[389-users] General LDAP security

Chris Phillips chris at untrepid.com
Tue Jun 16 19:13:39 UTC 2009


http://www.mail-archive.com/fedora-directory-users@redhat.com/msg09428.html

On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <
jsullivan at opensourcedevel.com> wrote:

> In briefest summary, we create a separate user who has rights to see but
> not change the commonly needed fields for as much of the DIT as is
> needed for the various servers, e.g., some may need to see the entire
> tree whereas others may only need a small subset.  The ACIs are in that
> large post.  We then use this user as the binddn in ldap.conf.  We never
> use cn=Directory Manager and always remove anonymous browsing.  In fact,
> we also change the cn for both Directory Manager and the admin user just
> to further obscure the setup.  Hope this helps - John


John, (and anyone else of course...)

I read the mail you referred to...
http://www.mail-archive.com/fedora-directory-users@redhat.com/msg09428.html
and don't really see an answer to the question, or, more honestly, to the very
similar question I was about to ask before I saw this.

That was how to have a full administrative user that is not Directory
Manager. I'm working on a very high-profile confidential project and, to our
shame, we are still using this account for pretty much everything of note
(despite my protestations from day 1, I assure you!!), including the IDM
console, which is our main tool for managing data in it. I've tried to work
out the most formal and effective way to make my own normal user account
able to do whatever Directory Manager can do with the console, but without
luck. I expect it's an awful lot simpler than I think it is. In line with
doing it "right", there's a Directory Administrators (or nearly that) group
which I tried adding users to, but no change was seen, and I'd think there's
a difference between the access within the main directory and the Admin
server config in o=NetscapeRoot. Is there an ACI for this that already
exists, or something similar?

Also, looking at your notes, it seems there may be better ways to manage a
single directory (2 multimasters and 6 replicas), like bypassing the initial
Admin section and going straight to the directory itself?

Also, if I do make my user account able to log in, would I then be faced with
putting in the entire DN every single time? Can I alias it, etc.? Ideally
I'd not want a dedicated account, unless there's some real logic in not
using my own account - something I can imagine...

Any pointers, especially those which are simple, elegant and non-invasive,
would be *very* much appreciated.

Thanks

Chris
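Editor's note: the following LDIF is an added example, not from either message in this thread, showing the three ACI changes the quoted advice describes on a 389 Directory Server suffix: a named personal account given the same rights as cn=Directory Manager over the DIT (the group-based equivalent is the "Directory Administrators" ACI that the sample data installs), a read-only service account for use as binddn in ldap.conf, and removal of the default anonymous-read ACI. The suffix dc=example,dc=com, the accounts uid=chris and uid=ldapclient, and the exact text of the default anonymous ACI are assumptions; the default ACI value must match what ldapsearch returns on your suffix byte for byte, or the delete will fail. These ACIs cover only the main suffix; rights in o=NetscapeRoot (Admin Server / console configuration) are a separate tree and are not granted here.

```ldif
# --- 1. Give a personal account full rights over the DIT ---
# "all" in 389 DS ACI syntax is every right except proxy; add "proxy"
# explicitly if the account must also use proxied authorization.
# Placed on the suffix, the ACI applies to every entry beneath it.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Full admin rights for chris";
 allow (all, proxy) userdn="ldap:///uid=chris,ou=People,dc=example,dc=com";)

# Group-based alternative (this is the shape of the ACI 389 DS installs with
# its sample entries; membership in the group is what grants the rights, so
# the group must carry this ACI on the suffix for adding members to matter).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Directory Administrators Group";
 allow (all) groupdn="ldap:///cn=Directory Administrators,dc=example,dc=com";)

# --- 2. Read-only service bind for ldap.conf clients ---
# Only the attributes NSS/PAM clients need, only read/search/compare, and
# scoped with target= to the part of the tree the servers actually use.
# userPassword is deliberately absent; the client binds, it never reads hashes.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=People,dc=example,dc=com")
 (targetattr="objectClass || cn || uid || uidNumber || gidNumber ||
 homeDirectory || loginShell || gecos || memberUid || member || uniqueMember")
 (version 3.0; acl "POSIX read for ldapclient";
 allow (read, search, compare)
 userdn="ldap:///uid=ldapclient,ou=Special Users,dc=example,dc=com";)

# --- 3. Remove anonymous browsing ---
# Delete the default anonymous-read ACI rather than adding a deny; deny
# rules take precedence over every allow and are easy to over-apply.
# The value below is the assumed default as installed; confirm it first with:
#   ldapsearch -x -D "cn=Directory Manager" -W -b dc=example,dc=com -s base aci
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
 allow (read, search, compare) userdn="ldap:///anyone";)
```

Apply it once, while still bound as Directory Manager, with `ldapmodify -x -D "cn=Directory Manager" -W -f acis.ldif`, then verify the personal account can do what you expect before you stop using the root DN: `ldapsearch -x -D "uid=chris,ou=People,dc=example,dc=com" -W -b dc=example,dc=com "(uid=*)"` and an ldapmodify of a test entry bound as the same DN. The long bind DN is the price of a real account; tools that accept SASL or a `binddn` in their own config (the ldap.conf `BINDDN`/`binddn` settings, or an ldaprc) save retyping it. Note that a modification applied to one master is replicated to the other master and the six replicas, so check the ACIs arrived on a replica too before removing anonymous access from production clients.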