Show Table of Contents
19.2. Setting Password Administrators
The Directory Manager can add the password administrator role to a user or a group of users. Since access control instructions (ACI) need to be set, it is recommended that a group is used to allow just a single ACI set to manage all password administrators. A password administrator can perform any user password operations, including the following:
- forcing the user to change their password,
- changing a user's password to a different storage scheme defined in the password policy,
- bypassing the password syntax checks,
- and adding already hashed passwords.
As explained in Section 19.1, “Setting User Passwords”, it is recommended that ordinary password updates are done by an existing role in the database with permissions to update only the
userPassword attribute. We recommend not to use the password administrator account for these ordinary tasks.
To specify a user or a group of users as password administrator in a local policy, use
ldapmodify to set the passwordAdminDN attribute in the main configuration entry.
# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com changetype: modify replace: passwordAdminDN passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
For setting in the global policy:
# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W dn: cn=config changetype: modify replace: passwordAdminDN passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.