Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Configuring Administration Users

Directory Server contains two default administration users: the Directory Manager and cn=admin,cn=Administrators,cn=config. Both have the same access rights, but cn=admin,cn=Administrators,cn=config is subject to ACIs, whereas the Directory Manager bypasses access control entirely.

This section explains how to create an administration user with root access, and how to configure the Directory Manager.

Procedure: To Create an Administration User with Root Access

If you want to create a new administration user with the same rights as cn=admin,cn=Administrators,cn=config, create the new user beneath cn=Administrators,cn=config. All users beneath this entry are subject to a global ACI that grants them the same access as the Directory Manager; unlike the Directory Manager, they remain subject to ACIs and can therefore be restricted or locked out by an ACI change.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

    Create a new administration user.

    For example, to create a new user cn=admin24,cn=Administrators,cn=config, type:

    $ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
    dn: cn=admin24,cn=Administrators,cn=config
    changetype: add
    objectclass: top
    objectclass: person
    cn: admin24
    sn: admin24
    userPassword: password
    description: Administration user with the same access rights as Directory Manager.

    The -D and -w options give the bind DN and password, respectively, of a user with permission to create this entry; -w - makes ldapmodify prompt for the bind password instead of taking it on the command line. The person object class requires both cn and sn, so both attributes are supplied. Replace password with a strong password of your choice, then verify the entry by binding to the server as cn=admin24,cn=Administrators,cn=config.
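The procedure above as a script, added here as an example and not taken from the DSEE guide. It builds the LDIF for one new member of cn=Administrators,cn=config, rejects names that could smuggle RDN separators or line breaks into the DN, base64-encodes the password in LDIF's "::" form so that colons, spaces or non-ASCII characters cannot corrupt the entry, and hands the result to ldapmodify. The host, port and bind DN are assumptions copied from the guide's example (override them via DS_HOST, DS_PORT and DS_BINDDN); the script assumes a base64 command is available.

```shell
#!/bin/sh
# Added example, not from the DSEE guide. Builds the LDIF for a new member of
# cn=Administrators,cn=config and feeds it to ldapmodify. DS_HOST, DS_PORT and
# DS_BINDDN are assumptions taken from the guide's example; override via env.
set -eu

DS_HOST=${DS_HOST:-host1}
DS_PORT=${DS_PORT:-1389}
DS_BINDDN=${DS_BINDDN:-cn=admin,cn=Administrators,cn=config}

# Print the LDIF that adds one administration user. The name is restricted to
# a simple token so it cannot carry RDN separators (',', '+', '=', '\') or a
# newline into the DN or the LDIF stream; 'person' requires cn and sn, so both
# are set. The password is base64-encoded (LDIF '::' form) so that spaces,
# colons or non-ASCII characters in it cannot corrupt the LDIF.
make_admin_ldif() {
    name=$1
    password=$2
    case $name in
        ''|*[!A-Za-z0-9._-]*)
            echo "make_admin_ldif: invalid name '$name'" >&2
            return 1 ;;
    esac
    b64pw=$(printf '%s' "$password" | base64 | tr -d '\n')
    printf '%s\n' \
        "dn: cn=$name,cn=Administrators,cn=config" \
        "changetype: add" \
        "objectclass: top" \
        "objectclass: person" \
        "cn: $name" \
        "sn: $name" \
        "userPassword:: $b64pw" \
        "description: Administration user with the same access rights as Directory Manager."
}

# Apply the LDIF with ldapmodify. The LDIF goes through a private temporary
# file (-f) so that stdin stays free for the bind-password prompt (-w -), as
# in the guide. Usage: add_admin_user admin24 'Str0ngPassw0rd'
add_admin_user() {
    old_umask=$(umask)
    umask 077                      # the temp file holds a password: owner-only
    ldif_file=$(mktemp "${TMPDIR:-/tmp}/addadmin.XXXXXX")
    umask "$old_umask"
    trap 'rm -f "$ldif_file"' EXIT
    make_admin_ldif "$1" "$2" > "$ldif_file"
    ldapmodify -h "$DS_HOST" -p "$DS_PORT" -D "$DS_BINDDN" -w - -f "$ldif_file"
    rm -f "$ldif_file"
}
```

Run make_admin_ldif on its own to inspect the LDIF before applying it; add_admin_user prompts for the bind password of DS_BINDDN and removes the temporary LDIF file on exit, whether or not ldapmodify succeeded.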

Procedure: To Configure the Directory Manager

The Directory Manager is the privileged server administrator, comparable to the root user on UNIX systems. Access control does not apply to the Directory Manager.

For most administration tasks, you are not required to use the Directory Manager. Instead, you can use the user cn=admin,cn=Administrators,cn=config, or any other user that you create beneath cn=Administrators,cn=config. The only tasks that require the Directory Manager are changing the root ACI, and replication troubleshooting tasks, such as repairing replication and searching tombstones.

You can change the Directory Manager DN and password, as well as create a file from which the password can be automatically read.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Find the existing Directory Manager DN.

    $ dsconf get-server-prop -h host -p port root-dn
    root-dn:cn=Directory Manager
  2. Modify the Directory Manager settings as required.

    • To modify the Directory Manager DN, type:

      $ dsconf set-server-prop -h host -p port root-dn:new-root-dn

      Use quotes if there are spaces in the Directory Manager DN. For example:

      $ dsconf set-server-prop -h host1 -p 1389 root-dn:"cn=New Directory Manager"
    • To change the Directory Manager password, type:

      $ dsconf set-server-prop -h host -p port root-pwd:new-root-password

      If for security reasons you do not want to pass the clear text password as a command-line argument, where it can be seen by other users in the process list, create a temporary file containing the password instead. Create the file with permissions that allow only you to read it (for example under a restrictive umask), and be aware that typing the password into an echo command records it in your shell history.

      $ echo password > /tmp/pwd.txt

      Set the server root password file property. The file is read once when you run this command, and the password it contains is stored by the server for future use.

      $ dsconf set-server-prop -h host -p port root-pwd-file:/tmp/pwd.txt

      Remove the temporary password file as soon as the property has been set.

      $ rm /tmp/pwd.txt
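The password-file step above, done without leaving the password in shell history or in a world-readable file. This is an added example, not part of the DSEE guide: the dsconf command and the root-pwd-file property are the ones the guide uses, while the helper names, the read-from-terminal approach and the host and port handed to set_root_pwd are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the DSEE guide. Sets root-pwd-file without putting
# the password on a command line, in shell history, or in a world-readable
# file. The dsconf invocation and the root-pwd-file property are taken from
# the guide; the host and port passed to set_root_pwd are assumptions.
set -eu

# Read one line (the password) from stdin and write it to a fresh temporary
# file that only the current user can read: umask 077 is in force when mktemp
# creates the file, so there is no chmod race. Prints the file path. Reading
# with 'read' instead of typing 'echo password > file' keeps the password out
# of the shell history; terminal echo is suppressed when stdin is a terminal.
write_pwd_file() {
    password=
    tty_in=0
    if [ -t 0 ]; then tty_in=1; stty -echo; fi
    IFS= read -r password || true          # a last line without a newline is accepted
    if [ "$tty_in" -eq 1 ]; then stty echo; echo >&2; fi
    if [ -z "$password" ]; then
        echo "write_pwd_file: empty password" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                              # file is created 0600 from the start
    pwd_file=$(mktemp "${TMPDIR:-/tmp}/dsrootpw.XXXXXX")
    umask "$old_umask"
    printf '%s\n' "$password" > "$pwd_file"
    unset password
    printf '%s\n' "$pwd_file"
}

# Return 0 only if the path is a regular file readable by its owner alone
# (mode string -rw-------), which is the check to make before handing a
# password file to any tool.
is_private_file() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
    esac
    return 1
}

# Set the Directory Manager password from a private file, then remove the
# file whether or not dsconf succeeded. Usage: set_root_pwd host1 1389
# (the password is read from the terminal without echo).
set_root_pwd() {
    host=$1
    port=$2
    f=$(write_pwd_file)
    trap 'rm -f "$f"' EXIT
    is_private_file "$f"
    dsconf set-server-prop -h "$host" -p "$port" "root-pwd-file:$f"
    rm -f "$f"
}
```

The umask is restored after mktemp so that other files created later in the session keep their normal permissions; the EXIT trap ensures the password file does not survive a failed dsconf call.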