Page created: 24 Jul 2019 | Page updated: 6 Nov 2019
7.3 Product PingDirectory
The following example shows how to set up a group of administrators that have access rights to the whole Directory Server. The example uses a static group based on the GroupOfUniqueNames object class.
- Create an LDIF file with an example Administrator group, and save it as admin-group.ldif.

    dn: ou=Groups,dc=example,dc=com
    objectClass: organizationalunit
    objectClass: top
    ou: Groups

    dn: cn=Dir Admins,ou=Groups,dc=example,dc=com
    objectClass: groupofuniquenames
    objectClass: top
    uniqueMember: uid=user.0, ou=People, dc=example,dc=com
    uniqueMember: uid=user.1, ou=People, dc=example,dc=com
    cn: Dir Admins
    ou: Groups
- Then, add the entries using the ldapmodify tool:

    $ bin/ldapmodify --defaultAdd --filename admin-group.ldif
- Create another LDIF file that adds an access control instruction (ACI) to the root suffix (base DN), giving the new administrator group full access to the Directory Server. Save the file as admin-aci.ldif.

    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=example,dc=com") (targetattr != "aci") (version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Dir Admins,ou=Groups,dc=example,dc=com";)
- Then, add the ACI using the ldapmodify tool:

    $ bin/ldapmodify --filename admin-aci.ldif
- Verify the additions using ldapsearch. The first command searches for the entry that contains cn=Dir Admins and returns it if the search is successful. The second command searches for the base DN and returns only the operational attributes, including access control instructions, associated with the entry.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(cn=Dir Admins)"
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base \
        "(objectclass=*)" "+"
- Add specific privileges to each Admin account using an LDIF file, saved as admin-priv.ldif. In this example, add the password-reset privilege to the user.0 admin account from the command line. Add the privilege using the ldapmodify tool. Repeat the process for the other administrators configured in the Admin group.

    dn: uid=user.0,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: password-reset

    $ bin/ldapmodify --filename admin-priv.ldif
    Processing MODIFY request for uid=user.0,dc=example,dc=com
    MODIFY operation successful for DN uid=user.0,dc=example,dc=com
- Assign a password policy for the Admin account using an LDIF file, saved as admin-pwd-policy.ldif. For example, create an "Admin Password Policy", then add the password policy to the account. Apply the password policy to the account using the ldapmodify tool.

    dn: uid=user.0,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config

    $ bin/ldapmodify --filename admin-pwd-policy.ldif
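The steps above are repeated by hand for every administrator. The following added example (not part of the PingDirectory documentation) generates the same LDIF for any list of admin uids, folds the long aci value as RFC 2849 requires so ldapmodify reads it intact, and includes a defender-side check that the ACI's targetattr clause still excludes aci itself, so group members cannot rewrite their own access control. The helper and function names are this example's own; member DNs are written without the spaces used on the page.

```python
import re

BASE_DN = "dc=example,dc=com"
GROUP_DN = f"cn=Dir Admins,ou=Groups,{BASE_DN}"
POLICY_DN = "cn=Admin Password Policy,cn=Password Policies,cn=config"
ADMIN_ACI = (f'(target="ldap:///{BASE_DN}")(targetattr != "aci")'
             '(version 3.0; acl "allow all Admin group"; allow(all) '
             f'groupdn = "ldap:///{GROUP_DN}";)')
MAX_LINE = 76  # RFC 2849 recommends folding lines longer than this

def fold(line):
    """Fold one LDIF line; every continuation line starts with one space."""
    chunks, rest = [line[:MAX_LINE]], line[MAX_LINE:]
    while rest:
        chunks.append(" " + rest[:MAX_LINE - 1])
        rest = rest[MAX_LINE - 1:]
    return "\n".join(chunks)

def record(dn, pairs):
    """One LDIF record: a dn line followed by attribute: value lines."""
    lines = [f"dn: {dn}"] + [f"{a}: {v}" for a, v in pairs]
    return "\n".join(fold(l) for l in lines) + "\n"

def admin_dn(uid):
    return f"uid={uid},ou=People,{BASE_DN}"

def group_ldif(uids):
    """admin-group.ldif: the Groups OU and the static Dir Admins group."""
    ou = record(f"ou=Groups,{BASE_DN}", [("objectClass", "top"),
                ("objectClass", "organizationalUnit"), ("ou", "Groups")])
    grp = record(GROUP_DN, [("objectClass", "top"), ("objectClass", "groupOfUniqueNames"),
                 ("cn", "Dir Admins")] + [("uniqueMember", admin_dn(u)) for u in uids])
    return ou + "\n" + grp

def aci_ldif():
    """admin-aci.ldif: the group ACI on the base DN; the long value gets folded."""
    return record(BASE_DN, [("changetype", "modify"), ("add", "aci"), ("aci", ADMIN_ACI)])

def per_admin_ldif(uids, privilege="password-reset"):
    """Privilege and password-policy modifies for every member, in one file."""
    recs = []
    for u in uids:
        recs.append(record(admin_dn(u), [("changetype", "modify"), ("add", "ds-privilege-name"),
                    ("ds-privilege-name", privilege)]))
        recs.append(record(admin_dn(u), [("changetype", "modify"),
                    ("add", "ds-pwp-password-policy-dn"), ("ds-pwp-password-policy-dn", POLICY_DN)]))
    return "\n".join(recs)

def aci_excludes_attr(aci, attr="aci"):
    """True if targetattr excludes attr, so members cannot modify the ACI itself."""
    m = re.search(r'\(targetattr\s*!=\s*"([^"]*)"\)', aci)
    return bool(m) and attr in [a.strip() for a in m.group(1).split("||")]
```

Write each function's output to the file named in its docstring and load it with the ldapmodify commands shown above; ldapmodify unfolds the continuation lines itself.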