This chapter describes the features of DSEE that secure identity to the highest degree possible. This chapter covers the following topics:
Directory Server enables you to use the host access control file hosts.allow and hosts.deny to specify the connection conditions to access the server. You can enable connection-based access control by using the dsconf command. Set the server property host-access-dir-path to the absolute path of the file system directory where the hosts.allow and hosts.deny files are located. See the server(5dsconf) and hosts_access(4) man pages for more information.
Connection-based access control can also be configured using ACIs. See ACI Bind Rules in Sun Java System Directory Server Enterprise Edition 6.0 Reference for background on ACI bind rules.
Directory Server Enterprise Edition implements a new password policy that provides the following new features:
A grace login limit, specified by the pwdGraceLoginLimit attribute. This attribute specifies the number of times that an expired password can still be used to authenticate. If the attribute is not present or is set to 0, authentication with an expired password fails.
Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.
In addition, the new password policy provides two new controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain account status information on LDAP add, delete, modrdn, compare, and search operations. When the client sends the control with OID 1.3.6.1.4.1.42.2.27.8.5.1 on the request, the response control can carry the following information:
Period of time before the password expires
Number of grace login attempts remaining
The password has expired
The account is locked
The password must be changed after being reset
Password modifications are allowed
The user must supply his/her old password
The password quality (syntax) is insufficient
The password is too short
The password is too young
The password already exists in history
The DSCC provides a tab for managing the password policies. You can use this tab to add new policies, assign a policy to Directory Server users, delete password policies, and change the password policy compatibility mode. The following figure illustrates this tab.
When you define a new password policy, you use the New Password Policy wizard. It allows you to specify password change settings, expiration settings, and content settings. It also allows you to specify account lockout settings. The following figure illustrates step 2 of the New Password Policy wizard.
For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to any Directory Server 5 password policy attributes.
See New Password Policy in Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide for details on migrating to the new password policy.
Directory Server prevents authentication with a null password. All non-anonymous binds must therefore specify a password to bind to the directory. Otherwise, Directory Server returns an authentication error, LDAP_INAPPROPRIATE_AUTH.
You can disable this feature by setting the server property require-bind-pwd-enabled to off using the dsconf set-server-prop command.
The following command-line sequence walks you through a demonstration of this feature.
The default value of the Require Bind on Authentication feature is on. Check this by using the following command:
```
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled : on
```
Authenticating with a null password results in the following error message:
```
# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
ldap_simple_bind: Inappropriate authentication
ldap_simple_bind: additional info: binds with a dn require a password
```
Note that this feature does not block anonymous binds:
```
# ldapsearch -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config
```
Disable this feature by setting it to off:
```
# dsconf set-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled:off
# dsconf get-server-prop -p 20390 -w /tmp/.pwd-file require-bind-pwd-enabled
require-bind-pwd-enabled : off
```
This time authenticating with a null password succeeds:
```
# ldapsearch -D cn=altrootdn -w '' -p 20390 -b cn=config 'objectclass=*' dn
version: 1
dn: cn=SNMP,cn=config
```
For instructions on using the Directory Service Control Center to configure password policy, see the DSCC online help.
This new feature of Directory Server enables administrators to force regular system users to change their passwords after a password reset.
This feature is controlled by the pwd-must-change-enabled property. This property specifies whether a user must change the password on the first bind after the password has been set or reset. The feature is disabled by default.
You can enable this feature by selecting the Password Reset checkbox in the DSCC as illustrated in the following figure.
To view the current policy for requiring password change after password reset, use the following command:
```
# dsconf get-server-prop -p 20390 pwd-must-change-enabled
pwd-must-change-enabled : off
```
Enable the policy that requires changing the password after a reset as follows:
```
# dsconf set-server-prop -p 20390 pwd-must-change-enabled:on
```
See Chapter 7, Directory Server Password Policy, in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide for instructions on configuring password policy using command-line tools. For instructions on using the Directory Service Control Center to configure password policy, open the DSCC online help.
This version of DSEE enables global account lockout. When a user account is locked due to consecutive failures to bind, the user account is effectively locked across the entire collection of servers.
You can configure user account lockout using the DSCC as illustrated in the following figure.
Directory Server now replicates account lockout data stored when a client application fails to authenticate to the server. When used together with the Directory Proxy Server capability to route binds appropriately, global account lockout can prevent a client application from gaining more than the number of tries you specify before being locked out across an entire directory service topology.
For more information, see Preventing Authentication by Using Global Account Lockout in Sun Java System Directory Server Enterprise Edition 6.0 Deployment Planning Guide.
Directory Server can be managed by directory administrators, who belong to the group cn=Administrators,cn=config. These users are subject to a special global ACI that gives them complete access to the directory. The default administrator created with each instance is cn=admin,cn=Administrators,cn=config.
Because these users have real entries, you can add certificates to their entries. This means that the administrator entry you create can bind using an SSL certificate. Furthermore, the server locks the administrative user out after too many failed bind attempts.
Directory Server allows you to change expired passwords using the LDAP Password Modify Extended Operation specified in RFC 3062. The ldappasswd(1) command can be used to change expired passwords from the command line.
When you enable last login time tracking using the password policy attribute pwdKeepLastAuthTime(5dsat), Directory Server records the time of the last successful authentication in the operation attribute pwdLastAuthTime(5dsat) on the user entry.
Directory Server now supports enhanced auditing for updates performed using proxy authorization. The server can log the identity authorized to perform an operation, rather than the identity that authenticated to Directory Server. When you set useAuthzIdForAuditAttrs on cn=config to on, the server records the authorization ID in the creatorsName or modifiersName attribute during a write operation on an entry. By default, Directory Server records the authentication ID.
Directory Server ACI processing has been enhanced to improve performance when one or both of the following are true:
Numerous ACIs apply to regular user searches that retrieve all attributes on entries with a large number of attributes
Access control processing involves DNs that the server must normalize
To read more about the features presented in this chapter, refer to the following documentation.
Feature | Documentation
---|---
Configuring a password policy using the command line | Chapter 7, Directory Server Password Policy, in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide
Enabling global account lockout | Preventing Authentication by Using Global Account Lockout in Sun Java System Directory Server Enterprise Edition 6.0 Deployment Planning Guide
Overview of the new password policy architecture | New Password Policy in Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide
Migrating to the new password policy | New Password Policy in Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide
Configuring connection-based access control with ACIs | ACI Bind Rules in Sun Java System Directory Server Enterprise Edition 6.0 Reference
For a hands-on demonstration of the features described in this chapter, use the scripts provided with the Evaluation Kit. The following table lists the scripts available to demonstrate each feature.
Feature | Evaluation Script
---|---
Preventing binds with no password | Demo_Required_Bind_DN.sh
Changing the root DN password from the command line | Demo_RootPW_Change.sh
Adding access controls to a JDBC data view | Demo_JDBC_RW_Control.sh
Setting up a secure administrative account | Demo_Secure_root_DN.sh
Forcing a password reset for non-root users | Demo_non-root-PW-reset.sh