4.17. RootDN Access Control Plug-in Attributes

The root DN, cn=Directory Manager, is a special user entry that is defined outside the normal user database. Normal access control rules are not applied to the root DN, but because of the powerful nature of the root user, it can be beneficial to apply some kind of access control rules to the root user.
The RootDN Access Control Plug-in sets normal access controls — host and IP address restrictions, time-of-day restrictions, and day of week restrictions — on the root user.
This plug-in is disabled by default.

4.17.1. rootdn-allow-host

This sets what hosts, by fully-qualified domain name, the root user is allowed to use to access the Directory Server. Any hosts not listed are implicitly denied.
Wild cards are allowed.
This attribute can be used multiple times to specify multiple hosts, domains, or subdomains.
Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid host name or domain, including asterisks (*) for wildcards
Default Value None
Syntax DirectoryString
Example rootdn-allow-host: *.example.com

4.17.2. rootdn-allow-ip

This sets what IP addresses, either IPv4 or IPv6, for machines the root user is allowed to use to access the Directory Server. Any IP addresses not listed are implicitly denied.
Wild cards are allowed.
This attribute can be used multiple times to specify multiple addresses, domains, or subnets.
Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards
Default Value None
Syntax DirectoryString
Example rootdn-allow-ip: 192.168.*.*

4.17.3. rootdn-close-time

This sets the end of the daily time window during which the root user is allowed to access the Directory Server. Once this time is reached, root access is denied until the next rootdn-open-time.
This is used in conjunction with the rootdn-open-time attribute, which sets the start of the window.
Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid time, in a 24-hour format
Default Value None
Syntax Integer
Example rootdn-close-time: 1700

4.17.4. rootdn-days-allowed

This gives a comma-separated list of the days of the week on which the root user is allowed to access the Directory Server. Any days not listed are implicitly denied. This can be combined with rootdn-open-time and rootdn-close-time to restrict access to certain hours on certain days, or it can be used by itself, in which case all hours are allowed on the listed days.
Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Values
  • Sun
  • Mon
  • Tue
  • Wed
  • Thu
  • Fri
  • Sat
Default Value None
Syntax DirectoryString
Example rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri

4.17.5. rootdn-deny-ip

This sets what IP addresses, either IPv4 or IPv6, for machines the root user is not allowed to use to access the Directory Server. Any IP addresses not listed are implicitly allowed.

Note

Deny rules supersede allow rules, so if an IP address matches both the rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.
Wild cards are allowed.
This attribute can be used multiple times to specify multiple addresses, domains, or subnets.
Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards
Default Value None
Syntax DirectoryString
Example rootdn-deny-ip: 192.168.0.0

4.17.6. rootdn-open-time

This sets the start of the daily time window during which the root user is allowed to access the Directory Server. Before this time, root access is denied.
This is used in conjunction with the rootdn-close-time attribute, which sets the end of the window.
Parameter Description
Entry DN cn=RootDN Access Control Plugin,cn=plugins,cn=config
Valid Range Any valid time, in a 24-hour format
Default Value None
Syntax Integer
Example rootdn-open-time: 0800
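The following is an added example, not code from 389 Directory Server or Red Hat Directory Server. It serves two purposes for the attributes documented in this section: it renders the ldapmodify change record that enables the plug-in (via the standard nsslapd-pluginEnabled attribute) and sets every attribute above using the page's own example values, and it models how those values combine when a root DN bind arrives, with the rules the section states (an allow list implicitly denies everything it does not match, rootdn-deny-ip supersedes rootdn-allow-ip, days not listed are denied, and the open/close times bound the allowed hours). The evaluation model is illustrative only; the assumptions it makes that the page does not state are that wildcards match like shell globs, that an unset allow list leaves that dimension unchecked, and that the time window is half-open, so a bind at exactly the close time is denied. The sample policy and test connections are constructed.

```python
"""Illustrative model of the RootDN Access Control Plug-in rules.

Added example, not 389 Directory Server code. Assumptions beyond the
documentation: wildcards match like shell globs (fnmatch), an unset allow
list means that dimension is not checked, and the time window is the
half-open interval [rootdn-open-time, rootdn-close-time).
"""
from fnmatch import fnmatchcase

PLUGIN_DN = "cn=RootDN Access Control Plugin,cn=plugins,cn=config"
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")

# Constructed sample policy built from the example values in this section.
# Times are kept as integers in 24-hour HHMM form, matching the Integer syntax.
POLICY = {
    "rootdn-allow-host": ["*.example.com"],
    "rootdn-allow-ip": ["192.168.*.*"],
    "rootdn-deny-ip": ["192.168.0.0"],
    "rootdn-open-time": 800,
    "rootdn-close-time": 1700,
    "rootdn-days-allowed": ["Mon", "Tue", "Wed", "Thu", "Fri"],
}


def policy_to_ldif(policy: dict) -> str:
    """Render an ldapmodify change record that enables the plug-in and
    replaces each configured attribute. Multi-valued attributes get one
    line per value; rootdn-days-allowed is a single comma-separated value."""
    lines = [f"dn: {PLUGIN_DN}", "changetype: modify",
             "replace: nsslapd-pluginEnabled", "nsslapd-pluginEnabled: on"]
    for attr, value in policy.items():
        lines.append("-")
        lines.append(f"replace: {attr}")
        if attr == "rootdn-days-allowed":
            lines.append(f"{attr}: {', '.join(value)}")
        elif isinstance(value, int):
            lines.append(f"{attr}: {value:04d}")  # zero-padded HHMM, e.g. 0800
        else:
            lines.extend(f"{attr}: {v}" for v in value)
    return "\n".join(lines) + "\n"


def _matches(value: str, patterns: list) -> bool:
    # Assumption: '*' wildcards behave like shell globs (case-sensitive).
    return any(fnmatchcase(value, p) for p in patterns)


def rootdn_access_allowed(policy: dict, host: str, ip: str, day: str, hhmm: int):
    """Return (allowed, reason) for a root DN bind from host/ip on day at hhmm.
    Deny rules are evaluated first so that they supersede allow rules."""
    if day not in DAYS:
        raise ValueError(f"unknown day abbreviation: {day}")
    if _matches(ip, policy.get("rootdn-deny-ip", [])):
        return False, "ip explicitly denied"
    allow_host = policy.get("rootdn-allow-host")
    if allow_host and not _matches(host, allow_host):
        return False, "host not in allow list"
    allow_ip = policy.get("rootdn-allow-ip")
    if allow_ip and not _matches(ip, allow_ip):
        return False, "ip not in allow list"
    days = policy.get("rootdn-days-allowed")
    if days and day not in days:
        return False, "day not allowed"
    open_t = policy.get("rootdn-open-time")
    close_t = policy.get("rootdn-close-time")
    if open_t is not None and close_t is not None and not (open_t <= hhmm < close_t):
        return False, "outside open/close window"
    return True, "allowed"


if __name__ == "__main__":
    print(policy_to_ldif(POLICY))
    # Constructed connections: in-window bind, then the deny-over-allow case.
    print(rootdn_access_allowed(POLICY, "admin.example.com", "192.168.1.10", "Tue", 900))
    print(rootdn_access_allowed(POLICY, "admin.example.com", "192.168.0.0", "Tue", 900))
```

Save the rendered record to a file and apply it with ldapmodify as the Directory Manager (for example, ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f rootdn-acl.ldif), then restart the instance so the plug-in enable change takes effect. Because every allow list implicitly denies whatever it does not match, and the rules apply to the very connection you would use to correct them, walk the intended administrative hosts, addresses, days and hours through the model (or an equivalent dry run) before enabling the plug-in, and keep an out-of-band way to edit the server configuration if the Directory Manager is locked out.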