LDAP: Administrative users

Posted on July 31, 2013 by Terry Gardner

Introduction

In an UnboundID LDAP directory server, the “Root DN” (root user) accounts have an extensive set of privileges in the default distribution of the server products; therefore the root DN account(s) should not be used in normal operation except where a task can only be performed by an root user. The number of administrators with root user DNs and passwords should be as small as is practicable.

An “administrative account” or “administrative user” is a distinguished name which has access and privileges beyond those granted to other users. Typically, an administrative user has access to all attributes of all entries on the server, including the administrative sections of the server. Administrative accounts are superior to root DN accounts because they are replicated and because they can be restricted by privilege assignment. For example, an administrative user can be created that has the privilege of “backup”, but no other privileges. The UnboundID product suite uses this extremely flexible access and privilege mechanism instead of a simplistic brute force access control system.

Root user accounts are not replicated whereas administrator accounts created in a replicated backend can be used on each server in a replicated topology. This is a tremendous disadvantage of a Root DN.

LDIF for an Administrative User

User

Following is an example LDIF for an administrative account/user. This example uses the naming context c=us. The DN of this administrative user is cn=admin,c=us. It makes no difference what the DN of the administrative user is, as long as it is hosted in a replicated backend. The password is a horrible one, I trust you’ll use a password generator to generate a better one. The server will encrypt the password or create a cryptographic hash when the entry is added with ldapmodify. How the password is hashed or encrypted is decided by the password policy to which the user is subject.

The administrative user given below has a number of privileges that will prove useful when operating the server. For example, this administrative user has the privilege of reading and writing the configuration of the server – a must when tasked with operating the server. The UnboundID Directory Server supports “privileges” which are required to perform certain tasks and are a adjunct to access controls. Access controls must also exist as a complement to privileges. This is far more flexible model than the brute force model used in other directory servers.

dn: cn=admin,c=us
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: admin
sn: admin
userPassword: password
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: config-read
ds-privilege-name: config-write
ds-privilege-name: jmx-notify
ds-privilege-name: jmx-read
ds-privilege-name: jmx-write
ds-privilege-name: ldif-export
ds-privilege-name: ldif-import
ds-privilege-name: lockdown-mode
ds-privilege-name: password-reset
ds-privilege-name: privilege-change
ds-privilege-name: soft-delete-read
ds-privilege-name: unindexed-search
ds-privilege-name: update-schema

Group

Next, create the LDIF change records for a group the members of which are administrative users. Grouping users together by type is an effective technique and makes creating access control easier. The DN of the group for administrators is give as cn=Directory Administrators,ou=groups,c=us, of course, this is an arbitrary name.

dn: ou=groups,c=us
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: groups
userPassword: password

dn: cn=Directory Administrators,ou=groups,c=us
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Directory Administrators
uniqueMember: cn=admin,c=us

Access Controls

Create an LDIF change records containing access controls that are necessary for an administrative user. For the bind rule, use the DN of the group given above. This will cause the access controls created to apply to all members of the group. Only users requiring administrative access should be members of the group because the access controls grant access to all attributes of all entries. The controls listed are:

dn: c=us
changetype: modify
add: aci
aci: (targetattr="*||+")
 (version 3.0;
 acl "Access to all attributes by members of the Directory Administrators group.";
 allow(all) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)
aci: (targetcontrol="1.2.840.113556.1.4.319||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473")
 (version 3.0;
 acl "Access to selected controls for cn=admin,c=us";
 allow (read) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)

Next, the global access controls. These access controls allow administrative users to view entries in operational sections of the server. Use dsconfig to add these global access controls. The operational servers to which access is allowed are:

  • config – the configuration of this server
  • tasks – tasks that can be added to the server for execution
  • monitor – real-time operational data, for example, number of BIND operations performed
  • schema – The server schema in which are defined attribute types and object classes recognized by the server
  • alerts – administrative alerts generated by the server; these alerts are used by operators to respond to events associated with the operation and status of the server
dsconfig set-access-control-handler-prop \
 --add global-aci:'(target="ldap:///cn=config")(targetattr="*")(version 3.0; acl "Allow access to the config tree by cn=admin,c=us"; allow(all) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)' \
 --add global-aci:'(target="ldap:///cn=tasks")(targetattr="*")(version 3.0; acl "Allow access to the tasks tree by cn=admin,c=us"; allow(all) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)' \
 --add global-aci:'(target="ldap:///cn=monitor")(targetattr="*")(version 3.0; acl "Allow access to the monitor tree by cn=admin,c=us"; allow(all) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)' \
 --add global-aci:'(target="ldap:///cn=schema")(targetattr="*||+")(version 3.0; acl "Allow access to the schema tree by cn=admin,c=us"; allow(all) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)' \
 --add global-aci:'(target="ldap:///cn=alerts")(targetattr="*")(version 3.0; acl "Allow access to the alerts tree by cn=admin,c=us"; allow(all) groupdn="ldap:///cn=directory administrators,ou=groups,c=us";)'

About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, LDAP, UnboundID and tagged , , , , . Bookmark the permalink.

Leave a comment