Sun Java System Directory Server Enterprise Edition 6.3 Evaluation Guide

Chapter 5 Enhanced Security

This chapter describes the features of DSEE that secure identity to the highest degree possible. This chapter covers the following topics:

Connection-Based Access Control

Directory Server enables you to use the host access control files hosts.allow and hosts.deny to specify the connection conditions under which clients can access the server. You can enable connection-based access control by using the dsconf command. Set the server property host-access-dir-path to the absolute path of the file system directory where the hosts.allow and hosts.deny files are located. See the server(5dsconf) and hosts_access(4) man pages for more information.

Connection-based access control can also be configured using ACIs. See ACI Bind Rules in Sun Java System Directory Server Enterprise Edition 6.3 Reference for background on ACI bind rules.
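The hosts.allow and hosts.deny files follow the hosts_access(4) evaluation order: a match in hosts.allow grants the connection, otherwise a match in hosts.deny refuses it, otherwise the connection is granted. The Python model below is an added example, not code from DSEE or from this guide; it reads two constructed files in that syntax and evaluates a client address against them the way hosts_access does. The daemon field is written as ALL because the page does not state the daemon name Directory Server matches against, and the EXCEPT operator and IPv6 literals are left out.

```python
import ipaddress

# Constructed sample files in hosts_access(4) syntax (not taken from the page).
# "ALL" in the daemon field is an assumption: the daemon name Directory
# Server matches against is not stated on the page.
HOSTS_ALLOW = """
# management station and the internal network may connect
ALL: 127.0.0.1, 10.0.0.0/255.255.0.0
# any host under the corporate domain, when reverse lookup succeeds
ALL: .corp.example.com
"""

HOSTS_DENY = """
# everything not listed in hosts.allow is refused
ALL: ALL
"""


def parse_hosts_access(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.
    The EXCEPT operator is not handled, and IPv6 literals (which contain ':')
    are out of scope for this model."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip, host):
    """Match one client pattern the way hosts_access(4) does (common subset)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # domain suffix, e.g. .corp.example.com
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                   # dotted address prefix, e.g. 10.0.
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask pair
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
        return ipaddress.ip_address(ip) in network
    return pattern in (ip, host)                # exact address or host name


def rule_matches(rule, daemon, ip, host):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, ip, host) for c in clients))


def connection_allowed(daemon, ip, host=None,
                       allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Evaluate in hosts_access(4) order: a match in hosts.allow grants access,
    otherwise a match in hosts.deny refuses it, otherwise access is granted.
    The final default is what matters operationally: an empty or missing
    hosts.deny leaves every unlisted client allowed."""
    if any(rule_matches(r, daemon, ip, host) for r in parse_hosts_access(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip, host) for r in parse_hosts_access(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for ip, host in [("10.0.5.7", None), ("192.0.2.10", None),
                     ("192.0.2.10", "ds1.corp.example.com")]:
        verdict = "allow" if connection_allowed("ALL", ip, host) else "deny"
        print(ip, host, "->", verdict)
```

The check worth running against your own files is the last one in the evaluator: with no catch-all entry such as ALL: ALL in hosts.deny, a client that matches neither file is still admitted, so an allow list alone does not restrict anything.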

New Password Policy

Directory Server Enterprise Edition implements a new password policy that provides the following new features:

In addition, the new password policy provides two new controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain the account status information on LDAP add, delete, modrdn, compare, and search operations. The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:

Managing the Password Policy Using the DSCC

The DSCC provides a tab for managing the password policies. You can use this tab to add new policies, assign a policy to Directory Server users, delete password policies, and change the password policy compatibility mode. The following figure illustrates this tab.

Password Policy tab of the DSCC.

When you define a new password policy, you use the New Password Policy wizard. It allows you to specify password change settings, expiration settings, and content settings. It also allows you to specify account lockout settings. The following figure illustrates step 2 of the New Password Policy wizard.

New Password Policy wizard in the DSCC.

Migrating to the New Password Policy

For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to any Directory Server 5 password policy attributes.

See New Password Policy in Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide for details on migrating to the new password policy.

Preventing Binds With No Password

Directory Server prevents authentication with a null password. All non-anonymous binds must therefore specify a password to bind to the directory. Otherwise, Directory Server returns an authentication error, LDAP_INAPPROPRIATE_AUTH.

You can disable this feature by setting the server property require-bind-pwd-enabled to off using the dsconf set-server-prop command.

The following command-line sequence walks you through a demonstration of this feature.

The default value of the Require Bind on Authentication feature is on. Check this by using the following command:

# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled  :  on

Authenticating with a null password results in the following error message:

# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
ldap_simple_bind: Inappropriate authentication
ldap_simple_bind: additional info: binds with a dn require a password

Note that this feature does not block anonymous binds:

# ldapsearch -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config

Disable this feature by setting it to off:

# dsconf set-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled:off
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled  :  off

This time authenticating with a null password succeeds:

# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config
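The sequence above shows the server side of the setting. The Python model below is an added example, not DSEE code or anything from this guide: it classifies a simple bind request into the three forms RFC 4513 defines (anonymous, unauthenticated, authenticated), applies the require-bind-pwd-enabled decision to the unauthenticated form, and then shows the application-side guard that keeps a login form safe whichever way the server is configured. The credential store, the password and the result-code constants' use here are constructed for the example; the DN cn=altrootdn is the one used on the page.

```python
# Simple-bind handling as described for Directory Server's
# require-bind-pwd-enabled property, modelled in Python (added example, not
# DSEE code). Result codes are the LDAP resultCode values from RFC 4511.
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48
LDAP_INVALID_CREDENTIALS = 49

# Constructed credential store: the DN appears on the page, the password is made up.
DIRECTORY = {"cn=altrootdn": "constructed-secret"}


def classify_simple_bind(dn, password, require_bind_pwd=True):
    """Return (resultCode, identity) for a simple bind request.

    RFC 4513 distinguishes three simple-bind forms: anonymous (no DN, no
    password), unauthenticated (a DN with an empty password) and authenticated
    (DN plus password). The unauthenticated form is the one that
    require-bind-pwd-enabled:on rejects with inappropriateAuthentication (48);
    with the property off it is accepted but grants only anonymous access.
    """
    if not dn and not password:
        return LDAP_SUCCESS, "anonymous"
    if dn and not password:
        if require_bind_pwd:
            return LDAP_INAPPROPRIATE_AUTH, None
        return LDAP_SUCCESS, "anonymous"      # the DN is not authenticated at all
    if not dn:
        # Password with no DN: rejected in this model (an assumption; the page
        # does not cover this form).
        return LDAP_INAPPROPRIATE_AUTH, None
    if DIRECTORY.get(dn) == password:
        return LDAP_SUCCESS, dn
    return LDAP_INVALID_CREDENTIALS, None


def authenticate_user(dn, password, bind=classify_simple_bind):
    """Application-side guard for login code that authenticates via LDAP bind.

    A login form that forwards an empty password to a server accepting
    unauthenticated binds gets resultCode 0 back and would treat the user as
    logged in. Refusing empty passwords before binding, and checking that the
    bound identity is the requested DN, closes that gap regardless of the
    server setting.
    """
    if not dn or not password:
        return False
    code, identity = bind(dn, password)
    return code == LDAP_SUCCESS and identity == dn


if __name__ == "__main__":
    for setting in (True, False):
        print("require-bind-pwd-enabled:", "on" if setting else "off",
              "->", classify_simple_bind("cn=altrootdn", "", setting))
```

The second test case in the model is the one to keep in mind when the property is turned off: the bind returns success, but the identity it establishes is anonymous, so any application that equates "bind succeeded" with "user authenticated" has to reject the empty password itself.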

For instructions on using the Directory Service Control Center to configure password policy, see the DSCC online help.

Forced Password Change After Reset

This new feature of Directory Server enables administrators to force regular system users to change their passwords after a password reset.

This feature is enabled by the pwd-must-change-enabled property. This property specifies whether a user must change the password on the first bind, or after the password has been set or reset. The feature is disabled by default.

You can enable this feature by selecting the Password Reset checkbox in the DSCC as illustrated in the following figure.

Password change section of the Password Policies tab in the DSCC.

To view the current policy for requiring password change after password reset, use the following command:

# dsconf get-server-prop -p 20390 pwd-must-change-enabled
pwd-must-change-enabled  :  off

Enable the policy that requires changing the password after a reset as follows:

# dsconf set-server-prop -p 20390 pwd-must-change-enabled:on

See Chapter 8, Directory Server Password Policy, in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide for instructions on configuring password policy using command-line tools. For instructions on using the Directory Service Control Center to configure password policy, open the DSCC online help.

Global Account Lockout

This version of DSEE enables global account lockout. When a user account is locked due to consecutive failures to bind, the user account is effectively locked across the entire collection of servers.

You can configure user account lockout using the DSCC as illustrated in the following figure.

Account lockout configuration in the New Password Policy wizard of the DSCC.

Directory Server now replicates account lockout data stored when a client application fails to authenticate to the server. When used together with the Directory Proxy Server capability to route binds appropriately, global account lockout can prevent a client application from gaining more than the number of tries you specify before being locked out across an entire directory service topology.

For more information, see Preventing Authentication by Using Global Account Lockout in Sun Java System Directory Server Enterprise Edition 6.3 Deployment Planning Guide.

Directory Manager Enhancements

Directory Server can be managed by directory administrators, who belong to the group cn=Administrators,cn=config. These users are subject to a special global ACI that gives them complete access to the directory. The default administrator created with each instance is cn=admin,cn=Administrators,cn=config.

Because these users have real entries, you can add certificates to their entries. This means that the administrator entry you create can bind using an SSL certificate. Furthermore, the server locks the administrative user out after too many failed bind attempts.

Simplified Password Updates With LDAP Extended Operations

Directory Server allows you to change expired passwords using the LDAP Password Modify Extended Operation specified in RFC 3062. The ldappasswd(1) command can be used to change expired passwords from the command line.

Tracking of Last Login Time

When you enable last login time tracking using the password policy attribute pwdKeepLastAuthTime(5dsat), Directory Server records the time of the last successful authentication in the operation attribute pwdLastAuthTime(5dsat) on the user entry.

Enhanced Auditing for Updates Performed Using Proxy Authorization

Directory Server now supports enhanced auditing for updates performed using proxy authorization. The server can log the identity authorized to perform an operation, rather than the identity that authenticated to Directory Server. When you set useAuthzIdForAuditAttrs on cn=config to on, the server records the authorization ID in the creatorsName or modifiersName attribute during a write operation on an entry. By default, Directory Server records the authentication ID.

ACI Performance Enhancements

Directory Server ACI processing has been enhanced to improve performance when one or both of the following are true:

Where to Go From Here

To read more about the features presented in this chapter, refer to the following documentation.

Feature / Documentation

Configuring a password policy using the command line
    Chapter 8, Directory Server Password Policy, in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Enabling global account lockout
    Preventing Authentication by Using Global Account Lockout in Sun Java System Directory Server Enterprise Edition 6.3 Deployment Planning Guide

Overview of the new password policy architecture
    New Password Policy in Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide

Migrating to the new password policy
    Password Policy Configuration Attributes in Sun Java System Directory Server Enterprise Edition 6.3 Migration Guide

Configuring connection-based access control with ACIs
    ACI Bind Rules in Sun Java System Directory Server Enterprise Edition 6.3 Reference