Data Governance Server Documentation Index
Configuration Reference Home

Root DN User

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Root DN Users are administrative users whose accounts exist in the server configuration. Root DN Users may automatically inherit a set of privileges defined in the root DN configuration, which can be used to give them special capabilities that are not automatically granted to non-root users.

Parent Component
Relations to This Component
Properties
dsconfig Usage

Parent Component

The Root DN User component inherits from the User

Relations to This Component

The following components have a direct composition relation to Root DN Users:

Properties

The properties supported by this managed object are as follows:


User Information Basic Properties: Advanced Properties:
↓ alternate-bind-dn  None
↓ description
↓ password
↓ first-name
↓ last-name
↓ user-id
↓ email-address
↓ work-telephone-number
↓ home-telephone-number
↓ mobile-telephone-number
↓ pager-telephone-number
Privileges Basic Properties: Advanced Properties:
↓ inherit-default-root-privileges  None
↓ privilege
Resource Limits Basic Properties: Advanced Properties:
↓ search-result-entry-limit  None
↓ time-limit-seconds
↓ look-through-entry-limit
↓ idle-time-limit-seconds
Authentication Basic Properties: Advanced Properties:
↓ password-policy ↓ account-activation-time
↓ disabled ↓ account-expiration-time
↓ require-secure-authentication ↓ allowed-authentication-type
↓ require-secure-connections ↓ allowed-authentication-ip-address
↓ preferred-otp-delivery-mechanism
Proxied Authorization Basic Properties: Advanced Properties:
↓ is-proxyable  None
↓ is-proxyable-by-dn
↓ is-proxyable-by-group
↓ is-proxyable-by-url
↓ may-proxy-as-dn
↓ may-proxy-as-group
↓ may-proxy-as-url

Basic Properties

alternate-bind-dn

Property Group
User Information
Description
Specifies one or more alternate DNs that can be used to bind to the server as this User.
Default Value
This root user is allowed to bind only using the DN of the associated configuration entry.
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

description

Property Group
User Information
Description
A description for this User.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password

Property Group
User Information
Description
Specifies the user's password. This is stored in the userPassword LDAP attribute. To set a pre-hashed value, the account making the change must have the bypass-pw-policy privilege.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

first-name

Property Group
User Information
Description
Specifies the user's first name. This is stored in the givenName LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

last-name

Property Group
User Information
Description
Specifies the user's last name. This is stored in the sn LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

user-id

Property Group
User Information
Description
Specifies the user's user ID. This is stored in the uid LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

email-address

Property Group
User Information
Description
Specifies the user's email address. This is stored in the mail LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

work-telephone-number

Property Group
User Information
Description
Specifies the user's work telephone number. This is stored in the telephoneNumber LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

home-telephone-number

Property Group
User Information
Description
Specifies the user's home telephone number. This is stored in the homePhone LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

mobile-telephone-number

Property Group
User Information
Description
Specifies the user's mobile telephone number. This is stored in the mobile LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

pager-telephone-number

Property Group
User Information
Description
Specifies the user's pager telephone number. This is stored in the pager LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

inherit-default-root-privileges

Property Group
Privileges
Description
Indicates whether this User should be automatically granted the set of privileges defined in the default-root-privilege-name property of the Root DN configuration object. If this is false, then this User will not have any privileges by default, but may be explicitly granted one or more privileges using the privilege property. The privilege property can also be used to revoke inherited root privileges.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

privilege

Property Group
Privileges
Description
Privileges that are either explicitly granted or revoked from the root user. Privileges can be revoked by including a minus sign (-) before the privilege name. This is stored in the ds-privilege-name LDAP attribute. If the inherit-default-root-privileges property is set to true, then the root user will inherit all privileges defined in the default-root-privilege-name property of the Root DN configuration object. Any of these inherited root privileges can be revoked by specifying the privilege name here prefixed with a minus sign (-). If the inherit-default-root-privileges property is set to false, then the root user will not have any privileges defined by default, so privileges can be granted explicitly using this property. Even if inherit-default-root-privileges is true, you can still set additional privileges through this property that aren't granted as part of the default set of root privileges.
Default Value
None
Allowed Values
audit-data-security - Allows the associated user to execute data security auditing tasks.

-audit-data-security - Denies the associated user to execute data security auditing tasks. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.

-bypass-acl - Denies the associated user to bypass all access control checks performed by the server for any type of operation. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.

-bypass-read-acl - Denies the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

modify-acl - Allows the associated user to modify the server's access control configuration.

-modify-acl - Denies the associated user to modify the server's access control configuration. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

config-read - Allows the associated user to read the server configuration.

-config-read - Denies the associated user to read the server configuration. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.

-config-write - Denies the associated user to update the server configuration. The config-read privilege is also required. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

jmx-read - Allows the associated user to perform JMX read operations.

-jmx-read - Denies the associated user to perform JMX read operations. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

jmx-write - Allows the associated user to perform JMX write operations.

-jmx-write - Denies the associated user to perform JMX write operations. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

jmx-notify - Allows the associated user to subscribe to receive JMX notifications.

-jmx-notify - Denies the associated user to subscribe to receive JMX notifications. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

ldif-import - Allows the user to request that the server process LDIF import tasks.

-ldif-import - Denies the user to request that the server process LDIF import tasks. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

ldif-export - Allows the user to request that the server process LDIF export tasks.

-ldif-export - Denies the user to request that the server process LDIF export tasks. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

backend-backup - Allows the user to request that the server process backup tasks.

-backend-backup - Denies the user to request that the server process backup tasks. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

backend-restore - Allows the user to request that the server process restore tasks.

-backend-restore - Denies the user to request that the server process restore tasks. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

server-shutdown - Allows the user to request that the server shut down.

-server-shutdown - Denies the user to request that the server shut down. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

server-restart - Allows the user to request that the server perform an in-core restart.

-server-restart - Denies the user to request that the server perform an in-core restart. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

-proxied-auth - Denies the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

disconnect-client - Allows the user to terminate other client connections.

-disconnect-client - Denies the user to terminate other client connections. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

password-reset - Allows the user to reset user passwords.

-password-reset - Denies the user to reset user passwords. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

update-schema - Allows the user to make changes to the server schema.

-update-schema - Denies the user to make changes to the server schema. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

-privilege-change - Denies the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.

-unindexed-search - Denies the user to request that the server process a search that cannot be optimized using server indexes. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

-unindexed-search-with-control - Denies the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.

bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.

-bypass-pw-policy - Denies the associated user to bypass password policy processing performed by the server. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

-lockdown-mode - Denies the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.

-stream-values - Denies the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

third-party-task - Allows the associated user to invoke tasks created by third-party developers.

-third-party-task - Denies the associated user to invoke tasks created by third-party developers. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads.

-use-admin-session - Denies the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

soft-delete-read - Allows the associated user access to soft-deleted entries.

-soft-delete-read - Denies the associated user access to soft-deleted entries. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

metrics-read - Allows the associated user access to data in the metrics backend.

-metrics-read - Denies the associated user access to data in the metrics backend. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.

-manage-topology - Denies the associated user to manage the set of server instances that are part of a topology. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.

-permit-get-password-policy-state-issues - Denies the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.

-permit-proxied-mschapv2-details - Denies the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism.

-permit-externally-processed-authentication - Denies the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism. The privilege is denied if the user would be granted that ability through other means like inheriting a default set of root privileges.

permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.

-permit-forwarding-client-connection-policy - Denies the associated user to request that an operation be processed using a specified client connection policy.

exec-task - Allows the associated user to schedule an exec task.

-exec-task - Denies the associated user the ability to schedule an exec task.

collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.

-collect-support-data - Forbids the requester from invoking the collect-support-data tool via an administrative task or an extended operation.

file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.

-file-servlet-access - Forbids the requester from accessing the content exposed by file servlet instances that require this privilege.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

search-result-entry-limit

Property Group
Resource Limits
Description
Specifies the maximum number of entries that the server may return to the user in response to any single search request. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-size-limit LDAP attribute.
Default Value
0
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

time-limit-seconds

Property Group
Resource Limits
Description
Specifies the maximum length of time (in seconds) that the server may spend processing any single search request. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-time-limit LDAP attribute.
Default Value
0
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

look-through-entry-limit

Property Group
Resource Limits
Description
Specifies the maximum number of candidate entries that the server may examine in the course of processing any single search request. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-lookthrough-limit LDAP attribute.
Default Value
0
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

idle-time-limit-seconds

Property Group
Resource Limits
Description
Specifies the maximum length of time (in seconds) that a connection authenticated as this user may remain established without issuing any requests. A value of 0 indicates no limit should be enforced. This is stored in the ds-rlim-idle-time-limit LDAP attribute.
Default Value
0
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

password-policy

Property Group
Authentication
Description
Specifies the password policy for the user. This is stored in the ds-pwp-password-policy-dn LDAP attribute.
Default Value
Root Password Policy
Allowed Values
The DN of any Password Policy.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

disabled

Property Group
Authentication
Description
Specifies whether the root user account should be disabled. A disabled account is not permitted to authenticate, nor can it be used as an authorization identity. This is stored in the ds-pwp-account-disabled LDAP attribute.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

require-secure-authentication

Property Group
Authentication
Description
Indicates whether this User must authenticate in a secure manner. When set to "true", the User will only be allowed to authenticate over a secure connection or using a mechanism that does not expose user credentials (e.g., the CRAM-MD5, DIGEST-MD5, and GSSAPI SASL mechanisms).
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

require-secure-connections

Property Group
Authentication
Description
Indicates whether this User must be required to communicate with the server over a secure connection. When set to "true", the User will only be allowed to communicate with the server over a secure connection (i.e., using TLS or the StartTLS extended operation).
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

is-proxyable

Property Group
Proxied Authorization
Description
This can be used to indicate whether the User can be used as an alternate authorization identity (using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity).
Default Value
allowed
Allowed Values
allowed - The User may authenticate directly against the server or be the target of proxied authorization.

prohibited - The User will not be allowed to be the target of proxied authorization and may only authenticate directly to the server.

required - This User will not be allowed to authenticate directly to the server but instead will only be allowed to be referenced by proxied authorization.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

is-proxyable-by-dn

Property Group
Proxied Authorization
Description
Specifies the DNs of accounts that can proxy as this User using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity. This property is only applicable if is-proxyable is set to "allowed" or "required". By default, Users with a is-proxyable property value of "allowed" or "required" can be proxied by any account with sufficient privileges. However, this can be restricted so that it is only allowed by accounts with a DN specified with the is-proxyable-by-dn property, accounts in a group specified with the is-proxyable-by-group property, or accounts that match entries specified by the is-proxyable-by-url property.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

is-proxyable-by-group

Property Group
Proxied Authorization
Description
Specifies the DNs of groups whose members can proxy as this User using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity. This property is only applicable if is-proxyable is set to "allowed" or "required". By default, Users with a is-proxyable property value of "allowed" or "required" can be proxied by any account with sufficient privileges. However, this can be restricted so that it is only allowed by accounts with a DN specified with the is-proxyable-by-dn property, accounts in a group specified with the is-proxyable-by-group property, or accounts that match entries specified by the is-proxyable-by-url property.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

is-proxyable-by-url

Property Group
Proxied Authorization
Description
Specifies LDAP URLs of accounts that can proxy as this User using the proxied authorization v1 or v2 control, the intermediate client control, or a SASL mechanism that allows specifying an alternate authorization identity. This property is only applicable if is-proxyable is set to "allowed" or "required". By default, Users with a is-proxyable property value of "allowed" or "required" can be proxied by any account with sufficient privileges. However, this can be restricted so that it is only allowed by accounts with a DN specified with the is-proxyable-by-dn property, accounts in a group specified with the is-proxyable-by-group property, or accounts that match entries specified by the is-proxyable-by-url property.
Default Value
None
Allowed Values
An absolute URL, or a relative URL
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

may-proxy-as-dn

Property Group
Proxied Authorization
Description
This restricts the set of accounts that this User can proxy as to entries with the specified DNs. By default any User with the proxied-auth privilege can proxy as any account that does not explicitly disallow proxying by this user. However, this can be restricted so that it may only proxy as accounts with a DN specified with the may-proxy-as-dn property, accounts in a group specified with the may-proxy-as-group property, or accounts that match entries specified by the may-proxy-as-url property.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

may-proxy-as-group

Property Group
Proxied Authorization
Description
This restricts the set of accounts that this User can proxy as to entries that are in the group with the specified DN. By default any User with the proxied-auth privilege can proxy as any account that does not explicitly disallow proxying by this user. However, this can be restricted so that it may only proxy as accounts with a DN specified with the may-proxy-as-dn property, accounts in a group specified with the may-proxy-as-group property, or accounts that match entries specified by the may-proxy-as-url property.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

may-proxy-as-url

Property Group
Proxied Authorization
Description
This restricts the set of accounts that this User can proxy as to entries that are matched by the specified LDAP URL. By default any User with the proxied-auth privilege can proxy as any account that does not explicitly disallow proxying by this user. However, this can be restricted so that it may only proxy as accounts with a DN specified with the may-proxy-as-dn property, accounts in a group specified with the may-proxy-as-group property, or accounts that match entries specified by the may-proxy-as-url property.
Default Value
None
Allowed Values
An absolute URL, or a relative URL
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

account-activation-time (Advanced Property)

Property Group
Authentication
Description
Specifies the time, in generalized time format (e.g., '20160101070000Z'), that the root user account should become active. If an activation time is specified, the user will not be permitted to authenticate, nor can the account be used as an authorization identity, until the activation time has arrived. This is stored in the ds-pwp-account-activation-time LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-expiration-time (Advanced Property)

Property Group
Authentication
Description
Specifies the time, in generalized time format (e.g., '20240101070000Z'), that the root user account should expire. If an expiration time is specified, the user will not be permitted to authenticate, nor can the account be used as an authorization identity, after this time has passed. This is stored in the ds-pwp-account-expiration-time LDAP attribute.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allowed-authentication-type (Advanced Property)

Property Group
Authentication
Description
Indicates that User should only be allowed to authenticate in certain ways. Allowed values include "simple" (to indicate that the user should be allowed to bind using simple authentication) or "sasl {mech}" (to indicate that the user should be allowed to bind using the specified SASL mechanism, like "sasl PLAIN"). The list of available SASL mechanisms can be retrieved by running "dsconfig --advanced list-sasl-mechanism-handlers".
Default Value
The User can authenticate using any supported authentication mechanism.
Allowed Values
The authentication type (e.g., "simple" or "sasl PLAIN.")
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

allowed-authentication-ip-address (Advanced Property)

Property Group
Authentication
Description
An IPv4 or IPv6 address mask that controls the set of IP addresses from which this User can authenticate to the server. For instance a value of 127.0.0.1 (or ::1 in IPv6) would restricted access only to localhost connections, whereas 10.6.1.* would restrict access to servers on the 10.6.1.* subnet.
Default Value
The User is allowed to connect from any system.
Allowed Values
An IP address mask
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

preferred-otp-delivery-mechanism (Advanced Property)

Property Group
Authentication
Description
Overrides the default settings for the mechanisms (e.g., email or SMS) that are used to deliver one time passwords to Users. If this property is specified, then the server will attempt to deliver a one-time password to the user in the order the mechanisms are specified, until one of them is successful. The list of available delivery mechanisms can be retrieved by running "dsconfig --advanced list-otp-delivery-mechanisms."
Default Value
The server will use the mechanisms specified by the default-otp-delivery-mechanism property of the Deliver OTP Extended Operation Handler.
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Root DN Users:

dsconfig list-root-dn-users
     [--property {propertyName}] ...

To view the configuration for an existing Root DN User:

dsconfig get-root-dn-user-prop
     --user-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Root DN User:

dsconfig set-root-dn-user-prop
     --user-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Root DN User:

dsconfig create-root-dn-user
     --user-name {name}
     --type root-dn
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Root DN User:

dsconfig delete-root-dn-user
     --user-name {name}