The following example shows how to set up a group of administrators that have access rights to the whole Directory Server. The example uses a static group using the GroupOfUniqueNames object class.

  1. Create an LDIF file with an example Administrator group, and save it as admin-group.ldif. The two entries must be separated by a blank line, as LDIF requires.
    dn: ou=Groups,dc=example,dc=com
    objectClass: organizationalunit
    objectClass: top
    ou: Groups

    dn: cn=Dir Admins,ou=Groups,dc=example,dc=com
    objectClass: groupofuniquenames
    objectClass: top
    uniqueMember: uid=user.0,ou=People,dc=example,dc=com
    uniqueMember: uid=user.1,ou=People,dc=example,dc=com
    cn: Dir Admins
    ou: Groups
  2. Then, add the entries using the ldapmodify tool.
    $ bin/ldapmodify --defaultAdd --filename admin-group.ldif
  3. Create another LDIF file that adds an access control instruction (ACI) to the root suffix (the base DN), granting the new administrator group full access to the Directory Server. Save the file as admin-aci.ldif.
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=example,dc=com")
      (targetattr != "aci")
      (version 3.0; acl "allow all Admin group";
        allow(all) groupdn = "ldap:///cn=Dir Admins,ou=Groups,dc=example,dc=com";)
  4. Then, add the ACI using the ldapmodify tool:
    $ bin/ldapmodify --filename admin-aci.ldif
  5. Verify the additions using ldapsearch. The first command searches for the entry with cn=Dir Admins and returns it if the search is successful. The second command searches the base DN itself and returns only the operational attributes of that entry, including its access control instructions.
    $ bin/ldapsearch --baseDN dc=example,dc=com "(cn=Dir Admins)"
    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base \
      "(objectclass=*)" "+"
  6. Add specific privileges to each Admin account using an LDIF file, saved as admin-priv.ldif. In this example, the file adds the password-reset privilege to the user.0 admin account; apply it using the ldapmodify tool. Repeat the process for the other administrators configured in the Admin group.
    dn: uid=user.0,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: password-reset
    $ bin/ldapmodify --filename admin-priv.ldif
    Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
    MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com
  7. Assign a password policy to the Admin account using an LDIF file, saved as admin-pwd-policy.ldif. For example, after creating an "Admin Password Policy" under cn=Password Policies,cn=config, add that policy to the account and apply the change using the ldapmodify tool.
    dn: uid=user.0,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
    $ bin/ldapmodify --filename admin-pwd-policy.ldif
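Membership in cn=Dir Admins carries every right the ACI grants, so the member list is worth checking before it is loaded, and steps 6 and 7 have to be repeated for every member without missing one. The following added example, which is not part of this page or of the Directory Server tools, is a small pre-flight script for that: it parses the admin-group.ldif from step 1 (a constructed copy is embedded below), rejects a file whose records are not separated by a blank line, confirms that the group is a groupOfUniqueNames whose members all sit under ou=People, and then generates one modify record per member that adds the ds-privilege-name and ds-pwp-password-policy-dn values from steps 6 and 7. It uses only the Python standard library; the function names (parse_ldif, check_admin_group, privilege_ldif) and the combined output file are this example's own choices, not anything the server defines.

```python
import base64
from collections import defaultdict

# Constructed copy of the page's admin-group.ldif (step 1), with the
# page's original spacing inside the uniqueMember DNs to show that the
# checks normalize DN whitespace before comparing.
ADMIN_GROUP_LDIF = """\
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups

dn: cn=Dir Admins,ou=Groups,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
uniqueMember: uid=user.0, ou=People, dc=example,dc=com
uniqueMember: uid=user.1, ou=People, dc=example,dc=com
cn: Dir Admins
ou: Groups
"""

GROUP_DN = "cn=Dir Admins,ou=Groups,dc=example,dc=com"
PEOPLE_BASE = "ou=People,dc=example,dc=com"
POLICY_DN = "cn=Admin Password Policy,cn=Password Policies,cn=config"


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space
    continues the previous line) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, {attr: [values]}).
    Attribute names are lower-cased (LDAP compares them case-insensitively)
    and 'attr:: base64' values are decoded. A record that is not
    terminated by a blank line before the next 'dn:' raises ValueError,
    which is the defect the server would also reject."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            if current is not None:
                raise ValueError(f"record {current[0]!r} is not separated "
                                 f"from {value!r} by a blank line")
            current = (value, defaultdict(list))
        elif current is None:
            raise ValueError(f"attribute {attr!r} appears before any dn")
        else:
            current[1][attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def tidy_dn(dn):
    """Drop the optional whitespace after RDN separators so that
    'uid=user.0, ou=People, dc=example,dc=com' and the spacing-free form
    compare equal. Escaped commas inside values are not handled here."""
    return ",".join(part.strip() for part in dn.split(","))


def check_admin_group(entries, group_dn=GROUP_DN, people_base=PEOPLE_BASE):
    """Return the tidied member DNs of the admin group, raising if the
    group record is missing, lacks the groupOfUniqueNames class, has no
    members, or names a member outside the people container. Whether a
    member entry actually exists can only be confirmed against the
    server (the ldapsearch in step 5)."""
    by_dn = {tidy_dn(dn).lower(): attrs for dn, attrs in entries}
    group = by_dn.get(tidy_dn(group_dn).lower())
    if group is None:
        raise ValueError(f"group {group_dn!r} not found in LDIF")
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "groupofuniquenames" not in classes:
        raise ValueError("group is not a groupOfUniqueNames")
    members = [tidy_dn(m) for m in group.get("uniquemember", [])]
    if not members:
        raise ValueError("group has no uniqueMember values")
    suffix = "," + tidy_dn(people_base).lower()
    for m in members:
        if not m.lower().endswith(suffix):
            raise ValueError(f"member {m!r} is outside {people_base!r}")
    return members


def privilege_ldif(members, privileges=("password-reset",), policy_dn=POLICY_DN):
    """Build one modify record per member that adds the privileges
    (step 6) and the password policy (step 7); the '-' line separates
    the two changes inside a single record."""
    records = []
    for m in members:
        lines = [f"dn: {m}", "changetype: modify", "add: ds-privilege-name"]
        lines += [f"ds-privilege-name: {p}" for p in privileges]
        lines += ["-", "add: ds-pwp-password-policy-dn",
                  f"ds-pwp-password-policy-dn: {policy_dn}"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Print the generated records; redirect to a file and load it with
    # bin/ldapmodify --filename <file> as in steps 6 and 7.
    print(privilege_ldif(check_admin_group(parse_ldif(ADMIN_GROUP_LDIF))), end="")
```

Run it against the real admin-group.ldif (read the file instead of the embedded string) before running ldapmodify; a member DN outside ou=People, an empty member list, or a missing blank line between the two records stops the script with an error instead of reaching the server.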