I think you just remove the nsslapd-rootpw attribute in cn=config -
that will disallow BINDs as the directory manager. I suppose you
could save the value somewhere so you can enable it as needed.
In addition to what Rich has said here and previously:
It sounds like you are planning to actually use the cn=Directory
Manager account for normal administrative operations; this is not
advisable for the same reasons you would only su to root when you
absolutely have to. Creating admin accounts with various levels of
permission designed for the tasks they need to perform is a much better
solution, and then you *can* perform actions like disabling the admin
accounts and applying additional access control, resource limits, and
all the other good things an admin can do to a user. Whereas
cn=Directory Manager, like root, is a no holds barred, no access control
applied kind of guy, and should be allowed out only on the rarest of
occasions.
A G wrote:
> OK. How can I disable the "cn=Directory Administrator" account?
> Will I be able to enable it easily, so that in normal operation it is
> disabled for security purposes?
>
>
> On 1/25/06, fedora-directory-users-request@redhat.com wrote:
>
> Send Fedora-directory-users mailing list submissions to
> fedora-directory-users@redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> or, via email, send a message with subject or body 'help' to
> fedora-directory-users-request@redhat.com
>
> You can reach the person managing the list at
> fedora-directory-users-owner@redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Fedora-directory-users digest..."
>
> Today's Topics:
>
> 1. How to enable "cn=Directory Administrator" to login from only
> specified hosts (Gökhan Afacan)
> 2. How to lock/unlock "cn=Directory Administrator" user account?
> (Gökhan Afacan)
> 3. Re: How to enable "cn=Directory Administrator" to login from
> only specified hosts (Richard Megginson)
> 4. Re: How to lock/unlock "cn=Directory Administrator" user
> account? (Richard Megginson)
> 5. How to enable "cn=Directory Administrator" to login from only
> specified hosts (A G)
> 6. How to lock/unlock "cn=Directory Administrator" user account?
> (A G)
>
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Jan 2006 17:44:31 +0200
> From: Gökhan Afacan <gokhan.afacan@gmail.com>
> Subject: [Fedora-directory-users] How to enable "cn=Directory
> Administrator" to login from only specified hosts
> To: fedora-directory-users@redhat.com
> Message-ID: <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?
> I mean that the cn=Directory Administrator user can only log on from
> 10.1.3.110.
> How can I do that?
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Jan 2006 17:46:03 +0200
> From: Gökhan Afacan <gokhan.afacan@gmail.com>
> Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory
> Administrator" user account?
> To: fedora-directory-users@redhat.com
> Message-ID: <2393d5a10601250746hfae7d11t8526098605735d8d@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> How can I lock and unlock the user cn=Directory Administrator user
> account?
>
>
> On 1/25/06, Gökhan Afacan <gokhan.afacan@gmail.com> wrote:
> > Hello,
> > How can I enable "cn=Directory Administrator" to login from only
> > specified hosts?
> > I mean that the cn=Directory Administrator user can only log on from
> > 10.1.3.110.
> > How can I do that?
> >
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 25 Jan 2006 09:13:30 -0700
> From: Richard Megginson <rmeggins@redhat.com>
> Subject: Re: [Fedora-directory-users] How to enable "cn=Directory
> Administrator" to login from only specified hosts
> To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users@redhat.com>
> Message-ID: <43D7A3AA.2000208@redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gökhan Afacan wrote:
>
> >Hello,
> >How can I enable "cn=Directory Administrator" to login from only
> >specified hosts?
> >
> >
> I don't think that is possible.
>
> >I mean that the cn=Directory Administrator user can only log on from
> >10.1.3.110.
> >How can I do that?
> >
> >
> I don't think you can do that. If you are worried about Directory
> Manager access, you can create another account (like the console admin
> account) that has administrator privileges, then you can set up ACIs for
> that user, then you can disable the directory manager account.
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 25 Jan 2006 09:14:11 -0700
> From: Richard Megginson <rmeggins@redhat.com>
> Subject: Re: [Fedora-directory-users] How to lock/unlock "cn=Directory
> Administrator" user account?
> To: "General discussion list for the Fedora Directory server
> project." <fedora-directory-users@redhat.com>
> Message-ID: <43D7A3D3.2050004@redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gökhan Afacan wrote:
>
> >How can I lock and unlock the user cn=Directory Administrator
> user account?
> >
> >
> You cannot do that. You can disable the directory manager account, but
> you cannot lock and unlock it as if it were a "normal" user account.
>
> >
> >On 1/25/06, Gökhan Afacan <gokhan.afacan@gmail.com> wrote:
> >
> >
> >>Hello,
> >>How can I enable "cn=Directory Administrator" to login from only
> >>specified hosts?
> >>I mean that the cn=Directory Administrator user can only log on from
> >>10.1.3.110.
> >>How can I do that?
> >>
> >>
> >>
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 25 Jan 2006 18:25:51 +0200
> From: A G <cino11@gmail.com>
> Subject: [Fedora-directory-users] How to enable "cn=Directory
> Administrator" to login from only specified hosts
> To: fedora-directory-users@redhat.com
> Message-ID: <408162380601250825y4e966611p@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?
> I mean that the cn=Directory Administrator user can only log on from
> 10.1.3.110.
> How can I do that?
>
> ------------------------------
>
> Message: 6
> Date: Wed, 25 Jan 2006 18:26:20 +0200
> From: A G <cino11@gmail.com>
> Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory
> Administrator" user account?
> To: fedora-directory-users@redhat.com
> Message-ID: <408162380601250826r5dca4666q@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> How can I lock and unlock the user cn=Directory Administrator user
> account?
>
> ------------------------------
>
> End of Fedora-directory-users Digest, Vol 8, Issue 40
> *****************************************************
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
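The steps Rich and the second reply describe (create a scoped admin entry, give it ACIs, then take away the Directory Manager password), written out as LDIF. This is an added example and not code from the thread or from the Fedora Directory Server project; the suffix dc=example,dc=com, the entry uid=dsadmin,ou=People,dc=example,dc=com and the password placeholders are assumptions, and 10.1.3.110 is the management host from the original question. It goes one step beyond the thread by using the ACI ip= bind rule so the admin account's rights only apply from that host; note that ACIs are checked per operation rather than at bind time, so this restricts what the account can do from elsewhere rather than refusing the bind itself.

```ldif
# Added example, not from the thread. Assumed names: suffix dc=example,dc=com,
# admin entry uid=dsadmin,ou=People,dc=example,dc=com, management host
# 10.1.3.110 (from the original question). Apply each change with ldapmodify,
# binding interactively so the root password never appears on a command line:
#   ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f admin.ldif
# Continuation lines below begin with two spaces: LDIF strips the first one,
# the second keeps the ACI tokens separated after unfolding.

# 1. Create a scoped administrator entry. Generate the hash out of band
#    (for example: pwdhash -s SSHA 'secret') and paste it; never store cleartext.
dn: uid=dsadmin,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: dsadmin
cn: Directory Admin
sn: Admin
userPassword: {SSHA}REPLACE_WITH_HASH_FROM_pwdhash

# 2. Grant that entry only the rights it needs, and only from the management
#    host. ACIs are evaluated per operation, not at bind time: dsadmin can still
#    bind from another address, but every read or write from there is denied.
#    Rights over cn=config are not covered by this ACI; add a separate aci on
#    cn=config only for the operations dsadmin really needs there.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "dsadmin admin rights from mgmt host";
  allow (read,search,compare,write,add,delete)
  userdn="ldap:///uid=dsadmin,ou=People,dc=example,dc=com" and ip="10.1.3.110";)

# Before step 3, confirm the new account works from 10.1.3.110:
#   ldapwhoami -x -H ldap://server -D uid=dsadmin,ou=People,dc=example,dc=com -W
# and record the current root password hash so it can be restored later:
#   ldapsearch -x -D "cn=Directory Manager" -W -b cn=config -s base nsslapd-rootpw

# 3. Rich's suggestion: remove the root password so cn=Directory Manager
#    can no longer bind. Afterwards a bind as the root DN should fail with
#    invalid credentials (err=49) in ldapwhoami and in the access log.
#    Recovery path if you lock yourself out: stop the server and put the
#    saved nsslapd-rootpw line back into dse.ldif by hand.
dn: cn=config
changetype: modify
delete: nsslapd-rootpw

# To re-enable, restore the saved hash (the cleartext is never needed):
# dn: cn=config
# changetype: modify
# replace: nsslapd-rootpw
# nsslapd-rootpw: {SSHA}saved-value-from-the-ldapsearch-above

# 4. Unlike the root DN, an ordinary entry can be locked and unlocked.
#    Current 389-DS accepts nsAccountLock set directly on the entry; older
#    Fedora DS releases do the same through the bundled ns-inactivate.pl and
#    ns-activate.pl scripts. To unlock, delete the nsAccountLock attribute.
dn: uid=dsadmin,ou=People,dc=example,dc=com
changetype: modify
replace: nsAccountLock
nsAccountLock: true
```

Apply the steps in order and keep step 3 for last: once nsslapd-rootpw is gone, every administrative action has to fit within the ACIs you granted, so test dsadmin against each task you expect to perform (including anything under cn=config) while Directory Manager can still bind.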