Directory Server (LDAP) - Administrative access

The IBM directory server allows the following types of administrative access:

Projected i5/OS administrator: A client authenticated as a projected user (an LDAP entry representing an operating system user profile) with *ALLOBJ and *IOSYSCFG special authorities has authority to change the directory configuration using LDAP interfaces (the cn=configuration subtree, or the Web administration tool "Server administration" tasks), as well as act as an LDAP administrator for other directory entries (entries stored in one of the DB2 suffixes or the schema). Only projected i5/OS administrators can change the server configuration.
LDAP administrator: The IBM Directory Server allows a single user ID (DN) to be the primary LDAP server administrator. iSeries™ also allows projected operating system user profiles to be LDAP administrators. The LDAP server administrators can perform a long list of administrative tasks such as managing replication, schema, and directory entries. For more information, see Grant administrator access to projected users.
Group of administrative users: A projected i5/OS administrator can appoint several users to be in the administrative group. Members of this group can perform many tasks because they have the same administrative access as an LDAP server administrator.
Note:

When using Web administration, tasks that have not been granted to administrative group members are disabled.

An LDAP administrator or administrative group member can perform the following server administration tasks:

Change their own password
Terminate connections
Enable and change password policy, except for password encryption, which can only be changed by a projected i5/OS administrator.
Manage unique attributes
Manage the server schema
Manage replication, except for the replication properties task (includes master server bind DN and password and the default referral), which can only be performed by a projected i5/OS administrator.

For information on how to create an administrative group, see Work with the administrative group.