Chapter 20. Managing User Authentication

When a user connects to the Red Hat Directory Server, first the user is authenticated. Then, the directory grants access rights and resource limits to the user depending upon the identity established during authentication.
This chapter describes tasks for managing users, including configuring the password and account lockout policy for the directory, denying groups of users access to the directory, and limiting system resources available to users depending upon their bind DNs.

20.1. Setting User Passwords

You can use an entry to bind to the directory only if it has a userPassword attribute and if it has not been inactivated. Because user passwords are stored in the directory, the user passwords can be set or reset with any LDAP operation, such as using the ldapmodify utility.
When an administrator changes the password of a user, Directory Server sets the pwdReset operational attribute in the user's entry to true. Applications can use this attribute to identify if a password of a user has been reset by an administrator.
For information on creating and modifying directory entries, see Chapter 3, Managing Directory Entries. For information on inactivating user accounts, see Section 20.16, “Manually Inactivating Users and Roles”.
Only password administrators, described in Section 20.2, “Setting Password Administrators”, and the root DN can add pre-hashed passwords. These users can also violate password policies.


When using a password administrator account or the Directory Manager (root DN) to set a password, password policies are bypassed and not verified. Do not use these accounts for regular user password management. Use them only to perform password administration tasks that require bypassing the password policies.