1. Run dsconfig to remove the global ACI that limits access to the userPassword or authPassword attribute. This is present for backwards compatibility.
    $ bin/dsconfig set-access-control-handler-prop \
      --remove 'global-aci:(targetattr="userPassword || authPassword")
      (version 3.0; acl "Prevent clients from retrieving passwords from the server"; 
      deny (read,search,compare) userdn="ldap:///anyone";)'
  2. Run dsconfig to add the userPassword attribute as a global sensitive attribute, which is applied to all client connection policies. Do this by adding the built-in "Sensitive Password Attributes" Sensitive Attribute definition to the Global Configuration.
    $ bin/dsconfig set-global-configuration-prop \
      --add "sensitive-attribute:Sensitive Password Attributes"
  3. If the server is designated to synchronize passwords with a Sync Server, then it is necessary to configure a client connection policy for the Sync User to exclude the global sensitive attribute. The following is an example on how to create a new policy if the Data Sync Server binds with the default DN of cn=Sync User,cn=Root DNs,cn=config.
    $ bin/dsconfig create-connection-criteria \
      --criteria-name "Requests by Sync Users" \
      --type simple \
      --set user-auth-type:internal \
      --set user-auth-type:sasl \
      --set user-auth-type:simple \
      --set "included-user-base-dn:cn=Sync User,cn=Root DNs,cn=config"
    
    $ bin/dsconfig create-client-connection-policy \
      --policy-name "Data Sync Server Connection Policy" \
      --set enabled:true \
      --set evaluation-order-index:9998 \
      --set "connection-criteria:Requests by Sync Users" \
      --set "exclude-global-sensitive-attribute:Sensitive Password Attributes"