PingDirectory

Administrator account classes

The PingDirectory server provides three different classes of administrator accounts: root user, administrator, and global administrator.

Root user

The root user is the LDAP equivalent of a UNIX super-user account and inherits its privileges from the default root user privilege set. For more information on default root privileges, see Default root privileges. The root user account is an entry stored in the server’s configuration under cn=Root DNs,cn=config, and it bypasses access control evaluation. It can be created manually or with the dsconfig tool. This account has full access to the entire set of data in the directory information tree (DIT), to the server configuration, and to server operations. One important difference between other vendors’ servers and the PingDirectory server’s implementation is that the root user’s rights are granted through a set of privileges. This allows the PingDirectory server to have multiple root users on one system, but the normal practice is to set up administrator user entries instead. The root user has no resource limits by default.

Administrator

The administrator user can have the full set of root user privileges but usually has a subset of them, to limit the functions that can be performed. Administrator entries typically have limited access to the data in the DIT, which is controlled by access control instructions (ACIs). These entries reside in a backend, for example, uid=admin,dc=example,dc=com, and are replicated between servers in a replication topology. In some cases, administrator user accounts might be unavailable when the server enters lockdown mode unless the administrator is given the lockdown mode privilege.

Global administrator

A global administrator is primarily responsible for managing configuration server groups. A configuration server group is an administration domain that allows you to synchronize configuration changes to one or all of the servers in the group. For example, you can set up a group when configuring a replication topology where configuration changes to one server can be applied to all of the servers at one time. Global administrator entries are stored in the cn=Topology Admin Users,cn=Topology,cn=config backend and are always mirrored across servers in a replication topology. These users can be assigned privileges like other administrator users but are typically used to manage the data under cn=Topology,cn=config.
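The three account classes above differ in where the entry lives (cn=Root DNs,cn=config, a replicated backend, or cn=Topology Admin Users,cn=Topology,cn=config) and in which privileges the entry holds. The following script is an added example, not part of the PingDirectory documentation or product: it parses an LDIF export of administrator entries, classifies each entry by its DN location, and reports the high-impact privileges it holds, so that a backend administrator that has quietly become root-equivalent (bypass-acl) or that will be locked out in lockdown mode (no lockdown-mode privilege) stands out in a review. It assumes privileges are exported as the `ds-privilege-name` attribute and that the privilege names in HIGH_IMPACT match the server's privilege vocabulary; check them against the Default root privileges list for your version. The LDIF entries are constructed sample data.

```python
"""Audit PingDirectory administrator-class accounts from an LDIF export.

Added example, not vendor code. Assumptions: one privilege per
`ds-privilege-name` value, and the privilege names listed in HIGH_IMPACT.
"""
import base64
from typing import Dict, List

# Privileges that, taken alone, let an account act outside normal access
# control or reconfigure the server (assumed names; verify against the
# server's default root privilege list).
HIGH_IMPACT = frozenset({
    "bypass-acl", "config-write", "lockdown-mode",
    "privilege-change", "modify-acl",
})

# Constructed sample export: one root DN, one backend administrator and
# one global (topology) administrator. Real exports carry more attributes.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: top
objectClass: person
cn: Directory Manager
ds-privilege-name: bypass-acl
ds-privilege-name: config-write
ds-privilege-name: lockdown-mode

dn: uid=admin,dc=example,dc=com
objectClass: top
objectClass: person
uid: admin
description:: QmFja2VuZCBhZG1pbg==
ds-privilege-name: password-reset
ds-privilege-name: config-read

dn: cn=topadmin,cn=Topology Admin Users,cn=Topology,cn=config
objectClass: top
cn: topadmin
description: Manages cn=Topology,cn=config on all servers
  in the group
ds-privilege-name: config-write
ds-privilege-name: bypass-acl
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes `::` base64
    values, lower-cases attribute names and keeps every value of an attribute."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded line: drop the leading space
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_account(dn: str) -> str:
    """Map an entry DN to the account class the documentation describes."""
    norm = ",".join(part.strip() for part in dn.split(",")).lower()
    if norm.endswith(",cn=root dns,cn=config"):
        return "root user"
    if norm.endswith(",cn=topology admin users,cn=topology,cn=config"):
        return "global administrator"
    return "administrator"


def audit(entries: List[Dict[str, List[str]]]) -> Dict[str, dict]:
    """Return, per DN, the account class, its high-impact privileges and
    review notes derived from the class/privilege combination."""
    report: Dict[str, dict] = {}
    for entry in entries:
        dn = entry["dn"][0]
        kind = classify_account(dn)
        privs = set(entry.get("ds-privilege-name", []))
        notes: List[str] = []
        if kind == "administrator" and "bypass-acl" in privs:
            notes.append("bypass-acl makes this backend account root-equivalent; ACIs no longer constrain it")
        if kind == "administrator" and "lockdown-mode" not in privs:
            notes.append("account will be unavailable while the server is in lockdown mode")
        if kind == "global administrator" and privs & HIGH_IMPACT:
            notes.append("topology admin holds high-impact privileges beyond managing cn=Topology,cn=config")
        report[dn] = {"class": kind, "high_impact": sorted(privs & HIGH_IMPACT), "notes": notes}
    return report


if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{finding['class']:<22} {dn}")
        print(f"    high-impact privileges: {finding['high_impact'] or 'none'}")
        for note in finding["notes"]:
            print(f"    note: {note}")
```

Run it against a real export (for example the output of an LDIF export of cn=config and of the backend that holds administrator entries) instead of SAMPLE_LDIF; the root user class is expected to carry the high-impact set, so the findings worth acting on are backend administrators and topology administrators that hold the same privileges.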