Bug
Resolution: Unresolved
Undefined
rhel-10.1, rhel-9.7
This is a request to add a "Directory Administrators" chapter in either the user_management_and_authentication or the securing_red_hat_directory_server guide.
We used to have a few mentions in the RHDS 11 configuration_command_and_file_reference guide:
2.2.1.2.1. Access Control for Configuration Entries
https://docs.redhat.com/en/documentation/red_hat_directory_server/11/html/configuration_command_and_file_reference/file_locations_overview#Accessing_and_Modifying_Server_Configuration
But as the "Directory Administrators" topic was probably not in the right place, it has been reduced in
There is a small mention of a demo LDIF file in
We may need to add a "Directory Administrators" chapter that provides more information and regroups the existing features that use dsidm, dsconf and ldapmodify.
RHDS has three related features available out of the box that relate to directory administrators:
- backup task:
Chapter 10. Enabling members of a group to back up Directory Server and performing the backup as one of the group members
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_enabling-members-of-a-group-to-back-up-directory-server-and-performing-the-backup-as-one-of-the-group-members_securing-rhds
- export task:
Chapter 11. Enabling members of a group to export data and performing the export as one of the group members
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_enabling-members-of-a-group-to-export-data-and-performing-the-export-as-one-of-the-group-members_securing-rhds
- password administrator role
Chapter 7. Assigning password administrator permissions
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/user_management_and_authentication/assembly_assigning-password-administrator-permissions
and add a reference to the example LDIF file that the 389-ds-base package ships in an RHDS installation, which shows what an ACI for a group of directory administrators can look like and how roles can be used:
/usr/share/dirsrv/data/Example-roles.ldif
( and /usr/share/dirsrv/data/Example-views.ldif )
dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example
...
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin role"; allow(all) roledn = "ldap:///cn=Directory Administrators,dc=example,dc=com";)
...

dn: cn=Resource Limits COS,dc=example,dc=com
objectclass: top
objectclass: ldapSubEntry
objectclass: cosSuperDefinition
objectclass: cosClassicDefinition
cosTemplateDn: cn=Resource Limits COS,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: nsLookThroughLimit operational
cosAttribute: nsSizeLimit operational
cosAttribute: nsTimeLimit operational
cosAttribute: nsIdleTimeout operational
cn: Resource Limits COS

dn: cn="cn=Directory Administrators,dc=example,dc=com",cn=Resource Limits COS,dc=example,dc=com
objectclass: top
objectclass: ldapSubEntry
objectclass: cosTemplate
cn: cn=Directory Administrators,dc=example,dc=com
cosPriority: 0
# Directory Administrators are not subject to any resource limits
nsLookThroughLimit: -1
nsSizeLimit: -1
nsTimeLimit: -1
nsIdleTimeout: -1

dn: cn=Directory Administrators,dc=example,dc=com
cn: Directory Administrators
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition
...

dn: uid=rdaugherty, ou=People, dc=example,dc=com
cn: Robert Daugherty
sn: Daugherty
givenname: Robert
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Sunnyvale
uid: rdaugherty
mail: rdaugherty@example.com
telephonenumber: +1 408 555 1296
facsimiletelephonenumber: +1 408 555 1992
roomnumber: 0194
userpassword: apples
manager: uid=trigden, ou=People, dc=example,dc=com
nsRoleDN: cn=Directory Administrators,dc=example,dc=com
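The security-relevant point in the excerpt above is the pairing of a managed role with an allow(all) ACI over targetattr "*" on the suffix: whoever holds cn=Directory Administrators in their own nsRoleDN attribute gets full rights on every entry, so nsRoleDN itself has to be protected from self-modification. The following is an added example (not code from 389-ds-base or the RHDS documentation) that models a small subset of ACI evaluation to make this visible: it parses the quoted ACI plus two assumed self-write ACIs, one with targetattr "*" and one with targetattr != "nsroledn || aci", and checks, against a constructed directory with the page's two users, who can write what. It supports only target, targetattr (with "||" and "!="), allow/deny with a rights list, and a single userdn/groupdn/roledn bind rule; roledn is resolved for managed roles only, i.e. from the bind entry's own nsRoleDN values. Filtered and nested roles, macro ACIs, bind-time conditions and proxy rights are out of scope.

```python
# Toy ACI evaluator for the bind rules in the ACI quoted above (added example,
# not 389-ds-base code). Directory contents and the self-write ACIs are constructed.
import re

ALL_RIGHTS = {"read", "write", "search", "compare", "add", "delete", "selfwrite"}  # "all" = everything except proxy
ROLE_DN = "cn=directory administrators,dc=example,dc=com"
ADMIN = "uid=rdaugherty,ou=people,dc=example,dc=com"
USER = "uid=trigden,ou=people,dc=example,dc=com"

# The ACI from Example-roles.ldif as quoted on the page.
ADMIN_ACI = ('(target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; '
             'acl "allow all Admin role"; allow(all) roledn = '
             '"ldap:///cn=Directory Administrators,dc=example,dc=com";)')
# Hypothetical self-write ACIs: the first also covers nsRoleDN, the second
# excludes nsRoleDN and aci, which is the usual hardening.
WEAK_SELF_WRITE = ('(targetattr = "*")(version 3.0; acl "self write"; '
                   'allow(write) userdn = "ldap:///self";)')
SAFE_SELF_WRITE = ('(targetattr != "nsroledn || aci")(version 3.0; acl "self write"; '
                   'allow(write) userdn = "ldap:///self";)')

def parse_aci(text):
    """Extract the components this evaluator understands; DNs and attribute names are lowercased."""
    m_target = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', text, re.I)
    m_attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]+)"\)', text, re.I)
    m_name = re.search(r'acl\s+"([^"]+)"', text, re.I)
    m_perm = re.search(r'\b(allow|deny)\s*\(([^)]*)\)\s*(userdn|groupdn|roledn)'
                       r'\s*=\s*"ldap:///([^"]+)"', text, re.I)
    if not (m_attr and m_name and m_perm):
        raise ValueError("unsupported ACI syntax: " + text)
    rights = {r.strip().lower() for r in m_perm.group(2).split(",")}
    return {
        "name": m_name.group(1),
        "target": m_target.group(1).lower() if m_target else None,
        "negate": m_attr.group(1) == "!=",
        "attrs": {a.strip().lower() for a in m_attr.group(2).split("||")},
        "effect": m_perm.group(1).lower(),
        "rights": ALL_RIGHTS if "all" in rights else rights,
        "bind_type": m_perm.group(3).lower(),
        "bind_value": m_perm.group(4).lower(),
    }

def build_entries(self_write_aci):
    """Constructed directory: the suffix entry carries the ACIs; one role member, one plain user."""
    return {
        "dc=example,dc=com": {"aci": [ADMIN_ACI, self_write_aci]},
        ADMIN: {"nsroledn": [ROLE_DN]},   # holds the managed role, as on the page
        USER: {},                         # no role
    }

def bind_rule_matches(aci, bind_dn, target_dn, entries):
    kind, value = aci["bind_type"], aci["bind_value"]
    if kind == "userdn":
        if value in ("all", "anyone"):    # any authenticated user / anyone at all
            return True
        if value == "self":
            return bind_dn == target_dn
        return bind_dn == value
    if kind == "groupdn":
        group = entries.get(value, {})
        return bind_dn in group.get("uniquemember", []) + group.get("member", [])
    # roledn, managed role: nsRole is computed from the bind entry's own nsRoleDN values
    return value in entries.get(bind_dn, {}).get("nsroledn", [])

def attr_matches(aci, attr):
    hit = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
    return not hit if aci["negate"] else hit

def is_allowed(entries, bind_dn, target_dn, attr, right):
    """Default deny; a matching deny wins over any matching allow, as in 389-ds."""
    allowed = False
    for placed_dn, entry in entries.items():
        for aci in map(parse_aci, entry.get("aci", [])):
            scope = aci["target"] or placed_dn   # an ACI covers its entry and the subtree below
            if not (target_dn == scope or target_dn.endswith("," + scope)):
                continue
            if (right in aci["rights"] and attr_matches(aci, attr)
                    and bind_rule_matches(aci, bind_dn, target_dn, entries)):
                if aci["effect"] == "deny":
                    return False
                allowed = True
    return allowed

def admin_can_write_any_entry(self_write_aci=SAFE_SELF_WRITE):
    """The role member gets allow(all) on the whole suffix, e.g. another user's password."""
    return is_allowed(build_entries(self_write_aci), ADMIN, USER, "userpassword", "write")

def user_can_join_admin_role(self_write_aci):
    """Can a plain user add the role DN to their own nsRoleDN under this self-write ACI?"""
    return is_allowed(build_entries(self_write_aci), USER, USER, "nsroledn", "write")

if __name__ == "__main__":
    print("role member writes another user's password:", admin_can_write_any_entry())
    print("weak self-write lets a user join the role:", user_can_join_admin_role(WEAK_SELF_WRITE))
    print("hardened self-write lets a user join the role:", user_can_join_admin_role(SAFE_SELF_WRITE))
```

The three results are True, True and False: with a self-write ACI over all attributes, an ordinary user can add cn=Directory Administrators to their own nsRoleDN and thereby obtain allow(all) on the suffix, whereas excluding nsroledn (and aci) from self-write closes that path. A "Directory Administrators" chapter should state this explicitly next to the role example, and the same check applies to group membership attributes when groupdn is used instead of roledn.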
Or we could even point out that RHEL IdM is much more feature-rich than RHDS when it comes to administrator groups and their management. RHEL IdM reference example:
Chapter 29. Delegating permissions to user groups to manage users using IdM WebUI
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/delegating-permissions-to-user-groups-to-manage-users-using-idm-webui_managing-users-groups-hosts