Chapter 7
User Account Management
When a user connects to your directory server, first the user is authenticated. Then, the directory can grant access rights and resource limits to the user depending upon the identity established during authentication.
This chapter describes tasks for user account management, including configuring the password and account lockout policy for your directory, denying groups of users access to the directory, and limiting system resources available to users depending upon their bind DNs.
This chapter contains the following sections:
Managing the Password Policy
A password policy minimizes the risks of using passwords by enforcing the following:
Once you have established a password policy for your directory, you can protect your user passwords from potential threads by configuring an account lockout policy. Account lockout protects against hackers who try to break into the directory by repeatedly guessing a user's password.
This section provides information about configuring your password and account lockout policies. It includes the following procedures:
Configuring the Password Policy
The password policy you configure applies to all users within the directory except for the Directory Manager. Your password policy is comprised of the following information:
Password add and modify information. The password information includes password syntax and password history details.
Bind information. The bind information includes tracking bind failures and password aging attributes.
This section describes the following procedures for configuring your password policy:
After configuring your password policy, we recommend that you configure an account lockout policy. For more information about configuring an account lockout policy, refer to "Configuring the Account Lockout Policy".
Configuring the Password Policy Using the Console
To set up or modify the password policy for your Directory Server:
On the Directory Server Console, select the Configuration tab and then the Data node.
Select the Passwords tab in the right pane.
-
This tab contains the password policy for the Directory Server.
You can specify that users must change their password the first time they log on by selecting the "User must change password after reset" checkbox.
-
If you select this checkbox, only the Directory Manager is authorized to reset the users's password (using the field described in step 9). A regular administrative user cannot force the user to update their password.
To specify that users can change their own passwords, select the "User may change password" checkbox.
You can specify that users cannot change their password for a specific time by entering the number of days in the "Allow changes in X day(s)" text box.
To configure the server to maintain a history list of passwords used by each user, select the "Keep password history" checkbox. Specify the number of passwords you want the server to keep for each user in the "Remember X passwords" text box.
If you do not want user passwords to expire, select the "Password never expires" radio button.
If you want users to have to change their passwords periodically, select the "Password expires after X days" radio button and then enter the number of days that a user password is valid.
If you have turned selected the "Password expire after X days" radio button, you need to specify how long before the password expires to send a warning to the user.In the "Send Warning X Days Before Password Expires" text enter the number of days before password expiration to send a warning.
If you want the server to check the syntax of a user password to make sure it meets the minimum requirements set by the password policy, select the "Check Password Syntax" checkbox. Then, specify the minimum acceptable password length in the "Password Minimum Length" text box.
Specify what encryption method you want the server to use when storing passwords from the "Password Encryption" pull-down menu.
-
For detailed information about the encryption methods, refer to the passwordStorageScheme attribute in Table 7-1.
-
The "Password Encryption" menu might contain other encryption methods, as the directory dynamically creates the menu depending upon the existing encryption methods it finds in your directory.
When you have finished making changes to the password policy, click Save.
Configuring the Password Policy Using the Command-Line
This section describes the attributes you set to create a password policy for your server. Use ldapmodify to change these attributes in the cn=config entry.
The following table describes the attributes you can use to configure your password policy:
Table 7-1 Password Policy Attributes
|
Attribute Name
|
Definition
|
|
passwordMustChange
|
When on, this attribute requires users to change their passwords when they first login to the directory or after the password is reset by the Directory Manager. When on, the user is required to change their password even if user-defined passwords are disabled.
If you choose to set this attribute to off, passwords assigned by the Directory Manager should not follow any obvious convention and should be difficult to discover.
This attribute is off by default.
|
|
passwordChange
|
When on, this attribute indicates that users may change their own password. Choosing for users to set their own passwords runs the risk of users choosing passwords that are easy to remember.
However, setting good passwords for the user requires a significant administrative effort. In addition, providing passwords to users that are not meaningful to them runs the risk that users will write the password down somewhere that can be discovered.
This attribute is on by default.
|
|
passwordExp
|
When on, this attribute indicates that the user's password will expire after an interval given by the passwordMaxAge attribute. Making passwords expire helps protect your directory data because the longer a password is in use, the more likely it is to be discovered.
This attribute is off by default.
|
|
passwordMaxAge
|
This attribute indicates the number of seconds after which user passwords expire. To use this attribute, you must enable password expiration using the passwordExp attribute.
A common policy is to have passwords expire every 30 to 90 days. By default, the password maximum age is set to 8640000 seconds (100days).
|
|
passwordWarning
|
Indicates the number of seconds before a warning message is sent to users whose password is about to expire.
Depending on the LDAP client application, users may be prompted to change their password when the warning is sent. Both iPlanet Directory Express and the Directory Server Gateway provide this functionality.
By default, the directory sends the warning 86400 seconds (1day) before the password is about to expire. However, a password never expires until the warning message has been set. Therefore, if users don't bind to the Directory Server for longer than the passwordMaxAge, they will still get the warning message in time to change their password.
|
|
passwordCheckSyntax
|
When on, this attribute indicates that the password syntax will be checked by the server before the password is saved.
Password syntax checking ensures that the password string meets or exceeds the minimum password length requirements and that the string does not contain any "trivial" words. A trivial word is any value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's entry.
This attribute is off by default.
|
|
passwordMinLength
|
This attribute specifies the minimum number of characters that must be used in passwords. Shorter passwords are easier to crack.
You can require passwords that are 2 to 512 characters long. Generally, a length of 6 to 8 characters is long enough to be difficult to crack but short enough for users to remember without writing it down.
This attribute is set to 6 by default.
|
|
passwordMinAge
|
This attribute indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory attribute to discourage users from reusing old passwords.
For example, setting the minimum password age to 2 days prevents users from repeatedly changing their passwords during a single session to cycle through the password history and reuse an old password once it has been removed from the history list.
You can specify from 0 to 2147472000 seconds (24,855 days). A value of zero indicates that the user can change the password immediately.
The default value of this attribute is 0.
|
|
passwordHistory
|
This attribute indicates whether the directory stores a password history. When set to on, the directory stores the number of passwords you specify in the passwordInHistory attribute in a history. If a user attempts to reuse one of the password, the password will be rejected.
When you set this attribute to off, any passwords stored in the history remain there. When you set this attribute back to on, users will not be able to reuse the passwords recorded in the history before you disabled the attribute.
This attribute is off by default, meaning users can reuse old passwords.
|
|
passwordInHistory
|
This attribute indicates the number of passwords the directory stores in the history. You can store from 2 to 24 passwords in the history. This feature is not enabled unless the passwordHistory attribute is set to on.
This attribute is set to 6 by default.
|
|
passwordStorageScheme
|
This attribute specifies the type of encryption used to store Directory Server passwords. The following encryption types are supported by Directory Server:
SSHA (Salted Secure Hash Algorithm). This method is recommends as it is the most secure. This is the default method.
SHA ( Secure Hash Algorithm). A one-way hash algorithm that is the default encryption schema in Directory Server 4.x.
crypt.The UNIX crypt algorithm, provided for compatibility with UNIX passwords.
clear. This encryption type indicates that the password will appear in plain text.
Note that passwords stored using crypt, SHA, or SSHA formats cannot be used for secure login through SASL Digest MD5.
If you want to provide your own customized storage scheme, consult iPlanet Professional Services.
|
Setting User Passwords
An entry can be used to bind to the directory only if it has a userpassword attribute and if it has not been inactivated. Because user passwords are stored in the directory, you can use whatever LDAP operation you normally use to update the directory to set or reset the user passwords.
For information on creating and modifying directory entries, see Chapter 2 "Creating Directory Entries." For information on inactivating user accounts, refer to"Inactivating Users and Roles".
You can also use the Users and Groups area of the Administration Server or the Directory Server Gateway to set or reset user passwords. For information on how to use the Users and Groups area, see the online help that is available in the Administration Server. For information on how to use the Gateway to create or modify directory entries, see the online help that is available in the Gateway.
Configuring the Account Lockout Policy
The lockout policy works in conjunction with the password policy to provide further security. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to bind.
Configuring the account lockout policy is described in the following sections:
Configuring the Account Lockout Policy Using the Console
To set up or modify the account lockout policy for your Directory Server:
On the Directory Server Console, select the Configuration tab and then the Data node.
Select the Account Lockout tab in the right pane.
To enable account lockout, select the "Accounts may be locked out" checkbox.
Enter the maximum number of allowed bind failures in the "Lockout account after X login failures" text box. The server locks out users who exceed the limit you specify here.
Enter the number of minutes you want the server to wait before resetting the bind failure counter to 0 in the "Reset failure counter after X minutes" text box.
Set the interval you want users to be locked out of the directory.
-
Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator.
-
Set a specific lockout period by selecting the Lockout duration radio button and entering the time (in minutes) in the text box.
When you have finished making changes to the account lockout policy, click Save.
Configuring the Account Lockout Policy Using the Command Line
This section describes the attributes you set to create an account lockout policy to protect the passwords stored in your server. Use ldapmodify to change these attributes in the cn=config entry.
The following table describes the attributes you can use to configure your account lockout policy:
Table 7-2 Account Lockout Policy Attributes
|
Attribute Name
|
Definition
|
|
passwordLockout
|
This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. You set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute.
You can lock users out for a specific time or until an administrator resets the password.
This attribute is set to off by default, meaning that users will not be locked out of the directory.
|
|
passwordMaxFailure
|
This attribute indicates the number of failed bind attempts after which a user will be locked out of the directory.
This attribute takes affect only if the passwordLockout attribute is set to on.
This attribute is set to 3 bind failures by default.
|
|
passwordLockoutDuration
|
This attribute indicates the time, in seconds, that users will be locked out of the directory. You can also specify that a user is lock out until their password is reset by an administrator using the passwordUnlock attribute.
By default, the user is locked out for 3600 second.
|
|
passwordResetFailureCount
|
This attribute specifies the time in seconds after which the password failure counter will be reset.
Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute. The account is locked out for the interval specified in the passwordLockoutDuration attribute, after which time the failure counter is reset to zero (0).
Because the counter's purpose is to gauge when a hacker is trying to gain access to the system, the counter must continue for a period long enough to detect a hacker. However, if the counter was to increment indefinitely over days and weeks, valid users might be locked out inadvertently.
The reset password failure count attribute is set 600 seconds by default.
|
Managing the Password Policy in a Replicated Environment
Password and account lockout policies are enforced in a replicated environment as follows:
Some of the password policy information in your directory is replicated. The replicated attributes are:
passwordMinAge and passwordMaxAge
passwordExp
passwordWarning
However, the configuration information is kept locally and is not replicated. This information includes the password syntax and the history of password modifications. Account lockout counters and tiers are not replicated either.
When configuration a password policy in a replicated environment, consider the following points:
Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas. If a user changes a password and then immediately rebind, they may find that the bind fails until the replica registers the changes.
You want the same bind behavior to occur on all servers, including masters and replicas. Make sure to create the same password policy configuration information on each server.
Account lockout counters many not work as expected in a multi-mastered environment.
Entries that are created for replication (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the entry and give it a value of 20380119031407Z (the top of the valid range).
Inactivating Users and Roles
You can temporarily inactivate a single user account or a set of accounts. Once inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
You use the same procedures for inactivating users and roles. However, when you inactivate a role, you are inactivating the members of the role and not the role entry itself. For more information about roles in general and how roles interact with access control in particular, refer to Chapter 5 "Advanced Entry Management."
The rest of this section describes the following procedures:
Inactivating User and Roles Using the Console
The following procedure describes inactivating a user or a role using the console:
In the Directory Server Console, select the Directory tab.
Browse the navigation tree in the left navigation pane and double-click the user or role you want to inactivate.
-
The Edit Entry dialog box appears.
-
You can also select Inactivate from the Object menu as a short cut.
Click Account in the left pane. The right pane states that the role or user is inactivated. Click Activate to activate the user or role.
Click OK to close the dialog box and save your changes.
-
Once inactivated, you can view the state of the object by selecting Inactivation State from the View menu. The icon of the object then appears in the right pane of the console with a red slash through it.
Inactivating User and Roles Using the Command Line
To inactivate a user account, use the ns-inactivate.pl script. The following example describes using the ns-inactivate.pl script to inactivate Joe Frasier's user account:
ns-inactivate.pl -D "Directory Manager" -w secretpwd -p 389 -h
siroe.com -I "uid=jfrasier,ou=people,dc=siroe,dc=com"
The following table describes the ns-inactivate.pl options used in the example:
|
Option Name
|
Description
|
|
-D
|
The DN of the directory administrator.
|
|
-w
|
The password of the directory administrator.
|
|
-p
|
Port used by the server.
|
|
-h
|
Name of the server on which the directory resides
|
|
-I
|
DN of the user account or role you want to inactivate.
|
For more information about running the ns-inactivate.pl script, refer to iPlanet Directory Server Configuration, Command, and File Reference.
Activating User and Roles Using the Console
The following procedure describes activating a user or a role using the console:
In the Directory Server Console, select the Directory tab.
Browse the navigation tree in the left navigation pane and double-click the user or role you want to activate.
-
The Edit Entry dialog box appears.
-
You can also select Activate from the Object menu as a short cut.
Click Account in the left pane. The right pane states that the role or user is activated. Click Activate to activate the user or role.
If the user or role is a member of another inactivated role, the console displays an option for viewing the inactivated roles. Click Show Inactivated Roles to view the list of roles to which the user or role belongs.
Click OK when you are finished.
-
Once reactivated, you can view the state of the object by selecting Inactivation State from the View menu. The icon of the role or user in the right pane of the console appears as normal. The red slash through the icon indicating it was inactive disappears.
Activating User and Roles Using the Command Line
To activate a user account, use the ns-activate.pl script. The following example describes using the ns-activate.pl script to activate Joe Frasier's user account:
ns-activate.pl -D "Directory Manager" -w secretpwd -p 389 -h
siroe.com -I "uid=jfrasier,ou=people,dc=siroe,dc=com"
The following table describes the ns-inactivate.pl options used in the example:
|
Option Name
|
Description
|
|
-D
|
The DN of the directory administrator.
|
|
-w
|
The password of the directory administrator.
|
|
-p
|
Port used by the server.
|
|
-h
|
Name of the server on which the directory resides
|
|
-I
|
DN of the user account or role you want to activate.
|
For more information about running the ns-activate.pl script, refer to iPlanet Directory Server Configuration, Command, and File Reference.
Setting Resource Limits Based on the Bind DN
You can control server limits for search operations using special operational attribute values on the client application binding to the directory. You can set the following search operation limits:
Look through limit. Specifies how many entries can be examined for a search operation.
Size limit. Specifies the maximum number of entries the server returns to a client application in response to a search operation.
Time limit. Specifies the maximum time the server spends processing a search operation.
Idle timeout. Specifies the time a connection to the server can be idle before the connection is dropped.
|
Note
|
The Directory Manager receives unlimited resources by default.
|
The resource limits you set for the client application takes precedence over the default resource limits you set for in the global server configuration.
This section gives procedures for the following:
Setting Resource Limits Using the Console
The following procedure describes setting resource limits for a user or a role using the console:
In the Directory Server Console, select the Directory tab.
Browse the navigation tree in the left navigation pane and double-click the user or role for which you want to set resource limits.
-
The Edit Entry dialog box appears.
Click Account in the left pane. The right pane contains the four limits you can set in the Resource Limits section.
-
Entering a value of -1 indicates no limit.
Click OK when you are finished.
Setting Resource Limits Using the Command Line
The following operational attributes can be set for each entry using the command-line. Use ldapmodify to add the following attributes to the entry:
|
Attribute
|
Description
|
|
nsLookThroughLimit
|
Specifies how many entries examined for a search operation. Specified as a number of entries. Giving this attribute a value of -1 indicates that there is no limit.
|
|
nsSizeLimit
|
Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit.
|
|
nsTimeLimit
|
Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
|
|
nsIdleTimeout
|
Specifies the time a connection to the server can be idle, before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicate that there is no limit.
|
For example, you might set the size limit for an entry by performing an ldapmodify as follows:
ldapmodify -h myserver -p 389 -D "cn=directory manager" -w secretpwd
dn: uid=bjensen,ou=people,dc=siroe,dc=com
changetype: modify
add:nsSizeLimit
nsSizeLimit: 500
The ldapmodify statement adds the nsSizeLimit attribute to Babs Jensen's entry and gives it a search return size limit of 500 entries.