PingDirectory

Enabling user creation

Enable the creation of new users and resources by configuring either a parent entry distinguished name (DN) or parent resource type where new users will be located.

If you configure a parent DN, the entry that it references must exist in the PingDirectory server. All new users are created in this single location. If necessary, use ldapmodify to create the parent entry. For more information about the ldapmodify tool or about command-line help, see the PingDirectory Server Administration Guide. Alternatively, if a parent resource type is configured, the administrator can choose the specific resource where the new user is created.

Delegated Admin cannot list organizations in which the delegated administrator is unable to manage user entries. Administrators who manage only specific subtrees cannot create users in an organization that does not reside under, or at the same level as, one of the subtrees.

The following example specifies a single location for new users on the PingDirectory server:

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name users \
  --set "parent-dn:ou=people,dc=example,dc=com" \
  --reset parent-resource-type

The setup script creates a resource type named orgs, which works with entries that feature the organization objectClass.

The following example shows that any organization resource can function as the location for new users on the PingDirectory server:

$ bin/dsconfig set-rest-resource-type-prop \
   --type-name users \
   --reset parent-dn \
   --set parent-resource-type:orgs

A different resource type can be created for organizationalUnit objectClass entries, as follows.

$ bin/dsconfig create-rest-resource-type \
  --type-name orgUnits \
  --set "display-name:Organizational Units" \
  --set primary-display-attribute-type:ou \
  --set "search-filter-pattern:(&(objectClass=organizationalUnit)(ou=%%))" \
  --set structural-ldap-objectclass:organizationalUnit \
  --set enabled:false

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name orgUnits \
  --attribute-type ou \
  --set "display-name:Organizational Unit"

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name orgUnits \
  --set enabled:true

The new resource type can be referenced as a parent-resource-type.

By default, new entries are named by their server-generated entryUUID values. To change this behavior, configure the LDAP RDN attribute.

The RDN attribute type must also be configured as a Delegated Admin attribute. For more information, see Configuring attributes and attribute search on the PingDirectory server. Do not set read-only attributes as the RDN attribute.

In the following example, uid names new entries and becomes a required attribute.

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name users \
  --set create-rdn-attribute-type:uid

New users are always created with their configured structural LDAP objectclass. One or more auxiliary Lightweight Directory Access Protocol (LDAP) objectclasses can be specified, as the following example shows.

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name users \
  --set auxiliary-ldap-objectclass:ubidPersonAux

When existing users without all of the specified auxiliary objectclasses are edited, the missing objectclasses are updated automatically.

By default, the password field appears at the top of the Create User form outside any category. The next example adds the password field to the Required fields category and sets the location of the field to 2.

dsconfig set-rest-resource-type-prop \
    --type-name users \
    --set "password-attribute-category:Required fields" \
    --set password-display-order-index:2

If the server does not require a password, you can leave the password field blank when you create a user. Without a password, the user can’t sign on to Configuring user self-service.