Show Table of Contents
19.6. Managing the Directory Manager Password
The Directory Manager is the privileged database administrator, comparable to the
root user in Linux. The Directory Manager entry and the corresponding password are set during the instance installation.
The default distinguished name (DN) of the Directory Manager is
cn=Directory Manager.
Warning
Do not use curly braces (
{}) in the password. Directory Server stores the password in the {password-storage-scheme}hashed_password format. The server interprets characters in curly braces as the password storage scheme. If the string is an invalid storage scheme or if the password is not correctly hashed, the Directory Manager cannot connect to the server.
19.6.1. Resetting the Directory Manager Password
If you lose the Directory Manager password, reset it:
- Stop the Directory Server instance:
# systemctl stop dirsrv@instance_name
- Generate a new password hash. For example:
# pwdhash -D /etc/dirsrv/slapd-instance_name password {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kNSpecifying the path to the Directory Server configuration automatically uses the password storage scheme set in thensslapd-rootpwstorageschemeattribute to encrypt the new password. - Edit the
/etc/dirsrv/slapd-instance_name/dse.ldiffile and set thensslapd-rootpwattribute to the value displayed in the previous step:nsslapd-rootpw: {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN - Start the Directory Server instance:
# systemctl start dirsrv@instance_name
19.6.2. Changing the Directory Manager Password
19.6.2.1. Changing the Directory Manager Password Using the Command Line
To change the Directory Manager password using the command line, your server must support encrypted connections. If your server does not support encrypted connections, use the Directory Server Console to update the Directory Manager password. See Section 19.6.2.2, “Changing the Directory Manager Password Using the Directory Server Console”.
If your server supports encrypted connections, perform these steps to change the password:
- Generate a new password hash. For example:
# pwdhash -D /etc/dirsrv/slapd-instance_name password {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kNSpecifying the path to the Directory Server configuration automatically uses the password storage scheme set in thensslapd-rootpwstorageschemeattribute to encrypt the new password. - Set the
nsslapd-rootpwattribute to the value displayed in the previous step using a secure connection (STARTTLS):# ldapmodify -W -x -D "cn=Directory Manager" -p 389 -h server.example.com -x -ZZ dn: cn=config changetype: modify replace: nsslapd-rootpw nsslapd-rootpw: {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
19.6.2.2. Changing the Directory Manager Password Using the Directory Server Console
As the administrator, perform these steps to change the password:
- Open the Directory Server Console. For details, see Section 1.3.1, “Opening the Directory Server Console”.
- In the Configuration tab, select the host name in the left pane and click the Manager tab.
- Enter a new password and confirm it.
- Click .
19.6.3. Changing the Directory Manager Password Storage Scheme
The password storage scheme specifies which algorithm Directory Server uses to hash a password. To change the storage scheme using the command line, your server must support encrypted connections. If your server does not support encrypted connections, use the Directory Server Console to set the storage scheme. See Section 19.6.3.2, “Changing the Directory Manager Password Storage Scheme Using the Console”.
Note that the storage scheme of the Directory Manager (
nsslapd-rootpwstoragescheme) can be differ than the scheme used to encrypt user passwords (nsslapd-pwstoragescheme).
For a list of supported password storage schemes, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Note
If you change the Directory Manager's password storage scheme you must also reset its password. Existing passwords cannot be re-encrypted.
19.6.3.1. Changing the Directory Manager Password Storage Scheme Using the Command Line
If your server supports encrypted connections, perform these steps to change the password storage scheme:
- Generate a new password hash that uses the new storage scheme. For example:
# pwdhash -s SSHA512 password {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN - Set the
nsslapd-rootpwstorageschemeattribute to the storage scheme and thensslapd-rootpwattribute to the value displayed in the previous step using a secure connection (STARTTLS):# ldapmodify -W -x -D "cn=Directory Manager" -p 389 -h server.example.com -x -F dn: cn=config changetype: modify replace: nsslapd-rootpwstoragescheme nsslapd-rootpwstoragescheme: SSHA512 - replace: nsslapd-rootpw nsslapd-rootpw: {SSHA512}2eyW2uSFhh8LeB/nwZipfvFhSwL2DKZ58kXrCXsxr98Vz0nZI8fhd0W5BbL321Sr9Ulhzo3LhiQLiv4iVGF7hEGezIka65kN
19.6.3.2. Changing the Directory Manager Password Storage Scheme Using the Console
As the administrator, perform these steps to change the Directory Manager password storage scheme:
- Open the Directory Server Console. For details, see Section 1.3.1, “Opening the Directory Server Console”.
- In the Configuration tab, select to the host name in the left pane and click the Manager tab.
- Select a new password storage scheme in the Manager password encryption field.
- Enter a new password and confirm it.
- Click .
19.6.4. Changing the Directory Manager DN
19.6.4.1. Changing the Directory Manager DN Using the Command Line
As the administrator, perform the following step to change the Directory Manager DN to
cn=New Directory Manager:
# ldapmodify -W -x -D "cn=Directory Manager" -p 389 -h server.example.com -x dn: cn=config changetype: modify replace: nsslapd-rootdn nsslapd-rootdn: cn=New Directory Manager
19.6.4.2. Changing the Directory Manager DN Using the Console
As the administrator, perform these steps to change the Directory Manager DN:
- Open the Directory Server Console. For details, see Section 1.3.1, “Opening the Directory Server Console”.
- In the Configuration tab, select to the host name in the left pane and click the Manager tab.
- Enter a new DN for the Directory Manager into the Directory Manager DN field.
- Click .
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.