OUD 11g/12c - How to Use Virtual Attributes to Assign Root Privileges to Members of a Group
(Doc ID 2358005.1)
Last updated on MAY 22, 2023
Applies to:
Oracle Unified Directory - Version 11.1.2.3.161018 and later
Information in this document applies to any platform.
Goal
Most LDAP directory servers typically have a single superuser, which is much like the root account in traditional UNIX systems.
This account can bypass access controls and other restrictions that might be enforced for regular users. In Oracle Unified Directory you can define multiple root users, and there is a privilege subsystem that makes it possible to control capabilities at a more fine-grained level.
For more info: Managing Users and Groups - About Root Users
The goal of this document is to demonstrate how to grant root level privileges to members of a group using virtual attributes.
Admin privileges must be set on specific user accounts; they cannot be set directly on groups.
The following example gets around this by creating a new virtual attribute that will populate "ds-privilege-name: unindexed-search" for each user that is a member of a group.
The operational performance of users who are indirectly assigned elevated privileges can be affected by the number and size of the groups involved in privilege assignments. The best practice for optimal performance is to assign privileges directly to user objects.
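An added example, not part of the Oracle document: when a privilege is granted through group membership, a review of who holds it has to resolve the group as well as the user entries. The Python below does that over an LDIF export, reporting direct and group-derived holders of `unindexed-search`. The DNs, the group name and the entries are constructed, and it is assumed that only static `member`/`uniqueMember` groups are in use.

```python
# Added example: list who holds a privilege directly (real ds-privilege-name
# value) and who would receive it through a group-scoped virtual attribute.
# Every DN and entry in SAMPLE_LDIF is constructed for illustration.
SAMPLE_LDIF = """\
dn: cn=Search Admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
ds-privilege-name: unindexed-search

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
ds-privilege-name: password-reset
"""

def norm_dn(dn):
    """Simplified DN normalisation: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalised dn: {attr: [values]}}; base64 (::) values are skipped."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def privilege_holders(entries, group_dn, privilege):
    """Map each holder's DN to how the privilege reaches that entry."""
    group = entries.get(norm_dn(group_dn), {})
    members = {norm_dn(m) for attr in ("member", "uniquemember")
               for m in group.get(attr, [])}
    report = {}
    for dn, attrs in entries.items():
        direct = privilege in attrs.get("ds-privilege-name", [])
        if direct or dn in members:
            report[dn] = {"direct": direct, "via_group": dn in members}
    return report

if __name__ == "__main__":
    found = privilege_holders(parse_ldif(SAMPLE_LDIF),
        "cn=Search Admins,ou=Groups,dc=example,dc=com", "unindexed-search")
    for dn, how in sorted(found.items()):
        print(dn, how)
```

Entries flagged `via_group` only are the ones a review of real `ds-privilege-name` values alone would not show.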
Solution