To create an example of a single, generic administrator account:

1. Create an LDIF file with an example administrator entry.

       dn: uid=admin,dc=example,dc=com
       objectClass: person
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: top
       givenName: Admin
       uid: admin
       cn: Admin User
       sn: User
       userPassword: password

2. To add the entry, use the ldapmodify tool.

       $ bin/ldapmodify --defaultAdd --filename admin.ldif

3. To add the access control instruction (ACI) to the root suffix or base DN to give full access to the new administrator, create another LDIF file.

       dn: dc=example,dc=com
       changetype: modify
       add: aci
       aci: (targetattr = "*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)

   Note: The ACI grants full access to all user attributes, but not to operational attributes. To grant access to operational attributes as well as user attributes, use (targetattr = "*||+") in the access control instruction.

4. To add the entry, use the ldapmodify tool.

       $ bin/ldapmodify --filename admin.ldif

5. To verify the additions, use the ldapsearch tool. In the following example, the first command searches for the entry that contains uid=Admin and returns it if the search is successful. The second command searches for the base DN and returns only those operational attributes, including ACIs, associated with the entry.

       $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=admin)"
       $ bin/ldapsearch --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" "+"

6. Add specific privileges to the administrator account. For this example, add the password-reset privilege to the administrator account from the command line; after entering the change, press CTRL-D to process the modify operation.

       $ bin/ldapmodify
       dn: uid=admin,dc=example,dc=com
       changetype: modify
       add: ds-privilege-name
       ds-privilege-name: password-reset

       Processing MODIFY request for uid=admin,dc=example,dc=com
       MODIFY operation successful for DN uid=admin,dc=example,dc=com

7. Assign a password policy for the administrator account. Create an Admin Password Policy, then add the password policy to the account.

       $ bin/dsconfig create-password-policy \
         --policy-name "Admin Password Policy" \
         --set "description:Password policy for administrators" \
         --set password-attribute:userpassword \
         --set "default-password-storage-scheme:Salted SHA-256" \
         --set password-change-requires-current-password:true \
         --set force-change-on-reset:true \
         --set "max-password-age:25w 5d" \
         --set grace-login-count:3 \
         --no-prompt

8. To apply the password policy to the account, run the ldapmodify command with a bind DN that has sufficient rights, such as a root DN, as in the following example.

       $ bin/ldapmodify
       dn: uid=admin,dc=example,dc=com
       changetype: modify
       add: ds-pwp-password-policy-dn
       ds-pwp-password-policy-dn: cn=Admin Password Policy,cn=Password Policies,cn=config
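As an added check for the ACI step above (example code, not part of this procedure or the server's tooling): a small Python parser for the v3.0 ACI syntax shown on this page that reports whether the instruction actually targets the intended administrator DN, grants all permissions, and reaches operational attributes ("+") or only user attributes ("*"). The sample ACI strings are constructed from the one in step 3; the parser assumes the single-bind-rule form used here.

```python
import re

# Constructed samples: the ACI from the procedure above, and the "*||+" variant
# the note recommends when operational attributes must be covered as well.
ACI_USER_ATTRS = ('(targetattr = "*") (version 3.0; acl "Grant full access for the admin user"; '
                  'allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)')
ACI_ALL_ATTRS = ACI_USER_ATTRS.replace('"*"', '"*||+"')

# Target clause, version/acl header, then the rule text up to the closing paren.
_ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<rules>.*)\)\s*$', re.DOTALL)
# One simple rule: allow/deny (perms) <bindkeyword>="<subject>";  (assumption: no and/or chains)
_RULE_RE = re.compile(
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<bind>userdn|groupdn|authmethod)\s*(?P<bop>!?=)\s*"(?P<subject>[^"]*)"\s*;')


def parse_aci(aci):
    """Parse a v3.0 ACI string into its target attributes, name and permission rules."""
    m = _ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("not a recognised v3.0 ACI")
    attrs = [a.strip() for a in m.group("attrs").split("||")]
    rules = [{
        "effect": r.group("effect"),
        "perms": [p.strip() for p in r.group("perms").split(",")],
        "bind": r.group("bind"),
        "negated": r.group("bop") == "!=",
        "subject": r.group("subject"),
    } for r in _RULE_RE.finditer(m.group("rules"))]
    if not rules:
        raise ValueError("ACI has no allow/deny rule")
    return {"targetattr": attrs, "negated": m.group("op") == "!=",
            "name": m.group("name"), "rules": rules}


def check_admin_aci(aci, admin_dn):
    """Report what the ACI grants to admin_dn before it is loaded with ldapmodify."""
    parsed = parse_aci(aci)
    wanted = f"ldap:///{admin_dn}"
    grants = [r for r in parsed["rules"]
              if r["effect"] == "allow" and r["bind"] == "userdn"
              and not r["negated"] and r["subject"] == wanted]
    perms = {p for r in grants for p in r["perms"]}
    return {
        "admin_matched": bool(grants),
        "all_permissions": "all" in perms,
        "user_attrs": "*" in parsed["targetattr"] and not parsed["negated"],
        # only "+" in the target brings operational attributes into scope
        "operational_attrs": "+" in parsed["targetattr"] and not parsed["negated"],
    }
```

Running check_admin_aci on the page's ACI reports operational_attrs as False, which is exactly the gap the note in step 3 describes.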