18.15. Setting Access Controls on Directory Manager

Having an unconstrained administrative user makes sense from a maintenance perspective. The Directory Manager requires a high level of access in order to perform maintenance tasks and to respond to incidents.
However, because of the power of the Directory Manager user, a certain level of access control may be advisable to prevent unauthorized access or attacks from being performed as the root user.
Regular access control rules are applied to the directory tree, but the Directory Manager is not a regular user entry, so no (regular) ACIs can be applied to the Directory Manager user. Instead, ACIs are applied through a special plug-in configuration entry.

18.15.1. About Access Controls on the Directory Manager Account

Normal access control rules do not apply to the Directory Manager user. The privileges of the Directory Manager user are hard-coded in Directory Server and cannot be used in a bind rule.
Access controls for Directory Manager are implemented through the RootDN Access Control Plug-in. This plug-in applies to the Directory Server configuration, and therefore can apply some access control rules to the Directory Manager entry.
The plug-in does not define a standard ACL. Some information is already implied, including the target (the Directory Manager entry) and the allowed rights (all of them). The purpose of the RootDN Access Control Plug-in is not to restrict what the Directory Manager can do; the purpose is to provide a level of security by limiting who can log in as Directory Manager (even with valid credentials) based on their location or time.
For this reason, the ACI for the Directory Manager only sets bind rules.
As with other access control rules, deny rules supersede allow rules.

Important

Make sure that the Directory Manager always has the appropriate level of access allowed. The Directory Manager may need to perform maintenance operations in off-hours (when user load is light) or to respond to failures. In that case, setting stringent time or day-based access control rules could prevent the Directory Manager from being able to adequately manage the directory.

18.15.2. Configuring the RootDN Access Control Plug-in

Root DN access control rules are disabled by default. Enable the RootDN Access Control plug-in, and then set the appropriate access control rules.

Note

There is only one access control rule set for the Directory Manager, in the plug-in entry, and it applies to all access to the entire directory.
  1. Enable the RootDN Access Control plug-in:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin root-dn enable
    Plugin 'RootDN Access Control' enabled
    ...
    
  2. Set the bind rules for the access control instruction. For example:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin root-dn set --open-time=0600 --close-time=2100 --allow-host="*.example.com" --deny-host="*.remote.example.com"
    You can set the following parameters:
    • --open-time and --close-time for time-based access controls.
    • --days-allowed for day-based access controls.
    • --allow-host, --deny-host, --allow-ip, and --deny-ip for host-based access controls. These are all multi-valued attributes and you can use wild cards to allow or deny IP ranges or domains.

      Important

      Deny rules have a higher priority than allow rules. For example, if the --allow-host parameter is set to *.example.com, and --deny-host is set to *.front-office.example.com, access from all hosts in the front-office.example.com subdomain as Directory Manager is prevented.
  3. Restart Directory Server:
    # dsctl instance_name restart
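The following is an added illustration, not code from Directory Server or the RootDN Access Control plug-in: a small model of how the bind rules set in step 2 combine, so that the effect of a rule set can be checked before it is applied to a live instance. It assumes the evaluation order described in this section (deny rules first, then allow rules, then day and time), that matching either an allow-host or an allow-ip entry is sufficient when allow lists are configured, and that the open/close window is compared in the same HHMM form as the options; CIDR support in the IP matcher is an addition of this example. The hosts, addresses and times are constructed.

```python
"""Model of RootDN Access Control bind-rule evaluation (added example, not
Directory Server code; evaluation order and allow/deny semantics are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class RootDNRules:
    """Mirrors the options of 'dsconf ... plugin root-dn set'."""
    open_time: Optional[str] = None                        # --open-time, "HHMM"
    close_time: Optional[str] = None                       # --close-time, "HHMM"
    days_allowed: Set[str] = field(default_factory=set)    # --days-allowed, e.g. {"Mon"}; empty = any day
    allow_host: List[str] = field(default_factory=list)    # --allow-host, wildcard patterns
    deny_host: List[str] = field(default_factory=list)     # --deny-host
    allow_ip: List[str] = field(default_factory=list)      # --allow-ip, wildcard (CIDR is an assumption)
    deny_ip: List[str] = field(default_factory=list)       # --deny-ip


def host_matches(patterns: List[str], host: str) -> bool:
    """Case-insensitive glob match, so '*.example.com' covers every subdomain."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)


def ip_matches(patterns: List[str], ip: str) -> bool:
    """Wildcard match on the dotted form ('192.0.2.*') or CIDR containment ('192.0.2.0/24')."""
    for p in patterns:
        if "/" in p:
            if ip_address(ip) in ip_network(p, strict=False):
                return True
        elif fnmatchcase(ip, p):
            return True
    return False


def evaluate_bind(rules: RootDNRules, host: str, ip: str, when: datetime) -> Tuple[bool, str]:
    """Decide whether a Directory Manager bind from (host, ip) at `when` passes the rules.
    Deny rules are checked first, so a deny match wins even when an allow rule also matches."""
    if host_matches(rules.deny_host, host):
        return False, "host matches a deny-host rule"
    if ip_matches(rules.deny_ip, ip):
        return False, "IP matches a deny-ip rule"
    # With any allow list configured, the client must match at least one entry.
    if (rules.allow_host or rules.allow_ip) and not (
        host_matches(rules.allow_host, host) or ip_matches(rules.allow_ip, ip)
    ):
        return False, "client matches no allow-host/allow-ip rule"
    if rules.days_allowed and when.strftime("%a") not in rules.days_allowed:
        return False, "bind on a day outside days-allowed"
    if rules.open_time and rules.close_time:
        hhmm = when.hour * 100 + when.minute  # same HHMM form as the options
        if not int(rules.open_time) <= hhmm < int(rules.close_time):
            return False, "bind outside the open-time/close-time window"
    return True, "allowed"


# Constructed rule set: the dsconf example from step 2 plus weekday-only access.
EXAMPLE_RULES = RootDNRules(
    open_time="0600", close_time="2100",
    days_allowed={"Mon", "Tue", "Wed", "Thu", "Fri"},
    allow_host=["*.example.com"],
    deny_host=["*.remote.example.com"],
)


def check_example_binds() -> List[Tuple[str, bool, str]]:
    """Runs constructed bind attempts (hosts and addresses are not real) against
    EXAMPLE_RULES and returns (label, allowed, reason) for each."""
    attempts = [
        ("weekday in hours", "ldap1.example.com", "192.0.2.10", datetime(2024, 3, 4, 10, 0)),
        ("allow and deny both match", "vpn.remote.example.com", "192.0.2.20", datetime(2024, 3, 4, 10, 0)),
        ("after close-time", "ldap1.example.com", "192.0.2.10", datetime(2024, 3, 4, 22, 30)),
        ("Saturday", "ldap1.example.com", "192.0.2.10", datetime(2024, 3, 9, 10, 0)),
        ("host outside allow list", "outside.example.net", "198.51.100.5", datetime(2024, 3, 4, 10, 0)),
    ]
    return [(label, *evaluate_bind(EXAMPLE_RULES, host, ip, when))
            for label, host, ip, when in attempts]


if __name__ == "__main__":
    for label, ok, why in check_example_binds():
        print(f"{label:28} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The second attempt is the case the Important note above warns about: the host matches `*.example.com`, but because it also matches the deny pattern the bind is refused. The third and fourth attempts show why tight time and day windows need care, since a legitimate off-hours maintenance bind is refused in exactly the same way.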