Securing the Server with lockdown mode
The PingDirectory server provides tools to enter and leave lockdown mode if the server requires a security lockdown.
About this task
In lockdown mode, only users with the lockdown-mode
privilege can perform operations Users who do not have the privilege are rejected. By default, root users have this privilege. You can give other administrators this privilege. Users with this privilege can configure lockdown mode as a recurring task.
Some configuration problems can lead to inadvertent exposure of sensitive information, such as an access control rule that cannot be properly parsed, and cause the server to place itself in lockdown mode. This ensures that an administrator can manually correct the problem. Lockdown mode does not persist across restarts.
Steps
-
To perform some administrative operations and ensure that other client requests are not allowed to access any data in the server, manually place the server into lockdown mode.
Result:
Any client request to the PingDirectory server in lockdown mode receives an
Unavailable
response. -
To take the PingDirectory server out of lockdown mode, use either of the following options:
-
Use the
leave-lockdown-mode
command. -
Restart the server.
-
-
To start a server in lockdown mode, use the
start-server
--lockdownMode
option.
Entering lockdown mode manually
Steps
-
To enter lockdown mode, run
enter-lockdown-mode
.Example:
$ bin/enter-lockdown-mode