How do I create a new admin user in DS 5.x and OpenDJ 3.x?
The purpose of this article is to provide information on creating a new administrator in DS/OpenDJ. You can either give admin privileges to a regular user or create a new admin user in the RootDN with the same privileges as the Directory Manager user.
This article has been archived and is no longer maintained by ForgeRock.
Creating a new admin user
This article only applies to DS 5.x and OpenDJ 3.x. Changes were introduced in DS 6 where the root DN users no longer belong to a special group or have alternate names, nor are their accounts stored in the configuration file, config.ldif. Instead, directory superusers, such as cn=Directory Manager, are now stored in their own, separate backends whose base DN is the user DN. See DS 6 › Release Notes › Important Changes to Existing Functionality for further information.
As a result of this change, the procedure to create a new admin user has changed. See the following documentation for DS 6.x instructions:
- To create a different superuser account with the same privileges as cn=Directory Manager, see Security Guide › Managing Administrator Accounts.
- To create a new superuser/admin account with different privileges to cn=Directory Manager, see Security Guide › About the Roles Directory Administrators Play for information on the different Directory Administrator roles and their privileges.
There are three approaches you can take to create an admin user:
- Recommended: Create an administrator group (for example, cn=Admins,ou=groups,dc=example,dc=com), assign privileges and access control to that group, and then add members to the group. See Developer's Guide › Working With Groups of Entries and Administration Guide › Configuring Privileges and Access Control for further information.
- Assign privileges and access control to an existing user. See Administration Guide › Configuring Privileges and Access Control for further information.
- Create a new admin user in the RootDN with the same privileges as the Directory Manager user as detailed below:
Create a new admin user in the RootDN
You can use the following process to create a new admin user:
- Create an admin.ldif file with the new admin user's details, ensuring they are below cn=Root DNs,cn=config and you specify: objectClass: ds-cfg-root-dn-user. For example: dn: cn=newAdminUser,cn=Root DNs,cn=config changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: ds-cfg-root-dn-user cn: newAdminUser givenName: newAdmin sn: User1 ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config userPassword: password ds-cfg-alternate-bind-dn: cn=newAdminUser ds-rlim-size-limit: 0 ds-rlim-time-limit: 0 ds-rlim-idle-time-limit: 0 ds-rlim-lookthrough-limit: 0
- Add the new admin user using ldapmodify, for example: $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password admin.ldif In OpenDJ 3.x, you must specify the -f option before the filename.
Your new admin user will be created with the same privileges as the Directory Manager user.
How do I change the admin account password used for replication in DS 6.x?
How do I know what the default Global ACIs are used for in OpenDJ 3.x?
Installing and Administering DS
Security Guide › Managing Administrator Accounts
Security Guide › Assigning Administrative Privileges
Security Guide › Using ACIs or Global Access Policies
Related Issue Tracker IDs