A lot of us end up using the superuser 'cn=orcladmin' to connect to OID for all use-cases.
Certainly this is not best practice: the superuser 'cn=orcladmin' is a privileged account with far more rights than non-admin functions need. We should create read-only LDAP users for the following use cases:
- LDAP monitoring at the F5/load balancer level (LDAP health check using ldapbind)
- Username/password for the LDAP Authenticators configured in the WebLogic Console (used only for authentication)
- Giving non-admin users ODSM login capability to view the LDAP tree (within the limits of the ACLs granted to them)
- Any kind of query-only LDAP API used in Java code
- Separate password policies can be assigned to read-only users, different from those of superusers/realm admins
Only three tabs are visible in ODSM for read-only users: Home, Data Browser, Schema.
The Security and Advanced tabs are not visible.
One way to create a read-only user is:
1. Create a text file (e.g., readonly.ldif) with the following:
dn: cn=readonly,cn=Users,<subscriber domain>
userpassword: <password>
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: readonly
givenname: readonly
uid: readonly
description: account to have readonly access
sn: readonly
cn: readonly
2. Load the above file with the ldapadd command:
ldapadd -h <OID_host> -p <OID_port> -D cn=orcladmin -w <password> -v -f readonly.ldif
Alternatively, we can use the 'Import' function available in the Data Browser tab in ODSM.
The key is to make sure the user is not a member of any groups.
3. Check Group Memberships:
To verify the user is NOT a member of any group, issue the following search:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <pwd> -s sub -b "" "(uniquemember=<full_user_DN>)" "dn"
4. Confirm that you are able to bind successfully as the newly created user:
ldapbind -h <OID_host> -p <OID_port> -D "cn=readonly,cn=Users,<subscriber domain>" -w <password>
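The procedure above, as an added example that is not part of the original post or of Oracle's note: it renders the read-only entry as LDIF with the dn and userpassword on separate lines, builds the step-3 membership search with the user DN escaped so it cannot alter the filter, and parses that search's output to list any group that still names the account. The sample output is constructed (the group DN is illustrative, not taken from the page) and assumes LDIF-style output from ldapsearch (the -L option in OID).

```python
"""Helpers for the read-only OID account procedure above.
Added example, not from the original post or Oracle's note; the sample
ldapsearch output below is constructed and assumes LDIF-style output (-L)."""
import re


def readonly_ldif(subscriber_dn: str, password: str, uid: str = "readonly") -> str:
    """Render the entry as LDIF, one attribute per line (dn and userpassword separate)."""
    entry = [
        ("dn", f"cn={uid},cn=Users,{subscriber_dn}"),
        ("userpassword", password),
        ("objectclass", "top"),
        ("objectclass", "person"),
        ("objectclass", "organizationalPerson"),
        ("objectclass", "inetorgperson"),
        ("objectclass", "orcluser"),
        ("objectclass", "orcluserV2"),
        ("mail", uid),
        ("givenname", uid),
        ("uid", uid),
        ("description", "account to have readonly access"),
        ("sn", uid),
        ("cn", uid),
    ]
    return "".join(f"{attr}: {value}\n" for attr, value in entry)


def membership_search_argv(host, port, bind_dn, bind_pw, user_dn) -> list[str]:
    """argv for the step-3 check: which groups list user_dn as a uniquemember.
    RFC 4515 filter metacharacters in the DN are escaped so the DN cannot change
    the filter; -L requests LDIF-style output that groups_listing_user can parse."""
    escaped = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), user_dn)
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", bind_dn, "-w", bind_pw,
            "-L", "-s", "sub", "-b", "", f"(uniquemember={escaped})", "dn"]


def groups_listing_user(ldapsearch_output: str) -> list[str]:
    """Return every group DN in LDIF-style search output.
    An empty list means the account is in no group, which the procedure requires."""
    return [line[3:].strip() for line in ldapsearch_output.splitlines()
            if line.lower().startswith("dn:")]


# Constructed sample: a leftover membership in a privileged OID group, which
# would make the account more than read-only (illustrative, not from the page).
SAMPLE_OUTPUT = "dn: cn=OracleDASCreateUser,cn=groups,cn=OracleContext,dc=example,dc=com\n\n"

if __name__ == "__main__":
    print(readonly_ldif("dc=example,dc=com", "<password>"), end="")
    print("groups still listing the user:", groups_listing_user(SAMPLE_OUTPUT))
```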
Reference: Doc ID 746612.1