Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
10. Managing Users and Groups With dsconfig
Managing Root User, Global Administrator, and Administrator Accounts
Oracle Unified Directory provides a flexible Privilege Subsystem that allows you to configure root users, Global Administrators, and administrators for your server. You can configure multiple root users and assign different root privileges to each administrator. For administrative domains, you can also configure multiple Global Administrators to manage administrative domains in your network or in a replicated environment.
The topics in this section describe the management of multiple root users and the privilege subsystem. The topics also provide instructions on how to configure and maintain the various user accounts required to administer your server securely.
Before you start with the procedures outlined here, determine the following guidelines for your server:
Number of root users, their privileges, and resource limits, if any.
Number of administrators, their privileges, and resource limits, if any.
Guidelines for user accounts on your system.
Password policies for the server and for specific groups of users.
Oracle Unified Directory provides one default root DN or root user, "cn=Directory Manager". The default root DN is a user entry assigned with specialized privileges with full read and write access to all data in the server. Comparable to a Unix root user or superuser, the root DN can bypass access controls to carry out tasks on the server. The root user is defined below the "cn=Root DNs,cn=config" branch of the server at cn=Directory Manager,cn=Root DNs,cn=config.
The server supports multiple root users who have their own entries and their own set of credentials on the server. This allows you to assign privileges to a user who might need root access for a particular task but might not need the full set of root user privileges. With each entry, you can assign strong authentication such as the GSSAPI SASL mechanism, password policies, or add resource limits (if your schema allows it) to one root user while having a completely different configuration for another root user.
Root users differ from regular user entries in the following ways:
Configuration. Root users are the only user accounts that can exist in the server configuration (cn=config).
Privilege inheritance. Root users automatically inherit the set of default root user privileges. Regular users do not receive any privileges unless they are explicitly granted. You can grant privileges to an entry using real root-privilege-name attributes, virtual ones, or both.
Lockdown mode. Root users are the only users who can cause the server to enter or leave lockdown mode and only over the loopback interface.
The Privilege Subsystem supports the configuration of multiple root users.
The Privilege Subsystem allows you to assign refined privileges to users who might require only a specific set of root user access privileges. Root users are automatically granted a set of privileges defined in the default-root-privilege-name attribute in the "cn=Root DNs,cn=config" subtree.
The Privilege Subsystem is independent from the Access Control Subsystem, but some operations might be subject to access controls.
The following set of privileges is automatically assigned to the root user.
The following privileges can be assigned to the root user.
Use the dsconfig command to manage root users. For more information, see Managing the Server Configuration With dsconfig.
The default root user has a number of privileges, which are stored as values of the default-root-privilege-name property.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-root-dn-prop
Property                    : Value(s)
----------------------------:--------------------------------------------------
default-root-privilege-name : backend-backup, backend-restore, bypass-acl,
                            : cancel-request, config-read, config-write,
                            : disconnect-client, ldif-export, ldif-import,
                            : modify-acl, password-reset, privilege-change,
                            : server-restart, server-shutdown,
                            : unindexed-search, update-schema
The easiest way to manage root user privileges is to use dsconfig in interactive mode. Interactive mode walks you through the root user configuration, and is therefore not documented here.
To add or remove privileges for the default root user, add or remove the values of the default-root-privilege-name property. This property can hold the following values:
backend-backup
backend-restore
bypass-acl
cancel-request
config-read
config-write
data-sync
disconnect-client
jmx-notify
jmx-read
jmx-write
ldif-export
ldif-import
modify-acl
password-reset
privilege-change
proxied-auth
server-restart
server-shutdown
unindexed-search
update-schema
This example adds the data-sync privilege to the default root user, by using dsconfig in non-interactive mode.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-root-dn-prop --add default-root-privilege-name:data-sync
Root users are stored below the entry cn=Root DNs,cn=config. To create a new root user, create the entry in LDIF and add it by using the ldapmodify command. Note that the cn=config suffix is available only through the administration connector, and must therefore be accessed over SSL, via the administration port.
Root users automatically inherit the set of default root user privileges on the server. For information about adding or removing privileges for a specific root user, see To Change a Root User's Privileges.
The following LDIF file represents a new root user named “Administration Manager”. The entry is saved in a file named add-root-user.ldif.
dn: cn=MyRootUser,cn=Root DNs,cn=config
objectClass: inetOrgPerson
objectClass: person
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
userPassword: password
cn: MyRootUser
sn: MyRootUser
ds-cfg-alternate-bind-dn: cn=MyRootUser
givenName: Directory

$ ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -w password \
  --useSSL --defaultAdd --filename "add-root-user.ldif"
Processing ADD request for cn=MyRootUser,cn=Root DNs,cn=config
ADD operation successful for DN cn=MyRootUser,cn=Root DNs,cn=config
The following search lists the entries below cn=Root DNs,cn=config, including the new root user:
$ ldapsearch -p 4444 -b "cn=root DNs,cn=config" -D "cn=directory manager" -w password \
  --useSSL "objectclass=*" dn
dn: cn=Root DNs,cn=config

dn: cn=MyRootUser,cn=Root DNs,cn=config

dn: cn=Directory Manager,cn=Root DNs,cn=config
To change the new root user's password, use the ldappasswordmodify command, binding as that root user:
$ ldappasswordmodify -h localhost -p 4444 -D "cn=MyRootUser" -w password \
  --useSSL --newPasswordFile rootuser_pwd.txt
The LDAP password modify operation was successful
If you want to have a different set of privileges for a specific root user, add the ds-privilege-name attribute to that root user's entry.
The following example gives the root user "cn=MyRootUser,cn=Root DNs,cn=config" the ability to use proxied authorization. The example removes the ability to change user privileges or access the configuration. The minus sign before the privilege indicates that the privilege is being removed rather than granted.
dn: cn=MyRootUser,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth
ds-privilege-name: -config-read
ds-privilege-name: -config-write
In this example, the root user "cn=MyRootUser,cn=Root DNs,cn=config" would inherit all privileges automatically granted to root users with the exception of the config-read and config-write privileges. The user would also be given the proxied-auth privilege.
You can set resource limits for search operations by adding operational attributes to the entry of the user (that is, the client application) that binds to the server. The following resource limits are available:
Look-through limit. Specify the maximum number of entries that can be examined during a single search operation. Use the ds-rlim-lookthrough-limit operational attribute.
Size limit. Specify the maximum number of entries that can be returned in a single search operation. Use the ds-rlim-size-limit operational attribute.
Time limit. Specify the maximum length of time in seconds that the server can spend processing a search operation. Use the ds-rlim-time-limit operational attribute.
The following LDIF update statement sets resource limits for the new root user created in the previous section. This statement should be applied to the root user's entry.
dn: cn=MyRootUser,cn=Root DNs,cn=config
changetype: modify
add: ds-rlim-lookthrough-limit
ds-rlim-lookthrough-limit: 1000
-
add: ds-rlim-size-limit
ds-rlim-size-limit: 500
-
add: ds-rlim-time-limit
ds-rlim-time-limit: 300
To set a particular resource limit to unlimited, set the value of the corresponding attribute to 0 (zero).
When you set up replication servers using the graphical installer or the dsreplication command, you are prompted to set a user name and password for the Global Administrator. The Global Administrator is responsible for managing and maintaining administrative server domains in replicated environments.
The Global Administrator exists in the cn=Administrators,cn=admin data subtree. To view the Global Administrator entry, run the following ldapsearch command:
$ ldapsearch -h localhost -p 4444 -D "cn=Directory Manager" -w password \
  --useSSL -b "cn=Administrators,cn=admin data" -s sub "(objectclass=*)"
dn: cn=Administrators,cn=admin data
objectClass: top
objectClass: groupofurls
description: Group of identities which have full access.
cn: Administrators
memberURL: ldap:///cn=Administrators,cn=admin data??one?(objectclass=*)

dn: cn=admin,cn=Administrators,cn=admin data
objectClass: person
objectClass: top
userPassword: {SSHA}+ed1wbhcWjxtv2zJ6OHEA2TuE9n1qIJGnuR94w==
description: The Administrator that can manage all the OUD instances.
cn: admin
sn: admin
An administrator generally has broader rights and permissions than most users. You can create a number of administrators, with different access controls and resource limits.
For this example, the administrator being added has uid=Admin.Lab.
Since the group of administrators should have only a few users, you can create a static group. For more information, see Defining Static Groups. The following LDIF defines the group, with the administrator as its member:
dn: cn=Administrators,ou=People,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
member: uid=Admin.Lab,ou=People,dc=example,dc=com
cn: Administrator
For example, the following command would give the administrator the rights to perform backup and restore on the back end.
ldapmodify -h localhost -p 1389 -w password -D "cn=directory manager"
dn: uid=Admin.Lab,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
The procedure is similar to setting the resource limits for a root user. See Setting Root User Resource Limits.
You can assign root user privileges to an administrator or to a regular user.
For example, the command below changes the privileges for the administrator named Admin.Lab to have the same default privileges as a root user.
ldapmodify -h localhost -p 1389 -w password -D "cn=directory manager"
dn: uid=Admin.Lab,cn=Administrators,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: bypass-acl
ds-privilege-name: modify-acl
ds-privilege-name: config-read
ds-privilege-name: config-write
ds-privilege-name: ldif-import
ds-privilege-name: ldif-export
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: server-shutdown
ds-privilege-name: server-restart
ds-privilege-name: disconnect-client
ds-privilege-name: cancel-request
ds-privilege-name: password-reset
ds-privilege-name: update-schema
ds-privilege-name: privilege-change
ds-privilege-name: unindexed-search
Note - The privileges on the access controls bypass-acl and modify-acl should only be assigned to a restricted number of people. Assigning the rights to bypass or modify access controls to inexperienced users can be risky.
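As an added illustration (not part of the Oracle documentation and not Oracle code), the following Python script applies the privilege rules described in this section to an LDIF export and reports what each account can actually do: root users (entries with objectClass ds-cfg-root-dn-user) inherit the default root privileges, a ds-privilege-name value prefixed with a minus sign revokes one, regular users hold only what is explicitly granted, and a ds-rlim-* value of 0 means unlimited. The default privilege list is the one printed by get-root-dn-prop above. The sample LDIF is constructed to mirror the root user and administrator entries used in this section, the minimal LDIF parser is the example's own, and the SENSITIVE_PRIVILEGES set (bypass-acl and modify-acl from the note, plus privilege-change and proxied-auth) is an assumption of the example about which privileges are worth reviewing on any account that ends up holding them. Nothing is read from a live server.

```python
"""Added example, not Oracle's code: effective privileges of OUD accounts from an LDIF export.
Rules from this section: root users (objectClass ds-cfg-root-dn-user) inherit the default root
privileges, '-name' in ds-privilege-name revokes one, regular users hold only explicit grants,
and a ds-rlim-* value of 0 means unlimited. Nothing is read from a server."""
from typing import Dict, List, Set

# Default root privileges as printed by `dsconfig get-root-dn-prop` in this section.
DEFAULT_ROOT_PRIVILEGES = {
    "backend-backup", "backend-restore", "bypass-acl", "cancel-request",
    "config-read", "config-write", "disconnect-client", "ldif-export",
    "ldif-import", "modify-acl", "password-reset", "privilege-change",
    "server-restart", "server-shutdown", "unindexed-search", "update-schema",
}
# Assumption of this example: privileges that merit a review on any account holding them.
SENSITIVE_PRIVILEGES = {"bypass-acl", "modify-acl", "privilege-change", "proxied-auth"}
ROOT_OBJECTCLASS = "ds-cfg-root-dn-user"

# Constructed sample, shaped like an ldapsearch export of the entries used in this section.
SAMPLE_LDIF = """\
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user

dn: cn=MyRootUser,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
ds-privilege-name: proxied-auth
ds-privilege-name: -config-read
ds-privilege-name: -config-write
ds-rlim-lookthrough-limit: 1000
ds-rlim-size-limit: 500
ds-rlim-time-limit: 300

dn: uid=Admin.Lab,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore
ds-privilege-name: bypass-acl
ds-rlim-time-limit: 0
"""
Entry = Dict[str, List[str]]

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank lines separate entries, one 'attr: value' per line, a leading
    space continues the previous line, '#' starts a comment. Attribute names are lower-cased;
    base64 ('::') values are not decoded (none occur in the sample)."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def is_root_user(entry: Entry) -> bool:
    return ROOT_OBJECTCLASS in {oc.lower() for oc in entry.get("objectclass", [])}

def effective_privileges(entry: Entry) -> Set[str]:
    """Default set for root users, empty set otherwise, then the entry's own grants/revocations."""
    privs = set(DEFAULT_ROOT_PRIVILEGES) if is_root_user(entry) else set()
    for value in entry.get("ds-privilege-name", []):
        if value.startswith("-"):
            privs.discard(value[1:])  # '-name' removes an inherited or earlier-granted privilege
        else:
            privs.add(value)
    return privs

def resource_limits(entry: Entry) -> Dict[str, str]:
    """Per-entry search limits; a stored value of 0 is reported as unlimited."""
    limits: Dict[str, str] = {}
    for attr in ("ds-rlim-lookthrough-limit", "ds-rlim-size-limit", "ds-rlim-time-limit"):
        if attr in entry:
            value = int(entry[attr][0])
            limits[attr] = "unlimited" if value == 0 else str(value)
    return limits

def audit(text: str) -> Dict[str, dict]:
    """Map each DN to its account type, effective privileges, sensitive subset and limits."""
    report: Dict[str, dict] = {}
    for entry in parse_ldif(text):
        privs = effective_privileges(entry)
        report[entry["dn"][0]] = {"root": is_root_user(entry), "privileges": sorted(privs),
                                  "sensitive": sorted(privs & SENSITIVE_PRIVILEGES),
                                  "limits": resource_limits(entry)}
    return report

if __name__ == "__main__":
    for dn, info in audit(SAMPLE_LDIF).items():
        print(dn, "(root user)" if info["root"] else "(regular user)")
        print("  privileges:", ", ".join(info["privileges"]) or "(none)")
        print("  review:", ", ".join(info["sensitive"]) or "-", "| limits:", info["limits"])
```

Run against a real export (for example the output of the ldapsearch over cn=Root DNs,cn=config shown earlier, plus a search of the administrators' subtree), the report shows cn=MyRootUser keeping every default privilege except config-read and config-write while gaining proxied-auth, and shows that uid=Admin.Lab, a regular user, holds bypass-acl only because it was granted explicitly; both are the kind of result the note above asks you to keep to a small, known set of accounts.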