19.2. Setting Password Administrators
The Directory Manager can add the password administrator role to a user or a group of users. Since access control instructions (ACI) need to be set, it is recommended that a group is used to allow just a single ACI set to manage all password administrators. A password administrator can perform any user password operations, including the following:
- forcing the user to change their password,
- changing a user's password to a different storage scheme defined in the password policy,
- bypassing the password syntax checks,
- and adding already hashed passwords.
As explained in Section 19.1, “Setting User Passwords”, ordinary password updates should be done by an existing role in the database that has permission to update only the userPassword attribute. Do not use the password administrator account for these routine tasks.
To specify a user or a group of users as password administrator in a local policy, use ldapmodify to set the passwordAdminDN attribute in the main configuration entry.
# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
To set it in the global policy:
# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W
dn: cn=config
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
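The following script, an added example that is not part of the Directory Server guide, builds the ldapmodify input for either scope from a subtree DN and an admin group DN, deriving the hex-escaped local policy entry DN the way 389 DS names it under cn=nsPwPolicyContainer. It assumes the subtree and group DNs used on this page; the only call that contacts a server is apply_passwd_admin, which the lines at the bottom do not invoke.

```shell
# Hex-escape '=' and ',' so that a whole DN can be embedded as one RDN value.
# This is how 389 DS names a local policy entry: cn=<escaped subtree policy DN>.
escape_dn_value() {
    printf '%s' "$1" | sed 's/=/\\3D/g; s/,/\\2C/g'
}

# DN of the local password policy entry that governs the given subtree.
local_policy_dn() {
    printf 'cn=%s,cn=nsPwPolicyContainer,%s\n' \
        "$(escape_dn_value "cn=nsPwPolicyEntry,$1")" "$1"
}

# LDIF that replaces passwordAdminDN on the target entry with the admin group.
passwd_admin_ldif() {
    target="$1"; group="$2"
    printf 'dn: %s\nchangetype: modify\nreplace: passwordAdminDN\npasswordAdminDN: %s\n' \
        "$target" "$group"
}

# Scope "global" targets cn=config; any other value is treated as a subtree DN
# whose local policy entry receives the attribute.
passwd_admin_ldif_for() {
    scope="$1"; group="$2"
    if [ "$scope" = global ]; then
        passwd_admin_ldif "cn=config" "$group"
    else
        passwd_admin_ldif "$(local_policy_dn "$scope")" "$group"
    fi
}

# Apply the change as Directory Manager (-W prompts for the bind password).
# Assumed connection parameters: the localhost:389 instance used on this page.
apply_passwd_admin() {
    passwd_admin_ldif_for "$1" "$2" \
        | ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W
}

# Print both variants for the page's example group (no server contact).
passwd_admin_ldif_for "ou=People,dc=example,dc=com" "cn=Passwd Admins,ou=groups,dc=example,dc=com"
passwd_admin_ldif_for global "cn=Passwd Admins,ou=groups,dc=example,dc=com"
```

Using a group as the passwordAdminDN value, as the section recommends, means later membership changes need no further edits to the policy entry or to the ACIs that grant the group write access to userPassword.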