How To

How do I create a new admin user in DS 5.x and OpenDJ 3.x?

Last updated Jan 31, 2019

The purpose of this article is to provide information on creating a new administrator in DS/OpenDJ. You can either give admin privileges to a regular user or create a new admin user in the RootDN with the same privileges as the Directory Manager user.


Creating a new admin user

Note

This article only applies to DS 5.x and OpenDJ 3.x. Changes were introduced in DS 6 where the root DN users no longer belong to a special group or have alternate names, nor are their accounts stored in the configuration file, config.ldif. Instead, directory superusers, such as cn=Directory Manager, are now stored in their own, separate backends whose base DN is the user DN. See DS 6 › Release Notes › Important Changes to Existing Functionality for further information. 

As a result of this change, the procedure to create a new admin user has changed. See the following documentation for DS 6.x instructions:

There are three approaches you can take to create an admin user:

Create a new admin user in the RootDN

You can use the following process to create a new admin user:

  1. Create an admin.ldif file with the new admin user's details, ensuring they are below cn=Root DNs,cn=config and you specify: objectClass: ds-cfg-root-dn-user. For example:
    dn: cn=newAdminUser,cn=Root DNs,cn=config
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: ds-cfg-root-dn-user
    cn: newAdminUser
    givenName: newAdmin
    sn: User1
    ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
    userPassword: password
    ds-cfg-alternate-bind-dn: cn=newAdminUser
    ds-rlim-size-limit: 0
    ds-rlim-time-limit: 0
    ds-rlim-idle-time-limit: 0
    ds-rlim-lookthrough-limit: 0
  2. Add the new admin user using ldapmodify, for example:
    $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password admin.ldif
    
    In OpenDJ 3.5.x and earlier, you must specify the -f option before the filename.

Your new admin user will be created with the same privileges as the Directory Manager user.
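As an added example (not ForgeRock code), a small Python check of the admin.ldif entry above before it is loaded with ldapmodify: it confirms the entry sits below cn=Root DNs,cn=config, carries objectClass ds-cfg-root-dn-user and the Root Password Policy, and rejects a placeholder password such as the one in the sample. The placeholder set and the 12-character minimum are assumptions, not DS defaults.

```python
"""Offline check of a root DN user LDIF before ldapmodify loads it. Added example,
not ForgeRock code; the placeholder set and 12-character minimum are assumptions."""
from collections import defaultdict

ROOT_DN_SUFFIX = ",cn=root dns,cn=config"
ROOT_POLICY_DN = "cn=root password policy,cn=password policies,cn=config"
PLACEHOLDERS = {"password", "changeme", "secret", "admin"}

# Abridged copy of the article's admin.ldif, keeping its placeholder password.
ARTICLE_LDIF = """\
dn: cn=newAdminUser,cn=Root DNs,cn=config
changetype: add
objectClass: top
objectClass: inetOrgPerson
objectClass: ds-cfg-root-dn-user
cn: newAdminUser
sn: User1
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: password
ds-cfg-alternate-bind-dn: cn=newAdminUser
"""

def parse_ldif_entry(text):
    """Lower-cased attribute name -> list of values. Joins folded lines and
    skips comments; base64 ("::") values are left undecoded."""
    attrs, lines = defaultdict(list), []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return attrs

def check_root_dn_entry(text):
    """Return findings for a root DN user entry; an empty list means it looks right."""
    a, findings = parse_ldif_entry(text), []
    dn = a["dn"][0] if a["dn"] else ""
    if not dn.lower().endswith(ROOT_DN_SUFFIX):
        findings.append("dn is not below cn=Root DNs,cn=config")
    if "ds-cfg-root-dn-user" not in [o.lower() for o in a["objectclass"]]:
        findings.append("missing objectClass ds-cfg-root-dn-user")
    if [p.lower() for p in a["ds-pwp-password-policy-dn"]] != [ROOT_POLICY_DN]:
        findings.append("entry is not assigned the Root Password Policy")
    pwd = a["userpassword"][0] if a["userpassword"] else ""
    if pwd.lower() in PLACEHOLDERS or len(pwd) < 12:
        findings.append("userPassword is missing, a placeholder, or shorter than 12 characters")
    return findings
```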

See Also

How do I change the admin account password used for replication in DS/OpenDJ (All versions)?

How do I know what the default Global ACIs are used for in DS/OpenDJ (All versions)?

Installing and Administering DS/OpenDJ

Security Guide › Managing Administrator Accounts

Security Guide › Assigning Administrative Privileges

Security Guide › Using ACIs or Global Access Policies

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.