directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Harakiri <harakiri...@yahoo.com>
Subject Re: admin user
Date Mon, 30 Jun 2008 17:53:24 GMT
Alternativly, you can already write an Interceptor which changes the lookup calls and disables
access for the admin user. 

The easiest solution would be something like this :

auth apache ds admin -> prohibit (should use custom one)

auth custom apache ds admin -> allow -> rewrite BIND username to real internal apache
ds admin before passing it to the nexus / acl checks

it works fine this way, i have written a custom auth using an interceptor this way

impl. the following methods in an interceptor:
lookup
unbind

and look for ServerDNConstants.ADMIN_SYSTEM_DN and simply rewrite it

there are a few catches to it - i.e. this interceptor needs to be the first in the chain of
directoryService.getInterceptors()

if you dont put it at the first item in the chain you probably have to set anonymous access
to true because the lookup/bind call is already handled by the default acl interceptor and
then simply do any acl checks in your interceptor

--- On Fri, 6/27/08, Emmanuel Lecharny <elecharny@apache.org> wrote:

> From: Emmanuel Lecharny <elecharny@apache.org>
> Subject: Re: admin user
> To: users@directory.apache.org
> Date: Friday, June 27, 2008, 4:23 AM
> Tanja Ertl wrote:
> > I would like to embedd ApacheDirectory in another
> application which has already this concept of a root user
> and I would like to be both the same.
> >   
> Makes sense.
> > I can change it in 1.0.x versions, right? 
> Sadly, not...
> > At least the name is configurable via the spring
> configuration, I didn't try it.
> >   
> The fact is that this uid=admin, ou=system appears in the
> Spring 
> configuration was a mistake, as it make users think they
> can change it. 
> This is the reason why its not any more present in the
> 1.5.2 
> configuration file.
> > Is it at least possible to change the password for the
> admin in 1.5.2?
> >   
> Yes. Just use Studio to change it.
> 
> FYI, we have already had many discussion about what should
> be done 
> regarding the admin user. I would say that defining a
> configurable admin 
> user make sense. I also would suggest that you fill a JIRA
> in order to 
> remind us to do it when we have a couple of days to deal
> with this issue.
> 
> Btw, why not considering creating another user which will
> be a kind of 
> admin ? The current admin is mainly used the first time you
> launch the 
> server, in order to be able to 'bootstrap' the
> server, and also for 
> internal manipulation of data. As soon as you have created
> a new user, 
> assigned it the correct access, then you will be all done.
> 
> 
> -- 
> --
> cordialement, regards,
> Emmanuel L├ęcharny
> www.iktek.com
> directory.apache.org


      

Mime
View raw message