Enabling the administrative group and roles
- cn=admingroup,cn=configuration
- cn=safadmingroup,cn=configuration
By default, the administrative group is not enabled in the LDAP server: if the ibm-slapdAdminGroupEnabled attribute does not exist in the cn=configuration entry, it is automatically set to false. If the ibm-slapdAdminGroupEnabled attribute is set to true, group members can be added to member entries under the cn=admingroup,cn=configuration entry or added as member attribute values to the cn=safadmingroup,cn=configuration entry. If the ibm-slapdAdminGroupEnabled attribute is deleted, the LDAP server treats the attribute as if it is set to false. The member attribute can be used to specify a RACF® group as an administrative group member. This allows RACF administrators to assign administrative roles to all members of a RACF group.
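To check the current value of the ibm-slapdAdminGroupEnabled attribute, search the cn=configuration entry:
ldapsearch -D binddn -w passwd -s base -b cn=configuration "objectclass=*" ibm-slapdAdminGroupEnabled
To enable the administrative group, set the attribute to true with ldapmodify:
ldapmodify -D binddn -w passwd -f file.ldif
where file.ldif contains:
dn: cn=configuration
changetype: modify
replace: ibm-slapdAdminGroupEnabled
ibm-slapdAdminGroupEnabled: true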
See CDBM backend configuration and policy entries for more information about the above entries and attribute values that affect the administrative group and roles configuration.
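The check and the default described above, as an added example that is not part of the original documentation: a shell helper that reports the effective administrative group state from search output, treating a missing ibm-slapdAdminGroupEnabled attribute as false. The function names and sample outputs are constructed for illustration, and accepting both `attribute: value` and `attribute=value` lines is an assumption about the output format.

```shell
#!/bin/sh
# Added example: effective state of the administrative group.

# Read search output for cn=configuration on stdin and print "true" only
# when ibm-slapdAdminGroupEnabled is present and set to true. A missing
# attribute prints "false", which is how the server treats it.
admin_group_state() {
    awk '
        BEGIN { state = "false" }
        {
            sub(/\r$/, "")                  # tolerate CRLF line endings
            line = tolower($0)              # attribute names are case-insensitive
            if (line ~ /^ibm-slapdadmingroupenabled[:=]/) {
                # Skip the attribute name and the one-character separator.
                value = substr(line, length("ibm-slapdadmingroupenabled") + 2)
                gsub(/^[ \t]+|[ \t]+$/, "", value)
                state = (value == "true") ? "true" : "false"
            }
        }
        END { print state }
    '
}

# Hypothetical wrapper around the search command shown on this page.
# $1 = bind DN, $2 = password. Returns 2 if the search itself fails, so a
# failed bind is never reported as "false".
check_admin_group() {
    out=$(ldapsearch -D "$1" -w "$2" -s base -b cn=configuration \
        "objectclass=*" ibm-slapdAdminGroupEnabled) || return 2
    printf '%s\n' "$out" | admin_group_state
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_ENABLED='dn: cn=configuration
ibm-slapdAdminGroupEnabled: true'
SAMPLE_ABSENT='dn: cn=configuration'
SAMPLE_DISABLED='cn=configuration
ibm-slapdAdminGroupEnabled=FALSE'
```

A result of "true" means that entries under cn=admingroup,cn=configuration and member values in cn=safadmingroup,cn=configuration are in effect and are worth reviewing.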