Sun OpenDS Standard Edition 2.2 Administration Guide

Managing Administrators

An administrator generally has broader rights and permissions than most users. You can create a number of administrators, with different access controls and resource limits.

To Create a New Administrator

  1. Import the administrator data using import-ldif, or use an existing user.

    For this example, the administrator being added has uid=Admin.Lab.
  2. (Optional) Create a group of administrators with cn=Administrators.

    Since the group of administrators should have only a few users, you can create a static group. For more information, see Defining Static Groups.

    dn: cn=Administrators,ou=People,dc=example,dc=com
    objectClass: top
    objectClass: groupOfNames
    member: uid=Admin.Lab,ou=People,dc=example,dc=com
    cn: Administrators
  3. Set the privileges of the administrator by using the ldapmodify command.

    For example, the following command would give the administrator the rights to perform backup and restore on the back end.

    ldapmodify -h localhost -p 1389 -w password -D cn=directory\ manager
    dn: uid=Admin.Lab,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: backend-backup
    ds-privilege-name: backend-restore
  4. Set resource limits, if required.

    The procedure is similar to setting the resource limits for a root user. See Setting Root User Resource Limits.

To Create an Administrator with Root User Privileges

You can assign root user privileges to an administrator or to a regular user.

  1. Create an administrator, or use an existing user.

    See To Create a New Administrator.

  2. Modify the privileges using the ldapmodify command.

    For example, the following command gives the administrator Admin.Lab the same default privileges as a root user.

    ldapmodify -h localhost -p 1389 -w password -D cn=directory\ manager
    dn: uid=Admin.Lab,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: bypass-acl
    ds-privilege-name: modify-acl
    ds-privilege-name: config-read
    ds-privilege-name: config-write
    ds-privilege-name: ldif-import
    ds-privilege-name: ldif-export
    ds-privilege-name: backend-backup
    ds-privilege-name: backend-restore
    ds-privilege-name: server-shutdown
    ds-privilege-name: server-restart
    ds-privilege-name: disconnect-client
    ds-privilege-name: cancel-request
    ds-privilege-name: password-reset
    ds-privilege-name: update-schema
    ds-privilege-name: privilege-change
    ds-privilege-name: unindexed-search

    Note - The bypass-acl and modify-acl privileges should be assigned to only a restricted number of people. Assigning the rights to bypass or modify access controls to inexperienced users can be risky.
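The following Python script is an added example and is not part of the OpenDS guide or the OpenDS tools. It covers the privilege grant made with ldapmodify in step 3 of To Create a New Administrator and in the root-privileges procedure above: build_privilege_change produces the same change record, rejects names that are not among the sixteen privileges listed on this page, and refuses bypass-acl and modify-acl unless the caller opts in, which is the note's point made mechanical. It also audits an LDIF export, such as the one written by export-ldif, for accounts that already hold those privileges, and checks that each entry's RDN value appears among its attributes (the kind of slip where dn: cn=Administrators is paired with cn: Administrator). The function names, the sample entries and the SENSITIVE_PRIVILEGES set (which adds privilege-change to the two the note names, on the assumption that whoever can change privileges can grant the other two) are all constructed for this example.

```python
"""Added example, not from the OpenDS guide: build and audit ds-privilege-name grants.
Runs offline on LDIF text; the sample entries below are constructed."""
import re

# The sixteen default root-user privileges listed on this page. Assumption of the
# example: only these names are accepted locally; the real server defines more.
DEFAULT_ROOT_PRIVILEGES = frozenset({
    "bypass-acl", "modify-acl", "config-read", "config-write",
    "ldif-import", "ldif-export", "backend-backup", "backend-restore",
    "server-shutdown", "server-restart", "disconnect-client", "cancel-request",
    "password-reset", "update-schema", "privilege-change", "unindexed-search",
})
# The guide's note names bypass-acl and modify-acl; privilege-change is added as an
# assumption of this example, since its holder can grant the other two.
SENSITIVE_PRIVILEGES = frozenset({"bypass-acl", "modify-acl", "privilege-change"})

_LINE = re.compile(r"^([A-Za-z][\w;.-]*):\s?(.*)$")


def parse_ldif(text):
    """Parse LDIF records into {attribute: [values]} dicts (attributes lower-cased).
    Handles folded lines, comments and the '-' separator; base64 values are not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(("#", "version:")) or raw == "-":
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # unfold a continuation line
            else:
                lines.append(raw)
        entry = {}
        for line in lines:
            m = _LINE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            entry.setdefault(m.group(1).lower(), []).append(m.group(2))
        if entry:
            entries.append(entry)
    return entries


def rdn_matches_entry(entry):
    """True if the first RDN's value is also present as an attribute value.
    Simplification: escaped commas and multi-valued RDNs are not handled."""
    attr, _, value = entry["dn"][0].split(",", 1)[0].partition("=")
    present = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return value.strip().lower() in present


def privilege_report(entries):
    """Map each DN carrying ds-privilege-name values to its sorted privileges."""
    return {e["dn"][0]: sorted(e["ds-privilege-name"])
            for e in entries if e.get("ds-privilege-name")}


def sensitive_holders(entries):
    """DNs holding any SENSITIVE_PRIVILEGES, with the values that triggered it."""
    return {dn: sorted(risky) for dn, privs in privilege_report(entries).items()
            if (risky := set(privs) & SENSITIVE_PRIVILEGES)}


def build_privilege_change(dn, privileges, allow_sensitive=False):
    """Return the ldapmodify change record that adds the given privileges. Unknown
    names are rejected locally; sensitive ones need an explicit opt-in."""
    privs = list(dict.fromkeys(privileges))  # de-duplicate, keep order
    unknown = [p for p in privs if p not in DEFAULT_ROOT_PRIVILEGES]
    if unknown:
        raise ValueError(f"unknown privilege name(s): {unknown}")
    risky = [p for p in privs if p in SENSITIVE_PRIVILEGES]
    if risky and not allow_sensitive:
        raise PermissionError(f"refusing to grant {risky} without allow_sensitive=True")
    lines = [f"dn: {dn}", "changetype: modify", "add: ds-privilege-name"]
    lines += [f"ds-privilege-name: {p}" for p in privs]
    return "\n".join(lines) + "\n"


# Constructed, trimmed sample export: a scoped administrator, an over-privileged
# user, and a group whose cn value does not match its RDN.
SAMPLE_EXPORT = """\
dn: uid=Admin.Lab,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: Admin.Lab
description: Backup and restore only;
  no ACL bypass
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore

dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
ds-privilege-name: bypass-acl
ds-privilege-name: unindexed-search

dn: cn=Administrators,ou=People,dc=example,dc=com
objectClass: groupOfNames
member: uid=Admin.Lab,ou=People,dc=example,dc=com
cn: Administrator
"""

if __name__ == "__main__":
    print(sensitive_holders(parse_ldif(SAMPLE_EXPORT)))
```

Run against a real export (export-ldif -b dc=example,dc=com, then parse_ldif on the file contents) the sensitive_holders report is the list to review after following either procedure above, and build_privilege_change output can be piped straight into ldapmodify.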