18.15. Setting Access Controls on Directory Manager
Having an unconstrained administrative user makes sense from a maintenance perspective. The Directory Manager requires a high level of access in order to perform maintenance tasks and to respond to incidents.
However, because of the power of the Directory Manager user, a certain level of access control may be advisable to prevent unauthorized access or attacks from being carried out as the root DN (Directory Manager) account.
Regular access control rules are applied to entries in the directory tree. The Directory Manager is not a regular user entry, so no ordinary ACIs can be applied to the Directory Manager user; instead, its access controls are applied through a special plug-in configuration entry.
18.15.1. About Access Controls on the Directory Manager Account
Normal access control rules do not apply to the Directory Manager user. The privileges of the Directory Manager are hard-coded in Directory Server, and the Directory Manager cannot be the subject of a bind rule in an ordinary ACI.
Access controls for Directory Manager are implemented through the RootDN Access Control Plug-in. This plug-in applies to the Directory Server configuration, and therefore can apply some access control rules to the Directory Manager entry.
The plug-in does not define a standard ACL. Some information is already implied, including the target (the Directory Manager entry) and the allowed rights (all of them). The purpose of the RootDN Access Control Plug-in is not to restrict what the Directory Manager can do; the purpose is to provide a level of security by limiting who can log in as Directory Manager (even with valid credentials) based on their location or time.
For this reason, the ACI for the Directory Manager only sets bind rules:
- Time-based access controls for time ranges, such as 8a.m. to 5p.m. (0800 to 1700), and day-of-week access controls, so access is only allowed on explicitly defined days. This is analogous to Section 18.11.2.5, “Defining Access at a Specific Day of the Week” and Section 18.11.2.6, “Defining Access at a Specific Time of Day”.
- IP address rules, where only specified IP addresses, domains, or subnets are explicitly allowed or denied. This is analogous to Section 18.11.2.2, “Defining Access from Specific IP Addresses or Ranges”.
- Host access rules, where only specified host names, domain names, or subdomains are explicitly allowed or denied. This is analogous to Section 18.11.2.3, “Defining Access from a Specific Host or Domain”.
As with other access control rules, deny rules supersede allow rules.
Important
Make sure that the Directory Manager always has the appropriate level of access allowed. The Directory Manager may need to perform maintenance operations in off-hours (when user load is light) or to respond to failures. In that case, setting stringent time or day-based access control rules could prevent the Directory Manager from being able to adequately manage the directory.
18.15.2. Configuring the RootDN Access Control Plug-in
Root DN access control rules are disabled by default. Enable the RootDN Access Control plug-in, and then set the appropriate access control rules.
Note
There is only one access control rule set for the Directory Manager, in the plug-in entry, and it applies to all access to the entire directory.
- Enable the RootDN Access Control plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin root-dn enable
Plugin 'RootDN Access Control' enabled
...
- Set the bind rules for the access control instruction. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin root-dn set --open-time=0600 --close-time=2100 --allow-host="*.example.com" --deny-host="*.remote.example.com"
You can set the following parameters:
  - --open-time and --close-time for time-based access controls.
  - --days-allowed for day-based access controls.
  - --allow-host, --deny-host, --allow-ip, and --deny-ip for host-based access controls.
These are all multi-valued attributes, and you can use wildcards to allow or deny IP ranges or domains.
Important
Deny rules have a higher priority than allow rules. For example, if the --allow-host parameter is set to *.example.com and --deny-host is set to *.front-office.example.com, access as Directory Manager from all hosts in the front-office.example.com subdomain is prevented, even though those hosts also match the allow rule.
- Restart Directory Server:
# dsctl instance_name restart
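Because a misconfigured rule set can lock the Directory Manager out (the Important note above), it is worth checking what a rule set will do to specific bind attempts before restarting the server. The following is an added example, not the plug-in's own code or part of the original documentation: a small Python model of the bind-rule evaluation this section describes (deny rules win over allow rules, wildcard host and IP patterns, open/close time and day-of-week windows), applied to the dsconf example above and to some constructed bind attempts. The day-name convention ("Mon" to "Sun"), CIDR support for IP patterns, and the handling of a window that crosses midnight are this model's assumptions, not behaviour the page documents.

```python
"""Model of the RootDN Access Control bind-rule evaluation.

Added illustration only: it applies the semantics the section gives
(deny beats allow, host/IP wildcards, open/close time, days allowed)
to sample bind attempts. It is not the plug-in's code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class RootDNRules:
    """One rule set, mirroring the 'dsconf plugin root-dn set' parameters."""
    open_time: Optional[str] = None        # "HHMM", e.g. "0600"
    close_time: Optional[str] = None       # "HHMM", e.g. "2100"
    days_allowed: Tuple[str, ...] = ()     # model convention: "Mon" .. "Sun"
    allow_host: Tuple[str, ...] = ()
    deny_host: Tuple[str, ...] = ()
    allow_ip: Tuple[str, ...] = ()
    deny_ip: Tuple[str, ...] = ()


def _host_matches(pattern: str, host: str) -> bool:
    # Host patterns use shell-style wildcards; DNS names are case-insensitive.
    return fnmatchcase(host.lower(), pattern.lower())


def _ip_matches(pattern: str, ip: str) -> bool:
    # "192.0.2.*"-style wildcards follow the text; CIDR is a model extension.
    if "/" in pattern:
        return ip_address(ip) in ip_network(pattern, strict=False)
    return fnmatchcase(ip, pattern)


def _within_hours(rules: RootDNRules, when: datetime) -> bool:
    if rules.open_time is None or rules.close_time is None:
        return True
    now = when.hour * 100 + when.minute
    opened, closed = int(rules.open_time), int(rules.close_time)
    if opened <= closed:
        return opened <= now < closed
    # Window crossing midnight (e.g. 2200 to 0600): model assumption.
    return now >= opened or now < closed


def root_dn_bind_allowed(rules: RootDNRules, host: str, ip: str,
                         when: datetime) -> Tuple[bool, str]:
    """Decide whether a Directory Manager bind passes the rule set.

    Deny rules are evaluated first so they supersede allow rules, as the
    section states. Returns (allowed, reason).
    """
    if any(_host_matches(p, host) for p in rules.deny_host):
        return False, "host matches deny-host"
    if any(_ip_matches(p, ip) for p in rules.deny_ip):
        return False, "ip matches deny-ip"
    if rules.allow_host and not any(_host_matches(p, host) for p in rules.allow_host):
        return False, "host not covered by allow-host"
    if rules.allow_ip and not any(_ip_matches(p, ip) for p in rules.allow_ip):
        return False, "ip not covered by allow-ip"
    if rules.days_allowed and when.strftime("%a") not in rules.days_allowed:
        return False, "day not in days-allowed"
    if not _within_hours(rules, when):
        return False, "outside open-time/close-time window"
    return True, "allowed"


# The rule set from the dsconf example in this section.
EXAMPLE_RULES = RootDNRules(
    open_time="0600",
    close_time="2100",
    allow_host=("*.example.com",),
    deny_host=("*.remote.example.com",),
)

# Constructed bind attempts; host names and addresses are sample values.
BUSINESS_HOURS = datetime(2024, 3, 5, 10, 30)   # a Tuesday
LATE_NIGHT = datetime(2024, 3, 5, 23, 15)       # the off-hours maintenance case


def evaluate_examples(rules: RootDNRules = EXAMPLE_RULES) -> dict:
    return {
        "admin.example.com @ 10:30":
            root_dn_bind_allowed(rules, "admin.example.com", "192.0.2.10", BUSINESS_HOURS),
        "ops.remote.example.com @ 10:30":
            root_dn_bind_allowed(rules, "ops.remote.example.com", "192.0.2.20", BUSINESS_HOURS),
        "laptop.example.net @ 10:30":
            root_dn_bind_allowed(rules, "laptop.example.net", "198.51.100.7", BUSINESS_HOURS),
        "admin.example.com @ 23:15":
            root_dn_bind_allowed(rules, "admin.example.com", "192.0.2.10", LATE_NIGHT),
    }


if __name__ == "__main__":
    for attempt, (ok, why) in evaluate_examples().items():
        print(f"{attempt:34} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The second attempt shows the precedence rule: ops.remote.example.com matches the *.example.com allow pattern but is refused because the deny pattern also matches. The last attempt is the lock-out the Important note warns about: the same administrator host that is accepted at 10:30 is refused at 23:15, so an emergency maintenance window outside 0600 to 2100 would first require editing the rules as a different account.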