You can grant privileges to normal users on an individual basis. Add the ds-privilege-name operational attribute to the user's entry with the names of the desired privileges. For example, the following change grants the proxied-auth privilege to the uid=proxy,dc=example,dc=com account.

dn: uid=proxy,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

The user making this change must have the privilege-change privilege, and the server's access control configuration must also allow the requester to write to the ds-privilege-name attribute in the target user's entry.

You can use the same method to grant root users privileges that aren't included in the set of default root privileges. You can also remove default root privileges from root users by prefixing the name of the privilege to remove with a minus sign. For example, the following change grants a root user the jmx-read privilege in addition to the set of default root privileges and removes the server-restart and server-shutdown privileges.

dn: cn=Sync Root User,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown

Because root user entries exist in the configuration, this update requires the config-read and config-write privileges in addition to the privilege-change privilege.
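
When reviewing changes like the two above, it helps to resolve each ds-privilege-name list into the privileges the account ends up with. The following Python sketch is an added example, not part of the product or its documentation. ASSUMED_ROOT_DEFAULTS is a constructed subset standing in for the server's real default root privilege set, and the parser assumes plain, unfolded LDIF in which every ds-privilege-name value is being added.

```python
import re

# The two change records from this page, embedded so the example runs offline.
SAMPLE_LDIF = """\
dn: uid=proxy,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

dn: cn=Sync Root User,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown
"""

# Assumption: illustrative subset only, not the server's actual default root set.
ASSUMED_ROOT_DEFAULTS = frozenset({"config-read", "config-write",
    "privilege-change", "server-restart", "server-shutdown"})
ROOT_SUFFIX = "cn=root dns,cn=config"

def parse_privilege_changes(ldif_text):
    """Return {dn: [ds-privilege-name values]} from blank-line separated records."""
    changes = {}
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        dn, values = None, []
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() == "dn":
                dn = value.strip()
            elif name.strip().lower() == "ds-privilege-name":
                values.append(value.strip().lower())
        if dn and values:
            changes.setdefault(dn, []).extend(values)
    return changes

def effective_privileges(dn, values, root_defaults=ASSUMED_ROOT_DEFAULTS):
    """Apply grants and minus-prefixed removals; only root users start with defaults."""
    is_root = dn.lower().endswith(ROOT_SUFFIX)
    granted = set(root_defaults) if is_root else set()
    granted |= {v for v in values if not v.startswith("-")}
    return granted - {v[1:] for v in values if v.startswith("-")}

def report(ldif_text):
    """Map each DN in the LDIF to its sorted effective privilege list."""
    return {dn: sorted(effective_privileges(dn, vals))
            for dn, vals in parse_privilege_changes(ldif_text).items()}

if __name__ == "__main__":
    for dn, privs in report(SAMPLE_LDIF).items():
        print(dn, "->", ", ".join(privs))
```

Replace ASSUMED_ROOT_DEFAULTS with the default root privilege set configured on your server before relying on the output for a root user.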