Previously only the root DN (e.g. cn=Directory Manager) was allowed to do certain password operations. Such operations included resetting userpasswords(forcing the user to reset the password on the next login), changing a users password to a different storage scheme that is defined in the policy, and adding already hashed passwords.
Now directory administrators can define a user, or a group of users, who are “Password Administrators”, for example helpdesk employees.
In either the global password policy, or a local password policy, you can specify a DN of a group, or a user, that is a password administrator. These entries do need access control permissions to update such attributes as: userPassword, passwordExpirationtime, etc. Password Administrators and the Root DN (cn=directory manager) can also bypass all password syntax checks. Basically the RootDN, or a Password Administrator, can do anything with userpasswords, regardless of the current password policy settings.
The attribute for configuring this is: passwordAdminDN
Global Policy Example:
dn: cn=config
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
Local Policy Example:
dn: cn=cn\3DnsPwPolicyEntry\2Cou\3DPeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=example,dc=com
changetype: modify
replace: passwordAdminDN
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
Since access control rules do need to be set, it is recommended that a group is used for the password administrators. This way only one ACI is needed to manage the password administrators. It is highly recommended to not use the Root DN, or a Password Administrator, to do all the password management. Any password management that needs to be follow the password policy should be done by an existing entry in the database that has permissions to update the userpassword attribute.
CLI Only
Use ldapmodify to set passwordAdminDN in the main config entry(cn=config) for in a local password policy container.
You must set the passwordAdminDN attribute.
No impact on replication.
No impact on updates and upgrades.
None.
No external impact.
Mark Reynolds mreynolds@redhat.com