[389-users] General LDAP security

Richard Megginson rmeggins at redhat.com
Tue Jun 16 20:03:11 UTC 2009


----- "Chris Phillips" <chris at untrepid.com> wrote:

> http://www.mail-archive.com/fedora-directory-users@redhat.com/msg09428.html
> 
> 
> On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> 
> 
> In briefest summary, we create a separate user who has rights to see but
> not change the commonly needed fields for as much of the DIT as is
> needed for the various servers, e.g., some may need to see the entire
> tree whereas others may only need a small subset. The ACIs are in that
> large post. We then use this user as the binddn in ldap.conf. We never
> use cn=Directory Manager and always remove anonymous browsing. In fact,
> we also change the cn for both Directory Manager and the admin user just
> to further obscure the setup. Hope this helps - John
> 
> John, (and anyone else of course...)
> 
> I read your mail that you referred to...
> http://www.mail-archive.com/fedora-directory-users@redhat.com/msg09428.html
> and don't really see an answer to the question, or more honestly, the
> very similar question I was about to ask before I saw this.
> 
> That was how to have a full administrative user that is not Directory
> Manager. I'm working in a very high profile confidential project and
> to our shame are still using this account for pretty much everything
> of note (despite my protestations from day 1, I assure you!!)
> including the IDM console which is our main tool for managing data in
> it. I've tried to work out the most formal and effective way to make
> my own normal user account able to do whatever Directory Manager can
> do with the console but without luck. I expect it's an awful lot
> simpler than I think it is. In line with doing it "right" there's a
> Directory Administrators (or nearly that) group which I tried adding
> users to but no change was seen, and I'd think there's a difference
> between the access within the main directory and the Admin server
> config in o=NetscapeRoot. Is there an ACI that already exists and
> such?

I would take a look at the ACIs that are created for the uid=admin user, the one created during setup-ds-admin.pl time.  That user is as close as you can get to directory manager.  The only thing we don't have an ACI for is the ability to create the root entry for a top level suffix (e.g. if you create a new suffix dc=example,dc=com, only the directory manager can use LDAP ADD to create that entry, which is what the console does).  You can work around this limitation by doing an import operation - create an ldif file which contains this entry, and do an import/ldif2db/database init with this file, as admin.

> 
> Also looking at your notes, it seems there may be better ways to
> manage a single directory (2 multimasters and 6 replicas) like
> bypassing the initial Admin section and going straight to the
> directory itself?
> 
> Also if I do make my user account able to log in, would I then be
> faced with putting in the entire DN every single time? can I alias it
> etc..? Ideally I'd not want a dedicated account, unless there's some
> real logic in not using the account - something I can imagine...

Authentication is supposed to look up the user id first in o=NetscapeRoot (e.g. the default console admin) and then in your default user & group suffix (e.g. dc=example,dc=com).

> 
> Any pointers, especially those which are simple, elegant and
> non-invasive, would be *very* much appreciated.
> 
> Thanks
> 
> Chris
> 
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

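The two practical pieces of this thread, producing the root entry of a new suffix for import (since only Directory Manager may LDAP-ADD it) and giving a dedicated read-only bind user access to the tree so clients never bind as cn=Directory Manager or anonymously, as an added example. This is not code from the thread or from 389 Directory Server; the service user uid=svc-reader, the backend name newRoot, the attribute list and the per-instance tool path are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or from 389 Directory
# Server itself. Constructed assumptions: service bind user uid=svc-reader,
# backend name newRoot, and the per-instance ldif2db path (varies by version).

# Print the LDIF root entry for a suffix DN. The objectClass is chosen from the
# attribute type of the first RDN, which is where hand-written root entries
# most often go wrong (a dc= suffix needs "domain", an o= suffix needs
# "organization"). Returns 1 for an RDN type this helper does not know.
suffix_root_ldif() {
    suffix="$1"
    rdn="${suffix%%,*}"                                             # dc=example
    attr=$(printf '%s' "${rdn%%=*}" | tr '[:upper:]' '[:lower:]')  # dc
    value="${rdn#*=}"                                               # example
    case "$attr" in
        dc) oc="domain" ;;
        o)  oc="organization" ;;
        ou) oc="organizationalUnit" ;;
        c)  oc="country" ;;
        *)  echo "suffix_root_ldif: unsupported RDN attribute '$attr'" >&2
            return 1 ;;
    esac
    printf 'dn: %s\nobjectClass: top\nobjectClass: %s\n%s: %s\n' \
        "$suffix" "$oc" "$attr" "$value"
}

# Print an LDIF modify that grants a service bind user read/search/compare on
# the listed attributes for the whole subtree under $suffix (an ACI without a
# target applies to the entry it sits on and everything below it), and turns
# anonymous access off server-wide. Keep userPassword out of the list. The
# stock "Enable anonymous access" ACI on the suffix should also be removed so
# the restriction does not rest on the cn=config switch alone.
readonly_bind_aci_ldif() {
    suffix="$1"
    binddn="$2"
    attrs="$3"                  # e.g. "cn || uid || uidNumber || gidNumber"
    cat <<EOF
dn: $suffix
changetype: modify
add: aci
aci: (targetattr="$attrs")(version 3.0; acl "Read-only service bind"; allow (read,search,compare) userdn="ldap:///$binddn";)

dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
EOF
}

# Usage against a real instance (not executed here):
#   suffix_root_ldif dc=example,dc=com > /tmp/root.ldif
#   # Offline import into the backend mapped to the NEW suffix. ldif2db replaces
#   # that backend's entire contents, so never point it at an existing userRoot.
#   /usr/lib/dirsrv/slapd-<instance>/ldif2db -n newRoot -i /tmp/root.ldif
#   readonly_bind_aci_ldif dc=example,dc=com \
#       uid=svc-reader,ou=Services,dc=example,dc=com "cn || uid || mail" \
#     | ldapmodify -x -H ldap://localhost -D "<dn allowed to edit aci and cn=config>" -W

# Demo when run directly: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    suffix_root_ldif dc=example,dc=com
    readonly_bind_aci_ldif dc=example,dc=com \
        uid=svc-reader,ou=Services,dc=example,dc=com "cn || uid || mail"
fi
```

After the ACI is in place, verify it from the client side by binding as the service user and searching for an attribute outside the granted list (it should come back empty) and as an anonymous bind (it should be refused); the uid=admin ACIs mentioned in the reply are the template to compare against for anything the service user still turns out to need.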