  1. Create an LDIF file with an example administrator entry.
    dn: uid=admin,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: top
    givenName: Admin
    uid: admin
    cn: Admin User
    sn: User
    userPassword: password
  2. Then add the entry using the ldapmodify tool.
    $ bin/ldapmodify --defaultAdd --filename admin.ldif
  3. Create another LDIF file that adds an access control instruction (ACI) to the root suffix (the base DN), giving the new administrator full access. This ACI grants full access to all user attributes but not to operational attributes. To grant access to operational attributes as well as user attributes, use (targetattr = "*||+") in the access control instruction.
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr = "*")
      (version 3.0; acl "Grant full access for the admin user";
        allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  4. Then apply the modification using the ldapmodify tool.
    $ bin/ldapmodify --filename admin.ldif
  5. Verify the additions using ldapsearch. The first command searches for the entry with uid=admin and returns it if the search is successful. The second command searches only the base DN entry itself (scope base) and requests operational attributes ("+"), which include the access control instructions on that entry.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=admin)"
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" "+"
  6. Add specific privileges to the admin account. In this example, the password-reset privilege is added from the command line; ldapmodify reads the change from standard input, so after typing it press CTRL-D to process the modify operation.
    $ bin/ldapmodify
    dn: uid=admin,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: password-reset
    Processing MODIFY request for uid=admin,dc=example,dc=com
    MODIFY operation successful for DN uid=admin,dc=example,dc=com
  7. Assign a password policy for the Admin account. For example, create an "Admin Password Policy", then add the password policy to the account.
    $ bin/dsconfig create-password-policy \
      --policy-name "Admin Password Policy" \
      --set "description:Password policy for administrators" \
      --set password-attribute:userpassword \
      --set "default-password-storage-scheme:Salted SHA-256" \
      --set password-change-requires-current-password:true \
      --set force-change-on-reset:true \
      --set "max-password-age:25w 5d" \
      --set grace-login-count:3 \
      --no-prompt
  8. Apply the password policy to the account. In this example, the password policy is being added from the command line. The following ldapmodify command should be executed with a bind DN that has sufficient rights, such as a Root DN.
    $ bin/ldapmodify
    dn: uid=admin,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
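The LDIF in steps 1 to 8 is short enough to type by hand, but two details follow RFC 2849 rules that are easy to get wrong: the continuation lines of the ACI in step 3 (each must begin with exactly one space, which is dropped when the line is unfolded), and values that LDIF cannot carry as plain text (a trailing space, a leading colon or space, non-ASCII), which must be written in the base64 form `name:: value` or the server stores something other than what was intended. The following added example is not from the original documentation or from the directory server vendor; it is a small writer and reader for the records used above. The DNs, attributes and ACI text come from the steps; the function names, the 76-column fold and the `--`-terminated mod-spec are the example's own choices.

```python
"""Write and read the LDIF records from the steps above per RFC 2849:
fold long lines at 76 columns, base64-encode values that are not safe
strings, and round-trip the result. Function names are this example's own."""
import base64

LINE_WIDTH = 76  # RFC 2849 recommends folding lines longer than 76 columns

ADMIN_DN = "uid=admin,dc=example,dc=com"
BASE_DN = "dc=example,dc=com"
# The ACI from step 3 as a single value; the writer folds it for the file.
ADMIN_ACI = (
    '(targetattr = "*")'
    '(version 3.0; acl "Grant full access for the admin user"; '
    'allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)'
)


def is_safe_string(value: str) -> bool:
    """True if the value may be written as 'name: value'. Non-ASCII, NUL/CR/LF,
    a leading space, ':' or '<', or a trailing space (which the server would
    otherwise keep as part of the value) require the 'name:: base64' form."""
    if value == "":
        return True
    if any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value):
        return False
    return value[0] not in " :<" and not value.endswith(" ")


def fold(line: str) -> str:
    """Split a long line; every continuation line starts with one space."""
    parts = [line[:LINE_WIDTH]]
    rest = line[LINE_WIDTH:]
    while rest:
        parts.append(" " + rest[: LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return "\n".join(parts)


def attr_line(name: str, value: str) -> str:
    """One attribute line, base64-encoded when the value is not safe."""
    if is_safe_string(value):
        return fold(f"{name}: {value}")
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return fold(f"{name}:: {encoded}")


def entry_ldif(dn: str, attrs) -> str:
    """Add record for one entry; attrs is a list of (name, value) pairs."""
    lines = [attr_line("dn", dn)] + [attr_line(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n"


def modify_add_ldif(dn: str, name: str, value: str) -> str:
    """changetype: modify record adding one value. The closing '-' ends the
    mod-spec in RFC 2849; servers accept its omission on the last mod-spec,
    which is why the records in the steps above leave it out."""
    lines = [attr_line("dn", dn), "changetype: modify", f"add: {name}",
             attr_line(name, value), "-"]
    return "\n".join(lines) + "\n"


def parse_record(text: str) -> list:
    """Reverse of the writer: unfold continuation lines, decode '::' values.
    Returns (name, value) pairs in file order; a mod-spec terminator is ('-', '')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation line
            unfolded[-1] += raw[1:]
        elif raw == "" or raw.startswith("#"):    # blank line or comment
            continue
        else:
            unfolded.append(raw)
    pairs = []
    for line in unfolded:
        if line == "-":
            pairs.append(("-", ""))
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # 'name:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")             # FILL is any number of spaces
        pairs.append((name, value))
    return pairs


def admin_entry(password: str) -> str:
    """Step 1: the administrator entry."""
    return entry_ldif(ADMIN_DN, [
        ("objectClass", "person"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "organizationalPerson"), ("objectClass", "top"),
        ("givenName", "Admin"), ("uid", "admin"), ("cn", "Admin User"),
        ("sn", "User"), ("userPassword", password)])


def admin_aci() -> str:
    """Step 3: the ACI modification on the base DN."""
    return modify_add_ldif(BASE_DN, "aci", ADMIN_ACI)


def admin_privilege(privilege: str) -> str:
    """Step 6: add one ds-privilege-name value."""
    return modify_add_ldif(ADMIN_DN, "ds-privilege-name", privilege)


def admin_policy(policy_dn: str) -> str:
    """Step 8: point the entry at a password policy."""
    return modify_add_ldif(ADMIN_DN, "ds-pwp-password-policy-dn", policy_dn)


if __name__ == "__main__":
    # Redirect each record into its own file and feed it to ldapmodify
    # exactly as in steps 2 and 4 above.
    print(admin_entry("password"))
    print(admin_aci())
```

Running the script prints the two records from steps 1 and 3; `parse_record` reads back what `ldapsearch` would return, so a value that arrives base64-encoded in the output of step 5 is a quick sign that something about the stored value (a stray trailing space, for instance) differs from what was meant.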