Privileges can be granted to normal users on an individual basis by adding the ds-privilege-name operational attribute to that user's entry with the names of the desired privileges. For example, the following change grants the proxied-auth privilege to the uid=proxy,dc=example,dc=com account:

    dn: uid=proxy,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: proxied-auth
The user making this change must hold the privilege-change privilege, and the server's access control configuration must also allow the requester to write to the ds-privilege-name attribute in the target user's entry.
The same method can be used to grant root users privileges that they would not otherwise have through the set of default root privileges. You can also remove default root privileges from a root user by prefixing the name of the privilege to remove with a minus sign. For example, the following change grants a root user the jmx-read privilege in addition to the default root privileges, and removes the server-restart and server-shutdown privileges:

    dn: cn=Sync Root User,cn=Root DNs,cn=config
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: jmx-read
    ds-privilege-name: -server-restart
    ds-privilege-name: -server-shutdown
Note that because root user entries exist in the configuration, this update requires the config-read and config-write privileges in addition to the privilege-change privilege.
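The following added example (not part of the original documentation or the server's own code) models the two procedures above: it parses an LDIF modify record of the shape shown, computes the resulting effective privilege set, applying the minus-sign removal semantics for root users, and works out which privileges the requester needs depending on whether the target entry lives under cn=config. The default root privilege set is a constructed sample, not the server's real default list.

```python
import re

# Constructed sample of a default root privilege set, for illustration only;
# the real defaults are defined by the server's Root DN configuration.
DEFAULT_ROOT_PRIVILEGES = frozenset({
    "config-read", "config-write", "privilege-change",
    "server-restart", "server-shutdown", "backend-backup",
})

# The root-user change record from the page, embedded as sample input.
ROOT_CHANGE = """dn: cn=Sync Root User,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown
"""

def _normalize_dn(dn: str) -> str:
    # Lower-case and drop whitespace after commas for suffix comparisons.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def parse_modify_record(ldif: str):
    """Return (dn, ds-privilege-name values) from a single-mod LDIF record."""
    dn, values = None, []
    for line in ldif.strip().splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "ds-privilege-name":
            values.append(value)
    if dn is None:
        raise ValueError("LDIF record has no dn")
    return dn, values

def is_root_entry(dn: str) -> bool:
    """Root DN entries live under cn=Root DNs,cn=config."""
    return _normalize_dn(dn).endswith(",cn=root dns,cn=config")

def effective_privileges(values, is_root: bool, defaults=DEFAULT_ROOT_PRIVILEGES):
    """Normal users start empty; root users start with the defaults.
    A value prefixed with '-' removes that privilege from the set."""
    privs = set(defaults) if is_root else set()
    for v in values:
        privs.discard(v[1:]) if v.startswith("-") else privs.add(v)
    return frozenset(privs)

def required_requester_privileges(target_dn: str):
    """privilege-change is always needed; config-read and config-write are
    needed too when the target is a configuration entry (under cn=config).
    Access control must also permit the write; that is not modelled here."""
    n = _normalize_dn(target_dn)
    required = {"privilege-change"}
    if n == "cn=config" or n.endswith(",cn=config"):
        required |= {"config-read", "config-write"}
    return frozenset(required)
```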