14.2. Managing the Directory Manager Password

The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. The Directory Manager entry and its associated password are created during installation. The default DN is cn=Directory Manager.

14.2.1. Changing the Directory Manager Password

The password for the Directory Manager superuser is defined in the nsslapd-rootpw attribute.

Note

The password can be changed using ldapmodify by sending the password in plaintext. Changing the password through the Directory Server Console ensures that the password is immediately hashed when it is saved in the dse.ldif file, so it is never saved in clear text.

Important

When resetting the Directory Manager's password from the command line, do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password. If that text is not a valid storage scheme or if the password that follows is not properly hashed, then the Directory Manager cannot bind to the server.

Note

Both the Directory Manager password and its password storage scheme can be changed in the Directory Server Console. The password by itself can be changed. However, if the password storage scheme is changed, then the password must also be changed, so that it can be rehashed and stored with the new scheme.

  1. Log into the Directory Server Console as Directory Manager.
  2. Select the Configuration tab, and then select the top entry in the navigation tree in the left pane.
  3. Select the Manager tab in the right pane.
  4. Enter a new password, and confirm it.

14.2.2. Changing the Directory Manager Password Storage Scheme

The nsslapd-rootpw attribute contains a hash of the password and an indication of the password storage scheme in braces, such as {SSHA}. If the password is in clear text, then the password storage scheme is CLEAR. The default password storage scheme is SSHA.

nsslapd-rootpw: {SSHA}od1V7JmQlMdldxrOlp3XSnMuXZVsXi8/YUVM7Q==
nsslapd-rootpwstoragescheme: SSHA

To change the password storage scheme:
  1. Log into the Directory Server Console as Directory Manager. For information on changing the bind DN, see Section 1.4.3, “Changing the Login Identity”.
  2. Select the Configuration tab, and then select the top entry in the navigation tree in the left pane.
  3. Select the Manager tab in the right pane.
  4. Set the storage scheme for the server to use to store the password for Directory Manager in the Manager Password Encryption pull-down menu.
  5. Enter a new password, and confirm it.

    Note

    If the password storage scheme is changed, then the password must also be changed so that it can be rehashed and stored with the new scheme.
    As always, do not use curly braces ({}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password. If that text is not a valid storage scheme or if the password that follows is not properly hashed, then the Directory Manager cannot bind to the server.
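The {password-storage-scheme}hashed_password format described above can be checked before a value is written to dse.ldif. The following Python script is an added example, not part of the Directory Server documentation or code: it splits an nsslapd-rootpw value into scheme and payload (showing how braces typed into a password become a bogus scheme), flags CLEAR or unrecognised schemes, and verifies a candidate password against an {SSHA} value. It assumes the SSHA layout base64(sha1(password + salt) + salt) and a deliberately small KNOWN_SCHEMES set.

```python
import base64
import hashlib
import secrets

KNOWN_SCHEMES = {"SSHA", "CLEAR"}  # small set chosen for this example; the server supports more

def parse_rootpw(value):
    """Split an nsslapd-rootpw value into (scheme, payload); (None, value) if no prefix.
    Everything between the leading braces is taken as the storage scheme, so a
    password typed as '{abc}secret' would be read as scheme 'abc'."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 0:
            return value[1:end], value[end + 1:]
    return None, value

def ssha_hash(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt), 8-byte random salt."""
    if salt is None:
        salt = secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    scheme, payload = parse_rootpw(stored)
    if scheme != "SSHA":
        return False
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)

def check_rootpw(value):
    """Return findings for a stored nsslapd-rootpw value; [] means it looks sound."""
    scheme, payload = parse_rootpw(value)
    if scheme is None:
        return ["no {scheme} prefix: value is not in {scheme}hash form"]
    if scheme == "CLEAR":
        return ["root password is stored in clear text"]
    if scheme not in KNOWN_SCHEMES:
        return [f"unrecognised scheme '{scheme}': Directory Manager cannot bind"]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["SSHA payload is not valid base64"]
    if len(raw) <= 20:
        return ["SSHA payload too short to hold a digest and a salt"]
    return []
```

Run check_rootpw against the nsslapd-rootpw line of a dse.ldif copy to confirm the stored value is hashed with a valid scheme before restarting the server.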

14.2.3. Changing the Directory Manager DN

The default DN for the Directory Manager is cn=Directory Manager, which is created when the Directory Server is installed. This DN can be changed to a unique DN.
  1. Log into the Directory Server Console as Directory Manager.
  2. Select the Configuration tab, and then select the top entry in the navigation tree in the left pane.
  3. Select the Manager tab in the right pane.
  4. Change the distinguished name for the Directory Manager in the Root DN field. The default value is cn=Directory Manager.