
How can I add an admin user in Oracle Unified Directory (OUD) 11g r2?

I'm using OUD 11G R2. I just installed OUD with the default settings and set up an instance. I tried to add an admin user with the command:

./ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password --defaultAdd --filename admin.ldif 

Here is the content of admin.ldif:

dn: cn=oimuser,cn=Root DNs,cn=config
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
userPassword: Oracle123
cn: oimuser
sn: oimuser
ds-cfg-alternate-bind-dn: cn=oimuser
givenName: OIM User
ds-privilege-name: -config-read
ds-privilege-name: -config-write
ds-privilege-name: -backend-backup
ds-privilege-name: -backend-restore
ds-privilege-name: -data-sync
ds-privilege-name: -disconnect-client
ds-privilege-name: -jmx-notify
ds-privilege-name: -jmx-read
ds-privilege-name: -jmx-write
ds-privilege-name: -ldif-export
ds-privilege-name: -ldif-import
ds-privilege-name: -modify-acl
ds-privilege-name: -privilege-change
ds-privilege-name: -proxied-auth
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown
ds-privilege-name: -update-schema
ds-privilege-name: -cancel-request

I got the error below:

The provided entry cn=oimuser,cn=Root DNs,cn=config cannot be added because its suffix is not registered with the network group network-group

Would you please advise how I can fix that? Thanks

I found the reason. cn=config is an administrative suffix.

In general, direct LDAP access to the administrative suffixes (using the ldap* utilities) is discouraged. In most cases, it is preferable to use the dedicated administrative command-line utilities to access these suffixes.

If you must use the ldap* commands to access the administrative suffixes, you must use the administration connector port (with the --useSSL or -Z option).

It works when I use the command:

./ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -w Oracle123 --defaultAdd -Z --filename admin.ldif

You can verify it with:

./ldapsearch -h localhost -p 4444 -D "cn=Directory Manager" -w password --useSSL -b "cn=root DNs,cn=config" "cn=oimuser"
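The rule in this answer (anything under cn=config must go through the administration connector with SSL) as an added Python example, not code from the thread or from Oracle: it parses an LDIF file like admin.ldif, reports which port and TLS setting ldapmodify needs for each entry, and reviews a root DN entry's ds-privilege-name lines, where a leading minus takes a privilege away from the root user's defaults. The port numbers are the ones used in the thread; the ADMIN_SUFFIXES list and the sample LDIF are constructed here.

```python
# Added example: plan how an LDIF entry must be loaded into OUD and review a root DN entry
# first. Ports follow the thread (1389 LDAP, 4444 admin connector); ADMIN_SUFFIXES is an assumption.
ADMIN_SUFFIXES = ["cn=config"]
LDAP_PORT, ADMIN_PORT = 1389, 4444

# Constructed sample, modelled on the question's admin.ldif (shortened).
SAMPLE_LDIF = """dn: cn=oimuser,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: oimuser
userPassword: Oracle123
ds-privilege-name: -config-write
ds-privilege-name: -privilege-change
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; LDIF continuation lines are folded back first."""
    entries, dn, attrs = [], None, {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def normalize_dn(dn):  # lower-case each RDN and drop spaces around '=' (simple DNs only)
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}"
                    for a, _, v in (rdn.partition("=") for rdn in dn.split(",")))

def connection_for(dn):
    """Administrative suffixes are writable only via the admin connector over SSL."""
    ndn = normalize_dn(dn)
    for suffix in ADMIN_SUFFIXES:
        if ndn == suffix or ndn.endswith("," + suffix):
            return {"port": ADMIN_PORT, "use_ssl": True, "admin_suffix": suffix}
    return {"port": LDAP_PORT, "use_ssl": False, "admin_suffix": None}

def root_user_review(attrs):
    """A leading '-' in ds-privilege-name removes one of the root user's default privileges."""
    privs = attrs.get("ds-privilege-name", [])
    return {"is_root_dn": "ds-cfg-root-dn-user" in map(str.lower, attrs.get("objectclass", [])),
            "removed": sorted(p[1:] for p in privs if p.startswith("-")),
            "granted": sorted(p for p in privs if not p.startswith("-")),
            "cleartext_password_in_ldif": "userpassword" in attrs}
```

The cleartext_password_in_ldif flag is there because the question's admin.ldif carries the root user's password in clear; hash it or load it through the admin connector only and delete the file afterwards.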

I'm only familiar with OUD 11.1.2.1.0. OUD 11.1.2.1.0 has more than one way to add a root user:

  • ldapmodify: the way you mentioned works just fine (documentation: OUD 11.1.2.1.0 Admin Guide, 19.2.1.2 To Create a New Root User). The problem comes when you try to limit the root user's privileges through the Privilege Subsystem; then you'll have to use the dsconfig tool too.

  • Oracle Directory Services Manager GUI: ODSM is a JavaEE 6 application packaged as an Enterprise ARchive. If you install an Oracle Fusion Middleware 11gR2 stack with Weblogic 10.3.6 as the application server, you can create a WLS domain in which you are able to deploy ODSM (e.g. on AdminServer). If you are not familiar with FMW, I don't suggest this option because of the huge configuration and learning overhead it needs. Nevertheless, once you have configured it properly, the GUI helps a lot! In ODSM, you can find what you need here: Log in -> Configuration -> General Configuration -> Root Users

Hope I helped a little.

PS: I would add to Jacky's answer: you might need to use -X too to trust the admin connector's certificate (if you haven't flagged it as trusted by adding it to the JKS truststore).

Change "dn: cn=oimuser,cn=Root DNs,cn=config" to "dn: cn=oimuser,cn=Users,dc=xyz,dc=com".

Update cn=Users,dc=xyz,dc=com according to your directory structure.
