wiki:LDAP_admin_passwords

Version 2 (modified by lttoth@…, 10 years ago)

iPlanet Administrative Account Passwords

There are two administrative accounts utilized by iPlanet to manage an iPlanet install and its individual directory instances:

  • admin
  • cn=Directory Manager

The admin account grants access to the iPlanet console through which directory instances can be created/deleted.

The Directory Manager account grants full access to a particular directory instance.

Administrative Passwords

Both passwords are stored in encrypted form in various iPlanet-related config files:

/e01/iplanet/servers/admin-serv/config/local.conf
/e01/iplanet/servers/slapd-<server><Inst>/config/dse.ldif

However, the passwords should always be changed via the iPlanet console.

<<ssh to "e" box>>

$ export DISPLAY=<yourIP>:0.0
$ startadmin
$ startconsole
	# make your password changes via console, then exit
$ stopadmin

The admin and Directory Manager passwords are local to an iPlanet install and directory instance. They are *NOT* replicated. Therefore, these passwords must be changed independently on each "e" box and in each directory instance.

CRITICAL NOTE

The Directory Manager account is utilized by the back end to EDIR/AUTHSERV to perform restricted actions not currently granted to individuals. For that reason, follow this procedure when changing the Directory Manager password:

  1. Request server be quiesced in applicable Equalizer clusters
  2. Change Directory Manager password via iPlanet console
  3. Bounce directory (see Starting and Stopping Directory Instances)
  4. Change the Directory Manager password utilized by the back end to EDIR/AUTHSERV (see ~iplanet .*pass)
  5. Confirm Directory Manager access continues to function with new password:

     ldap_queryProd "(ou=routing)" dn

  6. Request server be activated in applicable Equalizer clusters
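
The confirmation step above, scripted across several instances because these passwords are not replicated (an added example, not part of the original page). It assumes OpenLDAP's ldapsearch in place of the site's ldap_queryProd wrapper; the host:port targets and BASE_DN are placeholders.

```shell
#!/bin/sh
# Added example: confirm the new Directory Manager password on every instance.
# Assumptions (not from the original page): OpenLDAP's ldapsearch is on PATH,
# instances are passed as host:port, and BASE_DN below is a placeholder.

BIND_DN="cn=Directory Manager"
BASE_DN="${BASE_DN:-dc=example,dc=com}"   # placeholder suffix, override per site
FILTER="(ou=routing)"                     # same filter as the page's check

# check_dm_bind HOST:PORT PWFILE
# Prints one status line and returns ldapsearch's exit code.
check_dm_bind() {
    target=$1; pwfile=$2
    # -y reads the password from a file, keeping it off the command line and
    # out of `ps` output. OpenLDAP uses the file's complete contents, so the
    # file must not end with a newline.
    ldapsearch -x -LLL -H "ldap://$target" -D "$BIND_DN" -y "$pwfile" \
        -b "$BASE_DN" "$FILTER" dn >/dev/null 2>&1
    rc=$?
    case $rc in
        0)  echo "OK     $target" ;;
        49) echo "STALE  $target (invalid credentials: password not changed here?)" ;;
        *)  echo "ERROR  $target (ldapsearch exit $rc)" ;;
    esac
    return $rc
}

# check_all PWFILE HOST:PORT...
# Returns the number of instances that did not accept the new password.
check_all() {
    pwfile=$1; shift
    failed=0
    for target in "$@"; do
        check_dm_bind "$target" "$pwfile" || failed=$((failed + 1))
    done
    return $failed
}

# Runs only when called with a password file and at least one target.
if [ $# -ge 2 ]; then
    check_all "$@"
fi
```

A STALE line (LDAP result 49) identifies an instance that still has the old password; any other ERROR is a connectivity or search problem to investigate separately.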

###########################
20081028 elm