Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact UnboundID support in order to understand the potential impact of that change.
Root DN Users are administrative users whose accounts exist in the server configuration. Root DN Users may automatically inherit a set of privileges defined in the root DN configuration, which can be used to give them special capabilities that are not automatically granted to non-root users.
The Root DN User component inherits from the User component.
The following components have a direct composition relation to Root DN Users:
The properties supported by this managed object are as follows:
Property Group | User Information |
Description | Specifies one or more alternate DNs that can be used to bind to the server as this User. |
Default Value | This root user is allowed to bind only using the DN of the associated configuration entry. |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | A description for this User. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's password. This is stored in the userPassword LDAP attribute. To set a pre-hashed value, the account making the change must have the bypass-pw-policy privilege. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's first name. This is stored in the givenName LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's last name. This is stored in the sn LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's user ID. This is stored in the uid LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's email address. This is stored in the mail LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's work telephone number. This is stored in the telephoneNumber LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's home telephone number. This is stored in the homePhone LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's mobile telephone number. This is stored in the mobile LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | User Information |
Description | Specifies the user's pager telephone number. This is stored in the pager LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
inherit-default-root-privileges
Property Group | Privileges |
Description | Indicates whether this User should be automatically granted the set of privileges defined in the default-root-privilege-name property of the Root DN configuration object. If this is false, then this User will not have any privileges by default, but may be explicitly granted one or more privileges using the privilege property. The privilege property can also be used to revoke inherited root privileges. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
privilege
Property Group | Privileges |
Description | Privileges that are explicitly granted to, or revoked from, the root user. A privilege is revoked by prefixing its name with a minus sign (-). This is stored in the ds-privilege-name LDAP attribute. If the inherit-default-root-privileges property is set to true, the root user inherits all privileges defined in the default-root-privilege-name property of the Root DN configuration object, and any of those inherited privileges can be revoked by listing its name here prefixed with a minus sign (-). If inherit-default-root-privileges is set to false, the root user has no privileges by default, and privileges must be granted explicitly with this property. Even when inherit-default-root-privileges is true, this property can grant additional privileges that are not part of the default set of root privileges. |
Default Value | None |
Allowed Values | Any of the privilege names listed below. Prefixing a name with a minus sign (-) denies that privilege; the denial takes effect even if the user would otherwise obtain the privilege through other means, such as inheriting the default set of root privileges.
audit-data-security - Allows the associated user to execute data security auditing tasks.
bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.
bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.
modify-acl - Allows the associated user to modify the server's access control configuration.
config-read - Allows the associated user to read the server configuration.
config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.
jmx-read - Allows the associated user to perform JMX read operations.
jmx-write - Allows the associated user to perform JMX write operations.
jmx-notify - Allows the associated user to subscribe to receive JMX notifications.
ldif-import - Allows the user to request that the server process LDIF import tasks.
ldif-export - Allows the user to request that the server process LDIF export tasks.
backend-backup - Allows the user to request that the server process backup tasks.
backend-restore - Allows the user to request that the server process restore tasks.
server-shutdown - Allows the user to request that the server shut down.
server-restart - Allows the user to request that the server perform an in-core restart.
proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.
disconnect-client - Allows the user to terminate other client connections.
password-reset - Allows the user to reset user passwords.
update-schema - Allows the user to make changes to the server schema.
privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.
unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.
unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.
bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.
lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.
stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.
third-party-task - Allows the associated user to invoke tasks created by third-party developers.
use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.
soft-delete-read - Allows the associated user access to soft-deleted entries.
metrics-read - Allows the associated user access to data in the metrics backend.
manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.
permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.
permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.
permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.
permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
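The interaction between inherit-default-root-privileges, the Root DN object's default-root-privilege-name values, and minus-prefixed privilege values is easy to get wrong when reviewing an account. The following is an added illustration, not server code: it derives a root user's effective privilege set from those inputs and flags typos (a misspelled "-bypass-acl" silently revokes nothing), conflicting values, and high-impact privileges. The default privilege list is a constructed sample; the real one comes from the Root DN configuration object.

```python
"""Effective-privilege model for a Root DN User (added illustration).

Inputs mirror the page's properties: the Root DN object's
default-root-privilege-name values, the user's inherit-default-root-privileges
flag, and the user's privilege values, where a leading '-' revokes.
"""

# All privilege names documented for the privilege property.
KNOWN_PRIVILEGES = frozenset({
    "audit-data-security", "bypass-acl", "bypass-read-acl", "modify-acl",
    "config-read", "config-write", "jmx-read", "jmx-write", "jmx-notify",
    "ldif-import", "ldif-export", "backend-backup", "backend-restore",
    "server-shutdown", "server-restart", "proxied-auth", "disconnect-client",
    "password-reset", "update-schema", "privilege-change", "unindexed-search",
    "unindexed-search-with-control", "bypass-pw-policy", "lockdown-mode",
    "stream-values", "third-party-task", "use-admin-session",
    "soft-delete-read", "metrics-read", "manage-topology",
    "permit-get-password-policy-state-issues",
    "permit-proxied-mschapv2-details",
    "permit-externally-processed-authentication",
    "permit-forwarding-client-connection-policy",
})

# Constructed sample of default-root-privilege-name values (assumption);
# read the real list from the Root DN configuration object.
DEFAULT_ROOT_PRIVILEGES = frozenset({
    "audit-data-security", "bypass-acl", "modify-acl", "config-read",
    "config-write", "ldif-import", "ldif-export", "backend-backup",
    "backend-restore", "server-shutdown", "server-restart",
    "disconnect-client", "password-reset", "update-schema",
    "privilege-change", "unindexed-search", "lockdown-mode",
    "stream-values", "metrics-read", "manage-topology",
})

# Privileges a reviewer should always look at twice (reviewer's choice).
HIGH_IMPACT = frozenset({
    "bypass-acl", "bypass-pw-policy", "privilege-change", "config-write",
    "modify-acl", "proxied-auth",
})


def effective_privileges(privilege_values, inherit_default=True,
                         default_root_privileges=DEFAULT_ROOT_PRIVILEGES):
    """Return (effective privilege set, list of review warnings)."""
    explicit, revoked = set(), set()
    for value in privilege_values:
        name = value.strip()
        if name.startswith("-"):
            revoked.add(name[1:].strip())
        elif name:
            explicit.add(name)

    warnings = []
    # A misspelled name grants or revokes nothing; surface it explicitly.
    for name in sorted((explicit | revoked) - KNOWN_PRIVILEGES):
        warnings.append(f"unknown privilege name: {name}")
    # Both 'x' and '-x' listed: assume the revocation wins (assumption).
    for name in sorted(explicit & revoked):
        warnings.append(f"conflicting values for {name}; revocation applied")

    granted = set(default_root_privileges) if inherit_default else set()
    granted |= explicit
    granted -= revoked  # revocation overrides inheritance and explicit grants

    if "config-write" in granted and "config-read" not in granted:
        warnings.append("config-write is ineffective without config-read")
    for name in sorted(granted & HIGH_IMPACT):
        warnings.append(f"high-impact privilege in effect: {name}")
    return granted, warnings


if __name__ == "__main__":
    # A read-only auditor account: no inheritance, two explicit grants.
    granted, warnings = effective_privileges(
        ["config-read", "audit-data-security"], inherit_default=False)
    print(sorted(granted), warnings)
    # A default root user with the two most powerful privileges removed,
    # plus a typo that revokes nothing.
    granted, warnings = effective_privileges(
        ["-bypass-acl", "-privilege-change", "-bypas-pw-policy"])
    print(sorted(granted), warnings)
```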
Property Group | Resource Limits |
Description | Specifies the maximum number of entries that the server may return to the user in response to any single search request. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-size-limit LDAP attribute. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Resource Limits |
Description | Specifies the maximum length of time (in seconds) that the server may spend processing any single search request. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-time-limit LDAP attribute. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Resource Limits |
Description | Specifies the maximum number of candidate entries that the server may examine in the course of processing any single search request. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-lookthrough-limit LDAP attribute. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Resource Limits |
Description | Specifies the maximum length of time (in seconds) that a connection authenticated as this user may remain established without issuing any requests. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-idle-time-limit LDAP attribute. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Authentication |
Description | Specifies the password policy for the user. This is stored in the ds-pwp-password-policy-dn LDAP attribute. |
Default Value | Root Password Policy |
Allowed Values | The DN of any Password Policy. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Authentication |
Description | Specifies whether the root user account should be disabled. A disabled account is not permitted to authenticate, nor can it be used as an authorization identity. This is stored in the ds-pwp-account-disabled LDAP attribute. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Authentication |
Description | Indicates whether this User must authenticate in a secure manner. When set to "true", the User will only be allowed to authenticate over a secure connection or using a mechanism that does not expose user credentials (e.g., the CRAM-MD5, DIGEST-MD5, and GSSAPI SASL mechanisms). |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Authentication |
Description | Indicates whether this User must be required to communicate with the server over a secure connection. When set to "true", the User will only be allowed to communicate with the server over a secure connection (i.e., using TLS or the StartTLS extended operation). |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
is-proxyable
Property Group | Proxied Authorization |
Description | This can be used to indicate whether the User can be used as an alternate authorization identity (using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity). |
Default Value | allowed |
Allowed Values |
allowed - The User may authenticate directly against the server or be the target of proxied authorization.
prohibited - The User will not be allowed to be the target of proxied authorization and may only authenticate directly to the server.
required - This User will not be allowed to authenticate directly to the server but instead will only be allowed to be referenced by proxied authorization. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
is-proxyable-by-dn
Property Group | Proxied Authorization |
Description | Specifies the DNs of accounts that can proxy as this User using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity. This property is only applicable if is-proxyable is set to "allowed" or "required". By default, Users with an is-proxyable property value of "allowed" or "required" can be proxied by any account with sufficient privileges. However, this can be restricted so that it is only allowed by accounts with a DN specified with the is-proxyable-by-dn property, accounts in a group specified with the is-proxyable-by-group property, or accounts that match entries specified by the is-proxyable-by-url property. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
is-proxyable-by-group
Property Group | Proxied Authorization |
Description | Specifies the DNs of groups whose members can proxy as this User using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity. This property is only applicable if is-proxyable is set to "allowed" or "required". By default, Users with an is-proxyable property value of "allowed" or "required" can be proxied by any account with sufficient privileges. However, this can be restricted so that it is only allowed by accounts with a DN specified with the is-proxyable-by-dn property, accounts in a group specified with the is-proxyable-by-group property, or accounts that match entries specified by the is-proxyable-by-url property. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
is-proxyable-by-url
Property Group | Proxied Authorization |
Description | Specifies LDAP URLs of accounts that can proxy as this User using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity. This property is only applicable if is-proxyable is set to "allowed" or "required". By default, Users with an is-proxyable property value of "allowed" or "required" can be proxied by any account with sufficient privileges. However, this can be restricted so that it is only allowed by accounts with a DN specified with the is-proxyable-by-dn property, accounts in a group specified with the is-proxyable-by-group property, or accounts that match entries specified by the is-proxyable-by-url property. |
Default Value | None |
Allowed Values | An absolute URL, or a relative URL |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
may-proxy-as-dn
Property Group | Proxied Authorization |
Description | This restricts the set of accounts that this User can proxy as to entries with the specified DNs. By default any User with the proxied-auth privilege can proxy as any account that does not explicitly disallow proxying by this user. However, this can be restricted so that it may only proxy as accounts with a DN specified with the may-proxy-as-dn property, accounts in a group specified with the may-proxy-as-group property, or accounts that match entries specified by the may-proxy-as-url property. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
may-proxy-as-group
Property Group | Proxied Authorization |
Description | This restricts the set of accounts that this User can proxy as to entries that are in the group with the specified DN. By default any User with the proxied-auth privilege can proxy as any account that does not explicitly disallow proxying by this user. However, this can be restricted so that it may only proxy as accounts with a DN specified with the may-proxy-as-dn property, accounts in a group specified with the may-proxy-as-group property, or accounts that match entries specified by the may-proxy-as-url property. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
may-proxy-as-url
Property Group | Proxied Authorization |
Description | This restricts the set of accounts that this User can proxy as to entries that are matched by the specified LDAP URL. By default any User with the proxied-auth privilege can proxy as any account that does not explicitly disallow proxying by this user. However, this can be restricted so that it may only proxy as accounts with a DN specified with the may-proxy-as-dn property, accounts in a group specified with the may-proxy-as-group property, or accounts that match entries specified by the may-proxy-as-url property. |
Default Value | None |
Allowed Values | An absolute URL, or a relative URL |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
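The proxied authorization properties work in two directions: is-proxyable and is-proxyable-by-* restrict who may become this account, while may-proxy-as-* restrict which accounts this user may become. The following is an added model of those rules as the page describes them, not the server's own authorization code (which also evaluates access control, and which this model does not attempt to reproduce); the URL-based variants are omitted, all DNs and group memberships are constructed samples, and norm_dn is a crude stand-in for real DN matching.

```python
"""Two-sided proxied-authorization check modelled on the is-proxyable,
is-proxyable-by-dn/group and may-proxy-as-dn/group properties (added
illustration, not server code; LDAP-URL variants are not modelled)."""
from dataclasses import dataclass


def norm_dn(dn):
    """Crude DN normalization: lower-case, trim spaces around commas (assumption)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class UserConfig:
    dn: str
    privileges: frozenset = frozenset()       # effective privilege names
    is_proxyable: str = "allowed"             # allowed | prohibited | required
    is_proxyable_by_dn: frozenset = frozenset()
    is_proxyable_by_group: frozenset = frozenset()
    may_proxy_as_dn: frozenset = frozenset()
    may_proxy_as_group: frozenset = frozenset()


def _listed(dn, dn_set, group_set, group_members):
    """True if dn is in dn_set or is a member of any group in group_set."""
    dn = norm_dn(dn)
    if dn in {norm_dn(d) for d in dn_set}:
        return True
    members = {norm_dn(g): {norm_dn(m) for m in ms}
               for g, ms in group_members.items()}
    return any(dn in members.get(norm_dn(g), set()) for g in group_set)


def may_bind_directly(user):
    """is-proxyable=required accounts are reachable only via proxied auth."""
    return user.is_proxyable != "required"


def may_proxy_as(requester, target, group_members):
    """Return (permitted, reason) for requester acting as target.

    group_members: dict mapping group DN -> set of member DNs, a constructed
    stand-in for a group membership lookup.
    """
    if "proxied-auth" not in requester.privileges:
        return False, "requester lacks the proxied-auth privilege"
    if target.is_proxyable == "prohibited":
        return False, "target has is-proxyable: prohibited"
    # Target side: if any is-proxyable-by-* restriction is set, the
    # requester must match one of them.
    if (target.is_proxyable_by_dn or target.is_proxyable_by_group) and \
            not _listed(requester.dn, target.is_proxyable_by_dn,
                        target.is_proxyable_by_group, group_members):
        return False, "requester not in target's is-proxyable-by-dn/group"
    # Requester side: if any may-proxy-as-* restriction is set, the
    # target must match one of them.
    if (requester.may_proxy_as_dn or requester.may_proxy_as_group) and \
            not _listed(target.dn, requester.may_proxy_as_dn,
                        requester.may_proxy_as_group, group_members):
        return False, "target not in requester's may-proxy-as-dn/group"
    return True, "permitted"


# Constructed sample: a sync service root user that may only proxy as
# members of the App Accounts group, an application account that can only
# be reached by proxy from that service, and a helpdesk root user.
APP_GROUP = "cn=App Accounts,ou=Groups,dc=example,dc=com"
SYNC_SERVICE = UserConfig(
    dn="cn=Sync Service,cn=Root DNs,cn=config",
    privileges=frozenset({"proxied-auth"}),
    may_proxy_as_group=frozenset({APP_GROUP}),
)
APP1 = UserConfig(
    dn="uid=app1,ou=Apps,dc=example,dc=com",
    is_proxyable="required",
    is_proxyable_by_dn=frozenset({"cn=Sync Service,cn=Root DNs,cn=config"}),
)
HELPDESK = UserConfig(
    dn="cn=Helpdesk,cn=Root DNs,cn=config",
    privileges=frozenset({"proxied-auth", "password-reset"}),
)
GROUPS = {APP_GROUP: {"uid=app1,ou=Apps,dc=example,dc=com"}}

if __name__ == "__main__":
    print("app1 may bind directly:", may_bind_directly(APP1))
    print("sync -> app1:", may_proxy_as(SYNC_SERVICE, APP1, GROUPS))
    print("helpdesk -> app1:", may_proxy_as(HELPDESK, APP1, GROUPS))
    print("sync -> helpdesk:", may_proxy_as(SYNC_SERVICE, HELPDESK, GROUPS))
```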
account-activation-time (Advanced Property)
Property Group | Authentication |
Description | Specifies the time, in generalized time format (e.g., '20160101070000Z'), that the root user account should become active. If an activation time is specified, the user will not be permitted to authenticate, nor can the account be used as an authorization identity, until the activation time has arrived. This is stored in the ds-pwp-account-activation-time LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
account-expiration-time (Advanced Property)
Property Group | Authentication |
Description | Specifies the time, in generalized time format (e.g., '20240101070000Z'), that the root user account should expire. If an expiration time is specified, the user will not be permitted to authenticate, nor can the account be used as an authorization identity, after this time has passed. This is stored in the ds-pwp-account-expiration-time LDAP attribute. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
allowed-authentication-type (Advanced Property)
Property Group | Authentication |
Description | Indicates that this User should only be allowed to authenticate in certain ways. Allowed values include "simple" (to indicate that the user should be allowed to bind using simple authentication) or "sasl {mech}" (to indicate that the user should be allowed to bind using the specified SASL mechanism, like "sasl PLAIN"). The list of available SASL mechanisms can be retrieved by running "dsconfig --advanced list-sasl-mechanism-handlers". |
Default Value | The User can authenticate using any supported authentication mechanism. |
Allowed Values | The authentication type (e.g., "simple" or "sasl PLAIN"). |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
allowed-authentication-ip-address (Advanced Property)
Property Group | Authentication |
Description | An IPv4 or IPv6 address mask that controls the set of IP addresses from which this User can authenticate to the server. For instance, a value of 127.0.0.1 (or ::1 in IPv6) would restrict access to localhost connections only, whereas 10.6.1.* would restrict access to systems on the 10.6.1.* subnet. |
Default Value | The User is allowed to connect from any system. |
Allowed Values | An IP address mask |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
preferred-otp-delivery-mechanism (Advanced Property)
Property Group | Authentication |
Description | Overrides the default settings for the mechanisms (e.g., email or SMS) that are used to deliver one-time passwords to Users. If this property is specified, then the server will attempt to deliver a one-time password to the user using the mechanisms in the order specified, until one of them succeeds. The list of available delivery mechanisms can be retrieved by running "dsconfig --advanced list-otp-delivery-mechanisms". |
Default Value | The server will use the mechanisms specified by the default-otp-delivery-mechanism property of the Deliver OTP Extended Operation Handler. |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Root DN Users:
dsconfig list-root-dn-users [--property {propertyName}] ...
To view the configuration for an existing Root DN User:
dsconfig get-root-dn-user-prop --user-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Root DN User:
dsconfig set-root-dn-user-prop --user-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Root DN User:
dsconfig create-root-dn-user --user-name {name} --type root-dn [--set {propertyName}:{propertyValue}] ...
To delete an existing Root DN User:
dsconfig delete-root-dn-user --user-name {name}