PingDirectory

Setting up a single administrator account

About this task

To create an example of a single, generic administrator account:

Steps

  1. Create an LDIF file with an example administrator entry.

    Example:

    dn: uid=admin,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Admin
uid: admin
cn: Admin User
sn: User
userPassword: password

  2. To add the entry, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --defaultAdd --filename admin.ldif

  3. To add the access control instruction (ACI) to the root suffix or base DN to give full access to the new administrator, create another LDIF file.

    The ACI grants full access to all user attributes, but not to operational attributes. To grant access to operational attributes as well as user attributes, use (targetattr = "*||+") in the access control instruction.

    Example:

    dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "Grant full access for the admin user";
    allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)

  4. To add the entry, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --filename admin.ldif

  5. To verify the additions, use the ldapsearch tool.

    Example:

    In the following example, the first command searches for the entry that contains uid=Admin and returns it if the search is successful. The second command searches for the base DN and returns only those operational attributes, including ACIs, associated with the entry.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=admin)"

$ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" "+"

  6. Add specific privileges to the administrator account, then to process the modify operation press CTRL-D.

    Example:

    For this example, add the password-reset privilege to the administrator account from the command line.

    $ bin/ldapmodify
dn: uid=admin,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

    Result:

    Processing MODIFY request for uid=admin,dc=example,dc=com
MODIFY operation successful for DN uid=admin,dc=example,dc=com

  7. Assign a password policy for the administrator account.

    Example:

    Create an Admin Password Policy, then add the password policy to the account.

    $ bin/dsconfig create-password-policy \
  --policy-name "Admin Password Policy" \
  --set "description:Password policy for administrators" \
  --set password-attribute:userpassword \
  --set "default-password-storage-scheme:Salted SHA-256" \
  --set password-change-requires-current-password:true \
  --set force-change-on-reset:true \
  --set "max-password-age:25w 5d" \
  --set grace-login-count:3 \
  --no-prompt

  8. To apply the password policy to the account, run the ldapmodify command.

    Example:

    Execute the ldapmodify command with a bind DN that has sufficient rights, such as a root DN, as in the following example.

    $ bin/ldapmodify
dn: uid=admin,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config