Page created: 22 Jul 2020 | Page updated: 1 Feb 2021
The special abilities that root users have are granted through privileges. Privileges can be assigned to root users in two ways:
- By default, root users may be granted a specified set of privileges. Note that it is possible to create root users which are not automatically granted these privileges by including the ds-cfg-inherit-default-root-privileges attribute with a value of FALSE in the entries for those root users.
- Individual root users can have additional privileges granted to them, and/or some automatically-granted privileges may be removed from that user.
The set of privileges that are automatically granted to root users is controlled by the default-root-privilege-name property of the Root DN configuration object.
By default, this set of privileges includes:
- audit-data-security
- backend-backup
- backend-restore
- bypass-acl
- config-read
- config-write
- disconnect-client
- ldif-export
- lockdown-mode
- manage-topology
- metrics-read
- modify-acl
- password-reset
- permit-get-password-policy-state-issues
- privilege-change
- server-restart
- server-shutdown
- soft-delete-read
- stream-values
- unindexed-search
- update-schema
The privileges not granted to root users by default include:
- bypass-pw-policy
- bypass-read-acl
- jmx-read
- jmx-write
- jmx-notify
- permit-externally-processed-authentication
- permit-proxied-mschapv2-details
- proxied-auth
The set of default root privileges can be altered to add or remove values as necessary. Doing so will require the config-read, config-write, and privilege-change privileges, as well as either the bypass-acl privilege or sufficient permission granted by the access control configuration to make the change to the server's configuration.
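The two assignment mechanisms described above can be audited offline. The following is an added example, not code from the product or its documentation: it computes a root user's effective privileges from its entry and flags any that fall outside the default set. The ds-privilege-name attribute and the leading "-" used to remove a privilege are assumptions not stated on this page, and the sample entries are constructed.

```python
# Added example: compute a root user's effective privileges from its entry.
# Privilege names are the two lists on this page. ds-privilege-name and the
# "-" removal prefix are assumptions (not stated on this page).
DEFAULT_ROOT = frozenset("""
audit-data-security backend-backup backend-restore bypass-acl config-read
config-write disconnect-client ldif-export lockdown-mode manage-topology
metrics-read modify-acl password-reset permit-get-password-policy-state-issues
privilege-change server-restart server-shutdown soft-delete-read stream-values
unindexed-search update-schema""".split())
NOT_DEFAULT = frozenset("""
bypass-pw-policy bypass-read-acl jmx-read jmx-write jmx-notify
permit-externally-processed-authentication permit-proxied-mschapv2-details
proxied-auth""".split())

def parse_entry(ldif):
    """Parse one LDIF entry (no base64 values) into {lowercased attr: [values]}."""
    entry = {}
    for line in ldif.strip().splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def audit_root_user(ldif, defaults=DEFAULT_ROOT):
    entry = parse_entry(ldif)
    # An absent attribute means the default set is inherited.
    inherit = entry.get("ds-cfg-inherit-default-root-privileges", ["true"])[0]
    effective = set(defaults) if inherit.lower() != "false" else set()
    values = [v.lower() for v in entry.get("ds-privilege-name", [])]
    # Apply explicit grants first, then "-name" removals.
    effective |= {v for v in values if not v.startswith("-")}
    effective -= {v[1:] for v in values if v.startswith("-")}
    return {"effective": effective, "beyond_default": sorted(effective & NOT_DEFAULT),
            "unknown": sorted(effective - DEFAULT_ROOT - NOT_DEFAULT)}

# Constructed sample entries (not from a real server).
OPERATOR = """dn: cn=Backup Operator,cn=Root DNs,cn=config
ds-cfg-inherit-default-root-privileges: FALSE
ds-privilege-name: backend-backup
ds-privilege-name: ldif-export"""
ADMIN = """dn: cn=App Admin,cn=Root DNs,cn=config
ds-privilege-name: proxied-auth
ds-privilege-name: -server-shutdown
ds-privilege-name: -bypass-acl"""

if __name__ == "__main__":
    for name, ldif in (("operator", OPERATOR), ("admin", ADMIN)):
        r = audit_root_user(ldif)
        print(name, len(r["effective"]), "privileges; beyond default:", r["beyond_default"])
```

If the default set has been altered on the server, pass the current values of default-root-privilege-name as the defaults argument so the result reflects that configuration.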