Posted to users@directory.apache.org by Tanja Ertl <Ta...@avid.com> on 2008/06/27 08:26:07 UTC

admin user

Hi,

 

I'm currently using Apache Directory 1.5.2 and I would like to change
the default admin user "uid=admin,ou=system". Is there a way to do this?

 

Thanks, 

Tanja 


RE: admin user

Posted by Tanja Ertl <Ta...@avid.com>.
Hi Emmanuel,

I have just created DIRSERVER-1191.

I tried to create another user and to give him the rights. I'm using the ACI mechanism. For my own partition it works fine, but when I try to use this user in Studio, I cannot browse the tree anymore; I see only the RootDSE, nothing more.
How can I grant permissions for this user on the system/schema tree? I tried to supply an administrativeRole and accessControlSubentry in the schema tree, but I got the error that this is not allowed here.

Thanks,
Tanja

-----Original Message-----
From: Emmanuel Lecharny [mailto:elecharny@gmail.com] On Behalf Of Emmanuel Lecharny
Sent: Friday, June 27, 2008 10:23 AM
To: users@directory.apache.org
Subject: Re: admin user

Tanja Ertl wrote:
> I would like to embed ApacheDirectory in another application which already has this concept of a root user, and I would like both to be the same.
>   
Makes sense.
> I can change it in 1.0.x versions, right? 
Sadly, not...
> At least the name is configurable via the spring configuration, I didn't try it.
>   
The fact that this uid=admin, ou=system appears in the Spring
configuration was a mistake, as it makes users think they can change it.
This is the reason why it's not present any more in the 1.5.2
configuration file.
> Is it at least possible to change the password for the admin in 1.5.2?
>   
Yes. Just use Studio to change it.

FYI, we have already had many discussions about what should be done
regarding the admin user. I would say that defining a configurable admin
user makes sense. I also would suggest that you fill a JIRA in order to
remind us to do it when we have a couple of days to deal with this issue.

Btw, why not consider creating another user which will be a kind of
admin? The current admin is mainly used the first time you launch the
server, in order to be able to 'bootstrap' the server, and also for
internal manipulation of data. As soon as you have created a new user and
assigned it the correct access, you will be all done.


-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: admin user

Posted by Harakiri <ha...@yahoo.com>.
Alternatively, you can already write an Interceptor which changes the lookup calls and disables access for the admin user.

The easiest solution would be something like this:

auth apache ds admin -> prohibit (should use custom one)

auth custom apache ds admin -> allow -> rewrite BIND username to real internal apache ds admin before passing it to the nexus / acl checks

It works fine this way; I have written a custom auth using an interceptor this way.

Impl. the following methods in an interceptor:
lookup
unbind

and look for ServerDNConstants.ADMIN_SYSTEM_DN and simply rewrite it.

There are a few catches to it, i.e. this interceptor needs to be the first in the chain of directoryService.getInterceptors().

If you don't put it at the first item in the chain you probably have to set anonymous access to true, because the lookup/bind call is already handled by the default acl interceptor, and then simply do any acl checks in your interceptor.

--- On Fri, 6/27/08, Emmanuel Lecharny <el...@apache.org> wrote:

> From: Emmanuel Lecharny <el...@apache.org>
> Subject: Re: admin user
> To: users@directory.apache.org
> Date: Friday, June 27, 2008, 4:23 AM
> Tanja Ertl wrote:
> > I would like to embed ApacheDirectory in another application which already has this concept of a root user, and I would like both to be the same.
> >
> Makes sense.
> > I can change it in 1.0.x versions, right?
> Sadly, not...
> > At least the name is configurable via the spring configuration, I didn't try it.
> >
> The fact that this uid=admin, ou=system appears in the Spring
> configuration was a mistake, as it makes users think they can change it.
> This is the reason why it's not present any more in the 1.5.2
> configuration file.
> > Is it at least possible to change the password for the admin in 1.5.2?
> >
> Yes. Just use Studio to change it.
>
> FYI, we have already had many discussions about what should be done
> regarding the admin user. I would say that defining a configurable admin
> user makes sense. I also would suggest that you fill a JIRA in order to
> remind us to do it when we have a couple of days to deal with this issue.
>
> Btw, why not consider creating another user which will be a kind of
> admin? The current admin is mainly used the first time you launch the
> server, in order to be able to 'bootstrap' the server, and also for
> internal manipulation of data. As soon as you have created a new user and
> assigned it the correct access, you will be all done.
> 
> 
> -- 
> --
> cordialement, regards,
> Emmanuel Lécharny
> www.iktek.com
> directory.apache.org


      

Re: admin user

Posted by Emmanuel Lecharny <el...@apache.org>.
Tanja Ertl wrote:
> I would like to embed ApacheDirectory in another application which already has this concept of a root user, and I would like both to be the same.
>   
Makes sense.
> I can change it in 1.0.x versions, right? 
Sadly, not...
> At least the name is configurable via the spring configuration, I didn't try it.
>   
The fact that this uid=admin, ou=system appears in the Spring
configuration was a mistake, as it makes users think they can change it.
This is the reason why it's not present any more in the 1.5.2
configuration file.
> Is it at least possible to change the password for the admin in 1.5.2?
>   
Yes. Just use Studio to change it.

FYI, we have already had many discussions about what should be done
regarding the admin user. I would say that defining a configurable admin
user makes sense. I also would suggest that you fill a JIRA in order to
remind us to do it when we have a couple of days to deal with this issue.

Btw, why not consider creating another user which will be a kind of
admin? The current admin is mainly used the first time you launch the
server, in order to be able to 'bootstrap' the server, and also for
internal manipulation of data. As soon as you have created a new user and
assigned it the correct access, you will be all done.


-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



RE: admin user

Posted by Tanja Ertl <Ta...@avid.com>.
I would like to embed ApacheDirectory in another application which already has this concept of a root user, and I would like both to be the same.

I can change it in 1.0.x versions, right? At least the name is configurable via the spring configuration, I didn't try it.
Is it at least possible to change the password for the admin in 1.5.2?

Thanks,
Tanja

-----Original Message-----
From: Emmanuel Lecharny [mailto:elecharny@gmail.com] On Behalf Of Emmanuel Lecharny
Sent: Friday, June 27, 2008 8:37 AM
To: users@directory.apache.org
Subject: Re: admin user

Tanja Ertl wrote:
> Hi,
>   
Hi,
>  
>
> I'm currently using Apache Directory 1.5.2 and I would like to change
> the default admin user "uid=admin,ou=system". Is there a way to do this?
>   
Currently, it is hard-wired. So no, you can't. Consider it to be the very
same as 'root' on unix or 'Administrator' on w$.

Any reason why you would like to change it ?

-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: admin user

Posted by Emmanuel Lecharny <el...@apache.org>.
Tanja Ertl wrote:
> Hi,
>   
Hi,
>  
>
> I'm currently using Apache Directory 1.5.2 and I would like to change
> the default admin user "uid=admin,ou=system". Is there a way to do this?
>   
Currently, it is hard-wired. So no, you can't. Consider it to be the very
same as 'root' on unix or 'Administrator' on w$.

Any reason why you would like to change it ?

-- 
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: admin user

Posted by Alex Karasulu <ak...@apache.org>.
Create a new user with the DN you prefer and add that user to the
administrators group under ou=groups,ou=system.  That new user then becomes
a super user just like the uid=admin,ou=system user.

Then just set the admin password to something no one knows.  This way you
can have multiple admin users and can track what each one does.

If this does not work let me know.

Alex

On Fri, Jun 27, 2008 at 2:26 AM, Tanja Ertl <Ta...@avid.com> wrote:

> Hi,
>
>
>
> I'm currently using Apache Directory 1.5.2 and I would like to change
> the default admin user "uid=admin,ou=system". Is there a way to do this?
>
>
>
> Thanks,
>
> Tanja
>
>
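
The steps described in the message above (a new user, membership in the administrators group, then an unknown password on uid=admin,ou=system), written as LDIF. This is an added example, not part of the original thread or of the ApacheDS project: the user DN uid=appadmin,ou=users,ou=system and both password values are hypothetical placeholders, and it assumes the group entry is cn=Administrators,ou=groups,ou=system holding uniqueMember values, as in a default ApacheDS installation.

```ldif
version: 1

# Step 1: create the replacement administrator.
# The DN is hypothetical; choose the one your application expects.
dn: uid=appadmin,ou=users,ou=system
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: appadmin
cn: Application Administrator
sn: Administrator
# Placeholder only: set a real credential at import time.
userPassword: PLACEHOLDER-SET-AT-IMPORT

# Step 2: add the new user to the administrators group under
# ou=groups,ou=system. Assumed default entry: a groupOfUniqueNames
# named cn=Administrators.
dn: cn=Administrators,ou=groups,ou=system
changetype: modify
add: uniqueMember
uniqueMember: uid=appadmin,ou=users,ou=system
-

# Step 3: replace the built-in admin password with a long random
# value that is generated once and not kept, so day-to-day
# administration happens under named accounts that can be told apart
# in logs. Do this last, and only after confirming that the new
# account can bind and administer the server.
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: PLACEHOLDER-LONG-RANDOM-VALUE
-
```

Import it while bound as uid=admin,ou=system (for example with Studio's LDIF import), and verify the new account before applying the third record.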