18.17. Setting Access Controls on Directory Manager
18.17.1. About Access Controls on the Directory Manager Account
The Directory Manager account is defined in the dse.ldif file, not in the regular user database, so ACI targets (Section 18.11, “Defining Targets”), which are based on an entry within a subtree, do not include the Directory Manager. Instead, the RootDN Access Control Plug-in restricts when and from where the Directory Manager can bind, using:
- Time-based access controls for time ranges, such as 8 a.m. to 5 p.m. (0800 to 1700), and day-of-week access controls, so access is only allowed on explicitly defined days. This is analogous to Section 18.104.22.168, “Defining Access at a Specific Day of the Week” and Section 22.214.171.124, “Defining Access at a Specific Time of Day”.
- IP address rules, where only specified IP addresses, domains, or subnets are explicitly allowed or denied. This is analogous to Section 126.96.36.199, “Defining Access from Specific IP Addresses or Ranges”.
- Host access rules, where only specified host names, domain names, or subdomains are explicitly allowed or denied. This is analogous to Section 188.8.131.52, “Defining Access from a Specific Host or Domain”.
18.17.2. Configuring the RootDN Access Control Plug-in
- Enable the RootDN Access Control Plug-in by setting the nsslapd-pluginEnabled attribute to on. For example:

    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    dn: cn=RootDN Access Control Plug-in,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
- Set the bind rules for the access control instruction. The plug-in uses these attributes:
  - rootdn-open-time and rootdn-close-time for time-based access controls.
  - rootdn-days-allowed for day-based access controls.
  - rootdn-allow-host, rootdn-deny-host, rootdn-allow-ip, and rootdn-deny-ip for host-based and IP-based access controls.

  These are all multi-valued attributes. Deny rules supersede allow rules. For example, if the rootdn-allow-host attribute is set to *.example.com and the rootdn-deny-host attribute is set to *.front-office.example.com, anything in the front-office.example.com subdomain is prevented from logging in as Directory Manager, even though the larger example.com domain is allowed. Wildcards can be used to allow IP ranges or full domains.

    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    dn: cn=RootDN Access Control Plug-in,cn=plugins,cn=config
    changetype: modify
    add: rootdn-open-time
    rootdn-open-time: 0600
    -
    add: rootdn-close-time
    rootdn-close-time: 2100
    -
    add: rootdn-allow-host
    rootdn-allow-host: *.example.com
    -
    add: rootdn-deny-host
    rootdn-deny-host: *.remote.example.com
- Restart the Directory Server to load the new plug-in configuration.
# systemctl restart dirsrv@instance
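The precedence and matching rules described in this procedure (time window, allowed days, deny-over-allow host matching), modelled in Python as an added example for checking a policy before deploying it; this is not the plug-in's own code, and the three-letter day format and the half-open time window are assumptions:

```python
from fnmatch import fnmatchcase
from datetime import datetime

# Constructed policy mirroring the ldapmodify example above, plus a
# rootdn-days-allowed value (assumed three-letter day abbreviations).
POLICY = {
    "rootdn-open-time": ["0600"],
    "rootdn-close-time": ["2100"],
    "rootdn-days-allowed": ["Mon", "Tue", "Wed", "Thu", "Fri"],
    "rootdn-allow-host": ["*.example.com"],
    "rootdn-deny-host": ["*.remote.example.com"],
}


def _matches(patterns, value):
    """Shell-style wildcard match, e.g. *.example.com against a host name."""
    return any(fnmatchcase(value, p) for p in patterns)


def rootdn_bind_allowed(policy, when_iso, client_host):
    """Decide whether a Directory Manager bind at time `when_iso`
    (ISO 8601 string) from `client_host` passes the rootdn-* rules.
    Returns (allowed, reason). This is a model of the documented rules,
    not the plug-in's code: the window is treated as
    open-time <= HHMM < close-time, which is an assumption."""
    when = datetime.fromisoformat(when_iso)
    hhmm = when.strftime("%H%M")
    open_t = policy.get("rootdn-open-time", ["0000"])[0]
    close_t = policy.get("rootdn-close-time", ["2400"])[0]
    # Zero-padded HHMM strings sort the same way as the clock times.
    if not open_t <= hhmm < close_t:
        return False, f"outside window {open_t}-{close_t}"
    days = policy.get("rootdn-days-allowed", [])
    if days and when.strftime("%a") not in days:
        return False, f"{when.strftime('%a')} not in rootdn-days-allowed"
    # Deny rules supersede allow rules, so the deny list is checked first.
    if _matches(policy.get("rootdn-deny-host", []), client_host):
        return False, "host matches rootdn-deny-host"
    allow = policy.get("rootdn-allow-host", [])
    if allow and not _matches(allow, client_host):
        return False, "host matches no rootdn-allow-host entry"
    return True, "allowed"


if __name__ == "__main__":
    for host in ("ldap1.example.com", "vpn.remote.example.com", "x.attacker.net"):
        print(host, rootdn_bind_allowed(POLICY, "2024-01-08T09:30", host))
```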