4.9 - Add User

User addUser(User user) throws SecurityException

This command creates a new RBAC user. The command is valid only if the new user is not already a member of the USERS data set. The USER data set is updated. The new user does not own any session at the time of its creation.

required parameters:

  • User#userId - maps to INetOrgPerson uid
  • User#password - used when password authentication is required
  • User#ou - contains the name of an already existing User OU node

optional parameters:

  • User#pwPolicy - contains the name of an already existing OpenLDAP password policy node
  • User#cn - maps to INetOrgPerson common name attribute
  • User#sn - maps to INetOrgPerson surname attribute
  • User#description - maps to INetOrgPerson description attribute
  • User#title - maps to INetOrgPerson title attribute
  • User#employeeType - maps to INetOrgPerson employeeType attribute
  • User#phones * - multivalued attribute maps to organizationalPerson telephoneNumber attribute
  • User#mobiles * - multivalued attribute maps to INetOrgPerson mobile attribute
  • User#emails * - multivalued attribute maps to INetOrgPerson mail attribute
  • User#address * - multivalued attribute maps to organizationalPerson postalAddress, st, l, postalCode, postOfficeBox attributes
  • User#beginTime - HHMM - determines begin hour user may activate session
  • User#endTime - HHMM - determines end hour user may activate session.
  • User#beginDate - YYYYMMDD - determines date when user may sign on
  • User#endDate - YYYYMMDD - indicates latest date user may sign on
  • User#beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
  • User#endLockDate - YYYYMMDD - determines end of enforced inactive status
  • User#dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of user may sign on
  • User#timeout - number (in minutes) of session inactivity time allowed
  • User#props * - multivalued attribute contains property key and values are separated with a ‘:'. e.g. mykey1:myvalue1


  • user - User entity must contain User#userId and User#ou (required) and optional User#description,User#roles and many others.


  • Returns entity containing user data that was added.


  • SecurityException - thrown in the event of data validation or system error.


import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.ReviewMgr;
import org.apache.directory.fortress.core.ReviewMgrFactory;
import org.apache.directory.fortress.core.model.User;

public static void testCreateUser(String userId, String password, String userOu)
    String szLocation = ".testCreateUser";
        // Instantiate the AdminMgr implementation.  All AdminMgr APIs can throw a SecurityException in the event
        // of rule violation or system error.
        AdminMgr adminMgr = AdminMgrFactory.createInstance();
        User inUser = new User(userId, password);
        // ou is required attribute:
        // Now call the add API.  The API will return User entity with associated LDAP dn if creation was successful.
        User outUser = adminMgr.addUser(inUser);

        // Instantiate the ReviewMgr implementation which is used to interrogate policy information.
        ReviewMgr reviewMgr = ReviewMgrFactory.createInstance();

        // now read the newly created User entity back:
        User outUser2 = reviewMgr.readUser(inUser);
        assertTrue(szLocation + " failed read", inUser.equals(outUser2));
        LOG.info(szLocation + " user [" + outUser2.getUserId() + "] success");
    catch (SecurityException ex)
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);