18.14. Setting Access Controls on Directory Manager
18.14.1. About Access Controls on the Directory Manager Account
- Time-based access controls for time ranges, such as 8 a.m. to 5 p.m. (0800 to 1700), and day-of-week access controls, so access is only allowed on explicitly defined days. This is analogous to Section 220.127.116.11, “Defining Access at a Specific Day of the Week” and Section 18.104.22.168, “Defining Access at a Specific Time of Day”.
- IP address rules, where only specified IP addresses, domains, or subnets are explicitly allowed or denied. This is analogous to Section 22.214.171.124, “Defining Access from Specific IP Addresses or Ranges”.
- Host access rules, where only specified host names, domain names, or subdomains are explicitly allowed or denied. This is analogous to Section 126.96.36.199, “Defining Access from a Specific Host or Domain”.
18.14.2. Configuring the RootDN Access Control Plug-in
To restrict the Directory Manager account, enable the RootDN Access Control plug-in, and then set the appropriate access control rules.
- Enable the RootDN Access Control plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin root-dn enable
Plugin 'RootDN Access Control' enabled
...
- Set the bind rules for the access control instruction. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin root-dn set --open-time=0600 --close-time=2100 --allow-host="*.example.com" --deny-host="*.remote.example.com"
You can set the following parameters:
--open-time and --close-time for time-based access controls.
--days-allowed for day-based access controls.
--allow-host, --deny-host, --allow-ip, and --deny-ip for host-based access controls. These are all multi-valued attributes and you can use wildcards to allow or deny IP ranges or domains.
Important: Deny rules have a higher priority than allow rules. For example, if the --allow-host parameter is set to *.example.com and --deny-host is set to *.front-office.example.com, access from all hosts in the front-office.example.com subdomain as Directory Manager is prevented.
- Restart Directory Server:
# dsctl instance_name restart
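The following is an added example, not part of this documentation or of the Directory Server code base: a small Python model of the rule semantics described above (deny rules beat allow rules, wildcard host/IP patterns, a daily open/close window in HHMM form and an allowed-days list), which lets you check what a planned set of dsconf options would permit before applying it. The assumptions are that a missing allow list permits every host or IP, that the window is inclusive of the open time and exclusive of the close time, and that days are matched on their three-letter abbreviation.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class RootDnRules:
    # Mirrors the dsconf "plugin root-dn set" options on this page (assumed semantics).
    open_time: Optional[str] = None          # "HHMM", e.g. "0600"
    close_time: Optional[str] = None         # "HHMM", e.g. "2100"
    days_allowed: List[str] = field(default_factory=list)   # e.g. ["Mon", "Tue"]
    allow_host: List[str] = field(default_factory=list)
    deny_host: List[str] = field(default_factory=list)
    allow_ip: List[str] = field(default_factory=list)
    deny_ip: List[str] = field(default_factory=list)


def _matches(value: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match against any pattern in the list."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def root_dn_bind_allowed(rules: RootDnRules, host: str, ip: str, day: str, hhmm: str) -> bool:
    """Return True if a Directory Manager bind from host/ip at day/hhmm passes the rules."""
    # Deny rules have priority: a single deny match rejects the bind outright.
    if _matches(host, rules.deny_host) or _matches(ip, rules.deny_ip):
        return False
    # Allow lists, when configured, must match (assumption: empty list = no restriction).
    if rules.allow_host and not _matches(host, rules.allow_host):
        return False
    if rules.allow_ip and not _matches(ip, rules.allow_ip):
        return False
    # Day-of-week restriction on three-letter abbreviations (assumption).
    if rules.days_allowed:
        if day[:3].lower() not in {d[:3].lower() for d in rules.days_allowed}:
            return False
    # Time window: open_time <= now < close_time, both as HHMM integers (assumption).
    if rules.open_time and rules.close_time:
        if not int(rules.open_time) <= int(hhmm) < int(rules.close_time):
            return False
    return True


# Constructed sample matching the dsconf example on this page.
PAGE_RULES = RootDnRules(open_time="0600", close_time="2100",
                         allow_host=["*.example.com"], deny_host=["*.remote.example.com"])
# Constructed sample for the "Important" note: deny wins inside an allowed domain.
FRONT_OFFICE_RULES = RootDnRules(allow_host=["*.example.com"],
                                 deny_host=["*.front-office.example.com"], days_allowed=["Mon", "Tue"])
```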