Directory Server provides three different classes of administrator accounts: root user, administrator, and global administrator.
The root user is the LDAP-equivalent of a UNIX super-user account and inherits its
privileges from the default root user privilege set. For more information on default
root privileges, see Default root privileges.
The root user account is an entry that is stored in the server’s configuration under
cn=Root DNs,cn=config and bypasses access control evaluation. It can
be created manually or with the
dsconfig tool. This account has full
access to the entire set of data in the directory information tree (DIT) and to the
server configuration and its operations. One important difference between other vendors’
servers and Directory Server’s implementation is that the root user’s
rights are granted through a set of privileges. This allows Directory Server to have multiple root users on its system, but the normal practice is to set up
administrator user entries. The root user has no resource limits by default.
The administrator user can have a full set of root user privileges but often has a
subset of these privileges to limit the accessible functions that can be performed. The
administrators' entries typically have limited access to the entire set of data in the
DIT, which is controlled by access control instructions. These entries reside in the
backend configuration, for example,
are replicated between servers in a replication topology. In some cases, administrator
user accounts might be unavailable when the server enters lockdown mode unless the
administrator is given the lockdown mode privilege.
A global administrator is primarily responsible for managing configuration server
groups. A configuration server group is an administration domain that allows you to
synchronize configuration changes to one or all of the servers in the group. For
example, you can set up a group when configuring a replication topology where
configuration changes to one server can be applied to all of the servers at one time.
Global administrator entries are stored in the
Users,cn=Topology,cn=config backend and are always mirrored across servers
in a replication topology. These users can be assigned privileges like other
administrator users but are typically used to manage the data under