4.2. Centralized versus Distributed Administration
The directory administrator (the user with the root DN) is, by default, the only one person who can administer information in the directory. At times, it will be necessary to allow other users to have administrative privileges on all or portions of the directory. The Directory Information Tree (DIT) can be divided into administrative areas; the directory administrator can give other distinguished names (DNs) full privileges to manage some subsection of the directory. In order to grant a user administrative permission to a subtree, that user DN must be specified in the entry owner attribute. The administrative domain will be delimited by the value of an owner inheritance attribute (OwnerPropagate); ...
Get LDAP Implementation Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.