Enabling user creation
Enable the creation of new users and resources by configuring either a parent entry distinguished name (DN) or parent resource type where new users will be located.
If you configure a parent DN, the entry that it references must exist in the PingDirectory server. All new users are created in this single location. If necessary, use ldapmodify
to create the parent entry. For more information about the ldapmodify
tool or about command-line help, see the PingDirectory Server Administration Guide. Alternatively, if a parent resource type is configured, the administrator can choose the specific resource where the new user is created.
Delegated Admin cannot list organizations in which the delegated administrator is unable to manage user entries. Administrators who manage only specific subtrees cannot create users in an organization that does not reside under, or at the same level as, one of the subtrees. |
The following example specifies a single location for new users on the PingDirectory server:
$ bin/dsconfig set-rest-resource-type-prop \
--type-name users \
--set "parent-dn:ou=people,dc=example,dc=com" \
--reset parent-resource-type
The setup script creates a resource type named orgs
, which works with entries that feature the organization objectClass
.
The following example shows that any organization resource can function as the location for new users on the PingDirectory server:
$ bin/dsconfig set-rest-resource-type-prop \
--type-name users \
--reset parent-dn \
--set parent-resource-type:orgs
A different resource type can be created for organizationalUnit objectClass
entries, as follows.
$ bin/dsconfig create-rest-resource-type \
--type-name orgUnits \
--set "display-name:Organizational Units" \
--set primary-display-attribute-type:ou \
--set "search-filter-pattern:(&(objectClass=organizationalUnit)(ou=%%))" \
--set structural-ldap-objectclass:organizationalUnit \
--set enabled:false
$ bin/dsconfig create-delegated-admin-attribute \
--type-name orgUnits \
--attribute-type ou \
--set "display-name:Organizational Unit"
$ bin/dsconfig set-rest-resource-type-prop \
--type-name orgUnits \
--set enabled:true
The new resource type can be referenced as a parent-resource-type
.
By default, new entries are named by their server-generated entryUUID
values. To change this behavior, configure the LDAP RDN
attribute.
The |
In the following example, uid
names new entries and becomes a required attribute.
$ bin/dsconfig set-rest-resource-type-prop \
--type-name users \
--set create-rdn-attribute-type:uid
New users are always created with their configured structural LDAP objectclass
. One or more auxiliary Lightweight Directory Access Protocol (LDAP) objectclasses
can be specified, as the following example shows.
$ bin/dsconfig set-rest-resource-type-prop \
--type-name users \
--set auxiliary-ldap-objectclass:ubidPersonAux
When existing users without all of the specified auxiliary objectclasses
are edited, the missing objectclasses
are updated automatically.
By default, the password field appears at the top of the Create User form outside any category. The next example adds the password field to the Required fields category and sets the location of the field to 2.
dsconfig set-rest-resource-type-prop \ --type-name users \ --set "password-attribute-category:Required fields" \ --set password-display-order-index:2
If the server does not require a password, you can leave the password field blank when you create a user. Without a password, the user can’t sign on to Configuring user self-service. |