Friday, July 9, 2010

How to reset DSCC Directory Service Manager password?

I was with a customer the other day. He has another Sun Directory Server setup by another vendor long time ago. He attempted to login to DSCC, but he was not able to remember the "admin" (Directory Service Manager) password.

Some forums I searched talked about resetting the Service Manager password via the DSCC console. What a joke! :) I can't even login, how am I able to reset password via DSCC console?

Changing password via DSCC console

There are 2 ways to resolve this issue:

1. To dismantle and initialize DSCC again

bash-3.00# ./dsccsetup dismantle
bash-3.00# ./dsccsetup initialize
Registration is on-going. Please wait...
DSCC is registered in Sun Java(TM) Web Console
DSCC agent has been successfully registered in Cacao.
Choose password for Directory Service Manager:
Confirm password for Directory Service Manager:
Creating DSCC registry...
DSCC Registry has been created successfully

Simple. But of course, previous configuration of registered servers are gone. You need to register again.

2. Change password via CLI

Some basic concepts first.

bash-3.00# ./dsccsetup status
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998

  • DSCC configuration are stored in a LDAP database at port 3998
  • Service Manager is known as cn=admin,cn=Administrators,cn=dscc in this LDAP database (see screenshot above)
  • "cn=Directory Manager" credential is required to modify the Service Manager password 
  • The funny thing is the default password for "cn=Directory Manager" is the same as Directory Service Manager. (see dsccsetup initialize above. the steps are so simple. it assumes both to have the same password) 

So we need to perform 2 steps:

Step 1 - Change the Directory Manager password

bash-3.00# /opt/SUNWdsee/ds6/bin/pwdhash -D /var/opt/SUNWdsee/dscc6/dcc/ads -s SHA password2

bash-3.00# cd /var/opt/SUNWdsee/dscc6/dcc/ads/
bash-3.00# ./stop-slapd
bash-3.00# cd /var/opt/SUNWdsee/dscc6/dcc/ads/config
bash-3.00# cp dse.ldif dse.ldif.OLD
bash-3.00# vi dse.ldif
At dn: cn=config
nsslapd-rootpw: {SSHA}guaZfnFtTHeT8EpWpBhuRlBCMLWpdgt0tBvfBw==
nsslapd-rootpw: {SSHA}qFcXDQCKZ4u4GyrM8Uw4uGOHdsnVPP9MaC0WeQ==

bash-3.00# ./start-slapd

Step 2 - Change the Service Manager password

bash-3.00# ldapmodify -p 3998 -D "cn=Directory Manager"
Enter bind password:
dn: cn=admin,cn=Administrators,cn=dscc
changetype: modify
replace: userPassword
userPassword: password2 <-- Rest assured. This password will be hashed during modification.

modifying entry cn=admin,cn=Administrators,cn=dscc




  1. I am trying to do this procedure but when i try to change the Service Manager password it says to me: ldap_modify: No exits such object

  2. Have you initialize DSCC in the first place? It seems like the entry "dn: cn=admin,cn=Administrators,cn=dscc" does not even exist.

  3. Hi. Thanks for the the article, explanation is superb!
    I am trying to reset my DSCC password but I donot have dn: cn=admin,cn=Administrators,cn=dscc in my dse.ldif. do I need to create it? if yes, how?

  4. Are you in the correct folder? You should not be going to the data folder. The correct folder is where the ADS is. e.g. /var/opt/SUNWdsee/dscc6/dcc/ads/config

  5. Generally can we have two different passwords for port 389 & port 3998?

    Is it a valid scenario to have two different passwords specific to port?

  6. is there any documentation supporting that two ports having two different password is a valid scenario?

  7. My company policy does not allow any shared/generic account. Can I disable this "admin" account (I can set up individual accounts for administrators)? Or at least make this account "locked" so that no one can log on to this account?