Simple password authentication offers an easy way of authenticating users. In password authentication, the user must supply a password for each server, and the administrator must keep track of the name and password for each user, typically on separate servers.
Figure 5–1 shows the steps involved in authenticating a client by using a name and password. The figure assumes the following points.
The user has already decided to trust the system, either without authentication, or on the basis of server authentication via SSL.
The user has requested a resource controlled by the server.
The server requires client authentication before permitting access to the requested resource.
In Figure 5–1, password authentication is performed in the following steps.
The user enters a name and password.
For the LDAP bind to Directory Server, the client application must bind with a Distinguished Name. Therefore the client application may use the name entered by the user to retrieve the DN.
The client sends the DN and password across the network.
The server determines whether the password sent from the client matches the password stored for the entry with the DN sent from the client.
If so, the server accepts the credentials as evidence authenticating the user identity.
The server determines whether the identified user is permitted to access the requested resource.
If so, the server allows the client to access the resource.
A password policy is a set of rules that govern how passwords are administered in a system. Directory Server supports multiple password policies. The password policy can be configured to suit the security requirements of your deployment.
Instances of Directory Server are created with a default password policy.
Directory Server provides the following password policies.
The default password policy is defined in the configuration entry cn=PasswordPolicy,cn=config. The default password policy applies to all accounts in the directory except for the directory manager.
The parameters of the default policy can be modified to override the default settings. However, because the default password policy is part of the configuration for the instance, modifications to the default password policy cannot be replicated.
A password policy can be configured for an individual user or for a set of users by using the CoS and roles features. However, specialized password policies cannot be applied to static groups.
A specialized password policy is defined in a subentry in the directory tree. Like the default password policy, the specialized password policy uses the pwdPolicy object class. For example, the following entry defines a specialized password policy:
dn: cn=TempPolicy,dc=example,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: LDAPsubentry
cn: TempPolicy
pwdCheckQuality: 2
pwdLockout: on
pwdLockoutDuration: 300
pwdMaxFailure: 3
pwdMustChange: on
A specialized password policy can be assigned to a single user account or can be assigned to a set of users by using roles. For example, in the following entry the password policy defined in cn=TempPolicy,dc=example,dc=com is assigned to the pwdPolicySubentry attribute of the user entry:
dn: uid=dmiller,ou=people,dc=example,dc=com
objectClass: person
objectClass: top
sn: miller
cn: david
userPassword: secret12
pwdPolicySubentry: cn=TempPolicy,dc=example,dc=com
When referenced by a user entry, a specialized password policy overrides the default password policy.
Because specialized password policies are defined in the directory data, they can be replicated.
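The following is an added example, not code from the Directory Server product or its documentation: a simplified model of the bind steps above combined with the lockout attributes of the TempPolicy entry (pwdLockout, pwdMaxFailure, pwdLockoutDuration), showing how a pwdPolicySubentry reference overrides the default policy for one user while another user stays on the default. The directory contents, the jdoe entry and the default policy values are constructed for illustration.

```python
# Simplified model of how a simple bind is evaluated against a password policy:
# resolve the entered name to a DN, pick the effective policy (a pwdPolicySubentry
# reference overrides the default cn=PasswordPolicy,cn=config), then apply
# pwdLockout / pwdMaxFailure / pwdLockoutDuration. Constructed data; this is not
# Directory Server's own implementation.
import hmac

DEFAULT_POLICY_DN = "cn=PasswordPolicy,cn=config"

POLICIES = {  # attribute values kept as strings, as they appear in LDIF
    DEFAULT_POLICY_DN: {"pwdLockout": "off", "pwdMaxFailure": "0", "pwdLockoutDuration": "0"},
    "cn=TempPolicy,dc=example,dc=com": {"pwdLockout": "on", "pwdMaxFailure": "3",
                                        "pwdLockoutDuration": "300"},
}
USERS = {  # constructed entries; dmiller references the page's TempPolicy
    "uid=dmiller,ou=people,dc=example,dc=com": {
        "uid": "dmiller", "userPassword": "secret12",
        "pwdPolicySubentry": "cn=TempPolicy,dc=example,dc=com"},
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe", "userPassword": "hunter2"},
}
STATE = {}  # per-DN failure counter and lockout timestamp (server-side state)

def resolve_dn(uid):
    """Step 2 on the page: the client maps the entered name to a bind DN."""
    return next((dn for dn, e in USERS.items() if e["uid"] == uid), None)

def effective_policy(dn):
    """A referenced specialized policy overrides the default policy."""
    return POLICIES[USERS[dn].get("pwdPolicySubentry", DEFAULT_POLICY_DN)]

def bind(uid, password, now):
    """Return the LDAP-style outcome of a simple bind attempted at time `now` (seconds)."""
    dn = resolve_dn(uid)
    if dn is None:
        return "invalidCredentials"  # unknown name and wrong password look alike
    pol = effective_policy(dn)
    st = STATE.setdefault(dn, {"failures": 0, "locked_at": None})
    lockout_on = pol["pwdLockout"] == "on"
    if lockout_on and st["locked_at"] is not None:
        if now - st["locked_at"] < int(pol["pwdLockoutDuration"]):
            return "accountLocked"  # still inside pwdLockoutDuration
        st["failures"], st["locked_at"] = 0, None  # lockout has expired
    if not hmac.compare_digest(USERS[dn]["userPassword"], password):
        st["failures"] += 1
        if lockout_on and st["failures"] >= int(pol["pwdMaxFailure"]):
            st["locked_at"] = now
        return "invalidCredentials"
    st["failures"] = 0  # a successful bind resets the failure counter
    return "success"
```

With TempPolicy in force, dmiller is locked after the third failure and stays locked for 300 seconds even when the correct password is supplied; jdoe, on the constructed default policy with pwdLockout off, is never locked.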
For information about how to configure password policy, see Chapter 7, Directory Server Password Policy, in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
For information about the attributes used to configure password policies, see the pwpolicy(5dssd) man page.