[Fedora-directory-users] Limiting Directory Manager (nsslapd-rootdn) by source host (e.g. 127.0.0.1)?
Rich Megginson
rmeggins at redhat.com
Wed Aug 6 13:29:37 UTC 2008
Aleksander Adamowski wrote:
> Hi!
>
> The Direcroty Manager account (the one whose DN is specified in
> dse.ldif as nsslapd-rootdn) is a dangerously privileged account.
>
> Access control does not apply to this user and compromising its DN and
> password gives full control over the directory server.
>
> Therefore, it would be desirable to limit this user's bind access
> based on some additional criteria, in addition to the knowledge of the
> password.
>
> Limits based on the source host (e.g. localhost) and time of day (e.g.
> only work hours) would be very useful.
>
> Is there a way to limit Directory Manager binds based on those
> criteria in Fedora Directory Server?
No. But please file a bug so we can track this issue.
>
>
> Note that in OpenLDAP this is possible using the following ACL:
>
> access to dn.base="cn=Manager,o=Example"
> by peername.regex=127\.0\.0\.1 auth
> by users none
> by anonymous none
>
> This ACL however requires creating a concrete LDAP entry that
> corresponds to rootdn, setting a userPassword in taht entry, and
> leaving the rootpw in OpenLDAP configuration undefined.
> This way the concrete userPassword is used when binding and is subject
> to that ACL which only allows access from connections that origin from
> 127.0.0.1.
>
> More details in this post on OpenLDAP mailing list:
> http://www.openldap.org/lists/openldap-software/200711/msg00342.html
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20080806/615a6657/attachment.bin>
More information about the 389-users
mailing list