Angus Clarke via FreeIPA-users wrote:
Hello
We don't use FreeIPA passwords for user accounts; however, some accounts have had passwords set, which we notice from time to time. I would like to revert those accounts to the state they were in when the user was newly added but the password not yet set.
I don't see anything obvious in the documentation; perhaps there is some behind-the-scenes way of achieving this? (For reference, I used to put "!!" in /etc/shadow when using local files.)
There is no equivalent of "no password allowed" in IPA. I think there is or was an RFE for this at one point.
To clear out existing password attributes you'd need to use ldapmodify and bind as the Directory Manager to remove them.
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: krbprincipalkey
-
delete: userpassword
-
delete: krbextradata
-
delete: krbpasswordexpiration
-
delete: krblastpwdchange
<extra blank line>
^D
rob
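The same attribute removal as a small POSIX shell helper, added here as an example and not code from the thread or from the FreeIPA project. It generates Rob's LDIF for any uid, feeds it to ldapmodify bound as Directory Manager, and afterwards checks with ldapsearch that none of the five attributes is still present. The users base DN, the user name "tuser1" and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. The base DN below is an
# assumed value; override it with IPA_USERS_BASE for a real deployment.
IPA_USERS_BASE="${IPA_USERS_BASE:-cn=users,cn=accounts,dc=example,dc=test}"

# Print the modify LDIF for one user. A "delete:" line with no value removes
# every value of that attribute; a lone "-" separates the changes applied to
# the same entry, and the trailing empty line ends the entry.
make_unset_ldif() {
    _uid="$1"
    printf '%s\n' \
        "dn: uid=${_uid},${IPA_USERS_BASE}" \
        "changetype: modify" \
        "delete: krbprincipalkey" \
        "-" \
        "delete: userpassword" \
        "-" \
        "delete: krbextradata" \
        "-" \
        "delete: krbpasswordexpiration" \
        "-" \
        "delete: krblastpwdchange" \
        ""
}

# Apply the LDIF: -x simple bind, -D the Directory Manager DN, -W prompt for
# its password (so it never lands in the shell history).
unset_ipa_password() {
    make_unset_ldif "$1" | ldapmodify -x -D 'cn=directory manager' -W
}

# Post-change check: read back only the five attributes from the entry and
# fail if any of them is still returned. "(objectClass=*)" is the filter;
# the attribute names after it restrict what the server returns.
verify_cleared() {
    if ldapsearch -x -LLL -D 'cn=directory manager' -W \
            -b "uid=$1,${IPA_USERS_BASE}" -s base '(objectClass=*)' \
            userPassword krbPrincipalKey krbExtraData \
            krbPasswordExpiration krbLastPwdChange \
        | grep -Eiq '^(userPassword|krbPrincipalKey|krbExtraData|krbPasswordExpiration|krbLastPwdChange):'
    then
        echo "uid=$1 still carries password attributes" >&2
        return 1
    fi
    echo "uid=$1 cleared"
    return 0
}

# Usage (interactive, prompts twice for the Directory Manager password):
#   unset_ipa_password tuser1 && verify_cleared tuser1
```

One caveat worth knowing before running this against a real entry: an LDAP modify is applied atomically per entry, so if the user lacks any one of the five attributes (for example krbPasswordExpiration was never set), the server rejects the whole modify with "no such attribute" and nothing is removed. In that case drop the clause for the missing attribute from the LDIF and rerun.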
After running, the web UI no longer shows a string of asterisks next to the password field of the user.
Thanks ever so much! Angus
From: Rob Crittenden <rcritten@redhat.com>
Sent: 04 May 2020 15:34
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Angus Clarke <post@angusclarke.com>
Subject: Re: [Freeipa-users] Unset passwords for accounts