Article Contents
This article is presented in the following four parts:
- Part 1 -- Installation and Configuration
- Part 2 -- Client Configurations for the Solaris OS
- Part 3 -- Client Configurations for Red Hat Linux and AIX
- Part 4 -- Post-Configuration Tasks
Note: When you run the commands shown in the procedures of this article, replace COMPANY with a value that is appropriate for your environment.
Part 4 -- Post-Configuration Tasks
Part 4 provides information on additional tasks you must perform on the four servers (referred to here as "directory servers") on which you installed Sun Java System Directory Server 6.0 (hereafter referred to as "Directory Server").
Part 4 Contents
- Recommendations for Directory Server Access Control
- Setting Up ACIs for No Anonymous Access
- Setting Up ACIs for Anonymous Access During Solaris Client Setup
- Changing Directory Server Password Compatibility Mode
- Tracking Last Login Time
Recommendations for Directory Server Access Control
The control of access is integral to creating a secure directory. Directory Server Access Control Instructions (ACIs) determine which permissions are granted to users accessing the directory.
The following are recommendations for controlling access to the directory:
- Anonymous access should not be permitted. All operations should require a bind.
- Directory Server administration capabilities should be restricted to a group of selected users.
- Regular users should be restricted to accessing their own entry in the directory and should not have the ability to access other user entries.
- All users should have the ability to read, search, and compare their own attributes except for the userPassword attribute.
- Users should be restricted from modifying their own attributes except for password and loginShell.
- The proxy account used by Solaris clients should have the ability to read, compare, and search entries in the directory.
Note: When initializing Solaris clients to a directory server for authentication and authorization, the ldapclient command might fail when anonymous access is not granted in the directory. Use the instructions in Setting Up ACIs for Anonymous Access During Solaris Client Setup to grant anonymous access when initializing new Solaris clients. Revert to disallowing anonymous access, as described in Setting Up ACIs for No Anonymous Access, when the client setup is complete.
Setting Up ACIs for No Anonymous Access
To set up ACIs as recommended above, use the following LDIF file and commands. In the LDIF, a line that begins with a single space continues the preceding line.
Note: To temporarily allow anonymous access for Solaris client initialization, do not use the following ACIs. Instead, use the information in the Setting Up ACIs for Anonymous Access During Solaris Client Setup section.
# cat acis.ldif
dn: dc=COMPANY,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr="*")
 (version 3.0; acl "allow all Admin group"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=COMPANY,dc=com";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr != "userPassword")
 (version 3.0; acl "allow self read search compare"; allow (read,search,compare) userdn = "ldap:///self";)
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")
 (version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)
aci: (targetattr = "loginShell")
 (version 3.0; acl "LDAP_Naming_Services_allow_certain_changes"; allow (write) userdn = "ldap:///self";)
aci: (target="ldap:///dc=COMPANY,dc=com") (targetattr != "userPassword")
 (version 3.0; acl "LDAP_Naming_Services_proxy_read"; allow (read,search,compare) userdn = "ldap:///cn=proxyagent,ou=people,dc=COMPANY,dc=com";)
# ldapmodify -D "cn=Directory Manager" -w <password> -f acis.ldif
Setting Up ACIs for Anonymous Access During Solaris Client Setup
When initializing Solaris clients, Directory Server access control must be modified to allow anonymous access. Use the following LDIF file and command to set up Directory Server to allow anonymous access. Anonymous access across the entire directory is not required; the access described below is sufficient. The ACIs below grant anonymous access to the base DN entry (dc=company,dc=com) only and to the entire ou=profile container. Both records add to the ACIs already present on the base entry rather than replacing them; re-applying acis.ldif, which uses replace, removes them again once client setup is complete.
# more anonacis.ldif
dn: dc=company,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///dc=company,dc=com") (targetscope = "base") (targetattr="*")
 (version 3.0; acl "anonymousBaseDN"; allow (read,compare,search) (userdn = "ldap:///anyone");)

dn: dc=company,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=profile,dc=company,dc=com") (targetscope = "subtree") (targetattr="*")
 (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone");)
# ldapmodify -D "cn=Directory Manager" -w <password> -f anonacis.ldif
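As an added illustration (not part of the article), the following Python script models, in simplified form, how the server evaluates the ACIs in acis.ldif and the two anonymous ACIs described in this section, so the resulting access matrix can be checked before touching a live server. It handles only the ACI constructs these two files use; the user, admin and group DNs are constructed, and dc=company,dc=com is used throughout.

```python
import re

# Added example (not from the article): a simplified model of Directory Server ACI evaluation
# covering only the constructs used in acis.ldif and anonacis.ldif (target, targetscope,
# targetattr with != and ||, allow/deny, userdn/groupdn). All DNs below are constructed.
BASE = "dc=company,dc=com"
ACIS = [  # the five ACIs of acis.ldif, one per line
    '(target="ldap:///dc=company,dc=com")(targetattr="*")(version 3.0; acl "allow all Admin group"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=company,dc=com";)',
    '(target="ldap:///dc=company,dc=com")(targetattr != "userPassword")(version 3.0; acl "allow self read search compare"; allow(read,search,compare) userdn = "ldap:///self";)',
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)',
    '(targetattr = "loginShell")(version 3.0; acl "LDAP_Naming_Services_allow_certain_changes"; allow (write) userdn = "ldap:///self";)',
    '(target="ldap:///dc=company,dc=com")(targetattr != "userPassword")(version 3.0; acl "LDAP_Naming_Services_proxy_read"; allow(read,search,compare) userdn = "ldap:///cn=proxyagent,ou=people,dc=company,dc=com";)',
]
ANON_ACIS = [  # anonacis.ldif as this section intends: the base entry only, plus the ou=profile subtree
    '(target = "ldap:///dc=company,dc=com")(targetscope = "base")(targetattr="*")(version 3.0; acl "anonymousBaseDN"; allow (read,compare,search) (userdn = "ldap:///anyone");)',
    '(target = "ldap:///ou=profile,dc=company,dc=com")(targetscope = "subtree")(targetattr="*")(version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone");)',
]
GROUPS = {"cn=directory administrators,ou=groups,dc=company,dc=com": {"uid=admin1,ou=people,dc=company,dc=com"}}
RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\(?\s*(userdn|groupdn)\s*=\s*"ldap:///([^"]+)"')

def parse_aci(text):
    attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    target = re.search(r'\(target\s*=\s*"?ldap:///([^")]+)"?\)', text)
    scope = re.search(r'\(targetscope\s*=\s*"?(\w+)"?\)', text)
    effect, rights, kind, who = RULE.search(text).groups()
    return {"negate": attr.group(1) == "!=",
            "attrs": {a.strip().lower() for a in attr.group(2).split("||")},
            "target": (target.group(1) if target else BASE).lower(),  # no target: the whole suffix
            "scope": scope.group(1) if scope else "subtree",
            "effect": effect, "rights": {r.strip() for r in rights.split(",")},
            "kind": kind, "who": who.lower()}

def applies(aci, bind_dn, entry_dn, attr):
    entry_dn, attr, bind = entry_dn.lower(), attr.lower(), (bind_dn or "").lower()
    in_target = entry_dn == aci["target"] or (aci["scope"] != "base" and entry_dn.endswith("," + aci["target"]))
    attr_ok = "*" in aci["attrs"] or ((attr in aci["attrs"]) != aci["negate"])
    if aci["kind"] == "groupdn":
        subject = bind in GROUPS.get(aci["who"], set())
    elif aci["who"] == "self":
        subject = bind != "" and bind == entry_dn
    elif aci["who"] == "anyone":
        subject = True  # "anyone" includes anonymous (unbound) clients
    else:
        subject = bind == aci["who"]
    return in_target and attr_ok and subject

def allowed(bind_dn, entry_dn, attr, right, acis=ACIS):
    """Any matching deny wins; otherwise a matching allow is required (default is deny)."""
    hits = [a for a in map(parse_aci, acis)
            if applies(a, bind_dn, entry_dn, attr) and (right in a["rights"] or "all" in a["rights"])]
    return not any(a["effect"] == "deny" for a in hits) and any(a["effect"] == "allow" for a in hits)
```

With acis.ldif in force a user can read but not write uid, can write loginShell, cannot read userPassword, and an anonymous client gets nothing; with anonacis.ldif an anonymous client can read the base entry and the profile subtree but still no user entries.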
Changing Directory Server Password Compatibility Mode
Use the following commands to change the password compatibility mode to DS6-mode:
# dsconf pwd-compat to-DS6-migration-mode
Certificate "CN=server1, CN=636, CN=Directory Server,
O=Sun Microsystems" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse,
"d" for more details: d
Issued to : CN=server1, CN=636,
CN=Directory Server, O=Sun Microsystems
Issued by : CN=server1, CN=636,
CN=Directory Server, O=Sun Microsystems
Valid from : Mon Jul 02 18:19:15 GMT 2007
Expires on : Tue Oct 02 18:19:15 GMT 2007
Serial Number : 86897bba
Certificate authentication type : RSA
Version Number : 3
Signature Algorithm : MD5withRSA
Signature Algorithm OID : 1.2.840.113549.1.1.4
Type "Y" to accept, "y" to accept just once or "n" to refuse: Y
Enter "cn=Directory Manager" password:
## Beginning password policy compatibility changes.
## Password policy compatibility changes finished.
# dsconf pwd-compat to-DS6-mode
Tracking Last Login Time
If your requirements state that the last login time of users must be tracked (the pwdKeepLastAuthTime attribute in the global password policy), proceed as follows.
Enable tracking of last login time by setting this attribute in the Global Password Policy:
pwdKeepLastAuthTime: true
However, this can create a load on the servers. In particular, the last login time of the ProxyAgent user, which every Solaris client binds as, is updated far more frequently than that of regular users, so the replication changelog file can grow rapidly as it records each update. To avoid this problem, disable last login time tracking for the ProxyAgent user only, as follows.
Create a special password policy that does not record the last authentication time, and assign this policy to the ProxyAgent user.
Create an LDIF file, pwdpolicypxyagent.ldif, containing the password policy for the ProxyAgent user. The line pwdKeepLastAuthTime: false ensures that the last auth time is not recorded.
dn: cn=DirectorypwdPolicyPxyAgent,ou=PasswordPolicy,dc=company,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
objectclass: ldapsubentry
objectclass: top
cn: DirectorypwdPolicyPxyAgent
description: Password Policy Proxy Agent
pwdAttribute: userPassword
pwdAllowUserChange: true
pwdGraceAuthNLimit: 0
pwdMustChange: false
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdExpireWarning: 432000
pwdInHistory: 0
pwdSafeModify: true
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdLockout: false
pwdLockoutDuration: 0
pwdIsLockoutPrioritized: false
pwdKeepLastAuthTime: false
passwordRootdnMayBypassModsChecks: on
passwordStorageScheme: SSHA
Add the password policy to the Directory:
# ldapmodify -D "cn=Directory Manager" -w <password> -f /export/home/pwdpolicypxyagent.ldif
Assign the policy to the ProxyAgent user, using this LDIF file, pxyagentpwd.ldif:
dn: cn=proxyagent,ou=profile,dc=company,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgent,ou=PasswordPolicy,dc=company,dc=com
# ldapmodify -D "cn=Directory Manager" -w <password> -f /export/home/pxyagentpwd.ldif