After running, the web UI no longer shows a string of asterisks next to the password field
of the user.
Thanks ever so much!
Angus
________________________________
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: 04 May 2020 15:34
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Angus Clarke <post(a)angusclarke.com>
Subject: Re: [Freeipa-users] Unset passwords for accounts
Angus Clarke via FreeIPA-users wrote:
Hello
We don't use FreeIPA passwords for user accounts however some accounts
have had passwords set which is noticed from time to time. I would like
to revert those account passwords to the point when the user was newly
added but the password not yet set.
I don't see anything obvious in the documentation, perhaps there is some
behind the scenes way of achieving this? (For reference, I used to put
"!!" in /etc/shadow when using local files)
There is no equivalent of "no password allowed" in IPA. I think there is
or was an RFE for this at one point.
To clear out existing password attributes you'd need to use ldapmodify
and bind as the Directory Manager to remove them.
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: krbprincipalkey
-
delete: userpassword
-
delete: krbextradata
-
delete: krbpasswordexpiration
-
delete: krblastpwdchange
<extra blank line>
^D
rob
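
An added example, not part of the thread: LDAP applies a modify request atomically, and deleting an attribute the entry does not hold fails with "no such attribute", so the five-attribute LDIF quoted above is rejected in full for an account that lacks any one of them. The sketch below builds a modify record that deletes only the attributes actually present; the helper name build_clear_ldif and the sample entry are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The attribute list is the one from the ldapmodify session in the thread.
PW_ATTRS="krbprincipalkey userpassword krbextradata krbpasswordexpiration krblastpwdchange"

# build_clear_ldif (hypothetical helper): reads ONE entry in LDIF form on stdin, e.g. from
#   ldapsearch -LLL -x -D 'cn=directory manager' -W -s base -b <user dn> $PW_ATTRS
# and prints a modify record deleting only those PW_ATTRS the entry currently holds.
# Prints nothing if none are present; returns 2 if no single plain-text dn was found.
build_clear_ldif() {
    awk -v want="$PW_ATTRS" '
    function take(l,   name) {
        if (l ~ /^dn::/) { bad = 1; return }            # base64 DN: refuse to guess
        if (l ~ /^dn: /) { if (dn != "") bad = 1; dn = substr(l, 5); return }
        name = tolower(l)                               # attribute names are case-insensitive
        sub(/[:;].*$/, "", name)                        # drop options and value
        if (name in target) present[name] = 1
    }
    BEGIN { n = split(want, order, " "); for (i = 1; i <= n; i++) target[order[i]] = 1 }
    /^ / { line = line substr($0, 2); next }            # unfold LDIF continuation line
    { take(line); line = $0 }
    END {
        take(line)
        if (bad || dn == "") exit 2
        for (i = 1; i <= n; i++)
            if (order[i] in present) body = body "delete: " order[i] "\n-\n"
        if (body != "") printf "dn: %s\nchangetype: modify\n%s\n", dn, body
    }'
}

# Constructed sample entry (values are placeholders): password attributes are
# set, but krbExtraData and krbPasswordExpiration are absent; the dn is folded.
SAMPLE='dn: uid=tuser1,cn=users,cn=accounts,
 dc=example,dc=test
userPassword:: Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0ZWQ=
krbLastPwdChange: 20200504133400Z
uid: tuser1'

# Review the generated record before feeding it to ldapmodify.
printf '%s\n' "$SAMPLE" | build_clear_ldif
```

Running the same ldapsearch again after the modify and getting no attributes back confirms the account no longer holds a password or Kerberos key.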