Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide

Changes to Administrative Password Reset Classification

Password policy features such as must-change-on-reset (pwd-must- change-enabled) and administrative bypass of password quality checks (pwd-root-dn-bypass-enabled) depend on classifying the modification of the userPassword attribute as either a self-change or an administrative reset.

In Directory Server 5, by default, only the Directory Manager can perform an administrative reset of a user's password. Any other password change is considered as a self-change. Directory Server 5.2p4 introduced the password policy configuration attribute passwordNonRootMayResetUserpwd that, when enabled, limits the userPassword modify operations that are considered as a self-change to the following two cases:

  1. A user is authenticated and changing the password of his or her own account.

  2. An administrator changes the password, but the LDAP Proxied Authorization Control ( is set for the userPassword modify operation, and the proxied user DN is the target of the modify operation.

Any other password change is considered as an administrative reset. This feature eliminates the requirement of using Directory Manager for routine password administration, while the simple other-than- self (password change made by any other user but not by self) test avoids the complexity of a separate scheme to identify administrative users.

Directory Server 6.x evaluates password changes similar to Directory Server 5.x with passwordNonRootMayResetUserPassword enabled. That is, Directory Server 6.x considers a password change as an administrative reset except for a user changing his or her own password, or when the proxied authorization control is used. Even though the passwordNonRootMayResetUserpwd attribute can be present in a Directory Server 6.x password policy configuration entry when the instance is in Directory Server 5.x compatible mode, the attribute can not be modified and the feature is always enabled.

If your Directory Server 5 based LDAP application uses an administrative account other than Directory Manager to change a password on behalf of a user (that is, the change should be a self-change), when the application is used with Directory Server 6.x, the change will be considered as an administrative reset. You can restore the original behavior by using the LDAP Proxied Authorization Control ( with the userPassword modify operation. The proxied authorization control handles the operation as if it is invoked by the proxied user. The control is available in the LDAP C SDK ( and LDAP SDK for Java (, and the ldapmodify command included with DSRK 6. Invoke the proxied authorization control using the ldapmodify command as follows:

$ ldapmodify -D <administrative-user-DN > -Y <proxied-user-DN>

Note –

The ldapmodify commands from other products might use a different flag, or might not support the proxied authorization control at all.