Exit Print View

Sun OpenDS Standard Edition 2.0 Administration Guide

Get PDF Book Print View
 
Previous Next

Document Information

Configuring the Directory Server

Configuring Security in the Directory Server

Managing Directory Data

Controlling Access To Data

Replicating Data

Managing Users and Groups

Managing Root User, Global Administrator, and Administrator Accounts

Working With Multiple Root Users

Root Users and the Privilege Subsystem

Managing Root Users With dsconfig

To View the Default Root User Privileges

To Edit the Default Root User Privileges

To Create a Root User

To Change a Root User's Password

To Change a Root User's Privileges

Setting Root User Resource Limits

Managing Global Administrators

Managing Administrators

To Create a New Administrator

Managing Password Policies

Password Policy Components

Password Policies in a Replicated Environment

To View the List of Password Policies

Properties of the Default Password Policy

To View the Properties of the Default Password Policy

Configuring Password Policies

To Create a New Password Policy

To Create a First Login Password Policy

To Assign a Password Policy to an Individual Account

To Prevent Password Policy Modifications

To Assign a Password Policy to a Group of Users

To Delete a Password Policy

Managing User Accounts

Changing Passwords

To Change the Directory Manager's Password

To Reset and Generate a New Password for a User

To Change a User's Password

Managing a User's Account Information

To View a User's Account Information

To View Account Status Information

To Disable an Account

To Enable an Account

Setting Resource Limits on a User Account

To Set Resource Limits on an Account

Defining Groups

Defining Static Groups

To Create a Static Group With groupOfNames

To Create a Static Group With groupOfUniqueNames

To Create a Static Group With groupOfEntries

To List All Members of a Static Group

To List All Static Groups of Which a User Is a Member

To Determine Whether a User is a Member of a Group

Defining Dynamic Groups

To Create a Dynamic Group

To List All Members of a Dynamic Group

To List All Dynamic Groups of Which a User Is a Member

To Determine Whether a User Is a Member of a Dynamic Group

Defining Virtual Static Groups

To Create a Virtual Static Group

To List All Members of a Virtual Static Group

To List All Virtual-Static Groups of Which a User Is a Member

To Determine Whether a User is a Member of a Virtual Static Group

Defining Nested Groups

To Create a Nested Group

Maintaining Referential Integrity

Overview of the Referential Integrity Plug-In

To Enable the Referential Integrity Plug-In

Simulating DSEE Roles in an OpenDS Directory Server

To Determine Whether a User is a Member of a Role

To Alter Membership by Using the nsRoleDN Attribute

Directory Server Monitoring

Improving Performance

Advanced Administration

Root Users and the Privilege Subsystem

The Privilege Subsystem allows you to assign refined privileges to users who might require only a specific set of root user access privileges. Root users are automatically granted a set of privileges defined in the default-root-privilege-name attribute in the "cn=Root DNs,cn=config" subtree.

The Privilege Subsystem is independent from the Access Control Subsystem, but some operations might be subject to access controls.

The following set of privileges are automatically assigned to the root user.

Privilege
Description
bypass-acl
Allows the user to bypass access control evaluation.
modify-acl
Allows the user to make changes to access control instructions defined in the directory server.
config-read
Allows the user to have read access to the server configuration.
config-write
Allows the user to have write access to the server configuration.
ldif-import
Allows the user to request the LDIF import task.
ldif-export
Allows the user to request the LDIF export task.
backend-backup
Allows the user to request the back-end backup task.
backend-restore
Allows the user to request the back-end restore task.
server-shutdown
Allows the user to request the server shutdown task.
server-restart
Allows the user to request the server restart task.
disconnect-client
Allows the user to terminate arbitrary client connections.
cancel-request
Allows the user to cancel arbitrary client requests.
unindexed-search
Allows the user to request unindexed search operations.
password-reset
Allows the user to reset the user passwords.
update-schema
Allows the user to update the directory server schema.
privilege-change
Allows the user to change the set of privileges assigned to a user, or to change the set of default root privileges.

The following privileges can be assigned to the root user.

Privilege
Description
data-sync
Allows the user to participate in data synchronization environment.
jmx-read
Allows the user to read JMX attribute values.
jmx-write
Allows the user to update JMX attribute values.
jmx-notify
Allows the user to subscribe to JMX notifications.
proxied-auth
Allows the user to use the proxied authorization control or to request an alternate SASL authorization ID.
Legal Copyright 1994-2009 Sun Microsystems, Inc.
Previous Next