4.17. RootDN Access Control Plug-in Attributes
The root DN, cn=Directory Manager, is a special user entry that is defined outside the normal user database. Normal access control rules are not applied to the root DN, but because of the powerful nature of the root user, it can be beneficial to apply some kind of access control rules to the root user.
The RootDN Access Control Plug-in sets normal access controls — host and IP address restrictions, time-of-day restrictions, and day of week restrictions — on the root user.
This plug-in is disabled by default.
4.17.1. rootdn-allow-host
This sets the hosts, by fully qualified domain name, from which the root user is allowed to access the Directory Server. Any hosts not listed are implicitly denied.
Wildcards are allowed.
This attribute can be used multiple times to specify multiple hosts, domains, or subdomains.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid host name or domain, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-allow-host: *.example.com |
4.17.2. rootdn-allow-ip
This sets the IP addresses, IPv4 or IPv6, of the machines from which the root user is allowed to access the Directory Server. Any IP addresses not listed are implicitly denied.
Wildcards are allowed.
This attribute can be used multiple times to specify multiple addresses, domains, or subnets.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-allow-ip: 192.168.*.* |
4.17.3. rootdn-close-time
This sets the end of the time period during which the root user is allowed to access the Directory Server; after this time, the root user is no longer allowed to access the Directory Server.
This is used in conjunction with the rootdn-open-time attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid time, in a 24-hour format |
| Default Value | None |
| Syntax | Integer |
| Example | rootdn-close-time: 1700 |
4.17.4. rootdn-days-allowed
This gives a comma-separated list of the days of the week on which the root user is allowed to access the Directory Server. Any days not listed are implicitly denied. This can be used with rootdn-close-time and rootdn-open-time to combine time-based and day-of-week restrictions, or it can be used by itself (with all hours allowed on the allowed days).
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Values | Comma-separated day-of-week abbreviations (Mon, Tue, Wed, Thu, Fri, Sat, Sun) |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri |
4.17.5. rootdn-deny-ip
This sets the IP addresses, IPv4 or IPv6, of the machines from which the root user is not allowed to access the Directory Server. Any IP addresses not listed are implicitly allowed.
Note
Deny rules supersede allow rules, so if an IP address is listed in both the rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.
Wildcards are allowed.
This attribute can be used multiple times to specify multiple addresses, domains, or subnets.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-deny-ip: 192.168.0.0 |
4.17.6. rootdn-open-time
This sets the start of the time period during which the root user is allowed to access the Directory Server, that is, when the time-based access begins.
This is used in conjunction with the rootdn-close-time attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid time, in a 24-hour format |
| Default Value | None |
| Syntax | Integer |
| Example | rootdn-open-time: 0800 |
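To see how the attributes in this section combine, the following added example (not the plug-in's own code) models the documented rules in Python: deny-IP entries override allow-IP entries, unlisted hosts and addresses are denied once an allow list exists, days are matched by abbreviation, and open/close times are HHMM integers. The configuration values, the wildcard matching via shell-style patterns, and the treatment of rootdn-close-time as exclusive are assumptions for illustration.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed configuration using the attribute names documented above;
# the values are illustrative, not taken from a real deployment.
CONFIG = {
    "rootdn-allow-host": ["*.example.com"],
    "rootdn-allow-ip": ["192.168.*.*"],
    "rootdn-deny-ip": ["192.168.0.0"],
    "rootdn-open-time": 800,
    "rootdn-close-time": 1700,
    "rootdn-days-allowed": ["Mon", "Tue", "Wed", "Thu", "Fri"],
}


def _matches_any(value, patterns):
    """Case-insensitive shell-style wildcard match (assumed semantics for '*')."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def root_dn_allowed(config, host, ip, when_iso):
    """Return (allowed, reason) for a root DN bind from host/ip at ISO time when_iso.

    Order follows the documented precedence: deny-ip first, then allow-ip,
    allow-host, days-allowed, and finally the open/close time window.
    """
    when = datetime.fromisoformat(when_iso)
    if _matches_any(ip, config.get("rootdn-deny-ip", [])):
        return False, "ip matches rootdn-deny-ip (deny supersedes allow)"
    allow_ip = config.get("rootdn-allow-ip", [])
    if allow_ip and not _matches_any(ip, allow_ip):
        return False, "ip not listed in rootdn-allow-ip"
    allow_host = config.get("rootdn-allow-host", [])
    if allow_host and not _matches_any(host, allow_host):
        return False, "host not listed in rootdn-allow-host"
    days = config.get("rootdn-days-allowed")
    if days and when.strftime("%a") not in days:
        return False, "day not listed in rootdn-days-allowed"
    open_t, close_t = config.get("rootdn-open-time"), config.get("rootdn-close-time")
    if open_t is not None and close_t is not None:
        hhmm = when.hour * 100 + when.minute  # compare as HHMM integers
        if not (open_t <= hhmm < close_t):  # close time assumed exclusive
            return False, "outside rootdn-open-time/rootdn-close-time window"
    return True, "allowed"


if __name__ == "__main__":
    print(root_dn_allowed(CONFIG, "ldap1.example.com", "192.168.0.0", "2024-01-08T10:00"))
```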