command instead of ipa user-mod.
5.6. Additional commands for changing user passwords
Identity Management (IdM) supports multiple methods for changing user passwords, including PAM services, Kerberos, the IdM API, and LDAP. Each method has different requirements and use cases.
| Command | Description | Limitations |
|---|---|---|
| | A user can change their own password using PAM service facilities. | The system must be enrolled in IdM and SSSD must be configured. |
| | A user can change their own password directly via the Kerberos protocol. | The user must have a valid Kerberos ticket (TGT); does not require system enrollment. |
| | An administrator or user can change a password through the IdM API. | Requires an active Kerberos ticket. |
| | An administrator or user can change a password directly via LDAP. | Requires LDAP credentials (Bind DN) and direct network access to the Directory Server. |
5.7. Enabling password reset in IdM without prompting the user for a password change at the next login
Grant specific administrators the ability to reset passwords without forcing users to change them on first login. As an Identity Management (IdM) Directory Manager, you can add administrators to the passSyncManagersDNs attribute, which allows them to perform password resets without triggering the mandatory password change requirement and optionally bypass password policy enforcement.
Bypassing the password policy can be a security threat. Exercise caution when selecting users to whom you grant these additional privileges.
Prerequisites
- You know the Directory Manager password.
Procedure
- Enter the ldapmodify command to modify LDAP entries. Specify the name of the IdM server and the 389 port and press Enter:

```
$ ldapmodify -x -D "cn=Directory Manager" -W -h server.idm.example.com -p 389
Enter LDAP Password: <password>
```

- Enter the Directory Manager password.
- Enter the distinguished name for the ipa_pwd_extop password synchronization entry and press Enter:

```
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
```

- Specify the modify type of change and press Enter:

```
changetype: modify
```

- Specify what type of modification you want LDAP to execute and to which attribute. Press Enter:

```
add: passSyncManagersDNs
```

- Specify the administrative user accounts in the passSyncManagersDNs attribute. The attribute is multi-valued. For example, to grant the admin user the password resetting powers of Directory Manager:

```
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
```

- Press Enter twice to stop editing the entry.

The admin user, listed under passSyncManagersDNs, now has the additional privileges. Repeat the steps on every Identity Management (IdM) server in the domain.
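Because the same change has to be applied on every server and grants Directory Manager-level reset power, it is worth writing it as an LDIF file that can be reviewed and then fed to ldapmodify with -f, rather than typing it interactively each time. The helper below is an added example, not part of the Red Hat documentation; it emits the change record shown above for one or more uids, rejecting uids that would break out of the DN. The base DN and the second user name are constructed.

```shell
# Added example, not from the Red Hat documentation: produce the change above
# as an LDIF file so it can be reviewed and applied with 'ldapmodify -f' on
# each server, instead of being typed interactively. The base DN and the user
# names below are constructed.

# $1 = base DN of the IdM domain, remaining args = uids to add.
# Prints one LDIF change record. 'add:' appends values, so entries already in
# passSyncManagersDNs are kept (the attribute is multi-valued).
passsync_ldif() {
    base="$1"; shift
    [ $# -gt 0 ] || { echo "need at least one uid" >&2; return 1; }
    for uid in "$@"; do
        case "$uid" in
            ""|*[!a-zA-Z0-9._-]*)
                echo "refusing uid with unexpected characters: $uid" >&2; return 1 ;;
        esac
    done
    printf 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'add: passSyncManagersDNs\n'
    for uid in "$@"; do
        printf 'passSyncManagersDNs: uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$base"
    done
}

# Number of DNs a generated LDIF grants; check it matches what you intended
# before running: ldapmodify -x -D "cn=Directory Manager" -W -h <server> -p 389 -f "$ldif"
count_granted() {
    grep -c '^passSyncManagersDNs: ' "$1"
}

ldif=$(mktemp)
passsync_ldif "dc=example,dc=com" admin pwreset-ops > "$ldif"   # pwreset-ops is constructed
cat "$ldif"
```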
5.8. Checking if an IdM user’s account is locked
Determine if a user’s account is locked due to failed login attempts by comparing their failed login count against the maximum allowed number of failures.
Prerequisites
- You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.
Procedure
- Display the status of the user account to see the number of failed logins:

```
$ ipa user-status example_user
-----------------------
Account disabled: False
-----------------------
  Server: idm.example.com
  Failed logins: 8
  Last successful authentication: N/A
  Last failed authentication: 20220229080317Z
  Time now: 2022-02-29T08:04:46Z
----------------------------
Number of entries returned 1
----------------------------
```

- Display the number of allowed login attempts for a particular user:

```
$ ipa pwpolicy-show --user example_user
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
  Grace login limit: -1
```

- Compare the number of failed logins as displayed in the output of the ipa user-status command with the Max failures number displayed in the output of the ipa pwpolicy-show command. If the number of failed logins has reached the maximum allowed login attempts (here, 8 failed logins against a maximum of 6), the user account is locked.
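The comparison above can be scripted over saved command output, which is handy when checking many accounts or feeding the result to monitoring. The helper below is an added example, not code from the Red Hat documentation. It goes one step beyond the page by taking the highest "Failed logins" value over all server blocks, since ipa user-status prints one block per server; it also assumes that a Max failures value of 0 means lockout is not enforced. Both input files are constructed in the shape of the page's examples.

```shell
# Added example, not from the Red Hat documentation: apply the comparison above
# to saved 'ipa user-status' and 'ipa pwpolicy-show' output. Takes the highest
# "Failed logins" over all server blocks, since user-status prints one block
# per server. Both inputs below are constructed.

# Highest "Failed logins" value across all server blocks ($1 = user-status output).
max_failed_logins() {
    awk -F': ' '/^ *Failed logins:/ { if ($2 + 0 > m) m = $2 + 0 } END { print m + 0 }' "$1"
}
# "Max failures" from the policy that applies to the user ($1 = pwpolicy-show output).
max_failures() {
    awk -F': ' '/^ *Max failures:/ { print $2 + 0; exit }' "$1"
}

# Prints the verdict; returns 0 when the account is locked, 1 otherwise.
# Assumption used here: a Max failures value of 0 means lockout is not enforced.
is_locked() {
    failed=$(max_failed_logins "$1")
    limit=$(max_failures "$2")
    [ -n "$limit" ] || { echo "no Max failures line in policy output" >&2; return 2; }
    if [ "$limit" -eq 0 ]; then
        echo "lockout not enforced (Max failures: 0); failed logins: $failed"; return 1
    elif [ "$failed" -ge "$limit" ]; then
        echo "LOCKED: $failed failed logins, policy allows $limit"; return 0
    fi
    echo "not locked: $failed failed logins, policy allows $limit"; return 1
}

# Constructed sample output in the shape of the page's examples (two servers).
status_out=$(mktemp); policy_out=$(mktemp)
cat > "$status_out" <<'EOF'
-----------------------
Account disabled: False
-----------------------
  Server: idm.example.com
  Failed logins: 8
  Last failed authentication: 20220229080317Z
  Server: replica.idm.example.com
  Failed logins: 2
----------------------------
Number of entries returned 2
----------------------------
EOF
cat > "$policy_out" <<'EOF'
  Group: global_policy
  Max failures: 6
  Lockout duration: 600
EOF
is_locked "$status_out" "$policy_out"
```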
5.9. Unlocking user accounts after password failures in IdM
Unlock a user account that was locked due to too many failed login attempts.
For security reasons, IdM does not display any warning message that the user account has been locked. Instead, the CLI prompt might continue asking the user for a password again and again.
IdM automatically unlocks the user account after a specified amount of time has passed. Alternatively, you can unlock the user account manually with the following procedure.
Prerequisites
- You have obtained the ticket-granting ticket of an IdM administrative user.
Procedure
- To unlock a user account, use the ipa user-unlock command.

```
$ ipa user-unlock idm_user
-----------------------
Unlocked account "idm_user"
-----------------------
```

After this, the user can log in again.
5.10. Enabling the tracking of last successful Kerberos authentication for users in IdM
Enable tracking of last successful Kerberos authentication timestamps for auditing purposes. This feature is disabled by default for performance reasons.
Prerequisites
- You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.
- You have root access to the IdM server on which you are executing the procedure.
Procedure
- Display the currently enabled password plug-in features:

```
# ipa config-show | grep "Password plugin features"
  Password plugin features: AllowNThash, KDC:Disable Last Success
```

The output shows that the KDC:Disable Last Success plug-in is enabled. The plug-in hides the last successful Kerberos authentication attempt from being visible in the ipa user-status output.

- Add the --ipaconfigstring=feature parameter to the ipa config-mod command for every feature that is currently enabled, except for KDC:Disable Last Success:

```
# ipa config-mod --ipaconfigstring='AllowNThash'
```

This command enables only the AllowNThash plug-in. To enable multiple features, specify the --ipaconfigstring=feature parameter separately for each feature.

- Restart IdM:

```
# ipactl restart
```
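Because ipa config-mod replaces the whole feature list, a feature left out of the command is silently disabled. The helper below, an added example rather than code from the Red Hat documentation, builds the config-mod invocation from saved ipa config-show output so that every currently enabled feature except KDC:Disable Last Success is carried over, however many there are. The config-show output is constructed and nothing here calls ipa.

```shell
# Added example, not from the Red Hat documentation: assemble the
# 'ipa config-mod' command that keeps every feature currently shown by
# 'ipa config-show' except KDC:Disable Last Success. config-mod replaces the
# whole list, so a forgotten --ipaconfigstring silently disables a feature.
# The config-show output below is constructed; nothing here calls ipa.

# $1 = file holding 'ipa config-show' output, $2 = feature to drop.
# Prints the command to run; returns 1 if no feature would remain.
build_config_mod() {
    awk -v drop="$2" '
        /^ *Password plugin features:/ {
            line = $0
            sub(/^ *Password plugin features: */, "", line)
            n = split(line, feats, /, */)
            cmd = "ipa config-mod"; kept = 0
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", feats[i])        # trim stray spaces
                if (feats[i] == "" || feats[i] == drop) continue
                cmd = cmd " --ipaconfigstring=\047" feats[i] "\047"
                kept++
            }
            if (kept == 0) exit 1    # emptying the list is not what this procedure does
            print cmd
            found = 1; exit
        }
        END { if (!found) exit 1 }' "$1"
}

# Constructed 'ipa config-show' output with the same feature line as the page.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
  Maximum username length: 32
  Home directory base: /home
  Password plugin features: AllowNThash, KDC:Disable Last Success
EOF
build_config_mod "$cfg" 'KDC:Disable Last Success'
```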