Enabling the administrative group and roles

The server compatibility level must be 7 or greater and the CDBM backend must be configured to use the administrative group and roles. See serverCompatLevel {3 | 4 | 5 | 6 | 7| 8} for more information about the serverCompatLevel configuration option. When the LDAP server compatibility level is 7 or greater, the following entries are automatically created in the CDBM backend, if they do not exist:
  • cn=admingroup,cn=configuration
  • cn=safadmingroup,cn=configuration

By default, the administrative group is not enabled in the LDAP server because the ibm-slapdAdminGroupEnabled attribute is set to false automatically in the cn=configuration entry, if the attribute does not exist. If the ibm-slapdAdminGroupEnabled attribute is set to true, group members can be added to member entries under the cn=admingroup,cn=configuration entry or added as member attribute values to the cn=safadmingroup,cn=configuration entry. If the ibm-slapdAdminGroupEnabled attribute is deleted, the LDAP server treats the attribute as if it is set to false. The member attribute can be used to specify a RACF® group as an administrative group member. This allows RACF administrators to assign administrative roles to all members of a RACF group.

The following ldapsearch utility command can be used to query the status of the ibm-slapdAdminGroupEnabled attribute value in the cn=configuration entry:
ldapsearch -D binddn -w passwd -s base -b cn=configuration "objectclass=*" ibm-slapdAdminGroupEnabled
The following ldapmodify utility command can be used to set the ibm-slapdAdminGroupEnabled attribute value to true in the cn=configuration entry. When successful, this activates the administrative group and roles feature:
ldapmodify -D binddn -w passwd -f file.ldif
where, the file.ldif contents are:
dn: cn=configuration
changetype: modify
replace: ibm-slapdAdminGroupEnabled
ibm-slapdAdminGroupEnabled: true

See CDBM backend configuration and policy entries for more information about the above entries and attribute values that affect the administrative group and roles configuration.