How To

How do I create a new admin user in DS 5.x and OpenDJ 3.x?

Last updated Apr 8, 2021

The purpose of this article is to provide information on creating a new administrator in DS/OpenDJ. You can either give admin privileges to a regular user or create a new admin user in the RootDN with the same privileges as the Directory Manager user.


This article has been archived and is no longer maintained by ForgeRock.

Creating a new admin user


This article only applies to DS 5.x and OpenDJ 3.x. Changes were introduced in DS 6 where the root DN users no longer belong to a special group or have alternate names, nor are their accounts stored in the configuration file, config.ldif. Instead, directory superusers, such as cn=Directory Manager, are now stored in their own, separate backends whose base DN is the user DN. See DS 6 › Release Notes › Important Changes to Existing Functionality for further information. 

As a result of this change, the procedure to create a new admin user has changed. See the following documentation for DS 6.x instructions:

There are three approaches you can take to create an admin user:

Create a new admin user in the RootDN

You can use the following process to create a new admin user:

  1. Create an admin.ldif file with the new admin user's details, ensuring the entry is below cn=Root DNs,cn=config and includes objectClass: ds-cfg-root-dn-user. For example:

     dn: cn=newAdminUser,cn=Root DNs,cn=config
     changetype: add
     objectClass: top
     objectClass: person
     objectClass: organizationalPerson
     objectClass: inetOrgPerson
     objectClass: ds-cfg-root-dn-user
     cn: newAdminUser
     givenName: newAdmin
     sn: User1
     ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
     userPassword: password
     ds-cfg-alternate-bind-dn: cn=newAdminUser
     ds-rlim-size-limit: 0
     ds-rlim-time-limit: 0
     ds-rlim-idle-time-limit: 0
     ds-rlim-lookthrough-limit: 0

     The userPassword value shown is a placeholder; replace it with a strong password before adding the entry. The ds-cfg-alternate-bind-dn attribute lets the user bind as cn=newAdminUser instead of the full DN under cn=config, and the ds-rlim-* attributes set to 0 remove the resource limits, as for cn=Directory Manager.
  2. Add the new admin user using ldapmodify, for example:

     $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password admin.ldif

     In OpenDJ 3.x, you must specify the -f option before the filename (-f admin.ldif).

Your new admin user will be created with the same privileges as the Directory Manager user, because root DN users inherit the default root privileges defined on cn=Root DNs,cn=config. Note that the server configuration (cn=config) is not replicated, so you must repeat these steps on every server in the topology.
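The two steps above, as an added example that is not part of the original article: a POSIX shell script that generates a strong password, builds the root DN LDIF shown in step 1, pipes it to ldapmodify (step 2), and then verifies that the new account can bind through its alternate bind DN and read cn=config. The host, port, bind credentials, DS_BIN path and the new user's name are assumptions read from the environment; the defaults match the article's example.

```shell
#!/bin/sh
# Added example, not code from the original article: create a root DN admin
# user on DS 5.x / OpenDJ 3.x and verify it. Connection details and the new
# user's name are assumptions read from the environment (defaults below).
set -eu

DS_HOST="${DS_HOST:-localhost}"
DS_PORT="${DS_PORT:-1389}"
DS_BIND_DN="${DS_BIND_DN:-cn=Directory Manager}"
DS_BIND_PW="${DS_BIND_PW:-password}"
NEW_ADMIN="${NEW_ADMIN:-newAdminUser}"

# 24 random alphanumeric characters from /dev/urandom; replaces the
# "userPassword: password" placeholder used in the article's LDIF.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Print the LDIF for a new root DN user: $1 = cn, $2 = cleartext password.
# The entry sits under cn=Root DNs,cn=config and carries
# objectClass: ds-cfg-root-dn-user, so it inherits the default root
# privileges that cn=Directory Manager has.
admin_ldif() {
  cat <<EOF
dn: cn=$1,cn=Root DNs,cn=config
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ds-cfg-root-dn-user
cn: $1
givenName: $1
sn: Administrator
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config
userPassword: $2
ds-cfg-alternate-bind-dn: cn=$1
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-lookthrough-limit: 0
EOF
}

# Feed the LDIF to ldapmodify on standard input instead of writing admin.ldif,
# so the cleartext password never lands on disk. With no file argument the
# DS 5.x / OpenDJ 3.x difference in the -f option does not arise.
add_admin() {
  admin_ldif "$NEW_ADMIN" "$NEW_ADMIN_PW" |
    "$DS_BIN/ldapmodify" --hostname "$DS_HOST" --port "$DS_PORT" \
      --bindDN "$DS_BIND_DN" --bindPassword "$DS_BIND_PW"
}

# Bind through the alternate bind DN and read the root DN entries under
# cn=config; this only succeeds for an account with root (config-read)
# privileges, which is what the new user should now have.
verify_admin() {
  "$DS_BIN/ldapsearch" --hostname "$DS_HOST" --port "$DS_PORT" \
    --bindDN "cn=$NEW_ADMIN" --bindPassword "$NEW_ADMIN_PW" \
    --baseDN "cn=Root DNs,cn=config" \
    "(objectClass=ds-cfg-root-dn-user)" cn ds-cfg-alternate-bind-dn
}

# Only talk to a server when DS_BIN points at a DS/OpenDJ bin directory
# (an assumption of this script); otherwise just show the LDIF that would
# be sent, with the password left as a marker.
if [ -n "${DS_BIN:-}" ]; then
  NEW_ADMIN_PW="$(gen_password)"
  add_admin
  verify_admin
  echo "created cn=$NEW_ADMIN; store this password securely: $NEW_ADMIN_PW"
else
  admin_ldif "$NEW_ADMIN" "<generated-password>"
fi
```

Run it as DS_BIN=/path/to/opendj/bin DS_BIND_PW='...' sh create-admin.sh on each server: cn=config is not replicated, so the entry has to be added to every replica. The generated password is printed once so it can be placed in a password manager; the bind password for cn=Directory Manager is passed on the command line here only to mirror the article, and in practice is better supplied through the tools' password-file option or an interactive prompt so that it does not appear in the process list.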

See Also

How do I change the admin account password used for replication in DS 6.x?

How do I know what the default Global ACIs are used for in OpenDJ 3.x?

Installing and Administering DS

Security Guide › Managing Administrator Accounts

Security Guide › Assigning Administrative Privileges

Security Guide › Using ACIs or Global Access Policies

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.