389 ds - using an user other than cn=Directory Manager for users administration

Hello. I’m configuring a 389 Directory Server on SLES 15. I created a LDAPUsersAdministrators group and made it member of cn=user_admin,ou=permissions,dc=example,dc=com. Then I created a new administration user and made it member of the LDAPUsersAdministrators group.

Now with this new administrator user I’m able to create other users using ldapadd utility and a ldif file, but this works only if the userPassword attribute is NOT present in the ldif file.

LDIF file example

dn: uid=johndoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: johndoe
cn: John Doe
displayName: John Doe
legalName: John Doe
uidNumber: 99998
gidNumber: 99998
homeDirectory: /var/empty
loginShell: /bin/false
userPassword: bigsecret

If I remove the userPassword attribute from the ldif file the user is created, if I add it I’m getting this error:

ldap_add: Insufficient access (50)
additional info: Insufficient ‘add’ privilege to the ‘userPassword’ attribute

Of course if I use cn=Directory Manager I am able to create a new user with a password, but I wish to be able to do that with the new administrator user that I just created.

This document describe how to define a group of users as “Password Administrators”:

https://www.port389.org/docs/389ds/design/password-administrator.html

I followed these istructions but it still don’t work, so I’m stuck. Any suggestion?

Thank you & Kind regards - Cristian