Managing Root Users With dsconfig
Use the dsconfig command to manage root users. For more information, see Configuring the Directory Server With dsconfig.
The default root user has a number of privileges, which are stored as values of the default-root-privilege-name property.
$ dsconfig -D "cn=directory manager" -w password -n \
  get-root-dn-prop
Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : cancel-request, config-read, config-write,
                            : disconnect-client, ldif-export, ldif-import,
                            : modify-acl, password-reset, privilege-change,
                            : server-restart, server-shutdown,
                            : unindexed-search, update-schema
The easiest way to manage root user privileges is to use dsconfig in interactive mode. Interactive mode walks you through the root user configuration, and is therefore not documented here.
To add or remove privileges for the default root user, add or remove the values of the default-root-privilege-name property. This property can hold the following values:
backend-backup
backend-restore
bypass-acl
cancel-request
config-read
config-write
data-sync
disconnect-client
jmx-notify
jmx-read
jmx-write
ldif-export
ldif-import
modify-acl
password-reset
privilege-change
proxied-auth
server-restart
server-shutdown
unindexed-search
update-schema
This example adds the data-sync privilege to the default root user, by using dsconfig in non-interactive mode.
$ dsconfig -D "cn=directory manager" -w password -n \
  set-root-dn-prop --add default-root-privilege-name:data-sync
Root users are stored below the entry cn=Root DNs,cn=config. To create a new root user, create the entry in LDIF and add it by using the ldapmodify command.
Root users automatically inherit the set of default root user privileges on the server. For information about adding or removing privileges for a specific root user, see To Change a Root User's Privileges.
The following LDIF file represents a new root user named “Administration Manager”. The entry is saved in a file named add-root-user.ldif.
dn: cn=MyRootUser,cn=Root DNs,cn=config
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
userPassword: password
cn: MyRootUser
sn: MyRootUser
ds-cfg-alternate-bind-dn: cn=MyRootUser
givenName: Directory
$ ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password \
  --defaultAdd --filename "add-root-user.ldif"
Processing ADD request for cn=MyRootUser,cn=Root DNs,cn=config
ADD operation successful for DN cn=MyRootUser,cn=Root DNs,cn=config
$ ldapsearch -p 1389 -b "cn=root DNs,cn=config" -D "cn=directory manager" -w password \
  "objectclass=*" dn
dn: cn=Root DNs,cn=config
dn: cn=MyRootUser,cn=Root DNs,cn=config
dn: cn=Directory Manager,cn=Root DNs,cn=config
$ ldappasswordmodify -h localhost -p 1389 -D "cn=MyRootUser" -w password \
  --newPasswordFile rootuser_pwd.txt
The LDAP password modify operation was successful
If you want to have a different set of privileges for a specific root user, add the ds-privilege-name attribute to that root user's entry.
The following example gives the root user "cn=MyRootUser,cn=Root DNs,cn=config" the ability to use proxied authorization. The example removes the ability to change user privileges or access the configuration. The minus sign before the privilege indicates that the privilege is being removed rather than granted.
dn: cn=MyRootUser,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth
ds-privilege-name: -config-read
ds-privilege-name: -config-write
In this example, the root user "cn=MyRootUser,cn=Root DNs,cn=config" would inherit all privileges automatically granted to root users with the exception of the config-read and config-write privileges. The user would also be given the proxied-auth privilege.
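The inheritance rule described above can be checked offline when auditing root accounts. The following is an added example, not part of the OpenDS documentation or code: it reads the wrapped dsconfig get-root-dn-prop table and the ds-privilege-name values of a root user's entry and computes the resulting privilege set. The function names are hypothetical, and both inputs are constructed samples copied from the listings on this page.

```python
# Constructed sample: `dsconfig get-root-dn-prop` output as listed on this page.
DSCONFIG_OUTPUT = """\
Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : cancel-request, config-read, config-write,
                            : disconnect-client, ldif-export, ldif-import,
                            : modify-acl, password-reset, privilege-change,
                            : server-restart, server-shutdown,
                            : unindexed-search, update-schema
"""
# Constructed sample: the root user's entry after the modification on this page.
ROOT_USER_LDIF = """\
dn: cn=MyRootUser,cn=Root DNs,cn=config
ds-privilege-name: proxied-auth
ds-privilege-name: -config-read
ds-privilege-name: -config-write
"""

def parse_default_privileges(table, prop="default-root-privilege-name"):
    """Collect a multi-valued property from dsconfig's wrapped table output."""
    values, in_prop = [], False
    for line in table.splitlines():
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        name = name.strip()
        if name == prop:
            in_prop = True
        elif name:  # header, separator row, or a different property
            in_prop = False
        if in_prop:  # continuation rows have an empty name column
            values += [v.strip() for v in rest.split(",") if v.strip()]
    return set(values)

def parse_privilege_overrides(ldif):
    """Return (granted, revoked) from ds-privilege-name values in an entry."""
    granted, revoked = set(), set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "ds-privilege-name":
            value = value.strip()
            (revoked if value.startswith("-") else granted).add(value.lstrip("-"))
    return granted, revoked

def effective_privileges(defaults, granted, revoked):
    """Inherited defaults plus explicit grants, minus '-'-prefixed values."""
    return (defaults | granted) - revoked

if __name__ == "__main__":
    defaults = parse_default_privileges(DSCONFIG_OUTPUT)
    print(sorted(effective_privileges(defaults, *parse_privilege_overrides(ROOT_USER_LDIF))))
```

The LDIF parsing here is deliberately minimal: it does not handle folded lines or base64-encoded (`::`) values.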