Re: Re: Fedora-directory-users Digest, Vol 8, Issue 40


 



Richard Megginson wrote:

I think you just remove the nsslapd-rootpw attribute in cn=config - that will disallow BINDs as the directory manager. I suppose you could save the value somewhere so you can enable it as needed.

In addition to what Rich has said here and previously:

It sounds like you are planning to actually use the cn=Directory Manager account for normal administrative operations. This is not advisable, for the same reasons you would only su to root when you absolutely have to. Creating admin accounts with various levels of permission designed for the tasks they need to perform is a much better solution, and then you *can* perform actions like disabling the admin accounts and applying additional access control, resource limits, and all the other good things an admin can do to a user. Whereas cn=Directory Manager, like root, is a no-holds-barred, no-access-control-applied kind of guy, and should be allowed out only on the rarest of occasions.

A G wrote:

OK. How can I disable the "cn=Directory Administrator" account?
Will I be able to enable it easily, so that in normal operation it is disabled for security purposes?


On 1/25/06, fedora-directory-users-request@xxxxxxxxxx wrote:

    Today's Topics:

       1. How to enable "cn=Directory Administrator" to login from only
          specified hosts (Gökhan Afacan)
       2. How to lock/unlock "cn=Directory Administrator" user account?
          (Gökhan Afacan)
       3. Re: How to enable "cn=Directory Administrator" to login from
          only specified hosts (Richard Megginson)
       4. Re: How to lock/unlock "cn=Directory Administrator" user
          account? (Richard Megginson)
       5. How to enable "cn=Directory Administrator" to login from only
          specified hosts (A G)
       6. How to lock/unlock "cn=Directory Administrator" user account?
          (A G)

----------------------------------------------------------------------

    Message: 1
    Date: Wed, 25 Jan 2006 17:44:31 +0200
    From: Gökhan Afacan <gokhan.afacan@xxxxxxxxx>
    Subject: How to enable "cn=Directory Administrator" to login from
            only specified hosts
    To: fedora-directory-users@xxxxxxxxxx
    Message-ID: <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc@xxxxxxxxxxxxxx>
    Content-Type: text/plain; charset=ISO-8859-1

    Hello,
    How can I enable "cn=Directory Administrator" to login from only
    specified hosts?
    I mean that cn=Directory Administrator user can only log on
    from 10.1.3.110.
    How can I do that?



    ------------------------------

    Message: 2
    Date: Wed, 25 Jan 2006 17:46:03 +0200
    From: Gökhan Afacan <gokhan.afacan@xxxxxxxxx>
    Subject: How to lock/unlock "cn=Directory Administrator" user account?
    To: fedora-directory-users@xxxxxxxxxx
    Message-ID: <2393d5a10601250746hfae7d11t8526098605735d8d@xxxxxxxxxxxxxx>
    Content-Type: text/plain; charset=ISO-8859-1

    How can I lock and unlock the user cn=Directory Administrator user
    account?


    On 1/25/06, Gökhan Afacan <gokhan.afacan@xxxxxxxxx> wrote:
    > Hello,
    > How can I enable "cn=Directory Administrator" to login from only
    > specified hosts?
    > I mean that cn=Directory Administrator user can only log on
    > from 10.1.3.110.
    > How can I do that?
    >



    ------------------------------

    Message: 3
    Date: Wed, 25 Jan 2006 09:13:30 -0700
    From: Richard Megginson <rmeggins@xxxxxxxxxx>
    Subject: Re: How to enable "cn=Directory Administrator" to login from
            only specified hosts
    To: "General discussion list for the Fedora Directory server project."
            <fedora-directory-users@xxxxxxxxxx>
    Message-ID: <43D7A3AA.2000208@xxxxxxxxxx>
    Content-Type: text/plain; charset="iso-8859-1"

    Gökhan Afacan wrote:

    >Hello,
    >How can I enable "cn=Directory Administrator" to login from only
    >specified hosts?
    >
    I don't think that is possible.

    >I mean that cn=Directory Administrator user can only log on
    >from 10.1.3.110.
    >How can I do that?
    >
    I don't think you can do that.  If you are worried about Directory
    Manager access, you can create another account (like the console admin
    account) that has administrator privileges, then you can set up ACIs for
    that user, then you can disable the directory manager account.

    >--
    >Fedora-directory-users mailing list
    >Fedora-directory-users@xxxxxxxxxx
    >https://www.redhat.com/mailman/listinfo/fedora-directory-users
    >
    >

    ------------------------------

    Message: 4
    Date: Wed, 25 Jan 2006 09:14:11 -0700
    From: Richard Megginson <rmeggins@xxxxxxxxxx>
    Subject: Re: How to lock/unlock "cn=Directory Administrator" user
            account?
    To: "General discussion list for the Fedora Directory server project."
            <fedora-directory-users@xxxxxxxxxx>
    Message-ID: <43D7A3D3.2050004@xxxxxxxxxx>
    Content-Type: text/plain; charset="iso-8859-1"

    Gökhan Afacan wrote:

    >How can I lock and unlock the user cn=Directory Administrator
    >user account?
    >
    You cannot do that.  You can disable the directory manager account, but
    you cannot lock and unlock it as if it were a "normal" user account.

    >
    >On 1/25/06, Gökhan Afacan <gokhan.afacan@xxxxxxxxx> wrote:
    >
    >>Hello,
    >>How can I enable "cn=Directory Administrator" to login from only
    >>specified hosts?
    >>I mean that cn=Directory Administrator user can only log on
    >>from 10.1.3.110.
    >>How can I do that?
    >>
    >

    ------------------------------

    Message: 5
    Date: Wed, 25 Jan 2006 18:25:51 +0200
    From: A G <cino11@xxxxxxxxx>
    Subject: How to enable "cn=Directory Administrator" to login from
            only specified hosts
    To: fedora-directory-users@xxxxxxxxxx
    Message-ID: <408162380601250825y4e966611p@xxxxxxxxxxxxxx>
    Content-Type: text/plain; charset="iso-8859-1"

    Hello,
    How can I enable "cn=Directory Administrator" to login from only
    specified hosts?
    I mean that cn=Directory Administrator user can only log on from
    10.1.3.110.
    How can I do that?

    ------------------------------

    Message: 6
    Date: Wed, 25 Jan 2006 18:26:20 +0200
    From: A G <cino11@xxxxxxxxx>
    Subject: How to lock/unlock "cn=Directory Administrator" user account?
    To: fedora-directory-users@xxxxxxxxxx
    Message-ID: <408162380601250826r5dca4666q@xxxxxxxxxxxxxx>
    Content-Type: text/plain; charset="iso-8859-1"

    How can I lock and unlock the user cn=Directory Administrator user
    account?

    ------------------------------


    End of Fedora-directory-users Digest, Vol 8, Issue 40
    *****************************************************




--
Pete
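
The procedure Rich and Pete describe above (a dedicated admin account, an ACI for it, then removal of nsslapd-rootpw), written out as LDIF for ldapmodify. This is an added example, not part of the original thread or of the Fedora Directory Server project; the suffix dc=example,dc=com, the ou=Administrators container (assumed to exist already), the uid=dsadmin entry and the placeholder password are assumptions.

```ldif
# Constructed example. Apply while still bound as cn=Directory Manager,
# in the order shown, so that a working admin exists before step 3.

# 1. A dedicated administrative account. It is an ordinary entry, so ACIs,
#    account inactivation and resource limits all apply to it.
dn: uid=dsadmin,ou=Administrators,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: dsadmin
cn: Directory Admin
sn: Admin
userPassword: REPLACE-WITH-A-REAL-SECRET

# 2. Grant that account rights over the suffix, but only when the client
#    connection comes from the one host named in the thread (10.1.3.110).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "dsadmin full access from 10.1.3.110 only"; allow (all) userdn = "ldap:///uid=dsadmin,ou=Administrators,dc=example,dc=com" and ip = "10.1.3.110";)

# 3. Disable binds as the directory manager by removing its password,
#    as suggested in the thread. Save the current (hashed) value first
#    if it is to be restored later.
dn: cn=config
changetype: modify
delete: nsslapd-rootpw

# Optional, apply separately when the admin account should be switched off
# (set the value to "false" or delete the attribute to switch it back on):
#
# dn: uid=dsadmin,ou=Administrators,dc=example,dc=com
# changetype: modify
# replace: nsAccountLock
# nsAccountLock: true
```

The ip bind rule limits what the account is authorized to do from other hosts; it does not stop the bind itself from succeeding. The ACI on the suffix does not extend to cn=config, so once nsslapd-rootpw is gone, restoring it needs either an identity that has been granted write access to cn=config or an edit of dse.ldif with the server stopped.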
