Aleksander Adamowski wrote:
> Hi!
>
> The Directory Manager account (the one whose DN is specified in
> dse.ldif as nsslapd-rootdn) is a dangerously privileged account.
>
> Access control does not apply to this user and compromising its DN and
> password gives full control over the directory server.
>
> Therefore, it would be desirable to limit this user's bind access
> based on some additional criteria, in addition to the knowledge of the
> password.
>
> Limits based on the source host (e.g. localhost) and time of day (e.g.
> only work hours) would be very useful.
>
> Is there a way to limit Directory Manager binds based on those
> criteria in Fedora Directory Server?

No. But please file a bug so we can track this issue.

> Note that in OpenLDAP this is possible using the following ACL:
>
> access to dn.base="cn=Manager,o=Example"
>         by peername.regex=127\.0\.0\.1 auth
>         by users none
>         by anonymous none
>
> This ACL however requires creating a concrete LDAP entry that
> corresponds to rootdn, setting a userPassword in that entry, and
> leaving the rootpw in OpenLDAP configuration undefined.
> This way the concrete userPassword is used when binding and is subject
> to that ACL, which only allows access from connections that originate
> from 127.0.0.1.
>
> More details in this post on the OpenLDAP mailing list:
> http://www.openldap.org/lists/openldap-software/200711/msg00342.html
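Since the reply above says Fedora Directory Server cannot enforce source-host or time-of-day limits on Directory Manager binds, the compensating control is to detect them. The following script is an added example written for this page, not code from the thread or from the 389/Fedora DS project. It correlates the "connection from" line with the BIND line for the same conn id in a 389 DS style access log, and flags any rootdn bind that did not come from an allowed host or that happened outside work hours. The log lines, the allowed-host set, the 08:00-17:59 window and the rootdn value are all constructed assumptions for the example; adjust them to the server's own dse.ldif and log format.

```python
import re
from datetime import datetime

# Constructed sample of 389 DS style access-log lines (assumed format; not taken from the thread).
SAMPLE_LOG = """\
[06/Aug/2008:09:15:02 +0200] conn=11 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[06/Aug/2008:09:15:02 +0200] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[06/Aug/2008:09:15:02 +0200] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Aug/2008:23:40:11 +0200] conn=12 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.1
[06/Aug/2008:23:40:11 +0200] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[06/Aug/2008:23:40:12 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Aug/2008:10:02:30 +0200] conn=13 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[06/Aug/2008:13/Aug:10:02:30 +0200] ignored malformed line for robustness testing
[06/Aug/2008:10:02:30 +0200] conn=13 op=0 BIND dn="uid=alice,ou=People,o=Example" method=128 version=3
[06/Aug/2008:10:02:31 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# Assumed policy: rootdn binds are expected only from localhost during 08:00-17:59 (log-stamp local time).
ROOTDN = "cn=Directory Manager"
ALLOWED_HOSTS = {"127.0.0.1"}
WORK_HOURS = range(8, 18)

# "connection from" lines carry the client address; BIND lines carry only the conn id.
CONN_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>\S+) to '
)
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"'
)


def parse_ts(ts):
    """Parse a 389 DS style timestamp such as 06/Aug/2008:09:15:02 +0200."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def audit_rootdn_binds(log_text, rootdn=ROOTDN, allowed_hosts=ALLOWED_HOSTS, work_hours=WORK_HOURS):
    """Return a list of findings, one per rootdn bind that violates the host or time policy."""
    src_by_conn = {}   # conn id -> client address seen on its "connection from" line
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            src_by_conn[m.group("conn")] = m.group("src")
            continue
        m = BIND_RE.match(line)
        if not m:
            continue
        # DNs are case-insensitive; some log versions normalise the DN to lower case.
        if m.group("dn").lower() != rootdn.lower():
            continue
        src = src_by_conn.get(m.group("conn"), "unknown")
        when = parse_ts(m.group("ts"))
        reasons = []
        if src not in allowed_hosts:
            reasons.append(f"source {src} not in allowed hosts")
        if when.hour not in work_hours:
            reasons.append(f"bind at {when:%H:%M} outside work hours")
        if reasons:
            findings.append({
                "conn": m.group("conn"),
                "src": src,
                "time": when.isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rootdn_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} src={f['src']} time={f['time']}: " + "; ".join(f["reasons"]))
```

Run against the sample, only conn 12 is reported (off-hours bind from 10.0.0.5); the localhost bind during the day and the ordinary user bind pass. A bind whose "connection from" line is missing (log rotation, truncated file) is reported with source "unknown", which deliberately counts as a policy miss rather than being silently accepted.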