Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 5. Managing user passwords in IdM

5.1. Who can change IdM user passwords and how
Copiar o link

Regular users without the permission to change other users' passwords can change only their own personal password. The new password must meet the IdM password policies applicable to the groups of which the user is a member. For details on configuring password policies, see Defining IdM password policies.

Administrators and users with password change rights can set initial passwords for new users and reset passwords for existing users. These passwords:

Note that the LDAP Directory Manager (DM) user can change user passwords using LDAP tools. A new password can override any IdM password policies. Passwords set by DM do not expire after the first login.

5.2. Changing your user password in the IdM Web UI
Copiar o link

As an Identity Management (IdM) user, you can change your user password in the IdM Web UI.

Prerequisites

  • Your password has not expired.

Procedure

  1. Log in to the IdM Web UI.
  2. In the upper right corner, click the name of the user who is logged into the IdM Web UI.
  3. Select Change password.
  4. Enter the current password.
  5. Enter the new password in the New Password field.
  6. Confirm the new password by entering it in the Verify Password field.
  7. Click Reset Password.
Note

Alternatively, you can go directly to https://<server.idm.example.com>/ipa/ui/reset_password.html, and change your password there.

5.3. Resetting another user’s password in the IdM Web UI
Copiar o link

As an administrative user of Identity Management (IdM), you can change passwords for other users in the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI as an administrative user.

Procedure

  1. Select Identity>Users.
  2. Click the name of the user to edit.
  3. Click Actions and select Reset password.
  4. Enter the new password in the New Password field.
  5. Confirm the new password by entering it in the Verify Password field.
  6. Click Reset Password.

5.4. Resetting the Directory Manager user password
Copiar o link

If you lose the Identity Management (IdM) Directory Manager password, you can reset it.

Prerequisites

  • You have root access to an IdM server.

Procedure

  1. Generate a new password hash by using the pwdhash command. For example: 

    # pwdhash -D /etc/dirsrv/slapd-IDM-EXAMPLE-COM password
{PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...
    Copy to Clipboard Toggle word wrap

    By specifying the path to the Directory Server configuration, you automatically use the password storage scheme set in the nsslapd-rootpwstoragescheme attribute to encrypt the new password.

  2. On every IdM server in your topology, execute the following steps:

    1. Stop all IdM services installed on the server: 

      # ipactl stop
      Copy to Clipboard Toggle word wrap

    2. Edit the /etc/dirsrv/IDM-EXAMPLE-COM/dse.ldif file and set the nsslapd-rootpw attribute to the value generated by the pwdhash command: 

      nsslapd-rootpw: {PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...
      Copy to Clipboard Toggle word wrap
    3. Start all IdM services installed on the server: 
    # ipactl start
    Copy to Clipboard Toggle word wrap

5.5. Changing your user password or resetting another user’s password in IdM CLI
Copiar o link

You can change your user password using the Identity Management (IdM) command-line interface (CLI). If you are an administrative user, you can use the CLI to reset another user’s password.

Prerequisites

  • You have obtained a ticket-granting ticket (TGT) for an IdM user.
  • If you are resetting another user’s password, you must have obtained a TGT for an administrative user in IdM.

Procedure

  • Enter the ipa user-mod command with the name of the user and the --password option. The command will prompt you for the new password. 

    $ ipa user-mod idm_user --password
Password:
Enter Password again to verify:
--------------------
Modified user "idm_user"
--------------------
...
    Copy to Clipboard Toggle word wrap

    Note that you can also use the ipa passwd idm_user command instead of ipa user-mod.

By default, when an administrator resets another user’s password, the password expires after the first successful login.

As IdM Directory Manager, you can specify the following privileges for individual IdM administrators:

  • They can perform password change operations without requiring users to change their passwords subsequently on their first login.
  • They can bypass the password policy so that no strength or history enforcement is applied.
Warning

Bypassing the password policy can be a security threat. Exercise caution when selecting users to whom you grant these additional privileges.

Prerequisites

  • You know the Directory Manager password.

Procedure

  1. Enter the ldapmodify command to modify LDAP entries. Specify the name of the IdM server and the 389 port and press Enter: 

    $ ldapmodify -x -D "cn=Directory Manager" -W -h server.idm.example.com -p 389
Enter LDAP Password: <password>
    Copy to Clipboard Toggle word wrap
  2. Enter the Directory Manager password.

  3. Enter the distinguished name for the ipa_pwd_extop password synchronization entry and press Enter: 

    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    Copy to Clipboard Toggle word wrap

  4. Specify the modify type of change and press Enter: 

    changetype: modify
    Copy to Clipboard Toggle word wrap

  5. Specify what type of modification you want LDAP to execute and to which attribute. Press Enter: 

    add: passSyncManagersDNs
    Copy to Clipboard Toggle word wrap

  6. Specify the administrative user accounts in the passSyncManagersDNs attribute. The attribute is multi-valued. For example, to grant the admin user the password resetting powers of Directory Manager: 

    passSyncManagersDNs: \
uid=admin,cn=users,cn=accounts,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

  7. Press Enter twice to stop editing the entry.

    The admin user, listed under passSyncManagerDNs, now has the additional privileges. Repeat the steps on every Identity Management (IdM) server in the domain.

5.7. Checking if an IdM user’s account is locked
Copiar o link

As an Identity Management (IdM) administrator, you can check if an IdM user’s account is locked. For that, you must compare a user’s maximum allowed number of failed login attempts with the number of the user’s actual failed logins.

Prerequisites

  • You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.

Procedure

  1. Display the status of the user account to see the number of failed logins: 

    $ ipa user-status example_user
-----------------------
Account disabled: False
-----------------------
  Server: idm.example.com
  Failed logins: 8
  Last successful authentication: N/A
  Last failed authentication: 20220229080317Z
  Time now: 2022-02-29T08:04:46Z
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

  2. Display the number of allowed login attempts for a particular user: 

    $ ipa pwpolicy-show --user example_user
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
  Grace login limit: -1
    Copy to Clipboard Toggle word wrap
  3. Compare the number of failed logins as displayed in the output of the ipa user-status command with the Max failures number displayed in the output of the ipa pwpolicy-show command. If the number of failed logins equals that of maximum allowed login attempts, the user account is locked.

5.8. Unlocking user accounts after password failures in IdM
Copiar o link

If a user attempts to log in using an incorrect password a certain number of times, Identity Management (IdM) locks the user account, which prevents the user from logging in. For security reasons, IdM does not display any warning message that the user account has been locked. Instead, the CLI prompt might continue asking the user for a password again and again.

IdM automatically unlocks the user account after a specified amount of time has passed. Alternatively, you can unlock the user account manually with the following procedure.

Prerequisites

  • You have obtained the ticket-granting ticket of an IdM administrative user.

Procedure

  • To unlock a user account, use the ipa user-unlock command. 

    $ ipa user-unlock idm_user
-----------------------
Unlocked account "idm_user"
-----------------------
    Copy to Clipboard Toggle word wrap

    After this, the user can log in again.

For performance reasons, Identity Management (IdM) running in Red Hat Enterprise Linux 8 does not store the time stamp of the last successful Kerberos authentication of a user. As a consequence, certain commands, such as ipa user-status, do not display the time stamp.

Prerequisites

  • You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.
  • You have root access to the IdM server on which you are executing the procedure.

Procedure

  1. Display the currently enabled password plug-in features: 

    # ipa config-show | grep "Password plugin features"
  Password plugin features: pass:quotes[AllowNThash], pass:quotes[KDC:Disable Last Success]
    Copy to Clipboard Toggle word wrap

    The output shows that the KDC:Disable Last Success plug-in is enabled. The plug-in hides the last successful Kerberos authentication attempt from being visible in the ipa user-status output.

  2. Add the --ipaconfigstring=feature parameter for every feature to the ipa config-mod command that is currently enabled, except for KDC:Disable Last Success: 

    # ipa config-mod --ipaconfigstring='AllowNThash'
    Copy to Clipboard Toggle word wrap

    This command enables only the AllowNThash plug-in. To enable multiple features, specify the --ipaconfigstring=feature parameter separately for each feature.

  3. Restart IdM: 

    # ipactl restart
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat