Chapter 7. Assigning password administrator permissions
The Directory Manager can assign the password administrator role to a user or a group of users. Because password administrators need access control instructions (ACIs) with the appropriate permissions, Red Hat recommends that you configure a group to allow a single ACI set to manage all password administrators.
Using the password administrator role is beneficial in the following scenarios:
- setting up an attribute that forces the user to change their password at the time of the next login
- changing a user’s password to a different storage scheme defined in the password policy
A password administrator can perform any user password operations. When using a password administrator account or the Directory Manager (root DN) to set a password, password policies are bypassed and not verified. Do not use these accounts for regular user password management. Red Hat recommends performing ordinary password updates under an existing role in the database with permissions to update only the userPassword attribute.
You can add a new passwordAdminSkipInfoUpdate: on/off setting under the cn=config entry to provide fine-grained control over password updates performed by password administrators. When you enable this setting, password updates do not update certain attributes, for example, passwordHistory, passwordExpirationTime, passwordRetryCount, pwdReset, and passwordExpWarned.
7.1. Assigning password administrator permissions in a global policy
In a global policy, you can assign the password administrator role to a user or a group of users. Red Hat recommends that you configure a group to allow a single access control instruction (ACI) set to manage all password administrators.
Prerequisites
- You have created a group named password_admins that includes all of the users to whom you want to assign the password administrator role.
Procedure
1. Create the ACI that defines the permissions for a password administrator role:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x << EOF
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(objectClass=nsAccount)")(version 3.0; acl "Enable user password reset"; allow (write, read)(groupdn="ldap:///cn=password_admins,ou=groups,dc=example,dc=com");)
EOF
2. Assign the password administrator role to the group:
# dsconf -D "cn=Directory Manager" ldap://server.example.com pwpolicy set --pwdadmin "cn=password_admins,ou=groups,dc=example,dc=com"
7.2. Assigning password administrator permissions in a local policy
In a local policy, you can assign the password administrator role to a user or a group of users. Red Hat recommends that you configure a group to allow a single access control instruction (ACI) set to manage all password administrators.
Prerequisites
- You have created a group named password_admins that includes all of the users to whom you want to assign the password administrator role.
Procedure
1. Create the ACI that defines the permissions for a password administrator role:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x << EOF
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword || nsAccountLock || userCertificate || nsSshPublicKey")(targetfilter="(objectClass=nsAccount)")(version 3.0; acl "Enable user password reset"; allow (write, read)(groupdn="ldap:///cn=password_admins,ou=groups,dc=example,dc=com");)
EOF
2. Assign the password administrator role to the group:
# dsconf -D "cn=Directory Manager" ldap://server.example.com localpwp set ou=people,dc=example,dc=com --pwdadmin "cn=password_admins,ou=groups,dc=example,dc=com"
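The following Python script is an added example, not part of the Red Hat documentation or of the 389 Directory Server project. It generates the ACI and the ldapmodify LDIF from sections 7.1 and 7.2, the dsconf command for either the global or the local policy, and the cn=config change that toggles passwordAdminSkipInfoUpdate, and it runs a review check that an ACI intended for password administrators grants only the listed attributes and only read/write rights, which is the property that keeps the group from becoming a general-purpose account editor. The function names are hypothetical; the DNs reuse the chapter's dc=example,dc=com suffix and the password_admins group. The script does not contact a server: its output is text an administrator reviews before applying.

```python
"""Build and sanity-check password-administrator ACIs for Red Hat Directory Server.

Added example, not from the Red Hat documentation or the 389-ds project.
Function names are hypothetical; the DNs reuse the chapter's example suffix.
Nothing here talks to a directory server: the output is LDIF text and command
lines that an administrator can review before applying.
"""
import re

# Attributes the chapter's ACI lets password administrators read and write.
PASSWORD_ADMIN_ATTRS = ("userPassword", "nsAccountLock", "userCertificate", "nsSshPublicKey")


def build_password_admin_aci(group_dn, attrs=PASSWORD_ADMIN_ATTRS,
                             acl_name="Enable user password reset"):
    """Return the ACI string from sections 7.1/7.2 for the given group DN."""
    targetattr = " || ".join(attrs)
    return (f'(targetattr="{targetattr}")(targetfilter="(objectClass=nsAccount)")'
            f'(version 3.0; acl "{acl_name}"; allow (write, read)'
            f'(groupdn="ldap:///{group_dn}");)')


def build_aci_ldif(target_dn, aci):
    """Return the LDIF that adds the ACI to the subtree entry (the ldapmodify input)."""
    return f"dn: {target_dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def build_skip_info_update_ldif(enabled):
    """Return LDIF that turns passwordAdminSkipInfoUpdate on or off under cn=config."""
    value = "on" if enabled else "off"
    return ("dn: cn=config\nchangetype: modify\n"
            f"replace: passwordAdminSkipInfoUpdate\npasswordAdminSkipInfoUpdate: {value}\n")


def dsconf_pwdadmin_command(host, group_dn, local_subtree=None):
    """Return the dsconf command that registers the group as password administrator.

    With local_subtree=None this is the global policy (7.1); otherwise the local
    policy for that subtree (7.2).
    """
    base = f'dsconf -D "cn=Directory Manager" ldap://{host} '
    if local_subtree is None:
        return base + f'pwpolicy set --pwdadmin "{group_dn}"'
    return base + f'localpwp set {local_subtree} --pwdadmin "{group_dn}"'


_TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)')
_RIGHTS_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')


def check_password_admin_aci(aci, allowed=PASSWORD_ADMIN_ATTRS):
    """Return a list of problems with an ACI meant for password administrators.

    A password-reset ACI should name exactly the password-related attributes and
    grant only read/write. A missing or negated targetattr, a wildcard, an extra
    attribute, or a broader right such as 'all' lets the group change more than
    the chapter intends, so each is reported.
    """
    problems = []
    m = _TARGETATTR_RE.search(aci)
    if not m:
        return ["no targetattr clause: the ACI applies to every attribute"]
    op, attrlist = m.groups()
    if op == "!=":
        problems.append("negated targetattr grants every attribute except those listed")
    allowed_lc = {a.lower() for a in allowed}
    for attr in (a.strip() for a in attrlist.split("||")):
        if attr == "*":
            problems.append("wildcard targetattr grants every attribute")
        elif attr.lower() not in allowed_lc:
            problems.append(f"unexpected attribute in targetattr: {attr}")
    for kind, rights in _RIGHTS_RE.findall(aci):
        for right in (r.strip().lower() for r in rights.split(",")):
            if right and kind == "allow" and right not in ("read", "write", "search", "compare"):
                problems.append(f"'{right}' right is broader than a password reset needs")
    return problems


if __name__ == "__main__":
    group = "cn=password_admins,ou=groups,dc=example,dc=com"
    aci = build_password_admin_aci(group)
    print(build_aci_ldif("ou=people,dc=example,dc=com", aci))
    print(dsconf_pwdadmin_command("server.example.com", group))
    print(dsconf_pwdadmin_command("server.example.com", group, "ou=people,dc=example,dc=com"))
    print(build_skip_info_update_ldif(True))
    print("problems:", check_password_admin_aci(aci))
```

Running the script prints the LDIF for the ou=people subtree, both dsconf variants, and the cn=config change, and reports an empty problem list for the chapter's ACI. Feeding check_password_admin_aci an ACI with (targetattr="*") or allow (all) instead returns the reasons it would over-grant, which is a useful gate to run over exported ACIs during a periodic review of who can write userPassword.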