Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)

Managing Root User, Global Administrator, and Administrator Accounts

Oracle Unified Directory provides a flexible Privilege Subsystem for configuring root users, Global Administrators, and administrators for your server. You can configure multiple root users and give each one a different subset of the root privileges. In a replicated environment, you can also configure multiple Global Administrators to manage the administrative domains in your network.

The topics in this section describe the management of multiple root users and the privilege subsystem. The topics also provide instructions on how to configure and maintain the various user accounts required to administer your server securely.

Before you start with the procedures outlined here, determine the following guidelines for your server:

Working With Multiple Root Users

Oracle Unified Directory provides one default root DN, or root user, "cn=Directory Manager". The default root DN is a user entry that holds a specialized set of privileges giving it full read and write access to all data in the server. Comparable to the Unix root user or superuser, the root DN can bypass access controls to carry out tasks on the server. The root user entry is stored below the "cn=Root DNs,cn=config" branch, at cn=Directory Manager,cn=Root DNs,cn=config.

The server supports multiple root users, each with its own entry and its own credentials. This allows you to give a user who needs root access for a particular task only the privileges that task requires, rather than the full set. For each root user entry you can separately require strong authentication such as the GSSAPI SASL mechanism, assign a password policy, or add resource limits (if your schema allows it), so that two root users can have completely different configurations.

Root users differ from regular user entries in the following ways:

The Privilege Subsystem supports the configuration of multiple root users.

Root Users and the Privilege Subsystem

The Privilege Subsystem allows you to assign refined privileges to users who might require only a specific set of root user access privileges. Root users are automatically granted a set of privileges defined in the default-root-privilege-name attribute in the "cn=Root DNs,cn=config" subtree.

The Privilege Subsystem is independent of the Access Control Subsystem: a privilege grants the right to perform a category of operation, but the operation itself may still be subject to access control instructions. For example, a user holding config-read can read the server configuration only if the ACIs also permit it, unless that user also holds bypass-acl.

The following set of privileges is automatically assigned to the root user.

Privilege           Description
bypass-acl          Allows the user to bypass access control evaluation.
modify-acl          Allows the user to make changes to access control instructions defined in the server.
config-read         Allows the user to have read access to the server configuration.
config-write        Allows the user to have write access to the server configuration.
ldif-import         Allows the user to request the LDIF import task.
ldif-export         Allows the user to request the LDIF export task.
backend-backup      Allows the user to request the back-end backup task.
backend-restore     Allows the user to request the back-end restore task.
server-shutdown     Allows the user to request the server shutdown task.
server-restart      Allows the user to request the server restart task.
disconnect-client   Allows the user to terminate arbitrary client connections.
cancel-request      Allows the user to cancel arbitrary client requests.
unindexed-search    Allows the user to request unindexed search operations.
password-reset      Allows the user to reset other users' passwords.
update-schema       Allows the user to update the server schema.
privilege-change    Allows the user to change the set of privileges assigned to a user, or to change the set of default root privileges.

The following privileges are not granted to root users by default, but can be assigned to a root user (or to any other user entry). Note that proxied-auth lets the holder perform operations under another user's identity, so grant it as sparingly as bypass-acl.

Privilege           Description
data-sync           Allows the user to participate in a data synchronization environment.
jmx-read            Allows the user to read JMX attribute values.
jmx-write           Allows the user to update JMX attribute values.
jmx-notify          Allows the user to subscribe to JMX notifications.
proxied-auth        Allows the user to use the proxied authorization control or to request an alternate SASL authorization ID.

Managing Root Users With dsconfig

Use the dsconfig command to manage root users. For more information, see Managing the Server Configuration With dsconfig.

To View the Default Root User Privileges

The default root user has a number of privileges, which are stored as values of the default-root-privilege-name property.

To Edit the Default Root User Privileges

The easiest way to manage root user privileges is to use dsconfig in interactive mode. Interactive mode walks you through the root user configuration, and is therefore not documented here.

To add or remove privileges for the default root user, add or remove values of the default-root-privilege-name property. This property can hold any of the privilege names listed in the two tables above.

This example adds the data-sync privilege to the default root user, by using dsconfig in non-interactive mode.

To Create a Root User

Root users are stored below the entry cn=Root DNs,cn=config. To create a new root user, write the entry in LDIF and add it with the ldapmodify command. Note that the cn=config suffix is available only through the administration connector, so it must be accessed over SSL on the administration port (4444 by default).

Root users automatically inherit the set of default root user privileges on the server. For information about adding or removing privileges for a specific root user, see To Change a Root User's Privileges.

  1. Create a root user entry below the cn=Root DNs,cn=config entry.

    The following LDIF file defines a new root user named MyRootUser. The entry is saved in a file named add-root-user.ldif. The ds-cfg-alternate-bind-dn value lets this root user bind with the short DN cn=MyRootUser instead of its full DN under cn=config; the later procedures in this section bind that way. Replace the userPassword placeholder with a strong password of your own; the server stores it hashed according to the password policy that applies to the entry.

    dn: cn=MyRootUser,cn=Root DNs,cn=config
    objectClass: inetOrgPerson
    objectClass: person
    objectClass: top
    objectClass: ds-cfg-root-dn-user
    objectClass: organizationalPerson
    userPassword: password
    cn: MyRootUser
    sn: MyRootUser
    ds-cfg-alternate-bind-dn: cn=MyRootUser
    givenName: Directory
  2. Use the ldapmodify command to add the entry. Passing the bind password with -w places it on the command line, where other local users can read it from the process list; outside a test environment, put it in a file readable only by you and pass that file with --bindPasswordFile instead.
    $ ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -w password \
      --useSSL --defaultAdd --filename "add-root-user.ldif"
    Processing ADD request for cn=MyRootUser,cn=Root DNs,cn=config
    ADD operation successful for DN cn=MyRootUser,cn=Root DNs,cn=config
  3. (Optional) Use the ldapsearch command to display all the root users defined in the server.
    $ ldapsearch -p 4444 -b "cn=root DNs,cn=config" -D "cn=directory manager" -w password \
      --useSSL "objectclass=*" dn
    dn: cn=Root DNs,cn=config
    
    dn: cn=MyRootUser,cn=Root DNs,cn=config
    
    dn: cn=Directory Manager,cn=Root DNs,cn=config

To Change a Root User's Password

  1. Write the new password to a file that only you can read (for example, rootuser_pwd.txt with mode 0600). ldappasswordmodify reads the new password from this file, so it never appears on the command line or in the shell history.
  2. Use ldappasswordmodify to change the password. The example binds as the root user through its alternate bind DN (cn=MyRootUser) and supplies the current password with -w.
    $ ldappasswordmodify -h localhost -p 4444 -D "cn=MyRootUser" -w password \
      --useSSL --newPasswordFile rootuser_pwd.txt
    The LDAP password modify operation was successful
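Step 1 above says only "secure file". As an added example, not part of the Oracle documentation or the OUD tool set, the following Python function creates the password file the way a practitioner would want it: mode 0600 from the moment of creation, no overwriting or following of a path that already exists (a symlink planted by another local user, for instance), and a check of the permissions actually obtained. The file name rootuser_pwd.txt and the password value are the example's own; the OUD tools themselves are not invoked.

```python
"""Write a password to a file that only the invoking user can read, for use
with options such as --newPasswordFile and --bindPasswordFile.
Added example; not part of the Oracle documentation."""
import os
import stat
import tempfile


def write_password_file(path: str, password: str) -> int:
    """Create `path` with permission bits 0600 and write `password` to it.

    O_EXCL makes the call fail if anything already exists at `path`, so a
    pre-planted file or symlink is never overwritten or followed.  Returns
    the permission bits actually observed on the new file.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)   # not defined on every platform
    fd = os.open(path, flags, 0o600)        # mode applies to the new file only
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password + "\n")
    except Exception:
        os.unlink(path)
        raise
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:                       # e.g. a default ACL widened it
        os.unlink(path)
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0o600")
    return mode


def demo() -> dict:
    """Create rootuser_pwd.txt in a fresh temporary directory and show that a
    second attempt to create the same file is refused."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "rootuser_pwd.txt")
    mode = write_password_file(path, "example-only-password")  # constructed value
    try:
        write_password_file(path, "another-password")
        overwrite_blocked = False
    except FileExistsError:
        overwrite_blocked = True
    return {"path": path, "mode": oct(mode), "overwrite_blocked": overwrite_blocked}


if __name__ == "__main__":
    print(demo())
```

Delete the file once the password change has succeeded; the same function serves for the bind-password file that --bindPasswordFile reads.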

To Change a Root User's Privileges

If you want to have a different set of privileges for a specific root user, add the ds-privilege-name attribute to that root user's entry.

The following example gives the root user "cn=MyRootUser,cn=Root DNs,cn=config" the ability to use proxied authorization. The example removes the ability to change user privileges or access the configuration. The minus sign before the privilege indicates that the privilege is being removed rather than granted.

Setting Root User Resource Limits

You can limit the cost of search operations for a particular account by setting resource-limit operational attributes on the entry of the user that binds to the server. The attributes used in the example below are ds-rlim-lookthrough-limit (the maximum number of entries the server examines for one search), ds-rlim-size-limit (the maximum number of entries returned), and ds-rlim-time-limit (the maximum number of seconds a search may run). Limits set on the entry override the server-wide defaults for that user.

The following LDIF update sets resource limits for the root user created in the previous section. Apply it to the root user's entry, over the administration port, since the entry lives under cn=config.

dn: cn=MyRootUser,cn=Root DNs,cn=config
changetype: modify
add: ds-rlim-lookthrough-limit
ds-rlim-lookthrough-limit: 1000
-
add: ds-rlim-size-limit
ds-rlim-size-limit: 500
-
add: ds-rlim-time-limit
ds-rlim-time-limit: 300

To set a particular resource limit to unlimited, set the value of the corresponding attribute to 0 (zero).

Managing Global Administrators

When you set up replication servers using the graphical installer or the dsreplication command, you are prompted to set a user name and password for the Global Administrator. The Global Administrator is responsible for managing and maintaining administrative server domains in replicated environments.

The Global Administrator exists in the cn=Administrators,cn=admin data subtree. To view the Global Administrator entry, run the following ldapsearch command:

$ ldapsearch -h localhost -p 4444 -D "cn=Directory Manager" -w password \
  --useSSL -b "cn=Administrators,cn=admin data" -s sub "(objectclass=*)"
dn: cn=Administrators,cn=admin data
objectClass: top
objectClass: groupofurls
description: Group of identities which have full access.
cn: Administrators
memberURL: ldap:///cn=Administrators,cn=admin data??one?(objectclass=*)

dn: cn=admin,cn=Administrators,cn=admin data
objectClass: person
objectClass: top
userPassword: {SSHA}+ed1wbhcWjxtv2zJ6OHEA2TuE9n1qIJGnuR94w==
description: The Administrator that can manage all the OUD instances.
cn: admin
sn: admin

Managing Administrators

An administrator generally has broader rights and permissions than most users. You can create a number of administrators, with different access controls and resource limits.

To Create a New Administrator

  1. Import the administrator's user entry with import-ldif, or use an existing user entry.

    For this example, the administrator being added has uid=Admin.Lab, below ou=People,dc=example,dc=com.
  2. (Optional) Create a group of administrators named cn=Administrators.

    Since the group of administrators should have only a few users, you can create a static group. For more information, see Defining Static Groups. The cn attribute value must match the RDN of the entry.

    dn: cn=Administrators,ou=People,dc=example,dc=com
    objectClass: top
    objectClass: groupOfNames
    member: uid=Admin.Lab,ou=People,dc=example,dc=com
    cn: Administrators
  3. Set the privileges of the administrator by using the ldapmodify command.

    For example, the following command gives the administrator the right to run the back-end backup and restore tasks. Because no --filename is given, ldapmodify reads the change from standard input (end it with Ctrl-D). The user entry is outside cn=config, so the regular LDAP port (1389 here) is sufficient; binding over plain LDAP does send the Directory Manager password in the clear, so use --useSSL or --useStartTLS with the corresponding port outside a test environment.

    $ ldapmodify -h localhost -p 1389 -w password -D "cn=directory manager"
    dn: uid=Admin.Lab,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: backend-backup
    ds-privilege-name: backend-restore
  4. Set resource limits, if required.

    The procedure is similar to setting the resource limits for a root user. See Setting Root User Resource Limits.

To Create an Administrator with Root User Privileges

You can assign root user privileges to an administrator or to any other user entry. Doing so makes that entry as powerful as the root DN, so protect its credentials in the same way.

  1. Create an administrator, or use an existing user.

    See To Create a New Administrator.

  2. Modify the privileges using the ldapmodify command.

    For example, the command below gives the administrator Admin.Lab the same set of privileges that root users receive by default. The target DN is the administrator's user entry; membership of the cn=Administrators group does not change that DN. If the entry already holds some of these values (backend-backup and backend-restore from the previous procedure, for example), use "replace: ds-privilege-name" instead of "add: ds-privilege-name", because adding a value that is already present is rejected.

    $ ldapmodify -h localhost -p 1389 -w password -D "cn=directory manager"
    dn: uid=Admin.Lab,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: bypass-acl
    ds-privilege-name: modify-acl
    ds-privilege-name: config-read
    ds-privilege-name: config-write
    ds-privilege-name: ldif-import
    ds-privilege-name: ldif-export
    ds-privilege-name: backend-backup
    ds-privilege-name: backend-restore
    ds-privilege-name: server-shutdown
    ds-privilege-name: server-restart
    ds-privilege-name: disconnect-client
    ds-privilege-name: cancel-request
    ds-privilege-name: password-reset
    ds-privilege-name: update-schema
    ds-privilege-name: privilege-change
    ds-privilege-name: unindexed-search

    Note - The access control privileges bypass-acl and modify-acl, and likewise privilege-change and config-write, should be assigned to only a small number of people. An account that can bypass or rewrite access controls, or grant itself further privileges, has the same reach as the root DN, and handing that to inexperienced users is risky.
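The two privilege tables, the minus-sign removal syntax described under To Change a Root User's Privileges, and the warning above come together when you need to know who actually holds what. The following Python script is an added example, not part of the Oracle documentation or the OUD tool set: given an LDIF export of cn=Root DNs,cn=config together with the user entries that carry ds-privilege-name (here a constructed sample embedded in the script), it parses the LDIF, applies the inherited root defaults and each entry's own ds-privilege-name values, and flags every account holding bypass-acl, modify-acl, privilege-change, config-write or proxied-auth. The attribute name ds-cfg-default-root-privilege-name and the high-risk list are the example's own assumptions.

```python
"""Effective-privilege audit for OUD root users and administrators, working
from an LDIF export.  Added example, not part of the Oracle documentation;
the sample entries below are constructed."""
import base64
from typing import Dict, List, Set

# Privileges every root user receives by default (the first table above).
DEFAULT_ROOT_PRIVILEGES = frozenset({
    "bypass-acl", "modify-acl", "config-read", "config-write", "ldif-import",
    "ldif-export", "backend-backup", "backend-restore", "server-shutdown",
    "server-restart", "disconnect-client", "cancel-request", "unindexed-search",
    "password-reset", "update-schema", "privilege-change"})
# Assumed list: privileges that defeat access control or widen the holder's rights.
HIGH_RISK = frozenset({"bypass-acl", "modify-acl", "privilege-change",
                       "config-write", "proxied-auth"})

# Constructed sample export.  ds-cfg-default-root-privilege-name is assumed to be
# the cn=config attribute behind the dsconfig property default-root-privilege-name.
SAMPLE_LDIF = "dn: cn=Root DNs,cn=config\nobjectClass: ds-cfg-root-dn\n" + "".join(
    f"ds-cfg-default-root-privilege-name: {p}\n" for p in sorted(DEFAULT_ROOT_PRIVILEGES)
) + """
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: Directory Manager

dn: cn=MyRootUser,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: MyRootUser
description: Root user from the procedure above, restricted to prox
 ied authorization
ds-privilege-name: proxied-auth
ds-privilege-name: -config-read
ds-privilege-name: -config-write
ds-privilege-name: -privilege-change

dn: uid=Admin.Lab,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: Admin.Lab
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: joins folded lines, decodes '::' base64 values,
    lower-cases attribute names and splits entries on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def effective_privileges(defaults: Set[str], explicit: List[str]) -> Set[str]:
    """Apply ds-privilege-name values: a '-' prefix removes, anything else grants."""
    result = set(defaults)
    for value in explicit:
        if value.startswith("-"):
            result.discard(value[1:])
        else:
            result.add(value)
    return result


def audit(ldif_text: str) -> Dict[str, dict]:
    """Map each privileged DN to its effective privileges and the high-risk subset.
    Root users (objectClass ds-cfg-root-dn-user) inherit the defaults found on
    cn=Root DNs,cn=config; other entries hold only what ds-privilege-name grants."""
    entries = parse_ldif(ldif_text)
    defaults = set(DEFAULT_ROOT_PRIVILEGES)
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == "cn=root dns,cn=config":
            defaults = set(entry.get("ds-cfg-default-root-privilege-name", defaults))
    report: Dict[str, dict] = {}
    for entry in entries:
        is_root = "ds-cfg-root-dn-user" in {c.lower() for c in entry.get("objectclass", [])}
        explicit = entry.get("ds-privilege-name", [])
        if not is_root and not explicit:
            continue                             # ordinary user, nothing to report
        effective = effective_privileges(defaults if is_root else set(), explicit)
        report[entry["dn"][0]] = {"root": is_root, "privileges": sorted(effective),
                                  "high_risk": sorted(effective & HIGH_RISK)}
    return report


if __name__ == "__main__":
    for dn, info in audit(SAMPLE_LDIF).items():
        print(("HIGH RISK " if info["high_risk"] else "") + dn, info["privileges"])
```

To run it against a live server, export cn=Root DNs,cn=config with ldapsearch over the administration port (--useSSL) and your user suffix with the filter (ds-privilege-name=*), concatenate the two LDIF outputs, and pass the text to audit(). With the sample data, cn=MyRootUser ends up with fourteen privileges and is flagged for bypass-acl, modify-acl and proxied-auth, while uid=Admin.Lab holds only the two backup privileges.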