A lot of us end up using the superuser 'cn=orcladmin' to connect to OID for every use case.
This is not best practice: 'cn=orcladmin' is the directory superuser, which carries far more privilege than most administrative tasks need and has access to every realm in OID.
There is no documented way to create a second superuser like cn=orcladmin. A user with the same privileges as the realm administrator (cn=orcladmin,cn=Users,dc=<companyName>,dc=com) can be created instead, and used for the following use cases:
- Use in OAM Console for Identity Store credentials
- Providing ODSM login capability to admin users to view/modify the LDAP Tree for their realm
- Any CRUD-style LDAP operations performed from Java code
- Separate password policies can be applied to these users, independent of the policy that governs the cn=orcladmin superuser
This user can be created as follows:
1. Create an LDIF file with the following content (set userpassword so that the new user can bind in step 3)
dn: cn=myadmin,cn=Users,dc=oracle,dc=com
givenname: myadmin
sn: myadmin
cn: myadmin
uid: myadmin
mail: myadmin@oracle.com
userpassword: <password>
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: orclUser
objectclass: orclUserV2
objectclass: organizationalPerson
2. Run ldapadd
ldapadd -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -f <LDIF_filename>
Alternatively, use the 'Import' function in the Data Browser tab of ODSM. Since the LDIF file holds the new user's password in cleartext, delete it once the entry has been created.
3. Confirm that you are able to bind successfully as the newly created user
ldapbind -h <OID_host> -p <OID_port> -D "cn=myadmin,cn=users,dc=oracle,dc=com" -w <password>
4. Get the existing group memberships of the realm orcladmin user, i.e. the groups that list it as a uniquemember. The realm admin's privileges come from these memberships, so the new user has to be added to the same groups to get the same privileges:
ldapsearch -h <OID_host> -p <OID_port> -D "cn=orcladmin" -w <password> -b "dc=oracle,dc=com" -s sub "(uniquemember=<DN_of_orcladmin>)" dn
Alternatively, use the 'Import' feature in the Data Browser tab of ODSM to import the attached SuperUser.ldif file (it contains, in LDIF format, all the groups a Realm Admin needs to be added to).
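The script below is an added example (it is not from the original post) that carries the procedure through: it takes the group DNs returned by the step 4 search, builds the ldapmodify LDIF that adds the new user as a uniquemember of each group, and afterwards compares the two users' memberships so that a missed group is reported. The host, port, passwords and the realm base dc=oracle,dc=com are placeholders, the -L flag is assumed to make the OID ldapsearch print LDIF-style "dn:" lines, and SAMPLE_SEARCH_OUTPUT is constructed so the LDIF generation and the comparison can be run without a directory.

```shell
#!/bin/sh
# Added example, not from the original post: copy the realm orcladmin's group
# memberships onto the new admin user with the OID command-line tools and
# verify the result. Host, port, passwords and DNs are placeholder assumptions;
# SAMPLE_SEARCH_OUTPUT is constructed to resemble `ldapsearch -L` output.

OID_HOST="${OID_HOST:-oid.example.com}"        # assumption
OID_PORT="${OID_PORT:-3060}"                   # assumption
OID_ADMIN_PW="${OID_ADMIN_PW:-change-me}"      # superuser password (assumption)
REALM_BASE="dc=oracle,dc=com"
REALM_ADMIN_DN="cn=orcladmin,cn=Users,dc=oracle,dc=com"
NEW_ADMIN_DN="cn=myadmin,cn=Users,dc=oracle,dc=com"

# Keep only each entry's DN from LDIF-style search output ("dn: ..." lines).
group_dns() {
    sed -n 's/^dn: //p'
}

# Read group DNs (one per line) on stdin and emit an ldapmodify LDIF that adds
# NEW_ADMIN_DN as a uniquemember of every group. Groups that already contain
# the user will be rejected by the server as "type or value exists".
membership_ldif() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\nadd: uniquemember\nuniquemember: %s\n\n' \
            "$dn" "$NEW_ADMIN_DN"
    done
}

# Print the groups listed in file $1 (reference admin) but not in file $2
# (new admin). Empty output means the two users have identical memberships.
missing_groups() {
    ref_sorted=$(mktemp); new_sorted=$(mktemp)
    sort -u "$1" > "$ref_sorted"
    sort -u "$2" > "$new_sorted"
    comm -23 "$ref_sorted" "$new_sorted"
    rm -f "$ref_sorted" "$new_sorted"
}

# Search the realm for groups that list $1 as a uniquemember. -L asks the OID
# ldapsearch for LDIF output (assumption), which is what group_dns expects.
fetch_groups() {
    ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "cn=orcladmin" -w "$OID_ADMIN_PW" \
        -L -b "$REALM_BASE" -s sub "(uniquemember=$1)" dn | group_dns
}

# Constructed sample: three realm DAS privilege groups as ldapsearch -L prints them.
SAMPLE_SEARCH_OUTPUT='dn: cn=OracleDASCreateUser,cn=Groups,cn=OracleContext,dc=oracle,dc=com

dn: cn=OracleDASEditUser,cn=Groups,cn=OracleContext,dc=oracle,dc=com

dn: cn=OracleDASDeleteUser,cn=Groups,cn=OracleContext,dc=oracle,dc=com
'

if [ "${1:-}" = "apply" ]; then
    # Live run against the directory: generate the modify LDIF, apply it, verify.
    ref=$(mktemp); new=$(mktemp); ldif=$(mktemp)
    fetch_groups "$REALM_ADMIN_DN" > "$ref"
    membership_ldif < "$ref" > "$ldif"
    ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D "cn=orcladmin" -w "$OID_ADMIN_PW" -f "$ldif"
    fetch_groups "$NEW_ADMIN_DN" > "$new"
    if [ -n "$(missing_groups "$ref" "$new")" ]; then
        echo "myadmin is still missing these groups:" >&2
        missing_groups "$ref" "$new" >&2
    fi
    rm -f "$ref" "$new" "$ldif"
else
    # Offline demo: show the LDIF that would be applied for the sample groups.
    printf '%s' "$SAMPLE_SEARCH_OUTPUT" | group_dns | membership_ldif
fi
```

Run it with no arguments to see the LDIF generated from the constructed sample, and with `apply` (and the real host, port and password in the environment) to perform the change. The final comparison is the check worth keeping: because the new user's privilege is nothing more than these group memberships, a group dropped from the LDIF, or added to orcladmin later, silently leaves the two accounts unequal.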
Reference: Doc ID 454796.1
Good reads: