An administrator generally has broader rights and permissions than most users. You can create a number of administrators, with different access controls and resource limits.
For this example, the administrator being added has uid=Admin.Lab.
Since the group of administrators should have only a few users, you can create a static group. For more information, see Defining Static Groups.
dn: cn=Administrators,ou=People,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
member: uid=Admin.Lab,ou=People,dc=example,dc=com
cn: Administrator
For example, the following command would give the administrator the rights to perform backup and restore on the back end.
ldapmodify -h localhost -p 1389 -w password -D cn=directory\ manager
dn: uid=Admin.Lab,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
The procedure is similar to setting the resource limits for a root user. See Setting Root User Resource Limits.
You can assign root user privileges to an administrator or user.
For example, the command below changes the privileges for the administrator named Admin.Lab to have the same default privileges as a root user.
ldapmodify -h localhost -p 1389 -w password -D cn=directory\ manager
dn: uid=Admin.Lab,cn=Administrators,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: bypass-acl
ds-privilege-name: modify-acl
ds-privilege-name: config-read
ds-privilege-name: config-write
ds-privilege-name: ldif-import
ds-privilege-name: ldif-export
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: server-shutdown
ds-privilege-name: server-restart
ds-privilege-name: disconnect-client
ds-privilege-name: cancel-request
ds-privilege-name: password-reset
ds-privilege-name: update-schema
ds-privilege-name: privilege-change
ds-privilege-name: unindexed-search
Note - The bypass-acl and modify-acl privileges should be assigned only to a restricted number of people. Assigning the rights to bypass or modify access controls to inexperienced users can be risky.
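As an added example (not part of the original documentation), the following Python script audits an LDIF export for entries that hold the bypass-acl or modify-acl privileges named in the note above and reports any holder that is not on an approved list. The sample entries other than Admin.Lab, the approved list and the function names are constructed for illustration; treating a leading "-" as a removed privilege follows OpenDS syntax that this page does not show.

```python
import base64

HIGH_RISK = {"bypass-acl", "modify-acl"}   # the two privileges the note restricts

def parse_ldif(text):
    """Yield {attr: [values]} per entry; handles folded lines and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")   # RFC 2849 folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def audit(text, approved=()):
    """Return {dn: [high-risk privileges]} for holders outside the approved list."""
    allowed = {dn.lower() for dn in approved}
    findings = {}
    for entry in parse_ldif(text):
        # A leading "-" removes a privilege in OpenDS, so it grants nothing.
        held = {p.lower() for p in entry.get("ds-privilege-name", []) if p[:1] != "-"}
        risky = sorted(held & HIGH_RISK)
        if risky and entry["dn"][0].lower() not in allowed:
            findings[entry["dn"][0]] = risky
    return findings

# Constructed sample export; only Admin.Lab appears on the page.
SAMPLE = """\
dn: uid=Admin.Lab,ou=People,dc=example,dc=com
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore

dn: uid=Ops.One,ou=People,dc=example,dc=com
ds-privilege-name: bypass-acl
ds-privilege-name: modify-
 acl

dn: uid=Ops.Two,ou=People,dc=example,dc=com
ds-privilege-name:: YnlwYXNzLWFjbA==
ds-privilege-name: -modify-acl
"""

print(audit(SAMPLE))
```

The approved list is compared case-insensitively but otherwise literally, so DNs should be supplied in the same form the export uses.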