This section describes what to do if you forgot the password for Directory Manager or for the global (replication) administrator.
Procedure 25.1. Resetting the Directory Manager's Password
OpenDJ directory server stores the entry for Directory Manager in the LDIF representation of its configuration. You must be able to edit directory server files in order to reset Directory Manager's password.
- Generate the encoded version of the new password using the OpenDJ encode-password command.

    $ cd /path/to/opendj/bin/
    $ ./encode-password --storageScheme SSHA512 --clearPassword password
    Encoded Password: "{SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
     NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt"

- Stop OpenDJ directory server while you edit the configuration.

    $ ./stop-ds

- Find Directory Manager's entry, which has DN cn=Directory Manager,cn=Root DNs,cn=config, in /path/to/opendj/config/config.ldif, and carefully replace the userpassword attribute value with the encoded version of the new password, taking care not to leave any whitespace at the end of the line.

    dn: cn=Directory Manager,cn=Root DNs,cn=config
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: ds-cfg-root-dn-user
    objectClass: top
    userpassword: {SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
     NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt
    givenName: Directory
    cn: Directory Manager
    ds-cfg-alternate-bind-dn: cn=Directory Manager
    sn: Manager
    ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies
     ,cn=config
    ds-rlim-time-limit: 0
    ds-rlim-lookthrough-limit: 0
    ds-rlim-idle-time-limit: 0
    ds-rlim-size-limit: 0

- Start OpenDJ directory server again.

    $ ./start-ds

- Verify that you can administer the server as Directory Manager using the new password.

    $ ./dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password

    >>>> OpenDJ configuration console main menu

    What do you want to configure?

    ...

    Enter choice: q
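The hand edit of the userpassword value is the step most likely to go wrong, because the old value may span a folded continuation line and trailing whitespace is easy to miss. The following Python helper is an added example, not part of OpenDJ or of the original guide: `set_root_password` and the sample entries are hypothetical, and it assumes the `dn:` line itself is not folded.

```python
import re

# DN and attribute name come from the procedure above.
ROOT_DN = "cn=Directory Manager,cn=Root DNs,cn=config"

def set_root_password(ldif_text, encoded, dn=ROOT_DN):
    """Return ldif_text with the userpassword of entry `dn` replaced by `encoded`."""
    encoded = encoded.strip().strip('"')  # encode-password prints the value in quotes
    if not re.fullmatch(r"\{[A-Za-z0-9-]+\}\S+", encoded):
        raise ValueError("expected {SCHEME}value with no embedded whitespace")
    out, in_entry, dropping, replaced = [], False, False, 0
    for line in ldif_text.splitlines():
        if dropping and line.startswith(" "):
            continue  # folded continuation of the old value
        dropping = False
        if line.lower().startswith("dn:"):
            in_entry = line[3:].strip().lower() == dn.lower()
        elif line == "":
            in_entry = False  # a blank line ends the entry
        elif in_entry and line.lower().startswith("userpassword:"):
            # Written unfolded (LDIF folding is optional), no trailing whitespace.
            out.append("userpassword: " + encoded)
            dropping, replaced = True, replaced + 1
            continue
        out.append(line)
    if replaced != 1:
        raise ValueError("expected one userpassword in %s, found %d" % (dn, replaced))
    return "\n".join(out) + "\n"

# Constructed sample in the shape of config.ldif; the hash values are placeholders.
SAMPLE = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
userpassword: {SSHA512}OLDplaceholderAAAA
 BBBBplaceholderTail
givenName: Directory

dn: cn=Second Admin,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
userpassword: {SSHA512}UNTOUCHEDplaceholder
"""

if __name__ == "__main__":
    print(set_root_password(SAMPLE, '"{SSHA512}NEWplaceholderValue"'), end="")
```

Run it against a copy of config.ldif while the server is stopped, and keep the original file until the dsconfig check in the last step succeeds.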
Procedure 25.2. To Reset the Global Administrator's Password
When you enable replication, part of the process involves creating a
global administrator and setting that user's password. This user is present
on all replicas. If you chose default values, this user has DN
cn=admin,cn=Administrators,cn=admin data. You reset the
password as you would for any other user, though you do so as Directory
Manager.
- Use the ldappasswordmodify command to reset the global administrator's password.

    $ cd /path/to/opendj/bin/
    $ ./ldappasswordmodify \
        --useStartTLS \
        --port 1389 \
        --hostname opendj.example.com \
        --bindDN "cn=Directory Manager" \
        --bindPassword password \
        --authzID "cn=admin,cn=Administrators,cn=admin data" \
        --newPassword password
    The LDAP password modify operation was successful

- Let replication copy the password change to other replicas.

