Re: [389-users] General LDAP security


On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
In briefest summary, we create a separate user who has rights to see but
not change the commonly needed fields for as much of the DIT as is
needed for the various servers, e.g., some may need to see the entire
tree whereas others may only need a small subset.  The ACIs are in that
large post.  We then use this user as the binddn in ldap.conf.  We never
use cn=Directory Manager and always remove anonymous browsing.  In fact,
we also change the cn for both Directory Manager and the admin user just
to further obscure the setup.  Hope this helps - John

John, (and anyone else of course...)

I read your mail that you referred to...
http://www.mail-archive.com/fedora-directory-users@xxxxxxxxxx/msg09428.html
and don't really see an answer to the question, or more honestly, the very similar question I was about to ask before I saw this.

That was how to have a full administrative user that is not Directory Manager. I'm working in a very high profile confidential project and, to our shame, we are still using this account for pretty much everything of note (despite my protestations from day 1, I assure you!!), including the IDM console, which is our main tool for managing data in it. I've tried to work out the most formal and effective way to make my own normal user account able to do whatever Directory Manager can do with the console, but without luck. I expect it's an awful lot simpler than I think it is. In line with doing it "right", there's a Directory Administrators (or nearly that) group which I tried adding users to, but no change was seen, and I'd think there's a difference between the access within the main directory and the Admin server config in o=NetscapeRoot. Is there an ACI that already exists and such?

Also, looking at your notes, it seems there may be better ways to manage a single directory (2 multimasters and 6 replicas), like bypassing the initial Admin section and going straight to the directory itself?

Also, if I do make my user account able to log in, would I then be faced with putting in the entire DN every single time? Can I alias it, etc.? Ideally I'd not want a dedicated account, unless there's some real logic in not using the account - something I can imagine...

Any pointers, especially those which are simple, elegant and non-invasive, would be *very* much appreciated.

Thanks

Chris
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
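
An added example (not from John's or Chris's posts, and not 389 DS project code) of what the setup John summarises looks like as LDIF for 389 Directory Server: a dedicated read-only bind account with a narrow ACI, the default anonymous-read ACI removed, and an ACI that gives a delegated administrators group full rights on the data suffix. The suffix dc=example,dc=com, the account uid=svc-ldap,ou=Services,dc=example,dc=com, the group cn=Directory Administrators,dc=example,dc=com, the attribute list and the password placeholder are all assumptions; adjust them to your DIT.

```ldif
# Added example, not from the thread. Assumed names throughout:
#   suffix            dc=example,dc=com
#   service account   uid=svc-ldap,ou=Services,dc=example,dc=com
#   admin group       cn=Directory Administrators,dc=example,dc=com
# Apply once as cn=Directory Manager, e.g.
#   ldapmodify -x -H ldap://ds.example.com -D "cn=Directory Manager" -W -f delegate.ldif
# after which day-to-day work no longer needs that account.

# 1. Read-only service account used as the binddn in clients' ldap.conf.
#    Replace the password with a generated secret before applying.
dn: uid=svc-ldap,ou=Services,dc=example,dc=com
changetype: add
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: svc-ldap
userPassword: CHANGE-ME-generated-secret

# 2. Before (weak): the anonymous-read ACI 389 installs on a new suffix.
#    Delete it so nobody can enumerate the tree without binding. The value
#    must match byte-for-byte what is on your suffix; read it first with
#    ldapsearch -x -D "cn=Directory Manager" -W -b dc=example,dc=com -s base aci
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)

# 3. After (hardened): the service account may read, search and compare only
#    the attributes NSS/PAM-style clients need, and only on posix entries.
#    Put the ACI on a subtree instead of the suffix for servers that need less.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="objectClass || uid || cn || uidNumber || gidNumber || homeDirectory || loginShell || gecos || memberUid || member")(targetfilter="(|(objectClass=posixAccount)(objectClass=posixGroup))")(version 3.0; acl "svc-ldap read-only"; allow (read,search,compare) userdn="ldap:///uid=svc-ldap,ou=Services,dc=example,dc=com";)

# 4. Delegated administration: members of the group get all rights on the
#    data suffix. This covers the data the console edits under the suffix;
#    it does NOT cover cn=config or o=NetscapeRoot (admin server), which
#    carry their own ACIs and still need separate delegation.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Directory Administrators full access"; allow (all) groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)

# 5. Optional, version-dependent (assumed present on your 389 release; check
#    the cn=config schema): refuse anonymous binds server-wide. Use the value
#    "rootdse" instead of "off" if clients must read the root DSE anonymously.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
```

Two checks after applying: an anonymous `ldapsearch -x -b dc=example,dc=com` should return nothing (or an error once step 5 is in place), and a search bound as uid=svc-ldap requesting `userPassword` or a non-posix entry should come back empty, while a member of the group can modify an entry. Step 4 answers the "is there an ACI for the Directory Administrators group" part only for the data suffix; a group membership alone changes nothing until such an ACI exists, and the admin server configuration in o=NetscapeRoot is governed separately.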
