Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Directory Server contains default administration users, the Directory Manager and the cn=admin,cn=Administrators,cn=config user. Both of these users have the same access rights, but cn=admin,cn=Administrators,cn=config is subject to ACIs.
This section explains how to create an administration user with root access, and how to configure the Directory Manager.
If you want to create a new administration user with the same rights as cn=admin,cn=Administrators,cn=config, create the new user in the group cn=Administrators,cn=config. All users in this group are subject to a global ACI that allows the same access as the Directory Manager.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
For example, to create a new user cn=Admin24,cn=Administrators,cn=config, type:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
dn: cn=admin24,cn=Administrators,cn=config
changetype: add
objectclass: top
objectclass: person
userPassword: password
description: Administration user with the same access rights as Directory Manager.
The -D and -w options give the bind DN and password, respectively, of a user with permissions to create this entry.
The Directory Manager is the privileged server administrator, comparable to the root user on UNIX systems. Access control does not apply to the Directory Manager.
For most administration tasks, you are not required to use the Directory Manager. Instead, you can use the user cn=admin,cn=Administrators,cn=config, or any other user that you create beneath cn=Administrators,cn=config. The only tasks that require the Directory Manager are changing the root ACI, and replication troubleshooting tasks, such as repairing replication and searching tombstones.
You can change the Directory Manager DN and password, as well as create a file from which the password can be automatically read.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
$ dsconf get-server-prop -h host -p port root-dn
root-dn:cn=Directory Manager
To modify the Directory Manager DN, type:
$ dsconf set-server-prop -h host -p port root-dn:new-root-dn
Use quotes if there are spaces in the Directory Manager DN. For example:
$ dsconf set-server-prop -h host1 -p 1389 root-dn:"cn=New Directory Manager"
To change the Directory Manager password:
Create a temporary file for setting the password. This file is read once, and the password is stored for future use.
$ echo password > /tmp/pwd.txt
Set the server root password file property.
$ dsconf set-server-prop -h host -p port root-pwd-file:/tmp/pwd.txt
This command prompts the server to read the password file. Remove the temporary password file after you have set the password file property.
$ rm /tmp/pwd.txt
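With echo password > /tmp/pwd.txt, the password is recorded in shell history and the file's permissions depend on the current umask. The following added example (not part of the original guide) wraps the same steps so that the file is created owner-only and is always removed. The function names make_pwd_file and set_root_pwd are hypothetical; the dsconf invocation is the one shown in the procedure.

```shell
#!/bin/sh
# Added example, not from the Administration Guide.
# make_pwd_file and set_root_pwd are hypothetical helper names.

# Read one line (the new password) from stdin into a private temporary file
# and print the file's path. mktemp creates the file with mode 0600 and an
# unpredictable name; the password is not typed on the command line, so it
# stays out of shell history.
make_pwd_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/dspwd.XXXXXX") || return 1
    if [ -t 0 ]; then stty -echo; printf 'New Directory Manager password: ' >&2; fi
    IFS= read -r pw || true          # tolerate input without a trailing newline
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    if [ -z "$pw" ]; then            # refuse to set an empty password
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$pw" > "$f"
    unset pw
    printf '%s\n' "$f"
}

# Usage: set_root_pwd host port
# Runs the dsconf command shown in the procedure, then removes the temporary
# file whether or not dsconf succeeded.
set_root_pwd() {
    pwfile=$(make_pwd_file) || return 1
    rc=0
    dsconf set-server-prop -h "$1" -p "$2" "root-pwd-file:$pwfile" || rc=$?
    rm -f "$pwfile"
    return "$rc"
}
```

For example, set_root_pwd host1 1389 prompts for the new password without echoing it.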