BigAdmin System Administration Portal
Feature Article

Sun Java System Directory Server 6.0 as an LDAP Naming Service: Part 4 -- Post-Configuration Tasks

Jonathan Gershater, Sun Microsystems, and Vineeth Katarki, Mascon Global Limited (MGL); October 2007 (Updated May 2008)


Note: When you run the commands shown in the procedures of this article, replace COMPANY with a value that is appropriate for your environment.


Part 4 -- Post-Configuration Tasks

Part 4 provides information on additional tasks you must perform on the four servers (referred to here as "directory servers") on which you installed Sun Java System Directory Server 6.0 (hereafter referred to as "Directory Server").

Recommendations for Directory Server Access Control

The control of access is integral to creating a secure directory. Directory Server Access Control Instructions (ACIs) determine which permissions are granted to users accessing the directory.

The following are recommendations for controlling access to the directory:

  • Anonymous access should not be permitted. All operations should require a bind.
    Note: When initializing Solaris clients to a directory server for authentication and authorization, the ldapclient command might fail when anonymous access is not granted in the directory. Use the instructions in Setting Up ACIs for Anonymous Access During Solaris Client Setup to grant anonymous access when initializing new Solaris clients. Revert to disallowing anonymous access, as described in Setting Up ACIs for No Anonymous Access, when the client setup is complete.

  • Directory Server administration capabilities should be restricted to a group of selected users.
  • Regular users should be restricted to accessing their own entry in the directory and should not have the ability to access other user entries.
  • All users should have the ability to read, search, and compare their own attributes except for the userPassword attribute.
  • Users should be restricted from modifying their own attributes except for password and loginShell.
  • The proxy account used by Solaris clients should have the ability to read, compare, and search entries in the directory.

Setting Up ACIs for No Anonymous Access

To set up ACIs as recommended above, use the following LDIF file and ldapmodify command. Lines in the file that begin with a space are LDIF continuation lines: the first space is removed when the line is joined to the one before it, so the two leading spaces shown leave a single space separating the ACI keywords.

Note: To temporarily allow anonymous access for Solaris client initialization, do not use the following ACIs. Instead, use the information in the Setting Up ACIs for Anonymous Access During Solaris Client Setup section.

# cat acis.ldif
dn: dc=COMPANY,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr="*")
  (version 3.0; acl "allow all Admin group"; allow (all)
  groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=COMPANY,dc=com";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr !=
  "userPassword") (version 3.0; acl "allow self read search compare";
  allow(read,search,compare) userdn = "ldap:///self";)
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")
  (version 3.0; acl "LDAP_Naming_Services_deny_write_access"; deny (write)
  userdn = "ldap:///self";)
aci: (targetattr = "loginShell") (version 3.0; acl
  "LDAP_Naming_Services_allow_certain_changes"; allow (write)
  userdn = "ldap:///self";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr !=
  "userPassword") (version 3.0; acl "LDAP_Naming_Services_proxy_read";
  allow(read,search,compare) userdn =
  "ldap:///cn=proxyagent,ou=people,dc=COMPANY,dc=com";)

# ldapmodify -D "cn=Directory Manager" -w <password> -f acis.ldif

Setting Up ACIs for Anonymous Access During Solaris Client Setup

When initializing Solaris clients, Directory Server access control must be relaxed temporarily to allow anonymous access. Use the following LDIF file and command to allow anonymous read, search, and compare access (to everything except userPassword) for the duration of the client setup. Then revert to the access control settings described in Setting Up ACIs for No Anonymous Access.

# cat anonacis.ldif
dn: dc=COMPANY,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr="*")
  (version 3.0; acl "allow all Admin group"; allow (all) groupdn =
  "ldap:///cn=Directory Administrators,ou=Groups,dc=COMPANY,dc=com";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr != "userPassword")
  (version 3.0; acl "Anonymous read-search access"; allow
  (read,search,compare) (userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr !=
  "userPassword") (version 3.0; acl "allow self read search compare";
  allow(read,search,compare) userdn = "ldap:///self";)
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")
  (version 3.0; acl "LDAP_Naming_Services_deny_write_access"; deny (write)
  userdn = "ldap:///self";)
aci: (targetattr = "loginShell") (version 3.0; acl
  "LDAP_Naming_Services_allow_certain_changes"; allow (write)
  userdn = "ldap:///self";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr !=
  "userPassword") (version 3.0; acl "LDAP_Naming_Services_proxy_read";
  allow(read,search,compare) userdn =
  "ldap:///cn=proxyagent,ou=people,dc=COMPANY,dc=com";)

# ldapmodify -D "cn=Directory Manager" -w <password> -f anonacis.ldif
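The script below is an added example, not part of this article or of Directory Server. It reads an ACI LDIF such as acis.ldif or anonacis.ldif offline and reports any grant that contradicts the recommendations above (anonymous access, self-read of userPassword, or no read grant for the proxy agent); the embedded LDIF is a constructed copy of three of the ACIs shown here, and the proxyagent DN is the one used in them.

```python
"""Offline lint of an ACI LDIF against the access-control recommendations in this article.
Added example, not article or product code: unfolds LDIF lines and checks each aci value."""
import re

PROXY_DN = "ldap:///cn=proxyagent,ou=people,dc=COMPANY,dc=com"  # proxy account DN used on this page
# Constructed sample: three of the article's ACIs, folded the LDIF way (two leading spaces = one separator)
ACIS_LDIF = """dn: dc=COMPANY,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr="*") (version 3.0; acl "allow all Admin group";
  allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=COMPANY,dc=com";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr != "userPassword") (version 3.0;
  acl "allow self read search compare"; allow(read,search,compare) userdn = "ldap:///self";)
aci: (targetattr != "userPassword") (version 3.0; acl "LDAP_Naming_Services_proxy_read";
  allow(read,search,compare) userdn = "%s";)
""" % PROXY_DN
# The extra ACI the article adds only while Solaris clients are being initialised.
ANON_LDIF = ACIS_LDIF + ('aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous read-search'
                         ' access"; allow (read,search,compare) (userdn = "ldap:///anyone");)\n')

def unfold_ldif(text):
    """Join LDIF continuation lines: a newline followed by exactly one space is removed."""
    return re.sub(r"\n ", "", text).splitlines()

def parse_aci(aci):
    """Return (acl name, targetattr negated?, attribute set, allowed rights, bind-rule subjects)."""
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci)
    op, attrs = (m.group(1), m.group(2)) if m else ("=", "*")
    allowed = {r.strip() for rights in re.findall(r'\ballow\s*\(([^)]*)\)', aci) for r in rights.split(",")}
    allowed |= {"read", "search", "compare", "write"} if "all" in allowed else set()
    name = re.search(r'\bacl\s+"?([^";]+)"?\s*;', aci).group(1).strip()
    subjects = [v for _, v in re.findall(r'\b(userdn|groupdn)\s*=\s*"([^"]*)"', aci)]
    return name, op == "!=", {a.strip().lower() for a in attrs.split("||")}, allowed, subjects

def check_acis(ldif_text):
    """Return findings; an empty list means the set meets the article's recommendations."""
    acis = [line[4:].strip() for line in unfold_ldif(ldif_text) if line.startswith("aci:")]
    findings, proxy_ok = [], False
    for name, neg, attrs, allowed, subjects in map(parse_aci, acis):
        reads = allowed & {"read", "search", "compare"}
        # targetattr reaches userPassword when it is "*" (not negated) or lists it without "!="
        covers_pw = (not neg) if attrs == {"*"} else ("userpassword" in attrs) != neg
        if reads and "ldap:///anyone" in subjects:
            findings.append(name + ": grants anonymous access")
        if reads and "ldap:///self" in subjects and covers_pw:
            findings.append(name + ": lets users read their own userPassword")
        proxy_ok |= PROXY_DN in subjects and {"read", "search", "compare"} <= allowed
    if not proxy_ok:
        findings.append("no ACI grants read,search,compare to the proxy agent")
    return findings
```

Running check_acis over the contents of acis.ldif should return an empty list, while anonacis.ldif reports the anonymous grant, which is the cue to revert once client setup is done.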

Changing Directory Server Password Compatibility Mode

Use the following commands to change the password policy compatibility mode to DS6 mode. The change is made in two steps: first to DS6-migration-mode and then, once that step has finished, to DS6-mode. On its first connection dsconf presents the server certificate (here a self-signed one) and asks whether to trust it; answering Y stores the trust decision, while y accepts the certificate for this session only:

# dsconf pwd-compat to-DS6-migration-mode
Certificate "CN=server1, CN=636, CN=Directory Server,
  O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse,
  "d" for more details: d
Issued to                        :  CN=server1, CN=636,
  CN=Directory Server, O=Sun Microsystems
Issued by                        :  CN=server1, CN=636,
  CN=Directory Server, O=Sun Microsystems
Valid from                       :  Mon Jul 02 18:19:15 GMT 2007
Expires on                       :  Tue Oct 02 18:19:15 GMT 2007
Serial Number                    :  86897bba

Certificate authentication type  :  RSA
Version Number                   :  3
Signature Algorithm              :  MD5withRSA
Signature Algorithm OID          :  1.2.840.113549.1.1.4

Type "Y" to accept, "y" to accept just once or "n" to refuse: Y
Enter "cn=Directory Manager" password:
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.

# dsconf pwd-compat to-DS6-mode


Tracking Last Login Time

If your requirements state that the last login time of users must be tracked, enable the pwdKeepLastAuthTime attribute in the global password policy and proceed as follows.

Enable tracking of last login time by setting this attribute in the Global Password Policy:

pwdKeepLastAuthTime: true

However, this can create a load on the servers. In particular, the ProxyAgent user binds far more often than any regular user, so its last login time is updated far more frequently, and each update is recorded in the replication changelog, which can grow rapidly as a result. To circumvent this problem, eliminate last login time tracking for the ProxyAgent user only, as follows.

Create a special password policy, not to log last auth time, and assign this policy to the ProxyAgent user.

Create an LDIF file, pwdpolicypxyagent.ldif, containing the password policy for the ProxyAgent user. The line pwdKeepLastAuthTime: false is the one that stops last auth time from being logged.

dn: cn=DirectorypwdPolicyPxyAgent1,ou=PasswordPolicy,dc=COMPANY,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
objectclass: ldapsubentry
objectclass: top
cn: Password Policy Proxy Agent
description: Password Policy Proxy Agent
pwdAttribute: userPassword
pwdAllowUserChange: true
pwdGraceAuthNLimit: 0
pwdMustChange: False
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdExpireWarning: 432000
pwdInHistory: 0
pwdSafeModify: true
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdLockout: false
pwdLockoutDuration: 0
pwdIsLockoutPrioritized: false
pwdKeepLastAuthTime: false
passwordRootdnMayBypassModsChecks: on
passwordStorageScheme: SSHA

Add the password policy to the Directory:

# ldapmodify -D "cn=Directory Manager" -w <password> -f /export/home/pwdpolicypxyagent.ldif

Assign the policy to the ProxyAgent user, using this LDIF file, pxyagentpwd.ldif:

dn: cn=proxyagent,ou=profile,dc=COMPANY,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgent1,ou=PasswordPolicy,dc=COMPANY,dc=com

# ldapmodify -D "cn=Directory Manager" -w <password> -f /export/home/pxyagentpwd.ldif

References

  • Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide: Chapter 8, Directory Server Password Policy
  • Sun Java System Directory Server Enterprise Edition 6.3 Man Page Reference: pwdKeepLastAuthTime(5dsat)


  • Updates

    May 2008: Added "Tracking Last Login Time" section.
