This chapter describes the features of DSEE that secure identity to the highest degree possible. This chapter covers the following topics:
Directory Server enables you to use the host access control files hosts.allow and hosts.deny to specify the connection conditions for access to the server. You can enable connection-based access control by using the dsconf command. Set the server property host-access-dir-path to the absolute path of the file system directory where the hosts.allow and hosts.deny files are located. See the server(5dsconf) and hosts_access(4) man pages for more information.
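The decision order that hosts_access(4) applies to the two files, as an added example in Python (not DSEE code and not from its documentation): a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and anything matched by neither file is allowed. The supported pattern subset, the sample file contents and the daemon name "slapd" are assumptions of this example; the chapter does not state which daemon name Directory Server matches against.

```python
"""Evaluate hosts.allow / hosts.deny the way hosts_access(4) does.

Added example, not DSEE product code.  Pattern subset handled (an
assumption of this example, not the full hosts_access grammar): ALL, an
exact IPv4 address, a dotted prefix such as 192.0.2., net/mask in both
198.51.100.0/255.255.255.0 and 198.51.100.0/24 forms, and EXCEPT within a
client list.  The daemon name "slapd" is a placeholder; the chapter does not
say which name Directory Server matches.
"""
import ipaddress

# Constructed sample files for this example, not taken from any deployment.
HOSTS_ALLOW = """\
# admin workstation plus the application subnet, minus one quarantined host
slapd : 192.0.2.10, 198.51.100.0/255.255.255.0 EXCEPT 198.51.100.99
"""
HOSTS_DENY = """\
slapd : ALL
"""


def match_client(pattern: str, client: str) -> bool:
    """Does one client pattern match the IPv4 address `client`?"""
    pattern = pattern.strip()
    addr = ipaddress.IPv4Address(client)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # dotted prefix, e.g. 192.0.2.
        return client.startswith(pattern)
    if "/" in pattern:                        # net/mask or net/prefixlen
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def match_list(client_list: str, client: str) -> bool:
    """Match a client list; 'A EXCEPT B' matches A but not B."""
    if " EXCEPT " in client_list:
        head, tail = client_list.split(" EXCEPT ", 1)
        return match_list(head, client) and not match_list(tail, client)
    return any(match_client(p, client)
               for p in client_list.replace(",", " ").split())


def file_matches(text: str, daemon: str, client: str) -> bool:
    """True if any 'daemon_list : client_list' line in text matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if any(d.strip() in ("ALL", daemon) for d in daemons.split(",")) \
                and match_list(clients.strip(), client):
            return True
    return False


def access_decision(daemon: str, client: str,
                    allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> str:
    """hosts_access order: hosts.allow first, then hosts.deny, default allow."""
    if file_matches(allow, daemon, client):
        return "allow"
    if file_matches(deny, daemon, client):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "198.51.100.99", "203.0.113.5"):
        print(f"slapd from {ip}: {access_decision('slapd', ip)}")
    # a daemon name absent from both files is allowed by default
    print("otherd from 203.0.113.5:", access_decision("otherd", "203.0.113.5"))
```

The last case in the usage block is the one to keep in mind when reviewing a deployment: a daemon or client that neither file mentions is allowed, so a hosts.deny entry of the form `daemon : ALL` is what turns the allow list into an actual allow list.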
Connection-based access control can also be configured using ACIs. See ACI Bind Rules in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition for background on ACI bind rules.
Directory Server Enterprise Edition password policy provides the following features:
A grace login limit, specified by the pwdGraceLoginLimit attribute. This attribute specifies the number of times that an expired password can be used to authenticate. If the attribute is not present or if it is set to 0, authentication will fail.
Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.
In addition, the password policy provides two controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain the account status information on LDAP add, delete, modrdn, compare, and search operations. The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:
Period of time before the password expires
Number of grace login attempts remaining
The password has expired
The account is locked
The password must be changed after being reset
Password modifications are allowed
The user must supply his/her old password
The password quality (syntax) is insufficient
The password is too short
The password is too young
The password already exists in history
The DSCC provides a tab for managing the password policies. You can use this tab to add new policies, assign a policy to Directory Server users, delete password policies, and change the password policy compatibility mode. The following figure illustrates this tab.
When you define a new password policy, you use the New Password Policy wizard. It allows you to specify password change settings, expiration settings, and content settings. It also allows you to specify account lockout settings. The following figure illustrates step 2 of the New Password Policy wizard.
For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to any Directory Server 5.2 or 5.2.x password policy attributes.
See Password Policy in Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Directory Server Enterprise Edition for details on migrating to the new password policy.
This feature of Directory Server enables administrators to force regular system users to change their passwords after a password reset.
This feature is enabled by the pwd-must-change-enabled property. This property specifies whether a user must change the password when he first binds or after the password has been set or reset. The feature is disabled by default.
When a user account is locked due to consecutive failures to bind, the user account is effectively locked across the entire collection of servers.
You can configure user account lockout using the DSCC as illustrated in the following figure.
Directory Server now replicates account lockout data stored when a client application fails to authenticate to the server. When used together with the Directory Proxy Server capability to route binds appropriately, global account lockout can prevent a client application from gaining more than the number of tries you specify before being locked out across an entire directory service topology.
Directory Server can be managed by directory administrators, who belong to the group cn=Administrators,cn=config. These users are subject to a special global ACI that gives them complete access to the directory. The default administrator created with each instance is cn=admin,cn=Administrators,cn=config.
Because these users have real entries, you can add certificates to their entries. This means that the administrator entry you create can bind using an SSL certificate. Furthermore, the server locks the administrative user out after too many failed bind attempts.
Directory Server allows you to change expired passwords using the LDAP Password Modify Extended Operation specified in RFC 3062. The ldappasswd(1) command can be used to change expired passwords from the command line.
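Two of the wire-level messages described in this chapter, as one added example in Python (not DSEE product code and not from its documentation): decoding the passwordPolicyResponse control value, whose warning and error fields carry the account states listed earlier under the password policy controls, and building the RFC 3062 Password Modify request value and checking it the way a server with pwdSafeModify enabled would, that is, rejecting a request that omits the old password. The ASN.1 for the control follows draft-behera-ldap-password-policy and the ASN.1 for the request follows RFC 3062; the sample byte strings and the sample DN are constructed for this example.

```python
"""BER helpers for two DSEE password-policy messages.

Added example, not DSEE product code.  ASN.1 assumed here:

  PasswordPolicyResponseValue ::= SEQUENCE {          -- draft-behera
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) } OPTIONAL }

  PasswdModifyRequestValue ::= SEQUENCE {             -- RFC 3062
      userIdentity [0] OCTET STRING OPTIONAL,
      oldPasswd    [1] OCTET STRING OPTIONAL,
      newPasswd    [2] OCTET STRING OPTIONAL }
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # passwordPolicyRequest/Response
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"       # RFC 3062 extended operation

# PasswordPolicyResponseValue.error values, in the order the draft assigns them
PPOLICY_ERRORS = [
    "passwordExpired", "accountLocked", "changeAfterReset",
    "passwordModNotAllowed", "mustSupplyOldPassword",
    "insufficientPasswordQuality", "passwordTooShort", "passwordTooYoung",
    "passwordInHistory",
]


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + payload


def tlvs(buf: bytes):
    """Yield (tag, value) for each TLV in buf; reject truncated elements."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                     # long form: next n bytes are the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated BER element")
        yield tag, buf[pos:pos + length]
        pos += length


def decode_ppolicy_response(value: bytes) -> dict:
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    (tag, body), = tlvs(value)                # exactly one outer SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = {"warning": None, "error": None}
    for tag, inner in tlvs(body):
        if tag == 0xA0:                       # warning [0]: explicit tag around the CHOICE
            (wtag, wval), = tlvs(inner)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out["warning"] = (name, int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:                     # error [1] ENUMERATED
            code = int.from_bytes(inner, "big", signed=True)
            out["error"] = (PPOLICY_ERRORS[code] if 0 <= code < len(PPOLICY_ERRORS)
                            else f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return out


def build_passwd_modify(user=None, old=None, new=None) -> bytes:
    """Encode PasswdModifyRequestValue; every field is OPTIONAL."""
    parts = b"".join(
        ber(tag, field.encode())
        for tag, field in ((0x80, user), (0x81, old), (0x82, new))
        if field is not None
    )
    return ber(0x30, parts)


def check_safe_modify(request: bytes, pwd_safe_modify: bool) -> bool:
    """Server-side view: with pwdSafeModify on, the request must carry oldPasswd [1]."""
    (tag, body), = tlvs(request)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    present = {t for t, _ in tlvs(body)}
    return (0x81 in present) or not pwd_safe_modify


if __name__ == "__main__":
    # constructed control values: expiry warning, locked account, grace logins + expired
    for hexval in ("3005a00380010a", "3003810101", "3008a003810102810100"):
        print(hexval, "->", decode_ppolicy_response(bytes.fromhex(hexval)))
    req = build_passwd_modify("uid=jdoe,ou=People,dc=example,dc=com", None, "N3w-pass")
    print("accepted with pwdSafeModify on:", check_safe_modify(req, pwd_safe_modify=True))
```

A client that reads the warning field can tell an expiring password (timeBeforeExpiration) apart from one already in its grace period (graceAuthNsRemaining), which is the distinction the pwdGraceLoginLimit attribute creates; a server that enforces pwdSafeModify answers a request lacking oldPasswd with the mustSupplyOldPassword error from the same enumeration.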
When you enable last login time tracking using the password policy attribute pwdKeepLastAuthTime(5dsat), Directory Server records the time of the last successful authentication in the operational attribute pwdLastAuthTime(5dsat) on the user entry.
Directory Server now supports enhanced auditing for updates performed using proxy authorization. The server can log the identity authorized to perform an operation, rather than the identity that authenticated to Directory Server. When you set useAuthzIdForAuditAttrs on cn=config to on, the server records the authorization ID in the creatorsName or modifiersName attribute during a write operation on an entry. By default, Directory Server records the authentication ID.
To read more about the features presented in this chapter, refer to the following documentation.
Configuring a password policy using the command line
Enabling global account lockout
Overview of the Directory Server Enterprise Edition password policy architecture
Migrating to the new password policy
Configuring connection-based access control with ACIs