Richard Megginson wrote:
I think you just remove the nsslapd-rootpw attribute in cn=config - that will disallow BINDs as the directory manager. I suppose you could save the value somewhere so you can enable it as needed.
In addition to what Rich has said here and previously: it sounds like you are planning to actually use the cn=Directory Manager account for normal administrative operations. This is not advisable, for the same reasons you would only su to root when you absolutely have to.

Creating admin accounts with various levels of permission designed for the tasks they need to perform is a much better solution, and then you *can* perform actions like disabling the admin accounts and applying additional access control, resource limits, and all the other good things an admin can do to a user. Whereas cn=Directory Manager, like root, is a no holds barred, no access control applied kind of guy, and should be allowed out only on the rarest of occasions.
A G wrote:
OK. How can I disable the "cn=Directory Administrator" account? Will I be able to enable it easily, so that in normal operation it is disabled for security purposes?

On 1/25/06, fedora-directory-users-request@xxxxxxxxxx wrote:

Today's Topics:
1. How to enable "cn=Directory Administrator" to login from only specified hosts (Gökhan Afacan)
2. How to lock/unlock "cn=Directory Administrator" user account? (Gökhan Afacan)
3. Re: How to enable "cn=Directory Administrator" to login from only specified hosts (Richard Megginson)
4. Re: How to lock/unlock "cn=Directory Administrator" user account? (Richard Megginson)
5. How to enable "cn=Directory Administrator" to login from only specified hosts (A G)
6. How to lock/unlock "cn=Directory Administrator" user account? (A G)

----------------------------------------------------------------------

Message: 1
Date: Wed, 25 Jan 2006 17:44:31 +0200
From: Gökhan Afacan <gokhan.afacan@xxxxxxxxx>
Subject: How to enable "cn=Directory Administrator" to login from only specified hosts
To: fedora-directory-users@xxxxxxxxxx

Hello,
How can I enable "cn=Directory Administrator" to login from only specified hosts? I mean that the cn=Directory Administrator user can only log on from 10.1.3.110. How can I do that?

------------------------------

Message: 2
Date: Wed, 25 Jan 2006 17:46:03 +0200
From: Gökhan Afacan <gokhan.afacan@xxxxxxxxx>
Subject: How to lock/unlock "cn=Directory Administrator" user account?
To: fedora-directory-users@xxxxxxxxxx

How can I lock and unlock the cn=Directory Administrator user account?

On 1/25/06, Gökhan Afacan <gokhan.afacan@xxxxxxxxx> wrote:
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?
> I mean that the cn=Directory Administrator user can only log on from 10.1.3.110.
> How can I do that?

------------------------------

Message: 3
Date: Wed, 25 Jan 2006 09:13:30 -0700
From: Richard Megginson <rmeggins@xxxxxxxxxx>
Subject: Re: How to enable "cn=Directory Administrator" to login from only specified hosts
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>

Gökhan Afacan wrote:
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?

I don't think that is possible.

> I mean that the cn=Directory Administrator user can only log on from 10.1.3.110.
> How can I do that?

I don't think you can do that. If you are worried about Directory Manager access, you can create another account (like the console admin account) that has administrator privileges, then you can set up ACIs for that user, then you can disable the directory manager account.

------------------------------

Message: 4
Date: Wed, 25 Jan 2006 09:14:11 -0700
From: Richard Megginson <rmeggins@xxxxxxxxxx>
Subject: Re: How to lock/unlock "cn=Directory Administrator" user account?
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>

Gökhan Afacan wrote:
> How can I lock and unlock the cn=Directory Administrator user account?

You cannot do that. You can disable the directory manager account, but you cannot lock and unlock it as if it were a "normal" user account.

> On 1/25/06, Gökhan Afacan <gokhan.afacan@xxxxxxxxx> wrote:
>> Hello,
>> How can I enable "cn=Directory Administrator" to login from only
>> specified hosts?
>> I mean that the cn=Directory Administrator user can only log on from 10.1.3.110.
>> How can I do that?

------------------------------

Message: 5
Date: Wed, 25 Jan 2006 18:25:51 +0200
From: A G <cino11@xxxxxxxxx>
Subject: How to enable "cn=Directory Administrator" to login from only specified hosts
To: fedora-directory-users@xxxxxxxxxx

Hello,
How can I enable "cn=Directory Administrator" to login from only specified hosts? I mean that the cn=Directory Administrator user can only log on from 10.1.3.110. How can I do that?

------------------------------

Message: 6
Date: Wed, 25 Jan 2006 18:26:20 +0200
From: A G <cino11@xxxxxxxxx>
Subject: How to lock/unlock "cn=Directory Administrator" user account?
To: fedora-directory-users@xxxxxxxxxx

How can I lock and unlock the cn=Directory Administrator user account?

------------------------------

End of Fedora-directory-users Digest, Vol 8, Issue 40
*****************************************************
-- Pete
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
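The procedure Rich and Pete describe, as an added example that is not from the thread or from the Fedora Directory Server project: create a delegated admin account, grant it rights with an ACI, then delete nsslapd-rootpw from cn=config so nobody can bind as cn=Directory Manager. The ACI also uses the standard 389/Fedora DS "ip" bind rule, which is how you pin a *normal* account to one source host; as Rich says, that does not work for Directory Manager itself, which is exactly why the delegated account is the one to restrict. The suffix dc=example,dc=com, the admin DN cn=ldapadmin, the LDAP URL, the password-file path and the placeholder password are assumptions; 10.1.3.110 is the host from the original question. The ldapmodify/ldapsearch flags are the OpenLDAP client ones.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Fedora DS.
# Without arguments it prints the LDIF it would apply; "apply" runs it.
set -eu

LDAP_URL="${LDAP_URL:-ldap://localhost:389}"              # assumption
LDAP_SUFFIX="${LDAP_SUFFIX:-dc=example,dc=com}"           # assumption
ADMIN_DN="cn=ldapadmin,ou=Administrators,$LDAP_SUFFIX"    # assumption
LDAP_ADMIN_HOST="${LDAP_ADMIN_HOST:-10.1.3.110}"          # host named in the question
DM_PWFILE="${DM_PWFILE:-/root/.dmpw}"                     # assumed file holding the Directory Manager password

# 1. Delegated admin entry (password is a placeholder; the server hashes it on add).
admin_ldif() {
  cat <<EOF
dn: ou=Administrators,$LDAP_SUFFIX
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Administrators

dn: $ADMIN_DN
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: ldapadmin
sn: ldapadmin
userPassword: CHANGE-ME-BEFORE-USE
EOF
}

# 2. ACI on the suffix: full rights for the admin, but only when the bind comes
#    from LDAP_ADMIN_HOST. This is an ACI bind rule, so it applies to this account,
#    not to cn=Directory Manager, which bypasses ACIs entirely.
aci_ldif() {
  cat <<EOF
dn: $LDAP_SUFFIX
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Delegated admin from $LDAP_ADMIN_HOST only"; allow (all) (userdn="ldap:///$ADMIN_DN") and (ip="$LDAP_ADMIN_HOST");)
EOF
}

# 3. Rich's suggestion: delete the root password hash so Directory Manager cannot bind.
disable_rootpw_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
delete: nsslapd-rootpw
EOF
}

apply_all() {
  umask 077
  # Save the current hash first (it also lives in the instance's dse.ldif) so it can be put back later.
  ldapsearch -x -LLL -H "$LDAP_URL" -D "cn=Directory Manager" -y "$DM_PWFILE" \
    -b cn=config -s base nsslapd-rootpw > rootpw.backup.ldif
  # Order matters: the delegated account and its ACI must exist before rootpw goes away,
  # otherwise nothing can administer the server without stopping it and editing dse.ldif.
  admin_ldif          | ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -y "$DM_PWFILE"
  aci_ldif            | ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -y "$DM_PWFILE"
  disable_rootpw_ldif | ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -y "$DM_PWFILE"
  # Check: a Directory Manager bind with the old password must now be rejected.
  if ldapsearch -x -H "$LDAP_URL" -D "cn=Directory Manager" -y "$DM_PWFILE" \
       -b "$LDAP_SUFFIX" -s base dn >/dev/null 2>&1; then
    echo "WARNING: Directory Manager can still bind; nsslapd-rootpw was not removed" >&2
    exit 1
  fi
  echo "Directory Manager bind now rejected; use $ADMIN_DN from $LDAP_ADMIN_HOST"
}

case "${1:-}" in
  apply) apply_all ;;
  *) admin_ldif; echo; aci_ldif; echo; disable_rootpw_ldif ;;
esac
```

Two caveats a practitioner will hit. First, "allow (all)" placed on the suffix grants nothing over cn=config, so the delegated account cannot simply add nsslapd-rootpw back; to re-enable Directory Manager either add an ACI on cn=config for that account beforehand, or stop the server and restore the saved value into dse.ldif. Second, keep the backup file off the box or in a protected location: the hash it holds is the only thing standing between "disabled" and "root again".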