
FreeIPA - Reset directory manager password

When you inherit an environment, the documentation is rarely complete and sooner or later you'll have to reset an administrative password. In this example, I'll talk about resetting the password for 'cn=Directory Manager' in a FreeIPA setup. That account is the 389-ds superuser behind FreeIPA's LDAP backend: it bypasses ACIs, so it is both the account you need for this kind of repair and the one you least want to leave with an unknown or unmanaged password. I'll be using a replica based on EL8, although the steps should be the same for EL7 and EL9.

First, stop the ipa services on the node. This is not optional: ns-slapd keeps cn=config in memory and rewrites dse.ldif on shutdown, so an edit made while the instance is running is silently overwritten:
 [root@ipa01 ~]# ipactl stop  
Next, create a backup of the current configuration, you know ... just in case anything goes wrong. The file contains password hashes, so keep the copy as restrictive as the original; 'cp -p' preserves its mode and owner instead of leaving a copy under /root with your umask's default (usually 0644):
 [root@ipa01 ~]# cp -p /etc/dirsrv/slapd-ARCHYSLIFE.LAN/dse.ldif /root/dse.ldif.$(date +%F)   
Now, create a new salted hash that will replace the current value. pwdhash takes the cleartext as a command-line argument, so either set HISTCONTROL=ignorespace and prefix the command with a space, or delete it from your history afterwards, unless you want the new Directory Manager password sitting in ~/.bash_history. Because the hash is salted, your output will differ from mine even for the same password:
 [root@ipa01 ~]# pwdhash -s 'SSHA512' 'my_new_supersecure_adminpw'  
 {SSHA512}BdvV0vQ31PBBCjRIXlxl1Ba4xRI/rNNDquWICfP3fO0CPTADgDmtBJGoSgfLIwPPnIV7LWDJLcCXDy96eQJhckKpcNmDZHXd  
The password hash is stored in '/etc/dirsrv/slapd-ARCHYSLIFE.LAN/dse.ldif' (substitute your own instance directory; 'ls /etc/dirsrv/' shows it), so we'll have to edit it:
 [root@ipa01 ~]# vim /etc/dirsrv/slapd-ARCHYSLIFE.LAN/dse.ldif  
Locate the line starting with 'nsslapd-rootpw' and replace it with the new hash. Note the LDIF folding: a long value is continued on the following line, marked by a single leading space, and that continuation line belongs to the old value and has to be replaced too (pasting the new hash on one line is also fine). Leave the neighbouring 'nsslapd-rootdn' line alone. In my example, I had to replace this (example hash):
 nsslapd-rootpw: {SSHA512}swjGSaEE3AN3McTsqvWGBo3dmphPUlDI7shQfSSITus0CShVNeCpSu  
  3n5ablNyLz90Gewimd65gs36kd1C1oveZaxQNsuV4L  
with this:
 nsslapd-rootpw: {SSHA512}BdvV0vQ31PBBCjRIXlxl1Ba4xRI/rNNDquWICfP3fO0CPTADgDmtBJ  
  GoSgfLIwPPnIV7LWDJLcCXDy96eQJhckKpcNmDZHXd  
Now you can start the ipa services again. Before moving on, confirm that a bind as 'cn=Directory Manager' with the new password actually succeeds; a typo in the hash line only shows up at that point:
 [root@ipa01 ~]# ipactl start  
Keep in mind that 'nsslapd-rootpw' lives in cn=config, which is per-server and not replicated, so you'll have to redo these steps on every one of your IPA servers. And record the new password somewhere this time; not having it documented is what got you here.
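The whole procedure as one script, with the checks a careful operator would add. This is an added example and not code from the original post. Assumptions not stated on the page: the instance directory is /etc/dirsrv/slapd-<INSTANCE> and the LDAPI socket is /var/run/slapd-<INSTANCE>.socket (confirm both with 'ls' on your host; FreeIPA instance names may not match the realm exactly), and pwdhash, ipactl and the OpenLDAP client tools are in PATH. The dse.ldif rewriting part runs offline against a constructed fragment that reuses the post's "before" hash; the apply path needs root on the IPA server.

```bash
#!/bin/bash
# Added example, not part of the original post: reset cn=Directory Manager on a
# single FreeIPA server. Assumed (not from the page): instance dir
# /etc/dirsrv/slapd-<INSTANCE>, LDAPI socket /var/run/slapd-<INSTANCE>.socket,
# and pwdhash/ipactl/ldapwhoami in PATH.
set -eu

# Rewrite the nsslapd-rootpw attribute of a dse.ldif, result on stdout.
# dse.ldif folds long values: continuation lines start with a single space,
# so the stale remainder of the old hash is dropped together with its first line.
replace_rootpw() {   # replace_rootpw <dse.ldif> <{SCHEME}hash>
    awk -v newpw="$2" '
        /^nsslapd-rootpw:/ { print "nsslapd-rootpw: " newpw; skip = 1; next }
        skip && /^ /       { next }            # folded remainder of the old value
        { skip = 0; print }
    ' "$1"
}

# Number of nsslapd-rootpw attribute lines in a file; must be exactly 1 afterwards.
count_rootpw() {     # count_rootpw <file>
    grep -c '^nsslapd-rootpw:' "$1" || true
}

# Offline demonstration on a constructed dse.ldif fragment; the folded hash is the
# "before" value shown in the post. Prints the rewritten fragment.
demo_replace() {
    local f
    f="$(mktemp)"
    printf '%s\n' \
        'dn: cn=config' \
        'nsslapd-rootdn: cn=Directory Manager' \
        'nsslapd-rootpw: {SSHA512}swjGSaEE3AN3McTsqvWGBo3dmphPUlDI7shQfSSITus0CShVNeCpSu' \
        ' 3n5ablNyLz90Gewimd65gs36kd1C1oveZaxQNsuV4L' \
        'nsslapd-schemacheck: on' > "$f"
    replace_rootpw "$f" '{SSHA512}REPLACEMENTHASH'
    rm -f "$f"
}

# The real procedure. Prompts for the password so it is not in this script's argv
# or in shell history (pwdhash itself still receives it as an argument).
reset_dm_password() {   # reset_dm_password <INSTANCE>   e.g. ARCHYSLIFE.LAN
    local inst="$1" dse backup newpw hash tmp pwfile
    dse="/etc/dirsrv/slapd-${inst}/dse.ldif"
    backup="/root/dse.ldif.${inst}.$(date +%F)"

    read -r -s -p "New Directory Manager password: " newpw; echo

    # ns-slapd rewrites dse.ldif on shutdown; edits to a running instance are lost.
    ipactl stop

    # The backup holds password hashes: root-only, not umask-default 0644.
    install -m 600 "$dse" "$backup"

    hash="$(pwdhash -s SSHA512 "$newpw")"

    # Write to a temp file beside dse.ldif, sanity-check it, keep the original
    # owner and mode, then swap it in atomically.
    tmp="$(mktemp "${dse}.XXXXXX")"
    replace_rootpw "$dse" "$hash" > "$tmp"
    if [ "$(count_rootpw "$tmp")" -ne 1 ]; then
        echo "refusing to install: expected exactly one nsslapd-rootpw line" >&2
        rm -f "$tmp"; return 1
    fi
    chown --reference="$dse" "$tmp"
    chmod --reference="$dse" "$tmp"
    mv "$tmp" "$dse"

    ipactl start

    # Prove the new credential binds over the local socket before walking away.
    pwfile="$(mktemp)"; chmod 600 "$pwfile"
    printf '%s' "$newpw" > "$pwfile"
    ldapwhoami -H "ldapi://%2Fvar%2Frun%2Fslapd-${inst}.socket" \
        -x -D 'cn=Directory Manager' -y "$pwfile"
    rm -f "$pwfile"
}

# Usage: ./reset-dm.sh apply ARCHYSLIFE.LAN   (as root, on each IPA server)
#        ./reset-dm.sh demo                   (offline, no privileges needed)
case "${1:-}" in
    apply) reset_dm_password "${2:?instance name required}" ;;
    demo)  demo_replace ;;
esac
```

The 'apply' path refuses to install the new file unless exactly one 'nsslapd-rootpw' line survives the rewrite, which catches the common mistake of leaving the old folded continuation line behind or losing the attribute entirely; the final ldapwhoami is the bind test, and a failure there means you restore the backup and retry before the next server.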

Feel free to comment and / or suggest a topic.
