For root directory administrators, by default cn=Directory Manager, you configure privileges using the dsconfig command.
For non-root directory administrators, you add privileges with the ldapmodify command.
Procedure 5.1. To Change Root DN Privileges
- Start dsconfig in interactive mode.

  $ dsconfig --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password

- Select the Root DN menu.
- Select View and edit the Root DN.
- Edit the default-root-privilege-name.
- Make sure you apply the changes when finished.
Procedure 5.2. To Add Privileges on an Individual Entry
Privileges are specified using the ds-privilege-name operational attribute, which you can change on the command line using ldapmodify.

- Determine the privileges to add.

  $ cat privilege.ldif
  dn: uid=kvaughan,ou=People,dc=example,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: config-read
  ds-privilege-name: password-reset
  This example lets the user read the server configuration and reset user passwords. In order for the user to be able to change a user password, you must also allow the modification using ACIs. For this example, Kirsten Vaughan is a member of the Directory Administrators group for Example.com, and already has access to modify user entries.
  Prior to having the privileges, Kirsten gets messages about insufficient access when trying to read the server configuration or reset a user password.
  $ ldapsearch --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --baseDN cn=config "(objectclass=*)"
  SEARCH operation failed
  Result Code:  50 (Insufficient Access Rights)
  Additional Information:  You do not have sufficient privileges to perform search operations in the Directory Server configuration

  $ ldappasswordmodify --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" --newPassword changeit
  The LDAP password modify operation failed with result code 50
  Error Message:  You do not have sufficient privileges to perform password reset operations
- Apply the change as a user with the privilege-change privilege.

  $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename privilege.ldif
  Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
  MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com
  At this point, Kirsten can perform the operations requiring privileges.

  $ ldapsearch --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --baseDN cn=config "(objectclass=*)"
  dn: cn=config
  ds-cfg-return-bind-error-messages: false
  ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,cn=config
  …

  $ ldappasswordmodify --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" --newPassword changeit
  The LDAP password modify operation was successful
Procedure 5.3. To Add Privileges For a Group of Administrators
For deployments with more than one administrator, you no doubt use a group to define administrative rights. You can use a collective attribute subentry to specify privileges for the administrator group.
Collective attributes provide a standard mechanism for defining attributes that appear on all the entries in a particular subtree. OpenDJ extends collective attributes to give you fine-grained control over which entries in the subtree are targeted.
By also extending the RFC 3672 SpecificationFilter component, OpenDJ lets you use virtual attributes, such as isMemberOf, to construct a search filter that targets the entries to which the collective attributes apply. This allows you, for example, to define administrative privileges that apply to all users who belong to an administrator group. In addition to this feature, the traditional Refinement ASN.1 CHOICE component, also defined within RFC 3672, is supported for use as a SpecificationFilter statement as well.
- Create an LDAP subentry that specifies the collective attributes.

  $ cat collective.ldif
  dn: cn=Administrator Privileges,dc=example,dc=com
  objectClass: collectiveAttributeSubentry
  objectClass: extensibleObject
  objectClass: subentry
  objectClass: top
  cn: Administrator Privileges
  ds-privilege-name;collective: config-read
  ds-privilege-name;collective: config-write
  ds-privilege-name;collective: ldif-export
  ds-privilege-name;collective: modify-acl
  ds-privilege-name;collective: password-reset
  ds-privilege-name;collective: proxied-auth
  subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }

  $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename collective.ldif
  Processing ADD request for cn=Administrator Privileges,dc=example,dc=com
  ADD operation successful for DN cn=Administrator Privileges,dc=example,dc=com

  The Directory Administrators group for Example.com includes members like Kirsten Vaughan.
- Observe that the change takes effect immediately.

  $ ldappasswordmodify --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" --newPassword changeit
  The LDAP password modify operation was successful
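Because a collective attribute subentry grants privileges to every entry its subtreeSpecification selects, it is worth being able to work out offline who effectively holds which privilege. The following is an added example, not OpenDJ code: it models the subtree specification from collective.ldif above (the base relative to the subentry's parent, plus a single-equality specificationFilter; the full RFC 3672 grammar and other filter forms are not handled), over constructed sample entries whose isMemberOf values are filled in by hand because the server would normally compute them.

```python
import re

# Constructed sample entries (DN -> attributes). isMemberOf is a virtual attribute
# that OpenDJ computes from group membership; it is filled in by hand here so the
# audit runs offline without a directory server.
ENTRIES = {
    "uid=kvaughan,ou=People,dc=example,dc=com": {
        "isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"],
        "ds-privilege-name": ["config-read"],  # granted directly, as in Procedure 5.2
    },
    "uid=scarter,ou=People,dc=example,dc=com": {"isMemberOf": []},
    "uid=bjensen,ou=Special Users,dc=example,dc=com": {  # admin, but outside the base
        "isMemberOf": ["cn=Directory Administrators,ou=Groups,dc=example,dc=com"]},
}

# The subentry from collective.ldif, reduced to the two attributes that matter here.
SUBENTRY_DN = "cn=Administrator Privileges,dc=example,dc=com"
SUBENTRY = {
    "subtreeSpecification": '{base "ou=people", specificationFilter '
    '"(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }',
    "ds-privilege-name;collective": ["config-read", "config-write", "ldif-export",
                                     "modify-acl", "password-reset", "proxied-auth"],
}

def parse_subtree_spec(spec):
    """Return (base, (attr, value)); only the single-equality filter form is modelled."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    filt = re.search(r'specificationFilter\s+"\(([^=]+)=([^)]*)\)"', spec)
    return (base.group(1) if base else "", (filt.group(1), filt.group(2)) if filt else None)

def in_scope(entry_dn, subentry_dn, base):
    """The subtree root is <base> relative to the subentry's parent (RFC 3672)."""
    parent = subentry_dn.split(",", 1)[1]
    root = f"{base},{parent}" if base else parent
    ecomp = [c.strip().lower() for c in entry_dn.split(",")]  # case-insensitive DN match
    rcomp = [c.strip().lower() for c in root.split(",")]
    return len(ecomp) > len(rcomp) and ecomp[-len(rcomp):] == rcomp

def effective_privileges(entry_dn, attrs, subentry_dn=SUBENTRY_DN, subentry=SUBENTRY):
    """Privileges set directly on the entry plus those the collective subentry adds."""
    privs = set(attrs.get("ds-privilege-name", []))
    base, filt = parse_subtree_spec(subentry["subtreeSpecification"])
    if in_scope(entry_dn, subentry_dn, base):
        attr, value = filt if filt else (None, None)
        member = attr is None or any(v.lower() == value.lower() for v in attrs.get(attr, []))
        if member:
            privs |= set(subentry["ds-privilege-name;collective"])
    return sorted(privs)
```

Running effective_privileges over every entry in ENTRIES shows that kvaughan picks up all six collective privileges on top of the directly granted config-read, scarter gets none, and bjensen gets none despite group membership because ou=Special Users lies outside the specified base.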

