PingDirectory

Setting up an administrator group

About this task

The following example shows how to set up a group of administrators that have access rights to the whole PingDirectory server.

The example uses a static group using the GroupOfUniqueNames object class.

Steps

  1. Create an LDIF file with an example administrator group.

    Example:

    For this example, name the file admin-group.ldif

    dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups

dn: cn=Dir Admins,ou=Groups,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=user.0, ou=People, dc=example,dc=com
uniqueMember: uid=user.1, ou=People, dc=example,dc=com
cn: Dir Admins
ou: Groups

  2. To add the entries, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --defaultAdd --filename admin-group.ldif

  3. To add the ACI to the root suffix or base DN to provide full access to the PingDirectory server to the new administrator, create another LDIF file.

    Example:

    For this example, name the file admin-aci.ldif.

    dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")
  (targetattr != "aci")
  (version 3.0; acl "allow all Admin group";
    allow(all) groupdn = "ldap:///cn=Dir Admins,ou=Groups,dc=example,dc=com";)

  4. To add the ACI, use the ldapmodify tool.

    Example:

    $ bin/ldapmodify --filename admin-aci.ldif

  5. To verify the additions, use the ldapsearch tool.

    Example:

    In the following example, the first command searches for the entry that contains cn=Dir Admins and returns it if the search is successful. The second command searches for the base DN and returns only those operational attributes, including ACIs, associated with the entry.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(cn=Dir Admins)"

$ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base \
  "(objectclass=*)" "+"

  6. To add specific privileges to each administrator account, use an LDIF file.

    Example:

    For this example, name the file admin-priv.ldif.

    For this example, add the password-reset privilege to the user.0 administrator account from the command line. To add the privilege, use the ldapmodify tool. Repeat the process for the other administrators configured in the administrator group.

    dn: uid=user.0,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset

$ bin/ldapmodify --filename admin-priv.ldif

    Result:

    Processing MODIFY request for uid=user.0,dc=example,dc=com
MODIFY operation successful for DN uid=user.0,dc=example,dc=com

  7. To assign a password policy for the administrator account, use an LDIF file. Save the file as admin-pwd-policy.ldif.

    Example:

    For example, create an Admin Password Policy, then add the password policy to the account. To apply the password policy to the account, use the ldapmodify tool.

    dn: uid=user.0,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config

$ bin/ldapmodify --filename admin-pwd-policy.ldif