This is a short note on how to unlock the admin account in FreeIPA.

# kinit admin
kinit: Client's credentials have been revoked while getting initial credentials

When too many incorrect password attempts are made, the admin account is locked out. To unlock it, perform the following on the FreeIPA server:

# ldapmodify -x -D "cn=directory manager" -W
Enter LDAP Password:
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
delete: krbLoginFailedCount

To process the modification, press Control-D. If it’s successful, you’ll receive this message:

modifying entry "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
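
The same procedure as a non-interactive script, added here as an example and not part of the original note. It reads krbLoginFailedCount and krbLastFailedAuth first, so the failure count and time are on record before the counter is cleared, and it skips the delete when the attribute is absent, since ldapmodify rejects deleting an attribute the entry does not have. The function names and the sample entry are constructed for illustration; the base DN is the note's dc=example,dc=com.

```shell
#!/bin/sh
# Added example: function names and SAMPLE_ENTRY are constructed, not FreeIPA's own.

# Print the krbLoginFailedCount value found in LDIF on stdin (0 if absent).
# LDIF attribute names are case-insensitive, hence tolower().
failed_count() {
    awk -F': ' 'tolower($1) == "krbloginfailedcount" { n = $2 } END { print n + 0 }'
}

# Emit the same modification the note types interactively.
unlock_ldif() {  # $1 = uid, $2 = base DN
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$2"
    printf 'changetype: modify\n'
    printf 'delete: krbLoginFailedCount\n'
}

# Inspect the entry, then clear the counter only if there is one to clear.
# -W prompts for the Directory Manager password once per command.
unlock_account() {  # $1 = uid, $2 = base DN
    entry=$(ldapsearch -x -LLL -D "cn=directory manager" -W \
        -b "uid=$1,cn=users,cn=accounts,$2" -s base \
        krbLoginFailedCount krbLastFailedAuth) || return 1
    printf '%s\n' "$entry"   # keep a record of the count and last failure time
    count=$(printf '%s\n' "$entry" | failed_count)
    if [ "$count" -eq 0 ]; then
        echo "no failed-login count on this server; nothing to clear" >&2
        return 2
    fi
    unlock_ldif "$1" "$2" | ldapmodify -x -D "cn=directory manager" -W
}

# Constructed sample of ldapsearch -LLL output for a locked-out entry.
SAMPLE_ENTRY='dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbLoginFailedCount: 6
krbLastFailedAuth: 20240101120000Z'

# Run on the FreeIPA server as:  unlock_account admin dc=example,dc=com
```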