The privilege mechanism is the same as that used for root distinguished name (DN) accounts and allows individual privileges to be assigned to an administrator entry.

Unlike root DN accounts, administrator user entries are typically subject to access control evaluation, so what they can see and change across the directory information tree (DIT) is bounded by the ACIs in the data. You grant fine-grained read and write access using the access control definitions carried in the aci attribute. Administrator entries reside in a user-data backend, for example uid=admin,dc=example,dc=com, and are therefore replicated between servers in a replication topology.

The following examples show how to configure administrator accounts:

  • The first procedure shows how to set up a single, generic uid=admin,dc=example,dc=com account with limited privileges.

    If you generated sample data at install, you can view an example uid=admin entry using ldapsearch.

  • The second example is more realistic: the administrator user is a member of an administrators group, and access is granted to the group rather than to the individual entry.

Both examples are based on a simple DIT. Real deployments depend on your own schema and DIT layout.
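The following LDIF is an added example, not part of the page or of the directory server's own documentation. It combines the two cases above into one change set: an administrator entry with a limited set of privileges assigned through ds-privilege-name, a static administrators group, and an aci on the base entry that grants the group read and write access to the subtree. It assumes a base DN of dc=example,dc=com, an existing ou=Groups container, a constructed placeholder password, and the privilege names shown (which must exist in your server version); the group DN and attribute values are assumptions for illustration.

```ldif
# Added example (not from the page): a limited administrator account, an
# administrators group, and an aci granting the group access to the DIT.
# Assumptions: base DN dc=example,dc=com, ou=Groups already exists, and the
# password value is a constructed placeholder to be replaced before use.

# 1. The administrator entry. Privileges are assigned with ds-privilege-name.
#    bypass-acl is deliberately NOT granted, so this account stays subject to
#    access control evaluation like any other user; its data access comes only
#    from the aci below. Binding as a root DN (which holds privilege-change)
#    is required to set these attributes.
dn: uid=admin,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: admin
cn: Directory Administrator
sn: Administrator
userPassword: ChangeMe-Placeholder
ds-privilege-name: password-reset
ds-privilege-name: modify-acl
ds-privilege-name: unindexed-search

# 2. A static group holding the administrator accounts. Granting access to
#    the group means adding or removing an administrator is a membership
#    change, not an aci change.
dn: cn=Administrators,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfNames
cn: Administrators
member: uid=admin,dc=example,dc=com

# 3. The aci on the base entry applies to the whole subtree. It gives the
#    group all rights on user attributes ("*" does not cover operational
#    attributes), which is what makes members administrators of the data.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Administrators manage the DIT";
  allow (all) groupdn="ldap:///cn=Administrators,ou=Groups,dc=example,dc=com";)
```

Apply the file with ldapmodify while bound as a root DN, then check the result two ways: search for the uid=admin entry as the root DN and request the ds-privilege-name and aci attributes to confirm the privileges and the new aci were stored, and then bind as uid=admin,dc=example,dc=com and search or modify an entry under dc=example,dc=com. Because bypass-acl was not granted, that second check exercises the aci rather than the privilege set; if you remove the entry from the group, the same operations as uid=admin should be refused, which confirms that access is flowing through the group and not through a privilege.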