2. The Directory Server Access Control Model
3. Understanding the Directory Server Schema
4. Directory Server Index Databases
5. Understanding Directory Server Plug-Ins
6. Directory Server Replication
7. Directory Server Root Users and the Privilege Subsystem
With the introduction of the privilege subsystem, the primary distinguishing characteristics of root users that separate them from other accounts in the server are that they exist in the configuration rather than in the user data, and that because they are root users they automatically inherit a certain set of privileges. The set of privileges automatically granted to root users is defined in the ds-cfg-default-root-privilege-name attribute of the cn=Root DNs,cn=config entry. By default, root users are automatically granted the following privileges:
bypass-acl
modify-acl
config-read
config-write
ldif-import
ldif-export
backend-backup
backend-restore
server-shutdown
server-restart
disconnect-client
cancel-request
unindexed-search
password-reset
update-schema
privilege-change
If you want to alter the set of privileges that are automatically assigned to root users, then you may do so by editing the ds-cfg-default-root-privilege-name attribute. Further, if you want to have a different set of privileges for a specific root user, then you can accomplish that using the ds-privilege-name attribute in that root user's entry, just like for a normal user. For example, the following modification may be used to give a specific root user (in this case cn=Test Root User,cn=Root DNs,cn=config) the ability to use proxied authorization while removing the ability to change user privileges or access the configuration. (The minus sign before the privilege indicates that it is being removed rather than granted.):
dn: cn=Test Root User,cn=Root DNs,cn=config changetype: modify add: ds-privilege-name ds-privilege-name: proxied-auth ds-privilege-name: -config-read ds-privilege-name: -config-write
In this case, the cn=Test Root User,cn=Root DNs,cn=config user inherits all privileges automatically granted to root users with the exception of the config-read and config-write privileges and is also given the proxied-auth privilege.