Restrict admin privileges to necessary personnel only.
389-AC-003 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-003 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-6, AC-6(5) |
| DISA SRG | SRG-APP-000033 |
Rationale
Excess administrators multiply the paths through which an attacker or malicious insider can gain full control of the directory and every system that trusts it for authentication or authorization. Each unnecessary privileged account is a persistent attack surface: credential theft, phishing, or privilege abuse by any one of them can result in complete directory compromise, including mass account takeover, credential exfiltration, or service disruption. The built-in cn=Directory Manager super-user bypasses all ACI controls entirely, making its unconstrained use especially dangerous. NIST AC-6 and AC-6(5) mandate the principle of least privilege and require that privileged access be restricted to the minimum set of personnel with a documented operational need; DISA SRG-APP-000033 codifies this for covered application deployments. See also 389-IAM-001, which addresses RootDN restriction in detail.
Check
List members of administrative groups to verify only authorized personnel hold elevated privileges.
```shell
ldapsearch -x -o ldif-wrap=no -D "cn=Directory Manager" -W \
  -b <suffix> \
  "(|(cn=Directory Administrators)(objectClass=groupOfNames))" member
```
Remediation
Remove unnecessary members from administrative groups and constrain the super-user (see 389-IAM-001).
```shell
# Review admin/privileged group membership from the check, then remove unnecessary members:
ldapmodify -x -D "cn=Directory Manager" -W <<'EOF'
dn: cn=Directory Administrators,<suffix>
changetype: modify
delete: member
member: <unneeded-admin-dn>
EOF
# also constrain cn=Directory Manager via the RootDN Access Control plugin (see 389-IAM-001)
```
References
Implementation Notes
The exact DN of the administrative group varies by deployment; common names include cn=Directory Administrators,<suffix> and cn=Administrators,<suffix>. Enumerate all groups and their ACIs with ldapsearch before making changes. Verify the list of current members, confirm each has a current business need, and remove stale or unnecessary entries one at a time using ldapmodify with delete: member. Refer to 389-IAM-001 to configure the RootDN Access Control plugin, which restricts cn=Directory Manager to specific source hosts and time windows. Document the approved membership roster and review it on a scheduled cadence (quarterly at minimum).
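The check and remediation above are a manual review loop: run the ldapsearch, compare members against the documented roster, and write one ldapmodify per stale member. The following script, added here as a worked example and not part of the 389-AC-003 control or the 389 Directory Server project, automates that loop offline. It parses the unwrapped LDIF that the check's ldapsearch prints (`-o ldif-wrap=no`), flags every member not on an approved roster, treats an administrative group with no documented roster as a finding in itself, and emits the LDIF the remediation's ldapmodify expects. The suffix dc=example,dc=com, the group and member DNs, and the `APPROVED` roster are constructed sample data; a real roster would be maintained outside the directory.

```python
"""Compare 389 DS admin-group membership against an approved roster.

Added example, not part of the 389-AC-003 control text. Group DNs,
member DNs and the roster below are constructed sample data.
"""
import base64
from collections import OrderedDict

# Constructed sample of what the check's ldapsearch (with -o ldif-wrap=no)
# prints for a deployment whose suffix is dc=example,dc=com.
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=Directory Administrators,dc=example,dc=com
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
member: uid=svc-backup,ou=Services,dc=example,dc=com

dn: cn=Helpdesk,ou=Groups,dc=example,dc=com
member: uid=carol,ou=People,dc=example,dc=com

# search result
"""

# Approved roster per group (assumption: kept outside the directory and
# reviewed on the cadence the control requires). Groups missing from the
# roster have no documented membership, so all their members are findings.
APPROVED = {
    "cn=Directory Administrators,dc=example,dc=com": {
        "uid=alice,ou=People,dc=example,dc=com",
    },
}


def parse_ldif_groups(ldif_text):
    """Return {group_dn: [member_dn, ...]} from unwrapped LDIF output.

    Handles both plain ('dn: ') and base64 ('dn:: ') encodings, which
    ldapsearch uses for values containing non-ASCII or leading spaces.
    """
    groups = OrderedDict()
    current = None
    for line in ldif_text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank lines separate entries; '#' lines are comments
        if line.startswith("dn:: "):
            current = base64.b64decode(line[5:]).decode("utf-8")
            groups[current] = []
        elif line.startswith("dn: "):
            current = line[4:].strip()
            groups[current] = []
        elif current is not None and line.startswith("member:: "):
            groups[current].append(base64.b64decode(line[9:]).decode("utf-8"))
        elif current is not None and line.startswith("member: "):
            groups[current].append(line[8:].strip())
    return groups


def find_unapproved(groups, approved):
    """Members present in the directory but absent from the roster.

    DNs are compared case-insensitively; a simplification, since full DN
    normalisation (RFC 4514) also covers spacing and attribute aliases.
    """
    findings = OrderedDict()
    for dn, members in groups.items():
        allowed = {a.lower() for a in approved.get(dn, set())}
        extra = [m for m in members if m.lower() not in allowed]
        if extra:
            findings[dn] = extra
    return findings


def removal_ldif(findings):
    """Build the change LDIF for the control's ldapmodify remediation.

    One change record per group; each 'delete: member' mod-spec is
    terminated by '-' as RFC 2849 requires when several are batched.
    """
    records = []
    for dn, members in findings.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for m in members:
            lines += ["delete: member", f"member: {m}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""


if __name__ == "__main__":
    found = find_unapproved(parse_ldif_groups(SAMPLE_LDIF), APPROVED)
    for dn, extra in found.items():
        print(f"{dn}: {len(extra)} member(s) not on the approved roster")
    print(removal_ldif(found))
```

In practice the LDIF would come from the check command's output (pipe it into the script or read it from a file) and the generated change LDIF would be reviewed before being fed to `ldapmodify -x -D "cn=Directory Manager" -W`. The script deliberately removes nothing itself; the "one at a time" discipline in the notes above is preserved by keeping the review step between generation and application.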