Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory 11g Release 1 (11.1.1) |
6. Directory Server Root Users and the Privilege Subsystem
Root user accounts in the directory server are defined below the cn=Root DNs,cn=config branch in the server configuration. Each root account should be defined as a regular user entry, with the exception that it must include the ds-cfg-root-dn-user auxiliary object class. It can also have one or more values for the ds-cfg-alternate-bind-dn attribute. This attribute specifies alternate DNs that can be used to authenticate as that user (for example, so you can bind as cn=Directory Manager instead of having to use cn=Directory Manager,cn=Root DNs,cn=config, which is the actual entry DN).
Providing the ability to have multiple root users and breaking each of them out into their own entries provides a number of advantages:
Each administrator who needs root access to the directory server can have their own account with their own credentials. This makes it easier to keep an audit trail of who does what in the directory server than if all of the administrators had to share a single root account.
Since each root user account has its own set of credentials, the credentials for one root user can be changed without affecting any of the other root users. It is not necessary to coordinate root password changes among all of the administrators, since each of them has their own account. If an administrator leaves, that account can simply be deactivated or removed.
Since each root user has its own entry, and that entry can hold whatever attributes and object classes you want (as long as it also includes the ds-cfg-root-dn-user auxiliary object class), root users can use strong authentication such as the EXTERNAL or GSSAPI SASL mechanisms.
Root users are subject to password policy enforcement, which means that it is possible, for example, to force root users to change their passwords on a regular basis, to ensure that they are only allowed to authenticate or change their passwords using secure mechanisms, and to ensure that they choose strong passwords. It is possible to use custom password policies for these users, so that they are subject to a different set of password policy requirements than other users in the directory.
It is also possible to define different resource limits for root users than for regular users. Since each root account has its own entry, operational attributes such as ds-rlim-size-limit, ds-rlim-time-limit, and ds-rlim-lookthrough-limit work for root users just as they do for normal user accounts.
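As an added example that is not part of the Oracle documentation, the following Python script audits an LDIF export of the cn=Root DNs,cn=config branch against the points above: it checks that each root account carries the ds-cfg-root-dn-user auxiliary object class, reports an alternate bind DN claimed by more than one account (two accounts sharing one bind DN defeats the per-administrator audit trail), and lists accounts that set no per-account resource limits. The sample LDIF and the audit rules are constructed for illustration; a real export would come from the server's configuration.

```python
from collections import defaultdict
ROOT_BRANCH = "cn=root dns,cn=config"
RLIM_ATTRS = ("ds-rlim-size-limit", "ds-rlim-time-limit", "ds-rlim-lookthrough-limit")
# Constructed sample export of the Root DNs branch (not from a real server); the
# second entry lacks the auxiliary object class and reuses an alternate bind DN.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: person
objectClass: ds-cfg-root-dn-user
cn: Directory Manager
ds-cfg-alternate-bind-dn: cn=Directory Manager
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
ds-rlim-lookthrough-limit: 0

dn: cn=alice,cn=Root DNs,cn=config
objectClass: person
cn: alice
ds-cfg-alternate-bind-dn: cn=Directory Manager
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr (lower-case): [values]}}; no folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def audit_root_accounts(entries):
    """Return (dn, finding) pairs for the entries below cn=Root DNs,cn=config."""
    findings, alt_owner = [], {}
    for dn, attrs in entries.items():
        if not dn.lower().endswith("," + ROOT_BRANCH):   # skip the branch entry itself
            continue
        if "ds-cfg-root-dn-user" not in {c.lower() for c in attrs.get("objectclass", [])}:
            findings.append((dn, "missing ds-cfg-root-dn-user auxiliary object class"))
        for alt in attrs.get("ds-cfg-alternate-bind-dn", []):   # one owner per alternate DN
            owner = alt_owner.setdefault(alt.lower(), dn)
            if owner != dn:
                findings.append((dn, "alternate bind DN %s already used by %s" % (alt, owner)))
        missing = [a for a in RLIM_ATTRS if a not in attrs]
        if missing:
            findings.append((dn, "no per-account resource limits: " + ", ".join(missing)))
    return findings
```

Running `audit_root_accounts(parse_ldif(SAMPLE_LDIF))` reports three findings, all against cn=alice, and none against cn=Directory Manager.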