In PingDirectory Server, administrative accounts can be placed in any of three places.
- They can be created as root users. These accounts exist in the configuration (after
cn=Root DNs,cn=config) and are not synchronized across server instances. If you want to use root accounts across multiple servers, then you must create the account in each server and keep it up to date across all of them. Root user accounts can optionally automatically inherit a default set of privileges, and you can also explicitly grant and revoke privileges as needed.
- They can be created as topology administrators. These accounts also exist in the
cn=Topology Admin Users,cn=topology,cn=config), and these accounts are automatically synchronized between server instances within the same topology. Topology administrators can also automatically inherit a default set of privileges, and you can also explicitly grant or revoke privileges.
- They can be created in the user data. These accounts will be replicated across all Directory Servers and they can be used to authenticate to PingDirectory and PingDirectoryProxy Servers, but they cannot be used to authenticate to PingDataSync or PingDataMetrics Servers. They cannot automatically inherit a default set of privileges, but you can explicitly grant privileges to them as needed. Accounts created in the user data can also be unavailable if the backend containing that data is offline, such as when performing an online restore, replica initialization, or LDIF import.
We recommend using topology administrator accounts over root users or accounts created in the user data. Topology administrators have all of the same capabilities as root users, and their accounts are also automatically synchronized across all servers in the topology so there is no need to apply the same change across multiple servers.
See the config/sample-dsconfig-batch-files/create-topology-admin-user.dsconfig batch file for more information about creating topology administrator accounts.