lolcreds

Public credential defaults and exposure patterns for authorized security testing.

FreeIPA

FreeIPA Projectidentity4 credentials

Credentials4 documented
01

Directory Manager Password

freeipa / directory-manager-password

FreeIPA LDAP administration uses Directory Manager credentials for some installation and certificate-management operations. FreeIPA docs show DM_PASSWORD used with ipa-cacert-manage when installing CA certificates.

generated on installuser definedsecretusername/password

Location

config file

FreeIPA install answer files, administrative scripts, and deployment manifests

environment
DM_PASSWORD, IPA_DM_PASSWORD
secret store

password vaults, Ansible Vault, Kubernetes Secrets, and cloud secret managers

source code

committed install playbooks, scripts, and test configs

logs

installation logs, certificate-management command output, and shell history

public interface
LDAP/LDAPS, FreeIPA admin tools

Notes

Directory Manager is a highly privileged LDAP administrative identity. Keep its password separate from ordinary IPA user passwords.

02

IPA Admin/User Password

freeipa / admin-user-password

FreeIPA manages users and administrators through Kerberos and LDAP-backed identity data. The initial admin user password is created during server installation and then used for IPA web UI, CLI, and Kerberos login.

generated on installuser definedsecretusername/password

Location

database

FreeIPA LDAP/389 Directory Server and Kerberos database storing identity and credential verifier state

public interface
FreeIPA web UI, Kerberos, LDAP/LDAPS
environment
IPA_ADMIN_PASSWORD, ADMIN_PASSWORD
secret store

Ansible Vault, password vaults, and provisioning secrets

source code

installation playbooks, tests, and committed variables

logs

ipa-server-install logs, kinit traces, and shell history

Notes

The username admin is conventional for the first administrative account, but the password is installation-specific.

03

Kerberos Keytab

freeipa / keytab

FreeIPA issues Kerberos principals and keytabs for services and hosts. Keytab files act as reusable credentials for non-interactive authentication to IPA-managed services.

generated on installsecretkey pair

Looks like

pattern
pattern

textual/keytab export context; binary keytab files are usually identified by path and use rather than inline text

-----BEGIN .*KEYTAB.*-----

Location

config file
/etc/krb5.keytab, *.keytab

host and service keytab files

secret store

configuration management vaults, Kubernetes Secrets, and service keytab stores

source code

accidentally committed keytabs and deployment bundles

artifact

host backups, VM images, and container images containing keytabs

logs

kinit, ipa-getkeytab, and service startup troubleshooting output

Notes

A keytab can authenticate as the corresponding Kerberos principal until the principal keys are rotated.

04

Certificate / PKCS#12 Password

freeipa / certificate-private-key-password

FreeIPA certificate replacement workflows can use PKCS#12 bundles protected by passwords, including http_pin and dirsrv_pin values for HTTP and LDAP service certificates.

user definedsecretpassword

Location

config file

certificate deployment scripts and IPA certificate install commands

secret store

PKCS#12 bundles, NSS databases, HSM/KMS stores, and vault entries

source code

committed certificate automation and Ansible variables

artifact

certificate bundles and host backups

logs

certutil, ipa-server-certinstall, and shell command history output

Notes

These passwords protect private keys for FreeIPA HTTP and directory services and should be rotated if exposed.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.