Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014
 
 

enableShadowUpdate Switch

If the enableShadowUpdate switch is set to true on the client, administrator credentials are used to update the shadow data. Shadow data is stored in the shadowAccount object class on the directory server. Administrator credentials are defined by the values of the adminDN and adminPassword attributes, as described in Defining Local Client Attributes.

Administrator credentials have properties similar to proxy credentials. However, for administrator credentials, the user must have all privileges for the zone or have an effective UID of root to read or update the shadow data.


Caution  -  Administrator credentials can be assigned to any entry that is allowed to bind to the directory. However, do not use the directory manager identity (cn=Directory Manager) of the LDAP server for this purpose.


An entry with administrator credentials must have sufficient access to read and write the shadow data to the directory. The entry is a shared-per-system resource. Therefore, you must configure the adminDN and adminPassword attributes on every client.

The encrypted adminPassword is stored locally on the client. The password uses the same authentication methods that are configured for the client. All users and processes on a specific system use the administrator credentials to read and update the shadow data.
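The following shell script is an added example and is not part of the Oracle documentation. It performs the pre-flight checks an administrator would want before handing the enableShadowUpdate, adminDN and adminPassword attributes to ldapclient: it refuses a configuration that enables shadow updates without both credential attributes, and it rejects an adminDN that is the directory manager identity named in the caution above. The `ldapclient mod -a attr=value` form it assembles is the standard client-attribute syntax; the script only builds that argument list and does not run ldapclient, and the DN normalisation (lower-casing and trimming spaces around `=` and `,`) is a simplifying assumption rather than full RFC 4514 DN matching.

```shell
#!/bin/sh
# Added example, not Oracle's code: validate the shadow-update client
# attributes before they are passed to 'ldapclient mod'.

# normalize_dn DN
# Lower-case the DN and drop whitespace around '=' and ',' so that
# "CN = Directory Manager" and "cn=Directory Manager" compare equal.
# Assumption: this simple normalisation is sufficient for the check below.
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -e 's/[[:space:]]*=[[:space:]]*/=/g' \
              -e 's/[[:space:]]*,[[:space:]]*/,/g'
}

# check_shadow_update_config ENABLE ADMIN_DN ADMIN_PASSWORD
# Returns 0 when the combination is acceptable, 1 otherwise; the reason
# is written to stderr.
check_shadow_update_config() {
    enable=$1
    admin_dn=$2
    admin_pw=$3

    case "$(printf '%s' "$enable" | tr 'A-Z' 'a-z')" in
        true)  ;;
        false) return 0 ;;   # credentials are not needed when updates stay off
        *)
            echo "enableShadowUpdate must be TRUE or FALSE, got '$enable'" >&2
            return 1 ;;
    esac

    # Shadow updates use the administrator credentials, so both must be set.
    if [ -z "$admin_dn" ] || [ -z "$admin_pw" ]; then
        echo "enableShadowUpdate=TRUE requires both adminDN and adminPassword" >&2
        return 1
    fi

    # The caution in the text: never reuse the directory manager identity.
    if [ "$(normalize_dn "$admin_dn")" = "$(normalize_dn 'cn=Directory Manager')" ]; then
        echo "adminDN must not be the directory manager identity (cn=Directory Manager)" >&2
        return 1
    fi
    return 0
}

# build_ldapclient_args ENABLE ADMIN_DN ADMIN_PASSWORD
# Print the '-a attr=value' options for 'ldapclient mod'. The caller is
# expected to run: ldapclient mod $(build_ldapclient_args ...)
build_ldapclient_args() {
    printf '%s' "-a enableShadowUpdate=$1 -a adminDN=$2 -a adminPassword=$3"
    printf '\n'
}

# Demonstration with constructed values; set SHADOW_CHECK_DEMO=1 to run it.
if [ "${SHADOW_CHECK_DEMO:-0}" = 1 ]; then
    dn='cn=shadowadmin,ou=profile,dc=example,dc=com'   # constructed DN
    if check_shadow_update_config TRUE "$dn" 'example-password'; then
        echo "would run: ldapclient mod $(build_ldapclient_args TRUE "$dn" '****')"
    fi
fi
```

Because every client holds the same adminDN and adminPassword, running this check from the same provisioning script on each client keeps the per-system configuration consistent and catches the directory-manager mistake before the credentials are written to the client.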