To create an example of a single, generic administrator account:

  1. Create an LDIF file with an example administrator entry.
    dn: uid=admin,dc=example,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: top
    givenName: Admin
    uid: admin
    cn: Admin User
    sn: User
    userPassword: password
  2. To add the entry, use the ldapmodify tool.
    $ bin/ldapmodify --defaultAdd --filename admin.ldif
  3. To add the access control instruction (ACI) to the root suffix or base DN to give full access to the new administrator, create another LDIF file.
    Note:

    The ACI grants full access to all user attributes, but not to operational attributes. To grant access to operational attributes as well as user attributes, use (targetattr = "*||+") in the access control instruction.

    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr = "*")
      (version 3.0; acl "Grant full access for the admin user";
        allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
  4. To add the ACI to the base DN, use the ldapmodify tool.
    $ bin/ldapmodify --filename admin.ldif
  5. To verify the additions, use the ldapsearch tool.

    In the following example, the first command searches for the entry with uid=admin and returns it if the search is successful. The second command searches the base DN itself (base scope) and requests only its operational attributes ("+"), which include the aci attribute added in the previous step.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=admin)"

    $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" "+"
  6. Add specific privileges to the administrator account. Type the change at the ldapmodify prompt, then press CTRL-D to process the modify operation.

    For this example, add the password-reset privilege to the administrator account from the command line.

    $ bin/ldapmodify
    dn: uid=admin,dc=example,dc=com
    changetype: modify
    add: ds-privilege-name
    ds-privilege-name: password-reset
    Processing MODIFY request for uid=admin,dc=example,dc=com
    MODIFY operation successful for DN uid=admin,dc=example,dc=com
  7. Assign a password policy for the administrator account.

    Create an Admin Password Policy, then add the password policy to the account.

    $ bin/dsconfig create-password-policy \
      --policy-name "Admin Password Policy" \
      --set "description:Password policy for administrators" \
      --set password-attribute:userpassword \
      --set "default-password-storage-scheme:Salted SHA-256" \
      --set password-change-requires-current-password:true \
      --set force-change-on-reset:true \
      --set "max-password-age:25w 5d" \
      --set grace-login-count:3 \
      --no-prompt
  8. To apply the password policy to the account, run the ldapmodify command.

    Execute the ldapmodify command with a bind DN that has sufficient rights, such as a root DN, as in the following example.

    $ bin/ldapmodify
    dn: uid=admin,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
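The following script is an added example (not part of this guide or the product's own tooling) that audits the result of steps 3 through 8: it parses the LDIF that the two ldapsearch commands from step 5 produce and checks that the base-DN ACI names the administrator, that the ACI does not also open operational attributes ("+"), and that the account carries the password-reset privilege and the dedicated password policy. The LDIF below is constructed sample output; it assumes plain (non-base64) attribute values and RFC 2849 line folding.

```python
import re

# Constructed sample of ldapsearch LDIF output (long values are folded with a leading space).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr = "*")(version 3.0; acl "Grant full access for the admin user"
 ; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)

dn: uid=admin,dc=example,dc=com
uid: admin
ds-privilege-name: password-reset
ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from LDIF text, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 folding: leading space continues the value
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def audit_admin(ldif_text, admin_dn, base_dn, policy_dn):
    """Return a list of findings; an empty list means the account is set up as described."""
    entries = parse_ldif(ldif_text)
    admin = entries.get(admin_dn)
    if admin is None:
        return [f"{admin_dn} not found"]
    findings = []
    acis = [a for a in entries.get(base_dn, {}).get("aci", [])
            if f'userdn="ldap:///{admin_dn}"' in a]
    if not acis:
        findings.append(f"no ACI on {base_dn} grants access to {admin_dn}")
    for aci in acis:
        m = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
        if m and "+" in m.group(1):         # "*||+" also exposes operational attributes
            findings.append("ACI also grants access to operational attributes (+)")
    if "password-reset" not in admin.get("ds-privilege-name", []):
        findings.append("password-reset privilege not assigned")
    if admin.get("ds-pwp-password-policy-dn") != [policy_dn]:
        findings.append("admin account is not assigned the dedicated password policy")
    return findings
```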