The special abilities that root users have are granted through privileges.
You can assign privileges to root users in two ways:
- By default, root users can be granted a specified set of privileges.
  Note: You can create root users which are not automatically granted these privileges by including the ds-cfg-inherit-default-root-privileges attribute with a value of FALSE in the entries for those root users.
- You can grant additional privileges to individual root users and remove some automatically-granted privileges from individual root users.
The default-root-privilege-name property of the root distinguished name (DN) configuration object controls the set of privileges that are automatically granted to root users. By default, these privileges include:
- audit-data-security
- backend-backup
- backend-restore
- bypass-acl
- config-read
- config-write
- disconnect-client
- ldif-export
- lockdown-mode
- manage-topology
- metrics-read
- modify-acl
- password-reset
- permit-get-password-policy-state-issues
- privilege-change
- server-restart
- server-shutdown
- soft-delete-read
- stream-values
- unindexed-search
- update-schema
The privileges not granted to root users by default include:
- bypass-pw-policy
- bypass-read-acl
- jmx-read
- jmx-write
- jmx-notify
- permit-externally-processed-authentication
- permit-proxied-mschapv2-details
- proxied-auth
You can change the set of default root privileges to add or remove values as necessary. This requires the config-read, config-write, and privilege-change privileges, and either the bypass-acl privilege or sufficient permission granted by the access control configuration to change the server's configuration.
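To review what these rules produce for each root user, the following added example (not part of the product documentation) computes effective privileges from exported root user entries and lists any that fall outside the default set. It assumes per-user grants and removals are stored as ds-privilege-name values, with a leading "-" marking a removal; this page does not name that attribute, and the sample entries and DNs are constructed.

```python
# Added example: effective root privileges (names from this page's two lists).
DEFAULT_ROOT_PRIVS = set("""
audit-data-security backend-backup backend-restore bypass-acl config-read
config-write disconnect-client ldif-export lockdown-mode manage-topology
metrics-read modify-acl password-reset permit-get-password-policy-state-issues
privilege-change server-restart server-shutdown soft-delete-read stream-values
unindexed-search update-schema""".split())
NOT_DEFAULT_PRIVS = set("""
bypass-pw-policy bypass-read-acl jmx-read jmx-write jmx-notify
permit-externally-processed-authentication permit-proxied-mschapv2-details
proxied-auth""".split())
# Constructed sample entries; DNs and values are illustrative only.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
ds-privilege-name: proxied-auth
ds-privilege-name: -server-shutdown

dn: cn=Backup Admin,cn=Root DNs,cn=config
ds-cfg-inherit-default-root-privileges: FALSE
ds-privilege-name: backend-backup
ds-privilege-name: bypass-read-acl
"""

def parse_entries(ldif):
    """Minimal LDIF reader: no line folding or base64 (::) values."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def effective_privileges(entry, defaults=DEFAULT_ROOT_PRIVS):
    # Assumption: per-user changes are ds-privilege-name values, "-" = removal.
    flag = entry.get("ds-cfg-inherit-default-root-privileges", ["TRUE"])[0]
    privs = set(defaults) if flag.upper() != "FALSE" else set()
    values = entry.get("ds-privilege-name", [])
    added = {v for v in values if not v.startswith("-")}
    return (privs | added) - {v[1:] for v in values if v.startswith("-")}

def audit(ldif):
    result = {}  # DN -> (effective set, privileges beyond the default list)
    for e in parse_entries(ldif):
        p = effective_privileges(e)
        result[e["dn"][0]] = (p, p & NOT_DEFAULT_PRIVS)
    return result
```

Calling audit(SAMPLE_LDIF) returns, per DN, the effective set and the subset that is not in the default list, which is the part to review first.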