[FreeIPA] Reset Failed Password Count for Locked Out Admin Account

If you get locked out of the FreeIPA admin account due to the failed password count being too high you’ll receive an error like this from the command line:

[root@ipa1 ~]# kinit admin

kinit: Client’s credentials have been revoked while getting initial credentials

You’ll also get an Internal Server error via the web interface or some other super ambiguous error message, even if you were in the middle of a web session.

If you don’t have another user with admin privileges that you can use to reset the count with the “ipa” command you’ll need to reset the failure count directly via LDAP (which will require the LDAP Directory Manager password):

[root@ipa1 ~]# ldapmodify -x -D “cn=directory manager” -W

Enter LDAP Password:

One you enter in the password it will return to the next line with NO FURTHER OUTPUT. So don’t sit around waiting for it to process anything. If the password failed it will let you know. Next enter your critia for the directory modification:

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com

changetype: modify

delete: krbLoginFailedCount

To process the modification enter Control-D. If it’s successful you’ll receive a this message:

modifying entry “uid=admin,cn=users,cn=accounts,dc=example,dc=com”