19.6. Managing the Directory Manager Password

The Directory Manager is the privileged database administrator, comparable to the root user in Linux. The Directory Manager entry and the corresponding password are set during the instance installation.
The default distinguished name (DN) of the Directory Manager is cn=Directory Manager.

Warning

Do not use curly braces ({}) in the password. Directory Server stores the password in the {password-storage-scheme}hashed_password format. The server interprets characters in curly braces as the password storage scheme. If the string is an invalid storage scheme or if the password is not correctly hashed, the Directory Manager cannot connect to the server.

19.6.1. Resetting the Directory Manager Password

If you lose the Directory Manager password, reset it:
  1. Stop the Directory Server instance:
    # systemctl stop dirsrv@instance_name
  2. Generate a new password hash. For example:
    # pwdhash -D /etc/dirsrv/slapd-instance_name password
    {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
    Specifying the path to the Directory Server configuration automatically uses the password storage scheme set in the nsslapd-rootpwstoragescheme attribute to hash the new password.
  3. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and set the nsslapd-rootpw attribute to the value displayed in the previous step:
    nsslapd-rootpw: {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
  4. Start the Directory Server instance:
    # systemctl start dirsrv@instance_name
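The following Python is an added illustration, not code from the page or from Directory Server itself. It reproduces the {SCHEME}hash layout that the Warning above describes and that pwdhash prints for the salted SHA schemes: the digest of password||salt, followed by the salt, base64-encoded under a {SSHA512}-style tag. The 8-byte salt length is an assumption (it matches the 96-character sample value, 64 digest bytes plus 8 salt bytes); check_password_chars() implements the Warning's rule against curly braces. On a real server keep using pwdhash; the point here is to see what the nsslapd-rootpw value contains and to verify a candidate password against it offline.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: 8-byte salt, consistent with the 96-character SSHA512 sample
# (64-byte SHA-512 digest + 8-byte salt = 72 bytes = 96 base64 characters).
SALT_LEN = 8

# Salted SHA schemes handled by this example, keyed by their {SCHEME} tag.
SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA512": hashlib.sha512,
}


def check_password_chars(password: str) -> bool:
    """True if the password may be used for the Directory Manager.

    Curly braces are rejected because the server reads the text between
    '{' and '}' at the start of a stored value as the storage-scheme tag.
    """
    return "{" not in password and "}" not in password


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split '{SCHEME}base64data' into ('SCHEME', 'base64data')."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value lacks a {SCHEME} prefix")
    end = stored.index("}")
    scheme, data = stored[1:end], stored[end + 1:]
    if scheme not in SCHEMES:
        raise ValueError("unsupported storage scheme: " + scheme)
    return scheme, data


def hash_password(password: str, scheme: str = "SSHA512",
                  salt: Optional[bytes] = None) -> str:
    """Build a {SCHEME}base64(digest || salt) value for a salted SHA scheme."""
    if not check_password_chars(password):
        raise ValueError("password must not contain curly braces")
    if scheme not in SCHEMES:
        raise ValueError("unsupported storage scheme: " + scheme)
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Recover the salt from the stored value and recompute the digest."""
    scheme, data = split_scheme(stored)
    raw = base64.b64decode(data)
    digest_len = SCHEMES[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = SCHEMES[scheme](candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    value = hash_password("Secret123")          # constructed sample password
    print(value)                                # {SSHA512}... (96 base64 chars)
    print(verify_password(value, "Secret123"))  # True
    print(check_password_chars("no{braces}"))   # False
```

Verifying a value produced by the real pwdhash with verify_password() is a quick way to confirm that the hash you are about to paste into dse.ldif actually corresponds to the password you intend to use.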

19.6.2. Changing the Directory Manager Password

19.6.2.1. Changing the Directory Manager Password Using the Command Line

To change the Directory Manager password using the command line, your server must support encrypted connections. If your server does not support encrypted connections, use the Directory Server Console to update the Directory Manager password. See Section 19.6.2.2, “Changing the Directory Manager Password Using the Directory Server Console”.
If your server supports encrypted connections, perform these steps to change the password:
  1. Generate a new password hash. For example:
    # pwdhash -D /etc/dirsrv/slapd-instance_name password
    {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
    Specifying the path to the Directory Server configuration automatically uses the password storage scheme set in the nsslapd-rootpwstoragescheme attribute to hash the new password.
  2. Set the nsslapd-rootpw attribute to the value displayed in the previous step using a secure connection (STARTTLS):
    # ldapmodify -W -x -D "cn=Directory Manager" -p 389 -h server.example.com -ZZ
    
    dn: cn=config
    changetype: modify
    replace: nsslapd-rootpw
    nsslapd-rootpw: {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN

19.6.2.2. Changing the Directory Manager Password Using the Directory Server Console

As the administrator, perform these steps to change the password:
  1. Open the Directory Server Console. For details, see Section 1.3.1, “Opening the Directory Server Console”.
  2. In the Configuration tab, select the host name in the left pane and click the Manager tab.
  3. Enter a new password and confirm it.
  4. Click Save.

19.6.3. Changing the Directory Manager Password Storage Scheme

The password storage scheme specifies which algorithm Directory Server uses to hash a password. To change the storage scheme using the command line, your server must support encrypted connections. If your server does not support encrypted connections, use the Directory Server Console to set the storage scheme. See Section 19.6.3.2, “Changing the Directory Manager Password Storage Scheme Using the Console”.
Note that the storage scheme of the Directory Manager (nsslapd-rootpwstoragescheme) can differ from the scheme used to hash user passwords (nsslapd-pwstoragescheme).
For a list of supported password storage schemes, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

Note

If you change the Directory Manager's password storage scheme, you must also reset its password. Existing passwords cannot be re-encrypted.

19.6.3.1. Changing the Directory Manager Password Storage Scheme Using the Command Line

If your server supports encrypted connections, perform these steps to change the password storage scheme:
  1. Generate a new password hash that uses the new storage scheme. For example:
    # pwdhash -s SSHA512 password
    {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
  2. Set the nsslapd-rootpwstoragescheme attribute to the storage scheme and the nsslapd-rootpw attribute to the value displayed in the previous step using a secure connection (STARTTLS):
    # ldapmodify -W -x -D "cn=Directory Manager" -p 389 -h server.example.com -ZZ
    
    dn: cn=config
    changetype: modify
    replace: nsslapd-rootpwstoragescheme
    nsslapd-rootpwstoragescheme: SSHA512
    -
    replace: nsslapd-rootpw
    nsslapd-rootpw: {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
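The Python below is an added example, not code from the page or from Directory Server, that audits the cn=config entry of a dse.ldif for the two conditions this section and the Warning in Section 19.6 describe: a nsslapd-rootpw value whose {SCHEME} tag is not a recognised storage scheme (or is missing entirely), and a tag that does not match nsslapd-rootpwstoragescheme, which is what you are left with when the scheme is changed without resetting the password as the Note requires. The LDIF fragment is constructed, the hash value in it is a labelled placeholder, and KNOWN_SCHEMES is a subset of the schemes the server supports (the full list is in the Configuration, Command, and File Reference); the parser handles only the simple one-line attribute: value form.

```python
import re
from typing import Dict, List

# Subset of storage schemes known to this example; the server supports more.
KNOWN_SCHEMES = {"SSHA", "SSHA256", "SSHA384", "SSHA512",
                 "PBKDF2_SHA256", "CRYPT", "CLEAR"}

# Constructed dse.ldif fragment (not from a real server): the storage scheme
# was switched to SSHA512, but nsslapd-rootpw still carries an SSHA-tagged
# value. The base64 text is a placeholder, not a real hash.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpwstoragescheme: SSHA512
nsslapd-rootpw: {SSHA}cGxhY2Vob2xkZXI=
"""

# Matches '{SCHEME}data' and captures both parts.
TAGGED_VALUE = re.compile(r"^\{([^{}]+)\}(.+)$")


def parse_config_entry(ldif: str) -> Dict[str, str]:
    """Collect 'attribute: value' lines into a dict keyed by lowercase name.

    Limitation of this example: folded continuation lines and '::' base64
    values, which real LDIF allows, are not handled.
    """
    attrs: Dict[str, str] = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name.strip().lower()] = value.strip()
    return attrs


def audit_rootpw(attrs: Dict[str, str]) -> List[str]:
    """Return human-readable findings about the Directory Manager password value."""
    findings: List[str] = []
    configured = attrs.get("nsslapd-rootpwstoragescheme", "")
    rootpw = attrs.get("nsslapd-rootpw", "")

    match = TAGGED_VALUE.match(rootpw)
    if not match:
        findings.append("nsslapd-rootpw has no {SCHEME} prefix; the server "
                        "expects the {scheme}hashed_password form")
        return findings

    tag = match.group(1)
    if tag.upper() not in KNOWN_SCHEMES:
        findings.append("nsslapd-rootpw is tagged with unknown storage scheme "
                        "'%s'; the Directory Manager will not be able to bind" % tag)
    if configured and tag.upper() != configured.upper():
        findings.append("nsslapd-rootpw is tagged %s but nsslapd-rootpwstoragescheme "
                        "is %s; reset the password after changing the scheme"
                        % (tag, configured))
    return findings


if __name__ == "__main__":
    for finding in audit_rootpw(parse_config_entry(SAMPLE_DSE_LDIF)):
        print("FINDING:", finding)
```

Run it against a copy of dse.ldif taken while the instance is stopped, as in the reset procedure; an empty result means the tag on nsslapd-rootpw agrees with nsslapd-rootpwstoragescheme and is a scheme this example recognises.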

19.6.3.2. Changing the Directory Manager Password Storage Scheme Using the Console

As the administrator, perform these steps to change the Directory Manager password storage scheme:
  1. Open the Directory Server Console. For details, see Section 1.3.1, “Opening the Directory Server Console”.
  2. In the Configuration tab, select the host name in the left pane and click the Manager tab.
  3. Select a new password storage scheme in the Manager password encryption field.
  4. Enter a new password and confirm it.
  5. Click Save.

19.6.4. Changing the Directory Manager DN

19.6.4.1. Changing the Directory Manager DN Using the Command Line

As the administrator, perform the following step to change the Directory Manager DN to cn=New Directory Manager:
# ldapmodify -W -x -D "cn=Directory Manager" -p 389 -h server.example.com

dn: cn=config
changetype: modify
replace: nsslapd-rootdn
nsslapd-rootdn: cn=New Directory Manager

19.6.4.2. Changing the Directory Manager DN Using the Console

As the administrator, perform these steps to change the Directory Manager DN:
  1. Open the Directory Server Console. For details, see Section 1.3.1, “Opening the Directory Server Console”.
  2. In the Configuration tab, select the host name in the left pane and click the Manager tab.
  3. Enter a new DN for the Directory Manager into the Directory Manager DN field.
  4. Click Save.