Assigning privileges to normal users and individual root users
You can grant privileges to normal users on an individual basis. Add the ds-privilege-name operational attribute to the user’s entry with the names of the desired privileges. For example, the following change grants the proxied-auth privilege to the uid=proxy,dc=example,dc=com account.

dn: uid=proxy,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth
The user making this change must have the privilege-change privilege, and the server’s access control configuration must also allow the requester to write to the ds-privilege-name attribute in the target user’s entry.
There’s a known issue with adding privileges to user entries when a virtual attribute targeting
To successfully add a privilege to these entries, use a

dn: uid=proxy,dc=example,dc=com
changetype: modify
replace: ds-privilege-name
ds-privilege-name: proxied-auth

This issue is resolved in version 10.1 and later of the PingDirectory server.
You can use the same method to grant root users privileges that aren’t included in the set of default root privileges. You can also remove default root privileges from root users by prefixing the name of the privilege to remove with a minus sign. For example, the following change grants a root user the jmx-read privilege in addition to the set of default root privileges and removes the server-restart and server-shutdown privileges.

dn: cn=Sync Root User,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown
Because root user entries exist in the configuration, this update requires the
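The following script is an added example, not code from the PingDirectory documentation or product. It parses an LDIF modify record like the two shown above (the normal-user proxied-auth change and the root-user jmx-read change), applies the add/replace semantics to the ds-privilege-name values, and computes the resulting effective privilege set, honouring the minus-sign convention for removing default root privileges. The default root privilege set it uses is a constructed sample for illustration only and is not the server’s real default list; the requester check mirrors the page’s rule that the modifying user must hold privilege-change (access control evaluation is out of scope here).

```python
"""Effective-privilege calculator for ds-privilege-name changes (added example)."""
from typing import Dict, Iterable, List, Set

# Constructed sample; the actual default root privilege set is defined by the server.
SAMPLE_DEFAULT_ROOT_PRIVILEGES: Set[str] = {
    "server-restart", "server-shutdown", "config-read", "config-write",
    "privilege-change", "proxied-auth", "modify-acl", "password-reset",
}

ATTR = "ds-privilege-name"


def parse_ldif_modify(ldif_text: str) -> Dict[str, object]:
    """Parse a single-modification 'changetype: modify' LDIF record.

    Returns {"dn": ..., "op": "add"|"replace"|"delete", "attr": ..., "values": [...]}.
    Base64 ('::') values and multi-modification records are not handled here.
    """
    dn = op = attr = None
    values: List[str] = []
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "-":
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value != "modify":
                raise ValueError(f"expected changetype: modify, got {value}")
        elif key in ("add", "replace", "delete"):
            op, attr = key, value
        elif attr is not None and key == attr:
            values.append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line}")
    if dn is None or op is None or attr is None:
        raise ValueError("incomplete modify record")
    return {"dn": dn, "op": op, "attr": attr, "values": values}


def apply_modification(current: Set[str], op: str, values: Iterable[str]) -> Set[str]:
    """Apply an LDAP modify operation to the stored attribute values."""
    new = set(values)
    if op == "add":
        return current | new
    if op == "replace":
        return new
    if op == "delete":
        return current - new if new else set()
    raise ValueError(f"unknown op {op}")


def effective_privileges(is_root: bool, stored_values: Iterable[str],
                         default_root: Set[str]) -> Set[str]:
    """Resolve stored ds-privilege-name values into the privileges actually held.

    Normal users get only what is listed; root users start from the default set,
    gain explicitly listed privileges, and lose any listed with a '-' prefix.
    """
    vals = list(stored_values)
    granted = {v for v in vals if not v.startswith("-")}
    revoked = {v[1:] for v in vals if v.startswith("-")}
    base = set(default_root) if is_root else set()
    return (base | granted) - revoked


def requester_may_change(requester_privileges: Set[str]) -> bool:
    """The page's stated prerequisite: the requester needs privilege-change."""
    return "privilege-change" in requester_privileges


# Constructed copy of the root-user change from the text above.
ROOT_CHANGE = """dn: cn=Sync Root User,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown
"""


def resolve_root_change(ldif_text: str = ROOT_CHANGE,
                        existing: Set[str] = frozenset()) -> Set[str]:
    """Parse a root-user change and return the resulting effective privileges."""
    rec = parse_ldif_modify(ldif_text)
    stored = apply_modification(set(existing), rec["op"], rec["values"])
    return effective_privileges(True, stored, SAMPLE_DEFAULT_ROOT_PRIVILEGES)


if __name__ == "__main__":
    print(sorted(resolve_root_change()))
```

Running the script prints the sample default set plus jmx-read, minus server-restart and server-shutdown. Swapping the `add:` line for `replace:` in the LDIF (the workaround the note above shows for the virtual-attribute issue) drops any previously stored values, so run the resolver against the entry’s current ds-privilege-name values before applying a replace to confirm nothing unintended is lost.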