Page created: 6 Nov 2019 | Page updated: 11 Jun 2020 | 2 min read
Product: PingDirectory 8.0 | Audience: Administrator, IT Administrator, System Administrator | Deployment Method: Software | User task: Administration, Configuration | Capability: Directory
- Create an LDIF file with an example Administrator entry.

  ```ldif
  dn: uid=admin,dc=example,dc=com
  objectClass: person
  objectClass: inetOrgPerson
  objectClass: organizationalPerson
  objectClass: top
  givenName: Admin
  uid: admin
  cn: Admin User
  sn: User
  userPassword: password
  ```
- Then add the entry using the ldapmodify tool.

  ```shell
  $ bin/ldapmodify --defaultAdd --filename admin.ldif
  ```
- Create another LDIF file to add an access control instruction (ACI) to the root suffix (the base DN) that gives the new administrator full access. The ACI grants full access to all user attributes, but not to operational attributes. To grant access to operational attributes as well as user attributes, use (targetattr = "*||+") in the access control instruction.

  ```ldif
  dn: dc=example,dc=com
  changetype: modify
  add: aci
  aci: (targetattr = "*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  ```
- Then apply the modification using the ldapmodify tool.

  ```shell
  $ bin/ldapmodify --filename admin.ldif
  ```
- Verify the additions using ldapsearch. The first command searches for the entry that contains uid=admin and returns it if the search is successful. The second command searches for the base DN and returns only the operational attributes, including access control instructions, associated with the entry.

  ```shell
  $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=admin)"
  $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" "+"
  ```
- Add specific privileges to the Admin account. In this example, add the password-reset privilege to the admin account from the command line. After typing the privileges, press CTRL-D to process the modify operation.

  ```shell
  $ bin/ldapmodify
  dn: uid=admin,dc=example,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: password-reset

  Processing MODIFY request for uid=admin,dc=example,dc=com
  MODIFY operation successful for DN uid=admin,dc=example,dc=com
  ```
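The ldapsearch output from the verification step and the ACI added earlier are both plain text, so the checks can be scripted. The following Python is an added example, not part of this page or of the PingDirectory tooling: it parses LDIF (folded lines and base64 values included), pulls the aci values off the base entry, and reports whether an allow rule for the admin DN covers operational attributes ("+") or only user attributes ("*"), alongside the ds-privilege-name values on the admin entry. The sample search output is constructed (the admin entry is assumed to have been searched with operational attributes requested so that ds-privilege-name is visible), and the ACI grammar is a simplified one that fits the ACI on this page, not the full PingDirectory ACI syntax.

```python
import base64
import re

# Constructed sample output standing in for the two verification searches.
# The admin entry is assumed to have been searched with "+" as well, so the
# operational attribute ds-privilege-name appears; nothing here came from a real server.
SAMPLE_ADMIN_SEARCH = """\
dn: uid=admin,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: admin
cn: Admin User
sn: User
givenName: Admin
ds-privilege-name: password-reset
"""

# Base entry: the aci value is folded across two lines as LDIF allows, and the
# description is base64-encoded ("::") to exercise that path of the parser.
SAMPLE_BASE_SEARCH = """\
dn: dc=example,dc=com
aci: (targetattr = "*") (version 3.0; acl "Grant full access for the admin us
 er"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
description:: RXhhbXBsZSBiYXNlIGVudHJ5
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute: [values]}) tuples.

    Unfolds continuation lines (leading space), decodes base64 values ("::"),
    and lower-cases attribute names because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            if current is not None:
                entries.append(current)
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


# Assumed, simplified ACI grammar: one targetattr clause, then the version/acl
# header, then allow/deny rules. Real PingDirectory ACIs can carry more clauses.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*(?P<rules>.*)\)$',
    re.DOTALL,
)
RULE_RE = re.compile(r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<subject>[^;]*);')


def parse_aci(aci):
    """Split an ACI into its name, targetattr list and allow/deny rules."""
    m = ACI_RE.match(aci.strip())
    if m is None:
        raise ValueError("unrecognised ACI syntax: " + aci)
    return {
        "name": m.group("name"),
        "negated": m.group("op") == "!=",
        "targetattr": [a.strip() for a in m.group("attrs").split("||")],
        "rules": [
            {
                "effect": r.group("effect"),
                "rights": [x.strip() for x in r.group("rights").split(",")],
                "subject": r.group("subject").strip(),
            }
            for r in RULE_RE.finditer(m.group("rules"))
        ],
    }


def covers_operational_attrs(aci):
    """True when targetattr includes "+", i.e. the ACI reaches operational attributes."""
    parsed = parse_aci(aci)
    return "+" in parsed["targetattr"] and not parsed["negated"]


def audit_admin_access(admin_ldif, base_ldif, admin_dn="uid=admin,dc=example,dc=com"):
    """Summarise what the verification searches show for the given admin DN."""
    result = {"admin_entry_found": False, "privileges": [],
              "acis_for_admin": [], "operational_attrs_covered": False}
    for dn, attrs in parse_ldif(admin_ldif):
        if dn.lower() == admin_dn.lower():
            result["admin_entry_found"] = True
            result["privileges"] = attrs.get("ds-privilege-name", [])
    for _, attrs in parse_ldif(base_ldif):
        for aci in attrs.get("aci", []):
            parsed = parse_aci(aci)
            for rule in parsed["rules"]:
                if rule["effect"] == "allow" and admin_dn.lower() in rule["subject"].lower():
                    result["acis_for_admin"].append(parsed["name"])
                    if covers_operational_attrs(aci):
                        result["operational_attrs_covered"] = True
    return result


if __name__ == "__main__":
    print(audit_admin_access(SAMPLE_ADMIN_SEARCH, SAMPLE_BASE_SEARCH))
```

Run against real output by piping the two ldapsearch commands into files and passing their contents to audit_admin_access; with the ACI from this page the report shows operational_attrs_covered as False, which is the intended scope, and it flips to True only if the ACI is changed to (targetattr = "*||+").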
- Assign a password policy for the Admin account. For example, create an "Admin Password Policy", then add the password policy to the account.

  ```shell
  $ bin/dsconfig create-password-policy \
    --policy-name "Admin Password Policy" \
    --set "description:Password policy for administrators" \
    --set password-attribute:userpassword \
    --set "default-password-storage-scheme:Salted SHA-256" \
    --set password-change-requires-current-password:true \
    --set force-change-on-reset:true \
    --set "max-password-age:25w 5d" \
    --set grace-login-count:3 \
    --no-prompt
  ```
- Apply the password policy to the account. In this example, the password policy is being added from the command line. The following ldapmodify command should be executed with a bind DN that has sufficient rights, such as a Root DN.

  ```shell
  $ bin/ldapmodify
  dn: uid=admin,dc=example,dc=com
  changetype: modify
  add: ds-pwp-password-policy-dn
  ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
  ```