How to delegate password reset permissions - OpenIdentityPlatform/OpenDJ GitHub Wiki
Insufficient Access Rights: You do not have sufficient privileges to perform password reset operations
Some operations require both privileges and access control instructions. For example, in order to reset users' passwords, an administrator needs both the password-reset privilege and also access control permitting writes to userPassword values on the user entries.
By combining an access control instruction with a privilege, you can effectively restrict the scope of that privilege to a particular branch of the Directory Information Tree.
$ bin/ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password
dn: uid=admin,ou=write-rest,ou=people,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
Processing MODIFY request for
MODIFY operation successful for DN
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(version 3.0;acl "Admins"; allow(all) userdn ="ldap:///uid=admin,ou=write-rest,ou=people,dc=example,dc=com";)
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com
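As an added example (not code from the OpenDJ wiki or the project), the following Python preflight check mirrors the two requirements above: given a constructed copy of the delegated admin's entry and the ACI set on the branch, it reports whether a password reset on a given user DN should succeed and, if not, which half is missing. The ACI parsing is a minimal regex for the ACI shape used on this page, not OpenDJ's full ACI grammar, and the sample data is constructed.

```python
import re

# Constructed sample data mirroring the entries modified above (not real ldapsearch output).
ADMIN_ENTRY = {
    "dn": "uid=admin,ou=write-rest,ou=people,dc=example,dc=com",
    "ds-privilege-name": ["password-reset"],
}
BRANCH_ACIS = [
    '(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")'
    '(version 3.0;acl "Admins"; allow(all) '
    'userdn ="ldap:///uid=admin,ou=write-rest,ou=people,dc=example,dc=com";)',
]


def norm_dn(dn):
    """Lower-case and strip each RDN so 'ou=People' and 'ou=people' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_in_branch(dn, branch):
    """True when dn is the branch entry itself or lies beneath it."""
    d, b = norm_dn(dn), norm_dn(branch)
    return d == b or d.endswith("," + b)


def parse_aci(aci):
    """Pull target, targetattr, allowed rights and userdn out of one ACI string."""
    target = re.search(r'target\s*=\s*"ldap:///([^"]+)"', aci)
    attrs = re.search(r'targetattr\s*=\s*"([^"]+)"', aci)
    allow = re.search(r"allow\s*\(([^)]+)\)", aci)
    userdn = re.search(r'userdn\s*=\s*"ldap:///([^"]+)"', aci)
    if not (attrs and allow and userdn):
        return None
    return {
        "target": target.group(1) if target else None,
        "attrs": [a.strip() for a in attrs.group(1).split("||")],
        "rights": [r.strip().lower() for r in allow.group(1).split(",")],
        "userdn": userdn.group(1),
    }


def can_reset(admin_entry, acis, user_dn):
    """Return (allowed, reason): both the privilege and a matching ACI are required."""
    if "password-reset" not in admin_entry.get("ds-privilege-name", []):
        return False, "missing password-reset privilege"
    for aci in acis:
        p = parse_aci(aci)
        if p is None or norm_dn(p["userdn"]) != norm_dn(admin_entry["dn"]):
            continue  # malformed, or granted to someone else
        if p["target"] and not dn_in_branch(user_dn, p["target"]):
            return False, "user is outside the ACI target branch"
        attr_ok = any(a.lower() in ("*", "userpassword") for a in p["attrs"])
        right_ok = any(r in ("all", "write") for r in p["rights"])
        if attr_ok and right_ok:
            return True, "privilege and ACI both present"
    return False, "no ACI grants this admin write on userPassword"
```

A tighter ACI with `targetattr="userPassword"` and `allow(write)` also passes this check, which is the least-privilege form of the grant shown above.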
Test with ldappasswordmodify
$ bin/ldappasswordmodify --port 1389 --bindDN "uid=admin,ou=write-rest,ou=people,dc=example,dc=com" --bindPassword password --authzID "dn:uid=user.0,ou=People,dc=example,dc=com" --newPassword changeit
The LDAP password modify operation was successful
Test REST access to OpenDJ Directory Server
$ curl -u "admin:password" --request POST -v -k "https://localhost:8443/api/users/user.0?_action=resetPassword"