[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 40

Pete Rowley prowley at redhat.com
Wed Jan 25 18:01:16 UTC 2006


Richard Megginson wrote:

> I think you just remove the nsslapd-rootpw attribute in cn=config - 
> that will disallow BINDs as the directory manager.  I suppose you 
> could save the value somewhere so you can enable it as needed.
>
In addition to what Rich has said here and previously:

It sounds like you are planning to actually use the cn=Directory 
Manager account for normal administrative operations; this is not 
advisable for the same reasons you would only su to root when you 
absolutely have to.  Creating admin accounts with various levels of 
permission designed for the tasks they need to perform is a much better 
solution, and then you *can* perform actions like disabling the admin 
accounts and applying additional access control, resource limits, and 
all the other good things an admin can do to a user. Whereas 
cn=Directory Manager, like root, is a no holds barred, no access control 
applied kind of guy, and should be allowed out only on the rarest of 
occasions.

> A G wrote:
>
>> OK. how can I disable the "cn=Directory  Administrator" account?
>> Will I be able to enable easily so that in the normal operation it is 
>> disabled for the security purposes?
>>
>>
>> On 1/25/06, fedora-directory-users-request at redhat.com wrote:
>>
>>
>>     Today's Topics:
>>
>>        1. How to enable "cn=Directory Administrator" to login from only
>>           specified hosts (Gökhan Afacan)
>>        2. How to lock/unlock "cn=Directory Administrator" user account?
>>           (Gökhan Afacan)
>>        3. Re: How to enable "cn=Directory Administrator" to login from
>>           only specified hosts (Richard Megginson)
>>        4. Re: How to lock/unlock "cn=Directory Administrator" user
>>           account? (Richard Megginson)
>>        5. How to enable "cn=Directory Administrator" to login from only
>>           specified hosts (A G)
>>        6. How to lock/unlock "cn=Directory Administrator" user account?
>>           (A G)
>>
>>
>>     
>> ----------------------------------------------------------------------
>>
>>     Message: 1
>>     Date: Wed, 25 Jan 2006 17:44:31 +0200
>>     From: Gökhan Afacan <gokhan.afacan at gmail.com
>>     <mailto:gokhan.afacan at gmail.com>>
>>     Subject: [Fedora-directory-users] How to enable "cn=Directory
>>             Administrator"  to login from only specified hosts
>>     To: fedora-directory-users at redhat.com
>>     <mailto:fedora-directory-users at redhat.com>
>>     Message-ID:
>>             <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc at mail.gmail.com
>>     
>> <mailto:2393d5a10601250744m7c2e0643mea5ee25a5658d4fc at mail.gmail.com>>
>>     Content-Type: text/plain; charset=ISO-8859-1
>>
>>     Hello,
>>     How can I enable "cn=Directory Administrator" to login from only
>>     specified hosts?
>>     I mean that cn=Directory Administrator user can only logon only
>>     from 10.1.3.110 <http://10.1.3.110>.
>>     How can I do that?
>>
>>
>>
>>     ------------------------------
>>
>>     Message: 2
>>     Date: Wed, 25 Jan 2006 17:46:03 +0200
>>     From: Gökhan Afacan <gokhan.afacan at gmail.com
>>     <mailto:gokhan.afacan at gmail.com>>
>>     Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory
>>             Administrator" user account?
>>     To: fedora-directory-users at redhat.com
>>     <mailto:fedora-directory-users at redhat.com>
>>     Message-ID:
>>             <2393d5a10601250746hfae7d11t8526098605735d8d at mail.gmail.com
>>     <mailto:2393d5a10601250746hfae7d11t8526098605735d8d at mail.gmail.com>>
>>     Content-Type: text/plain; charset=ISO-8859-1
>>
>>     How can I lock and unlock the user cn=Directory Administrator user
>>     account?
>>
>>
>>     On 1/25/06, Gökhan Afacan <gokhan.afacan at gmail.com
>>     <mailto:gokhan.afacan at gmail.com>> wrote:
>>     > Hello,
>>     > How can I enable "cn=Directory Administrator" to login from only
>>     > specified hosts?
>>     > I mean that cn=Directory Administrator user can only logon only
>>     from 10.1.3.110 <http://10.1.3.110> .
>>     > How can I do that?
>>     >
>>
>>
>>
>>     ------------------------------
>>
>>     Message: 3
>>     Date: Wed, 25 Jan 2006 09:13:30 -0700
>>     From: Richard Megginson <rmeggins at redhat.com
>>     <mailto:rmeggins at redhat.com>>
>>     Subject: Re: [Fedora-directory-users] How to enable "cn=Directory
>>             Administrator" to login from only specified hosts
>>     To: "General discussion list for the Fedora Directory server
>>     project."
>>             <fedora-directory-users at redhat.com
>>     <mailto:fedora-directory-users at redhat.com>>
>>     Message-ID: <43D7A3AA.2000208 at redhat.com
>>     <mailto:43D7A3AA.2000208 at redhat.com>>
>>     Content-Type: text/plain; charset="iso-8859-1"
>>
>>     Gökhan Afacan wrote:
>>
>>     >Hello,
>>     >How can I enable "cn=Directory Administrator" to login from only
>>     >specified hosts?
>>     >
>>     >
>>     I don't think that is possible.
>>
>>     >I mean that cn=Directory Administrator user can only logon only
>>     from 10.1.3.110 <http://10.1.3.110>.
>>     >How can I do that?
>>     >
>>     >
>>     I don't think you can do that.  If you are worried about Directory
>>     Manager access, you can create another account (like the console
>>     admin
>>     account) that has administrator privileges, then you can set up
>>     ACIs for
>>     that user, then you can disable the directory manager account.
>>
>>     >--
>>     >Fedora-directory-users mailing list
>>     > Fedora-directory-users at redhat.com
>>     <mailto:Fedora-directory-users at redhat.com>
>>     >https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>     >
>>     >
>>     -------------- next part --------------
>>     A non-text attachment was scrubbed...
>>     Name: smime.p7s
>>     Type: application/x-pkcs7-signature
>>     Size: 3178 bytes
>>     Desc: S/MIME Cryptographic Signature
>>     Url :
>>     
>> https://www.redhat.com/archives/fedora-directory-users/attachments/20060125/ca03ba5e/smime.bin 
>>
>>
>>     ------------------------------
>>
>>     Message: 4
>>     Date: Wed, 25 Jan 2006 09:14:11 -0700
>>     From: Richard Megginson <rmeggins at redhat.com
>>     <mailto:rmeggins at redhat.com>>
>>     Subject: Re: [Fedora-directory-users] How to
>>     lock/unlock        "cn=Directory
>>             Administrator" user account?
>>     To: "General discussion list for the Fedora Directory server
>>     project."
>>             <fedora-directory-users at redhat.com
>>     <mailto:fedora-directory-users at redhat.com>>
>>     Message-ID: <43D7A3D3.2050004 at redhat.com
>>     <mailto:43D7A3D3.2050004 at redhat.com>>
>>     Content-Type: text/plain; charset="iso-8859-1"
>>
>>     Gökhan Afacan wrote:
>>
>>     >How can I lock and unlock the user cn=Directory Administrator
>>     user account?
>>     >
>>     >
>>     You cannot do that.  You can disable the directory manager
>>     account, but
>>     you cannot lock and unlock it as if it were a "normal" user account.
>>
>>     >
>>     >On 1/25/06, Gökhan Afacan <gokhan.afacan at gmail.com
>>     <mailto:gokhan.afacan at gmail.com>> wrote:
>>     >
>>     >
>>     >>Hello,
>>     >>How can I enable "cn=Directory Administrator" to login from only
>>     >>specified hosts?
>>     >>I mean that cn=Directory Administrator user can only logon only
>>     from 10.1.3.110 <http://10.1.3.110>.
>>     >>How can I do that?
>>     >>
>>     >>
>>     >>
>>     >
>>
>>
>>     ------------------------------
>>
>>     Message: 5
>>     Date: Wed, 25 Jan 2006 18:25:51 +0200
>>     From: A G <cino11 at gmail.com <mailto:cino11 at gmail.com>>
>>     Subject: [Fedora-directory-users] How to enable "cn=Directory
>>             Administrator"  to login from only specified hosts
>>     To: fedora-directory-users at redhat.com
>>     <mailto:fedora-directory-users at redhat.com>
>>     Message-ID: < 408162380601250825y4e966611p at mail.gmail.com
>>     <mailto:408162380601250825y4e966611p at mail.gmail.com>>
>>     Content-Type: text/plain; charset="iso-8859-1"
>>
>>     Hello,
>>     How can I enable "cn=Directory Administrator" to login from only
>>     specified hosts?
>>     I mean that cn=Directory Administrator user can only logon only from
>>     10.1.3.110 <http://10.1.3.110>.
>>     How can I do that?
>>
>>
>>
>>     ------------------------------
>>
>>     Message: 6
>>     Date: Wed, 25 Jan 2006 18:26:20 +0200
>>     From: A G <cino11 at gmail.com <mailto:cino11 at gmail.com>>
>>     Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory
>>             Administrator" user account?
>>     To: fedora-directory-users at redhat.com
>>     <mailto:fedora-directory-users at redhat.com>
>>     Message-ID: < 408162380601250826r5dca4666q at mail.gmail.com
>>     <mailto:408162380601250826r5dca4666q at mail.gmail.com>>
>>     Content-Type: text/plain; charset="iso-8859-1"
>>
>>     How can I lock and unlock the user cn=Directory Administrator user
>>     account?
>>
>>
>>     ------------------------------
>>
>>
>>
>>     End of Fedora-directory-users Digest, Vol 8, Issue 40
>>     *****************************************************
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>------------------------------------------------------------------------
>


-- 
Pete
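The approach Rich and Pete describe above (a dedicated admin entry governed by ACIs, lockable like any user, and only then the Directory Manager bind disabled) as an added LDIF example. It is not from the original thread or the Fedora Directory Server project; it assumes a suffix of dc=example,dc=com, an admin entry named cn=Directory Administrator under ou=People, and reuses the 10.1.3.110 address from the question. The password hash is a placeholder.

```ldif
# Added example, not from the thread. Assumed suffix: dc=example,dc=com.
# Apply each record with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f step.ldif

# 1. A dedicated admin entry instead of using cn=Directory Manager.
dn: cn=Directory Administrator,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Directory Administrator
sn: Administrator
userPassword: {SSHA}PLACEHOLDER-replace-with-a-real-hash

# 2. An ACI on the suffix granting this account full rights, but only when
#    the bind arrives from 10.1.3.110. ACIs never apply to cn=Directory
#    Manager, which is why the host restriction asked about in the thread
#    can only be enforced on a normal account like this one.
#    (Lines starting with two spaces are LDIF continuations of the aci value.)
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Directory Administrator from 10.1.3.110";
  allow (all) userdn="ldap:///cn=Directory Administrator,ou=People,dc=example,dc=com"
  and ip="10.1.3.110";)

# 3. Locking the normal admin account, which Rich notes cannot be done to
#    Directory Manager: nsAccountLock TRUE makes the server refuse its binds.
#    Unlock by deleting the attribute again (delete: nsAccountLock).
dn: cn=Directory Administrator,ou=People,dc=example,dc=com
changetype: modify
replace: nsAccountLock
nsAccountLock: TRUE

# 4. Only after a test bind as the new account from 10.1.3.110 succeeds:
#    remove the root password as Rich suggests, so cn=Directory Manager
#    can no longer bind at all.
dn: cn=config
changetype: modify
delete: nsslapd-rootpw
```

Apply steps 1 and 2 and confirm that a bind as the new account from the allowed host succeeds (and fails from any other host) before running step 4: once nsslapd-rootpw is gone, the scoped account is the only administrative way in short of stopping the server and restoring the attribute in dse.ldif. Step 3 is shown locked; run it only when the account is meant to be dormant, and save the removed root password value somewhere safe, as Rich mentions, if you expect to re-enable Directory Manager later.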


