PingDirectory

Use separate accounts for each administrator

The PingDirectory server’s setup process automatically creates an initial root user that can be used to manage content in the server, and it suggests a DN of cn=Directory Manager for this account.

Many directory servers support only a single root account that all server administrators share. This has several significant disadvantages, including:

  • If there is only a single root account, then it is difficult to audit the actions of individual administrators.

  • If there is only a single root account, then its credentials have to be shared across multiple administrators. This increases the risk that those credentials will be compromised because the more people who have access to them, the greater the chance that they will be leaked.

  • If there is only a single root account whose credentials have to be shared across multiple administrators, then it can be disruptive to change those credentials if required (for example, if the credentials are compromised, or if one of the administrators leaves the organization or takes on a different role).

  • If there is only a single root account, then it becomes more difficult to use strong authentication for that account in a secure manner.

  • If there is only a single root account, then that account must have full access to perform any operation that any administrator might need to do. If this account is shared by multiple administrators, then that can give some of them more access than necessary.

The PingDirectory server lets you create any number of root user and topology administrator accounts. Give each administrator their own account, with separate credentials, support for strong authentication, and only the rights and privileges their role requires.
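As an added example (not part of the PingDirectory documentation or the product's own scripts), the following script builds one root DN account per administrator, each holding only the privileges its role needs, and optionally applies the result with the server's `ldapmodify` tool bound as the initial `cn=Directory Manager` account. The object class and attribute names (`ds-cfg-root-dn-user`, `ds-cfg-alternate-bind-dn`, `ds-cfg-inherit-default-root-privileges`, `ds-privilege-name`) and the privilege names are assumed from the server's root DN configuration and should be checked against your version's schema; the account names, password files, host name and the `APPLY`, `PD_HOST` and `*_PW_FILE` variables are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation: emit the LDIF for
# per-administrator root DN accounts with role-tailored privileges.
# ASSUMED: ds-cfg-root-dn-user, ds-cfg-alternate-bind-dn,
# ds-cfg-inherit-default-root-privileges and ds-privilege-name come from the
# server's root DN configuration; verify them against your server's schema.

# root_user_ldif CN SN GIVENNAME PASSWORD PRIVILEGE...
# Prints an LDIF add record under cn=Root DNs,cn=config. Inheritance of the
# default root privileges is switched off, so the account holds exactly the
# privileges listed: least privilege per role.
root_user_ldif() {
    cn=$1 sn=$2 givenname=$3 password=$4
    shift 4
    cat <<EOF
dn: cn=$cn,cn=Root DNs,cn=config
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ds-cfg-root-dn-user
cn: $cn
sn: $sn
givenName: $givenname
userPassword: $password
ds-cfg-alternate-bind-dn: cn=$cn
ds-cfg-inherit-default-root-privileges: false
EOF
    for priv in "$@"; do
        printf 'ds-privilege-name: %s\n' "$priv"
    done
}

# privilege_count: reads an LDIF record on stdin and prints how many explicit
# privileges it grants; a quick review check before anything is applied.
privilege_count() {
    grep -c '^ds-privilege-name:'
}

# Two role-tailored accounts (constructed sample data). The help-desk
# administrator can only reset user passwords; the backup operator can only
# run backups and restores. Neither receives bypass-acl or config-write.
helpdesk_ldif() {
    root_user_ldif jdoe Doe Jane "$(cat "${HELPDESK_PW_FILE:-/dev/null}")" password-reset
}
backup_ldif() {
    root_user_ldif backup-op Operator Backup "$(cat "${BACKUP_PW_FILE:-/dev/null}")" \
        backend-backup backend-restore
}

# Apply only when explicitly requested; otherwise print the LDIF for review.
# The bind DN cn=Directory Manager is the initial root user created by setup.
if [ "${APPLY:-0}" = 1 ]; then
    { helpdesk_ldif; echo; backup_ldif; } | ldapmodify \
        --hostname "${PD_HOST:-ds.example.com}" --port 636 --useSSL \
        --bindDN "cn=Directory Manager" --bindPasswordFile "${DM_PW_FILE:?set DM_PW_FILE}"
else
    helpdesk_ldif; echo; backup_ldif
fi
```

Run it without `APPLY=1` first and review the printed records; each administrator's `ds-privilege-name` lines are the complete list of what that account can do, which is what makes per-person accounts auditable and cheap to revoke when someone changes role. Set `APPLY=1` with the password-file variables pointing at files readable only by the operator to load the accounts over TLS.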