PingDirectory

Working with privileges

In addition to the access control implementation, the server includes a privilege subsystem that you can use to control what users are allowed to do.

The privilege subsystem works in conjunction with the access control subsystem: a privileged operation is permitted only if the access control configuration allows it and the requester also holds every privilege that the operation requires. Neither check substitutes for the other.

You can use privileges to grant normal users the ability to perform certain tasks that, in most other directories, would only be allowed for the root user. The capabilities given to root users in the server are all granted through privileges, so you can create a normal user account with the ability to perform the same actions as root users.

Administrators can also remove privileges from root users so that they are unable to perform certain types of operations. To restrict root users to only the tasks that they must perform, define multiple root users in the server with different sets of privileges.

Available privileges

The following privileges are defined in the server.

Summary of privileges

audit-data-security

This privilege is required to initiate a data security audit on the server, which is invoked by the audit-data-security tool.

backend-backup

This privilege is required to initiate an online backup through the tasks interface. The server’s access control configuration must also allow the user to add the corresponding entry in the tasks backend.

backend-restore

This privilege is required to initiate an online restore through the tasks interface. The server’s access control configuration must also allow the user to add the corresponding entry in the tasks backend.

bypass-acl

This privilege allows a user to bypass access control evaluation. For a user with this privilege, any access control determination made by the server immediately returns that the operation is allowed.

This does not bypass privilege evaluation, so the user must have the appropriate set of additional privileges to be able to perform any privileged operation. For example, a user with the bypass-acl privilege but without the config-read privilege is not allowed to access the server configuration.

bypass-pw-policy

This privilege allows a user entry to bypass password policy evaluation. This privilege is intended for cases where external synchronization might require passwords that violate the password validation rules. The privilege is also evaluated for bind operations, meaning password restrictions are also bypassed when binding as a user who has this privilege.

bypass-read-acl

This privilege allows the associated user to bypass access control checks performed by the server for bind, search, and compare operations. Access control evaluation can still be enforced for other types of operations.

config-read

This privilege is required for a user to access the server configuration. Access control evaluation is still performed and can be used to restrict the set of configuration objects that the user is allowed to see.

config-write

This privilege is required for a user to alter the server configuration. The user must also have the config-read privilege. Access control evaluation is still performed and can be used to restrict the set of configuration objects that the user is allowed to alter.

disconnect-client

This privilege is required for a user to request that an existing client connection be terminated. The connection is terminated through the disconnect client task. The server’s access control configuration must also allow the user to add the corresponding entry to the tasks backend.

jmx-notify

This privilege is required for a user to subscribe to Java Management Extensions (JMX) notifications generated by the server. The user is also required to have the jmx-read privilege.

jmx-read

This privilege is required for a user to access any information provided by the server through the JMX.

jmx-write

This privilege is required for a user to update any information exposed by the server through the JMX. The user is also required to have the jmx-read privilege.

Currently, all of the information exposed by the server over JMX is read-only.

ldif-export

This privilege is required to initiate an online LDIF export through the tasks interface. The server’s access control configuration must also allow the user to add the corresponding entry in the tasks backend. To allow access to the tasks backend, you can set up a global access control instruction (ACI) that allows access to members of an Administrators group.

ldif-import

This privilege is required to initiate an online LDIF import through the tasks interface. The server’s access control configuration must also allow the user to add the corresponding entry in the tasks backend. To allow access to the tasks backend, configure the global ACI as described in the previous description of the ldif-export privilege.

lockdown-mode

This privilege allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.

modify-acl

This privilege is required for a user to add, modify, or remove access control rules defined in the server. The server’s access control configuration must also allow the user to make the corresponding change to the aci operational attribute.

password-reset

This privilege is required for one user to be allowed to change another user’s password. It is not required for a user to change his or her own password. The server’s access control configuration must also allow the requester to write the userPassword attribute in the target entry.

privilege-change

This privilege is required for a user to change the set of privileges assigned to a user, including the set of privileges that are automatically granted to root users. The server’s access control configuration must also allow the user to make the corresponding change to the ds-privilege-name operational attribute.

proxied-auth

This privilege is required for a user to request that an operation be performed with an alternate authorization identity. This privilege bears some security risk, because it allows users to inherit the level of access of any user, including root users and administrators. Consider restricting proxy users as described in the section Restricting proxy users.

server-restart

This privilege is required to initiate a server restart through the tasks interface. The server’s access control configuration must also allow the user to add the corresponding entry in the tasks backend.

server-shutdown

This privilege is required to initiate a server shutdown through the tasks interface. The server’s access control configuration must also allow the user to add the corresponding entry in the tasks backend.

soft-delete-read

This privilege is required for a user to access a soft-deleted entry.

stream-values

This privilege is required for a user to perform a stream values extended operation, which obtains all entry distinguished names (DNs) and all values for one or more attributes for a specified portion of the directory information tree (DIT).

unindexed-search

This privilege is required for a user to perform a search in which the server cannot determine a reasonable set of candidate entries from the defined indexes and must instead traverse a significant portion of the database to identify matching entries. The server’s access control configuration must also allow the user to request the search.

update-schema

This privilege is required for a user to modify the server schema. The server’s access control configuration must allow the user to update the operational attributes that contain the schema elements.
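
The table above describes two checks that are applied independently, plus a few privileges that only work when another privilege is also held (config-write needs config-read; jmx-write and jmx-notify need jmx-read) and two privileges (bypass-acl, bypass-read-acl) that short-circuit the access control check without touching the privilege check. The following Python model is an added example, not PingDirectory code: it encodes those rules from the table so the interaction can be exercised on sample accounts. The operation labels and the `aci_allows` flag that stands in for real ACI evaluation are assumptions made for this example.

```python
"""Model of the two-part authorization decision described in the privilege table.

Constructed illustration, not PingDirectory code: the privilege-per-operation
map, prerequisite map and the aci_allows stand-in for ACI evaluation are
assumptions of this example; the rules themselves come from the table above.
"""
from __future__ import annotations

# Privilege required for each privileged operation (operation labels are
# names chosen for this example, not server identifiers).
REQUIRED_PRIVILEGE = {
    "read-config": "config-read",
    "write-config": "config-write",
    "reset-other-password": "password-reset",
    "change-privileges": "privilege-change",
    "proxied-auth": "proxied-auth",
    "jmx-write": "jmx-write",
    "jmx-notify": "jmx-notify",
    "unindexed-search": "unindexed-search",
    "online-backup": "backend-backup",
}

# Privileges that are only effective when another privilege is also held.
PREREQUISITE = {
    "config-write": "config-read",
    "jmx-write": "jmx-read",
    "jmx-notify": "jmx-read",
}

# LDAP operations whose access control check is satisfied by bypass-read-acl.
READ_OPERATIONS = {"bind", "search", "compare"}


def missing_privileges(operation: str, privileges: set[str]) -> list[str]:
    """Privileges the account lacks for this operation, prerequisites included.

    Ordinary operations (plain add/modify/search on user data) need no
    privilege at all and yield an empty list."""
    needed = REQUIRED_PRIVILEGE.get(operation)
    chain = []
    while needed is not None:
        chain.append(needed)
        needed = PREREQUISITE.get(needed)
    return [p for p in chain if p not in privileges]


def acl_permits(ldap_op: str, privileges: set[str], aci_allows: bool) -> bool:
    """Access control half of the decision.

    bypass-acl makes every access control determination return 'allowed';
    bypass-read-acl does so only for bind, search and compare. Otherwise the
    configured ACIs decide (aci_allows stands in for that evaluation)."""
    if "bypass-acl" in privileges:
        return True
    if "bypass-read-acl" in privileges and ldap_op in READ_OPERATIONS:
        return True
    return aci_allows


def authorize(operation: str, ldap_op: str, privileges: set[str],
              aci_allows: bool) -> tuple[bool, str]:
    """Both subsystems must agree: bypass-acl never satisfies a privilege check."""
    lacking = missing_privileges(operation, privileges)
    if lacking:
        return False, "missing privilege(s): " + ", ".join(lacking)
    if not acl_permits(ldap_op, privileges, aci_allows):
        return False, "denied by access control"
    return True, "allowed"


if __name__ == "__main__":
    # bypass-acl alone does not open the configuration (see bypass-acl above).
    print(authorize("read-config", "search", {"bypass-acl"}, aci_allows=False))
    # config-write without config-read is not enough.
    print(authorize("write-config", "modify", {"config-write"}, aci_allows=True))
```

The first call reports that config-read is missing even though the account bypasses access control, which is the point the bypass-acl entry makes; the second shows the prerequisite rule for config-write.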

Privileges automatically granted to root users

The special abilities that root users have are granted through privileges.

Root users receive privileges in two ways:

  • Every root user is automatically granted a configurable default set of privileges.

    To create a root user that does not receive this default set, include the ds-cfg-inherit-default-root-privileges attribute with a value of FALSE in that root user's entry.

  • Individual root users can be granted additional privileges, and individual automatically granted privileges can be removed from them.

The default-root-privilege-name property of the root distinguished name (DN) configuration object controls the set of privileges that are automatically granted to root users. By default, these privileges include:

  • audit-data-security

  • backend-backup

  • backend-restore

  • bypass-acl

  • config-read

  • config-write

  • disconnect-client

  • ldif-export

  • lockdown-mode

  • manage-topology

  • metrics-read

  • modify-acl

  • password-reset

  • permit-get-password-policy-state-issues

  • privilege-change

  • server-restart

  • server-shutdown

  • soft-delete-read

  • stream-values

  • unindexed-search

  • update-schema

The privileges not granted to root users by default include:

  • bypass-pw-policy

  • bypass-read-acl

  • jmx-read

  • jmx-write

  • jmx-notify

  • permit-externally-processed-authentication

  • permit-proxied-mschapv2-details

  • proxied-auth

You can change the set of default root privileges to add or remove values as necessary. This requires the config-read, config-write, and privilege-change privileges, and either the bypass-acl privilege or sufficient permission granted by the access control configuration to change the server’s configuration.

Assigning additional privileges for administrators

Steps

  • To allow access to the tasks backend, set up a global access control instruction (ACI) using dsconfig that allows access to members of an Administrators group. This satisfies the access control half of the check only; the members of the group still need the privilege for each task they invoke (backend-backup, ldif-export, server-restart, and so on), assigned as described in the next section.

    Example:

    $ dsconfig set-access-control-handler-prop \
      --add 'global-aci:(target="ldap:///cn=tasks")(targetattr="*||+")
             (version 3.0; acl "Access to the tasks backend for administrators";
             allow (all) groupdn="ldap:///cn=admins,ou=groups,dc=example,dc=com";)'

Assigning privileges to normal users and individual root users

You can grant privileges to normal users on an individual basis.

Add the ds-privilege-name operational attribute to the user’s entry with the names of the desired privileges. For example, the following change grants the proxied-auth privilege to the uid=proxy,dc=example,dc=com account.

dn: uid=proxy,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

The user making this change must have the privilege-change privilege, and the server’s access control configuration must also allow the requester to write to the ds-privilege-name attribute in the target user’s entry.

You can use the same method to grant root users privileges that aren’t included in the set of default root privileges. You can also remove default root privileges from root users by prefixing the name of the privilege to remove with a minus sign. For example, the following change grants a root user the jmx-read privilege in addition to the set of default root privileges and removes the server-restart and server-shutdown privileges.

dn: cn=Sync Root User,cn=Root DNs,cn=config
changetype: modify
add: ds-privilege-name
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown

Because root user entries exist in the configuration, this update requires the config-read and config-write privileges in addition to the privilege-change privilege.

Disabling privileges

Although the privilege subsystem in the server is a powerful feature, it might break some applications if they expect to perform an operation requiring a privilege that they do not have.

In the majority of these cases, you can assign the necessary privilege manually to the account used by that application. If that workaround isn’t sufficient, or if you want to remove a particular privilege check entirely, for example to allow anyone to read information through Java Management Extensions (JMX) without requiring the jmx-read privilege, you can disable privileges on an individual basis.

The disabled-privilege property in the global configuration object controls the set of disabled privileges. By default, no privileges are disabled. If a privilege is disabled, the server behaves as if all users have that privilege, so disabling a privilege such as bypass-acl, privilege-change, or proxied-auth removes that check for every user. Prefer granting the privilege to the specific account that needs it.
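
The three preceding sections (default root privileges and inheritance, the minus-sign prefix on ds-privilege-name, and disabled privileges) together determine what an account can actually do. The following Python script is an added example, not PingDirectory code: it reads entries from an LDIF export, applies those documented rules, and reports who effectively holds each privilege, which is the check a reviewer wants before trusting a directory's privilege configuration. The sample LDIF is constructed for this example; the default root privilege list is the one documented above, and the root DN suffix check and the minimal LDIF reader are simplifications made here.

```python
"""Audit effective privileges from an LDIF export.

Constructed example, not PingDirectory code. Rules applied, all from the
text above: root users under cn=Root DNs,cn=config inherit the default root
privileges unless ds-cfg-inherit-default-root-privileges is FALSE; a
ds-privilege-name value prefixed with '-' removes an inherited privilege;
a disabled privilege behaves as if every user holds it.
"""
from __future__ import annotations

DEFAULT_ROOT_PRIVILEGES = frozenset({
    "audit-data-security", "backend-backup", "backend-restore", "bypass-acl",
    "config-read", "config-write", "disconnect-client", "ldif-export",
    "lockdown-mode", "manage-topology", "metrics-read", "modify-acl",
    "password-reset", "permit-get-password-policy-state-issues",
    "privilege-change", "server-restart", "server-shutdown", "soft-delete-read",
    "stream-values", "unindexed-search", "update-schema",
})

ROOT_DN_SUFFIX = "cn=root dns,cn=config"  # simplification: root users live here

# Constructed sample export: a root user adjusting the defaults, a root user
# opting out of inheritance, and a normal user with one privilege.
SAMPLE_LDIF = """\
dn: cn=Sync Root User,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: Sync Root User
ds-privilege-name: jmx-read
ds-privilege-name: -server-restart
ds-privilege-name: -server-shutdown

dn: cn=Limited Root,cn=Root DNs,cn=config
objectClass: ds-cfg-root-dn-user
cn: Limited Root
ds-cfg-inherit-default-root-privileges: FALSE
ds-privilege-name: config-read
ds-privilege-name: backend-backup

dn: uid=proxy,dc=example,dc=com
objectClass: inetOrgPerson
uid: proxy
ds-privilege-name: proxied-auth
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: values grouped per entry, attribute names lower-cased.
    Handles blank-line separators and folded continuation lines (leading space);
    base64 (::) and URL (:<) values are out of scope for this example."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]          # folded continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        current.setdefault(name, []).append(value.strip())
        last = name
    return entries


def effective_privileges(entry: dict[str, list[str]],
                         disabled: frozenset[str] = frozenset()) -> set[str]:
    """Apply the documented rules to one entry."""
    dn = entry["dn"][0]
    is_root = dn.lower().endswith(ROOT_DN_SUFFIX)
    inherit = entry.get("ds-cfg-inherit-default-root-privileges", ["TRUE"])[0].upper() != "FALSE"
    privs = set(DEFAULT_ROOT_PRIVILEGES) if is_root and inherit else set()
    for value in entry.get("ds-privilege-name", []):
        if value.startswith("-"):
            privs.discard(value[1:])              # '-' removes an inherited privilege
        else:
            privs.add(value)
    return privs | set(disabled)                  # disabled = held by everyone


def audit(ldif_text: str, disabled: frozenset[str] = frozenset()) -> dict[str, set[str]]:
    """Map each DN in the export to its effective privilege set."""
    return {e["dn"][0]: effective_privileges(e, disabled) for e in parse_ldif(ldif_text)}


def holders_of(privilege: str, report: dict[str, set[str]]) -> list[str]:
    """DNs that effectively hold a privilege, e.g. who can bypass ACLs or proxy."""
    return sorted(dn for dn, privs in report.items() if privilege in privs)


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    for dn, privs in report.items():
        print(dn, "->", ", ".join(sorted(privs)))
    for sensitive in ("bypass-acl", "privilege-change", "proxied-auth"):
        print(sensitive, "holders:", holders_of(sensitive, report))
```

Running the audit a second time with `disabled=frozenset({"jmx-read"})` shows every entry gaining jmx-read, which is why disabling a privilege is a global decision rather than a per-account one.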