Update README.md

This commit is contained in:
Marisa 2025-09-25 15:49:38 -04:00
parent b6a6ccaf1b
commit e9f60aabfd


@ -55,7 +55,50 @@ root@example:/# ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" -s base
In order to create users with different attributes and permits, we need to create a new admin account besides the root one that comes by default.\
We will refer to the Administrator account as admin, and in a few cases, the root account as the set by default.\
**`why is this needed?`** _unnecesary long explanation, but just in case:_ in openLDAP, by default a special administrative account is created as core base to execute first hand tasks, however aside being able to bypass ACLs (Access Control Lists), and therefore any other account created, being allowed to authenthicate for operations like ldapadd, ldapmodify and ldapsearch, etc. it has not an actual entry in the dc=example,dc=com tree (our parentDN). This account it is only configured as olcRootDN in the core base directory/database, cn=config (/etc/ldap/slapd.d/'cn=config') and nothing more. It does not create the corresponding entry in any data tree, therefore the server cannot locate the full entry cn=admin,dc=example,dc=com because it does not exists. In pragmatic terms, we need to create an administrative account for our DN and our parentDN, the later being our domain name as previously explained.
**`why is this needed?`** _unnecesary long explanation, but just in case:_ in openLDAP, by default a special administrative account is created as core base to execute first hand tasks, however aside being able to bypass ACLs (Access Control Lists), and therefore any other account created, being allowed to authenthicate for operations like ldapadd, ldapmodify and ldapsearch, etc. it has not an actual entry in the dc=example,dc=com tree (our parentDN). This account it is only configured as olcRootDN in the core base directory/database, cn=config (/etc/ldap/slapd.d/'cn=config') and nothing more. It does not create the corresponding entry in any data tree, therefore the server cannot locate the full entry cn=admin,dc=example,dc=com because it does not exists. In pragmatic terms, we need to create an administrative account for our DN and our parentDN, the later being our domain name as previously explained.\
tl;dr cn=admin,dc=example,dc=com is only a rootDN and not a admin data entry directory which is what we need to setup Access Control Lists (ACLs) as well as setup password schemas.
Generate a password hash for our admin user
```
root@example:/# slappasswd -s 1234
{SSHA}yxIgYTzcuRRdlesjfWkIN6K97/8jOrZF
```
Create the .ldif file that will create the admin user
```
root@example:/# vim create_admin.ldif
dn: cn=admin,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword: {SSHA}yxIgYTzcuRRdlesjfWkIN6K97/8jOrZF # Replace with the hash of your password
description: LDAP administrator
```
Execute create_admin.ldif
```
root@example:/etc/ldap# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -f /etc/ldap/create_admin.ldif
adding new entry "cn=admin,dc=example,dc=com"
```
Check the attributes of our new administrator user of our domain (parentDN)
```
root@example:/# ldapsearch -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w 1234 -b "cn=admin,dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <cn=admin,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9eXhJZ1lUemN1UlJkbGVzamZXa0lONks5Ny84ak9yWkY=
description: LDAP administrator
...
```
That's all, our administrator user was properly done.
## _Users administrative tasks_
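Review bot: the trailing remark on the userPassword line of create_admin.ldif (`userPassword: {SSHA}yxIgYTzcuRRdlesjfWkIN6K97/8jOrZF # Replace with the hash of your password`) is not a comment in LDIF; only lines that begin with `#` are comments, so everything after the hash, including ` # Replace with the hash of your password`, becomes part of the stored userPassword value and a bind with the intended password fails. The ldapsearch output further down shows the value stored without that text, so the file actually loaded evidently differed from the one shown; move the remark to its own `# ...` line above the attribute or into the prose. Two smaller points in the same hunk: the ldapadd step binds as `cn=admin,dc=example,dc=com` before that entry exists, which only works because that DN is the olcRootDN described above and `-w 1234` matches olcRootPW, and a sentence saying so would spare readers whose rootDN or rootPW differ an "Invalid credentials" surprise. Also, `slappasswd -s 1234` and `-w 1234` put the password on the command line, where it ends up in shell history and process listings; `slappasswd` without `-s` prompts for it, and `ldapadd`/`ldapsearch -W` prompt for the bind password.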