13.11. Setting Access Controls on Directory Manager
13.11.1. About Access Controls on the Directory Manager Account
dse.ldif file, not in the regular user database, and so ACI targets (Section 13.3.2, “Defining Targets”) which are based on an entry within a subtree do not include the Directory Manager.
- Time-based access controls for time ranges, such as 8 a.m. to 5 p.m. (0800 to 1700), and day-of-week access controls, so access is only allowed on explicitly defined days. This is analogous to Section 13.4.9, “Defining Access at a Specific Time of Day or Day of Week”.
- IP address rules, where only specified IP addresses, domains, or subnets are explicitly allowed or denied. This is analogous to Section 13.4.6, “Defining Access from a Specific IP Address”.
- Host access rules, where only specified host names, domain names, or subdomains are explicitly allowed or denied. This is analogous to Section 13.4.7, “Defining Access from a Specific Domain”.
13.11.2. Configuring the RootDN Access Control Plug-in
- Enable the RootDN Access Control Plug-in by setting the nsslapd-pluginEnabled attribute to on. For example:
  ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
  dn: cn=RootDN Access Control Plug-in,cn=plugins,cn=config
  changetype: modify
  replace: nsslapd-pluginEnabled
  nsslapd-pluginEnabled: on
- Set the bind rules for the access control instruction.
  - rootdn-open-time and rootdn-close-time for time-based access controls.
  - rootdn-days-allowed for day-based access controls.
  - rootdn-allow-ip, rootdn-deny-ip, rootdn-allow-host, and rootdn-deny-host for IP- and host-based access controls.
  These are all multi-valued attributes. Deny rules supersede allow rules. For example, if the rootdn-allow-host attribute is set to *.example.com and the rootdn-deny-host attribute is set to *.front-office.example.com, anything in the front-office.example.com subdomain is prevented from logging in as Directory Manager, even though the larger example.com domain is allowed. Wildcards can be used to allow IP ranges or full domains.
  ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
  dn: cn=RootDN Access Control Plug-in,cn=plugins,cn=config
  changetype: modify
  add: rootdn-open-time
  rootdn-open-time: 0600
  -
  add: rootdn-close-time
  rootdn-close-time: 2100
  -
  add: rootdn-allow-host
  rootdn-allow-host: *.example.com
  -
  add: rootdn-deny-host
  rootdn-deny-host: *.remote.example.com
- Restart the Directory Server to load the new plug-in configuration.
  service dirsrv restart instance_name
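To see how the bind rules from the procedure above combine (deny beating allow, then the day and time window), the following added example models the evaluation in Python; it is not Directory Server's own plug-in code. It assumes rootdn-days-allowed holds comma-separated three-letter day names, treats the open/close window as half-open, and matches hostnames with shell-style wildcards; the sample rule values are the ones from the ldapmodify example plus a constructed day rule.

```python
from datetime import datetime
from fnmatch import fnmatch

def parse_rules(ldif_text):
    """Collect the multi-valued rootdn-* attributes from 'attr: value' lines."""
    rules = {}
    for line in ldif_text.splitlines():
        if line.lower().startswith("rootdn-") and ":" in line:
            attr, value = (p.strip() for p in line.split(":", 1))
            rules.setdefault(attr.lower(), []).append(value)
    return rules

def bind_allowed(rules, host, when):
    """Return (allowed, reason) for a Directory Manager bind from host at time when."""
    # Deny rules supersede allow rules, so a deny match ends the evaluation.
    for pattern in rules.get("rootdn-deny-host", []):
        if fnmatch(host.lower(), pattern.lower()):
            return False, f"{host} matches deny rule {pattern}"
    allow = rules.get("rootdn-allow-host", [])
    if allow and not any(fnmatch(host.lower(), p.lower()) for p in allow):
        return False, f"{host} matches no allow rule"
    # Assumed value format: comma-separated day names such as "Mon, Tue, Wed".
    days = {d.strip().lower()[:3] for v in rules.get("rootdn-days-allowed", [])
            for d in v.split(",")}
    if days and when.strftime("%a").lower() not in days:
        return False, f"{when:%A} is not in rootdn-days-allowed"
    open_t = rules.get("rootdn-open-time", [None])[0]
    close_t = rules.get("rootdn-close-time", [None])[0]
    if open_t and close_t:
        hhmm = int(when.strftime("%H%M"))
        if not int(open_t) <= hhmm < int(close_t):  # half-open window (assumption)
            return False, f"{hhmm:04d} is outside {open_t}-{close_t}"
    return True, "bind permitted"

# Constructed sample: the values from the ldapmodify example above plus a day rule.
SAMPLE_RULES = parse_rules("""\
rootdn-open-time: 0600
rootdn-close-time: 2100
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.example.com
rootdn-deny-host: *.remote.example.com
""")

if __name__ == "__main__":
    checks = [("admin.example.com", datetime(2024, 1, 10, 9, 0)),        # Wed, permitted
              ("vpn1.remote.example.com", datetime(2024, 1, 10, 9, 0)),  # deny wins
              ("admin.example.com", datetime(2024, 1, 13, 9, 0)),        # Saturday
              ("admin.example.com", datetime(2024, 1, 10, 23, 0))]       # after close
    for host, when in checks:
        print(f"{host:26} {when:%a %H%M}", *bind_allowed(SAMPLE_RULES, host, when))
```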