Enforce additional controls for privileged accounts (admins).
389-IAM-001 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-IAM-001 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AC-2, AC-6, AC-6(5) |
| DISA SRG | SRG-APP-000148, SRG-APP-000023 |
## Rationale
The cn=Directory Manager account (the nsslapd-rootdn) is the unconditional super-user of 389DS: it bypasses all ACIs by design, so whoever holds its credential has unrestricted read, write and delete access to every entry, attribute and configuration object in the directory. Unlike ordinary directory accounts it cannot be constrained by ACIs, and it is exempt from password policy and account lockout; the host, IP, time-of-day and day-of-week restrictions enforced by the RootDN Access Control plugin are the only built-in layer of defence. An attacker who obtains this credential can, outside business hours or from an unexpected network location, silently exfiltrate the entire user base, reset passwords or implant backdoor accounts before anyone notices. Restricting binds to specific administrative hosts (jump servers, management VLANs) and to defined maintenance windows shrinks the attacker's window of opportunity and makes anomalous bind attempts stand out in the access log. This control directly supports AC-2 (Account Management), AC-6 (Least Privilege) and AC-6(5) (Privileged Accounts) by giving the most powerful credential in the deployment the tightest access envelope possible.
## Check

Inspect the RootDN Access Control plugin configuration to confirm that the plugin is enabled (nsslapd-pluginEnabled: on) and that host or IP allow rules, a time-of-day window and a day-of-week list are applied to Directory Manager binds. Rules present on a disabled plugin restrict nothing.

```
dsconf <instance> plugin root-dn show
```
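The following audit helper is an added example for this check; it is not part of 389DS, lib389 or the original control text. It takes the plugin entry as LDIF and prints one finding per gap against the control (plugin disabled, no allow rule, incomplete or inverted time window, no day restriction), which also catches the "rules set but plugin never enabled" state described under Implementation Notes. The ldapsearch invocation and LDAPI socket path in the header assume a default instance layout, and the sample entries are constructed for the example rather than captured from a server.

```shell
#!/bin/sh
# Audit helper for 389-IAM-001 (added example; not part of 389DS, lib389 or the
# original control text). It reads the LDIF of the RootDN Access Control plugin
# entry and prints one FINDING line per gap against the control: plugin not
# enabled, no allow-host/allow-ip rule, incomplete or inverted time window, or
# no day-of-week restriction. Sample entries at the bottom are constructed for
# this example, not captured from a live server.
#
# Live use (LDAPI as root; ldif-wrap=no keeps each attribute on one line, which
# the parser below relies on):
#   check_rootdn_ac "$(ldapsearch -LLL -o ldif-wrap=no \
#       -H ldapi://%2frun%2fslapd-<instance>.socket -Y EXTERNAL \
#       -b 'cn=RootDN Access Control,cn=plugins,cn=config')"

# ldif_attr ATTR: print every value of ATTR from the LDIF on stdin.
# Attribute names are compared case-insensitively, as LDAP does.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            i = index($0, ":"); if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) != want) next
            val = substr($0, i + 1); sub(/^ +/, "", val); print val
        }'
}

# is_hhmm VALUE: succeed only for a 4-digit 24-hour time (0000-2359).
is_hhmm() {
    printf '%s\n' "$1" | awk '{ exit !($0 ~ /^[0-9][0-9][0-9][0-9]$/ &&
                                       substr($0, 1, 2) + 0 < 24 &&
                                       substr($0, 3, 2) + 0 < 60) }'
}

# check_rootdn_ac LDIF: print findings; return 0 only when there are none.
check_rootdn_ac() {
    ldif=$1
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    enabled=$(printf '%s\n' "$ldif" | ldif_attr nsslapd-pluginEnabled | tr 'A-Z' 'a-z')
    [ "$enabled" = "on" ] ||
        note "plugin not enabled (nsslapd-pluginEnabled=${enabled:-unset}); its rules are inert"

    hosts=$(printf '%s\n' "$ldif" | ldif_attr rootdn-allow-host)
    ips=$(printf '%s\n' "$ldif" | ldif_attr rootdn-allow-ip)
    [ -n "$hosts$ips" ] ||
        note "no rootdn-allow-host or rootdn-allow-ip: Directory Manager may bind from anywhere"

    open=$(printf '%s\n' "$ldif" | ldif_attr rootdn-open-time)
    close=$(printf '%s\n' "$ldif" | ldif_attr rootdn-close-time)
    if [ -z "$open" ] || [ -z "$close" ]; then
        note "time window incomplete (open=${open:-unset} close=${close:-unset})"
    elif ! is_hhmm "$open" || ! is_hhmm "$close"; then
        note "time values must be HHMM (open=$open close=$close)"
    elif ! awk -v o="$open" -v c="$close" 'BEGIN { exit !(o + 0 < c + 0) }'; then
        note "open-time $open is not before close-time $close"
    fi

    [ -n "$(printf '%s\n' "$ldif" | ldif_attr rootdn-days-allowed)" ] ||
        note "rootdn-days-allowed unset: binds permitted on every day of the week"

    [ "$findings" -eq 0 ]
}

# Constructed samples (real entries also carry nsslapd-pluginPath and similar
# bookkeeping attributes, which the checks ignore).
LDIF_COMPLIANT='dn: cn=RootDN Access Control,cn=plugins,cn=config
cn: RootDN Access Control
nsslapd-pluginEnabled: on
rootdn-allow-host: jump01.example.com
rootdn-allow-ip: 10.20.30.*
rootdn-open-time: 0700
rootdn-close-time: 1800
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri'

# Rules were set but the plugin was never enabled and no allow rule exists: 2 findings.
LDIF_INERT='dn: cn=RootDN Access Control,cn=plugins,cn=config
cn: RootDN Access Control
nsslapd-pluginEnabled: off
rootdn-open-time: 0700
rootdn-close-time: 1800
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri'

# Open and close swapped: 1 finding.
LDIF_INVERTED='dn: cn=RootDN Access Control,cn=plugins,cn=config
cn: RootDN Access Control
nsslapd-pluginEnabled: on
rootdn-allow-host: jump01.example.com
rootdn-open-time: 1800
rootdn-close-time: 0700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri'

for name in LDIF_COMPLIANT LDIF_INERT LDIF_INVERTED; do
    eval "sample=\$$name"
    if check_rootdn_ac "$sample"; then echo "$name: PASS"; else echo "$name: FAIL"; fi
done
```

The helper deliberately treats a disabled plugin as a finding even when every rule is present, because that is the state an operator is most likely to leave behind after running `set` without `enable`. It expects one attribute per line, so feed it unwrapped LDIF (the `-o ldif-wrap=no` option shown in the header).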
## Remediation
Enable the RootDN Access Control plugin and configure host/time restrictions that limit when and where cn=Directory Manager can bind.
```
# Set the rules first, then enable the plugin; the restart is required for the
# plugin to load and start enforcing.
dsconf <instance> plugin root-dn set --allow-host "<admin_host>" --open-time 0700 --close-time 1800 --days-allowed "Mon, Tue, Wed, Thu, Fri"
dsconf <instance> plugin root-dn enable
dsctl <instance> restart
```
## References

## Implementation Notes
The RootDN Access Control plugin's rules are inert until the plugin itself is enabled (dsconf <instance> plugin root-dn enable) and the instance restarted; if `dsconf <instance> plugin root-dn show` reports nsslapd-pluginEnabled: off, no restriction is in force regardless of the rules listed. Before enabling, verify that the --allow-host or --allow-ip values cover every administrative path you require (jump host, management subnet, the host from which dsconf is normally run). An overly narrow allowlist locks out the Directory Manager itself; recovery means stopping the instance (dsctl <instance> stop), editing /etc/dirsrv/slapd-<instance>/dse.ldif to set nsslapd-pluginEnabled: off on the entry cn=RootDN Access Control,cn=plugins,cn=config, and starting it again. The plugin governs only the root DN (nsslapd-rootdn); other privileged accounts remain subject to ACIs and are unaffected by it.

Time values are 4-digit 24-hour strings (HHMM, e.g. 0700 and 1800) interpreted in the server's local time zone. --allow-host is matched against the name the server obtains by resolving the client's address (wildcards such as *.example.com are accepted), so use --allow-ip instead if reverse DNS is not reliably available to the LDAP server. Pair with 389-AC-003 (anonymous bind restrictions) so that the host controls are not sidestepped via unauthenticated access paths.