19.2. Setting Password Administrators

The Directory Manager can assign the password administrator role to a user or to a group of users. Because the role also requires access control instructions (ACIs) granting write access to the userPassword attribute, use a group: a single ACI then covers every password administrator, and adding or removing an administrator is a group-membership change rather than an ACI change. A password administrator can perform any user password operation, including the following:
  • forcing the user to change their password,
  • changing a user's password to a different storage scheme defined in the password policy,
  • bypassing the password syntax checks,
  • adding already-hashed passwords.
As explained in Section 19.1, “Setting User Passwords”, ordinary password updates should be performed by an existing role in the database that has permission to update only the userPassword attribute. Do not use the password administrator account for these routine tasks: every change it makes bypasses the password policy checks listed above.
To specify a user or a group of users as password administrator in a local policy, use ldapmodify to set the passwordAdminDN attribute on the local policy entry, that is, the nsPwPolicyEntry under the subtree's nsPwPolicyContainer. For the ou=People,dc=example,dc=com subtree:
# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
To set it in the global policy, set the same attribute on cn=config:
# ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W
dn: cn=config
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
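As an added example (not taken from the Directory Server documentation), the following POSIX shell script renders the LDIF for the complete procedure, for both a local and the global policy: creating the Passwd Admins group, adding the ACI that grants it write access to userPassword under the subtree, and setting passwordAdminDN. It also shows how the local policy DN used above is derived: the RDN value is the DN cn=nsPwPolicyEntry,<subtree> with every = and , escaped as \3D and \2C. The group DN, the member DN (uid=pwadmin1,ou=People,dc=example,dc=com), the ACI name and the groupOfUniqueNames object class are assumptions made for the example; the nsPwPolicyContainer is assumed to exist already, as set up in Section 19.1.

```shell
#!/bin/sh
# Added example, not taken from the Directory Server documentation: it renders
# the LDIF for the whole procedure (group, ACI, passwordAdminDN) so the pieces
# can be reviewed and then piped into ldapmodify. Assumptions: the subtree
# already has its nsPwPolicyContainer from Section 19.1; the group DN, the
# member DN and the ACI name are illustrative; the group uses
# groupOfUniqueNames.
set -eu

# Escape '=' and ',' so a whole DN can be embedded as one RDN value.
# This is how the local policy entry's RDN is formed: the value is the DN
# "cn=nsPwPolicyEntry,<subtree>" with '=' -> \3D and ',' -> \2C.
escape_rdn_value() {
    printf '%s' "$1" | sed 's/=/\\3D/g; s/,/\\2C/g'
}

# DN of the local password policy entry that governs a subtree.
local_policy_dn() {
    subtree=$1
    printf 'cn=%s,cn=nsPwPolicyContainer,%s' \
        "$(escape_rdn_value "cn=nsPwPolicyEntry,$subtree")" "$subtree"
}

# LDIF that creates the password administrators group with one member.
group_ldif() {
    group_dn=$1 member_dn=$2
    rdn=${group_dn%%,*}            # e.g. "cn=Passwd Admins"
    printf 'dn: %s\nchangetype: add\nobjectClass: top\n' "$group_dn"
    printf 'objectClass: groupOfUniqueNames\ncn: %s\nuniqueMember: %s\n\n' \
        "${rdn#cn=}" "$member_dn"
}

# LDIF that grants the group write access to userPassword under the subtree.
# Being listed in passwordAdminDN only exempts the DN from the policy checks;
# without this ACI the members still cannot write userPassword.
aci_ldif() {
    group_dn=$1 subtree=$2
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$subtree"
    printf 'aci: (targetattr="userPassword")(version 3.0; acl "Password administrators"; allow (write) groupdn="ldap:///%s";)\n\n' \
        "$group_dn"
}

# LDIF that registers the group as passwordAdminDN in the subtree's local policy.
local_admin_ldif() {
    group_dn=$1 subtree=$2
    printf 'dn: %s\nchangetype: modify\nreplace: passwordAdminDN\npasswordAdminDN: %s\n\n' \
        "$(local_policy_dn "$subtree")" "$group_dn"
}

# The same registration in the global policy (cn=config).
global_admin_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: passwordAdminDN\npasswordAdminDN: %s\n\n' "$1"
}

# All three local-policy steps, in the order they must be applied.
pwadmin_ldif() {
    group_dn=$1 subtree=$2 member_dn=$3
    group_ldif "$group_dn" "$member_dn"
    aci_ldif "$group_dn" "$subtree"
    local_admin_ldif "$group_dn" "$subtree"
}

# When run as a script, print the LDIF; pipe it into ldapmodify:
#   sh pwadmin-ldif.sh | ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W
pwadmin_ldif "${GROUP_DN:-cn=Passwd Admins,ou=groups,dc=example,dc=com}" \
             "${SUBTREE:-ou=People,dc=example,dc=com}" \
             "${MEMBER_DN:-uid=pwadmin1,ou=People,dc=example,dc=com}"
```

Review the printed LDIF before piping it into ldapmodify. To confirm the setting took effect, read the attribute back as Directory Manager, for example ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" -s base passwordAdminDN for the global policy, or the local policy DN as the search base for a local one. Keep in mind that passwordAdminDN exempts the listed DN from the policy checks but grants no access by itself; the ACI is what lets the group write userPassword, so review both together when auditing who can reset passwords.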