directory-commits mailing list archives

From: elecha...@apache.org
Subject: svn commit: r1467113 - in /directory/site/trunk/content/apacheds/advanced-ug: 4-authentication-and-authorization.mdtext 4.1.2.6-sasl-ntlm-authn.mdtext 4.2-authorization.mdtext 4.3-password-policy.mdtext
Date: Thu, 11 Apr 2013 22:06:28 GMT
Author: elecharny
Date: Thu Apr 11 22:06:28 2013
New Revision: 1467113

URL: http://svn.apache.org/r1467113
Log:
Added a chapter for the PasswordPolicy configuration

Added:
    directory/site/trunk/content/apacheds/advanced-ug/4.2-authorization.mdtext
      - copied, changed from r1465547, directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
Modified:
    directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.mdtext

Modified: directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext?rev=1467113&r1=1467112&r2=1467113&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext
(original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext
Thu Apr 11 22:06:28 2013
@@ -64,4 +64,5 @@ Notice: Licensed to the Apache Software 
     * [4.2.9 - Migration from other LDAP Servers](4.2.9-migration-from-other-ldap-servers.html)
     * [4.2.10 - ACI grammar](4.2.10-aci-grammar.html)
     * [4.2.11 - Links and References](4.2.11-links-and-references.html)
+* [4.3 Password Policy](4.3-password-policy.html)
 
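Review bot: the new entry `* [4.3 Password Policy](4.3-password-policy.html)` drops the ` - ` separator that the sibling entries use (`4.2.10 - ACI grammar`, `4.2.11 - Links and References`); for a consistent table of contents make it `* [4.3 - Password Policy](4.3-password-policy.html)`. The zero indentation is correct if 4.3 is meant as a top-level sibling of 4.2 rather than a child of it.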

Modified: directory/site/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.mdtext?rev=1467113&r1=1467112&r2=1467113&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.mdtext Thu Apr
11 22:06:28 2013
@@ -3,7 +3,7 @@ NavPrev: 4.1.2.5-sasl-external-authn.htm
 NavPrevText: 4.1.2.6 - SASL EXTERNAL Authentication
 NavUp: 4.1.2-sasl-authn.html
 NavUpText: 4.1.2 - SASL Authentication
-NavNext: 4.1.3-kerberos-authn.htlm
+NavNext: 4.1.3-kerberos-authn.html
 NavNextText: 4.1.3 - Kerberos authentication
 
 Notice: Licensed to the Apache Software Foundation (ASF) under one
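Review bot: the `.htlm` to `.html` fix is right, but the context line two lines above it, `NavPrevText: 4.1.2.6 - SASL EXTERNAL Authentication`, is also wrong: `NavPrev` points at `4.1.2.5-sasl-external-authn...` and this page itself is 4.1.2.6, so the label should read `4.1.2.5 - SASL EXTERNAL Authentication`. Worth fixing in the same commit since it is in the same header block.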

Copied: directory/site/trunk/content/apacheds/advanced-ug/4.2-authorization.mdtext (from r1465547,
directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext)
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.2-authorization.mdtext?p2=directory/site/trunk/content/apacheds/advanced-ug/4.2-authorization.mdtext&p1=directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext&r1=1465547&r2=1467113&rev=1467113&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.2-authorization.mdtext Thu Apr 11
22:06:28 2013
@@ -1,10 +1,10 @@
-Title: 4.5. Authorization
-NavPrev: 3-admin-model.html
-NavPrevText: 3 - Administrative Model
-NavUp: 3-admin-model.html
-NavUpText: 3 - Administrative Model
-NavNext: 3.2-operations-on-an-administrativepoint.html
-NavNextText: 3.2 Operations on an a Administrative Point
+Title: 4.2 - Authorization
+NavPrev: 4.1-authentication.html
+NavPrevText: 4.1 - Authentication
+NavUp: 4-authentication-and-authorization.html
+NavPrevText: 4 - Authentication & Authorization
+NavNext: 4.3-password-policy.html
+NavNextText: 4.3 Password Policy
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
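Review bot: in the new header block the line after `NavUp:` is `NavPrevText: 4 - Authentication & Authorization`, which repeats the `NavPrevText` key already set to `4.1 - Authentication` and leaves `NavUpText` unset; it should be `NavUpText: 4 - Authentication & Authorization`. Depending on how the template resolves the duplicate key, the previous-page link will either show the parent's title or the up-link will render with no text. Also `NavNextText: 4.3 Password Policy` lacks the ` - ` separator used by `4.1 - Authentication` and by the `Title: 4.2 - Authorization` line.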
@@ -21,8 +21,8 @@ Notice: Licensed to the Apache Software 
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.
-{scrollbar}
 
+# 4.2 - Authorization
 ApacheDS uses an adaptation of the X.500 basic access control scheme in
 combination with X.500 subentries to control access to entries and
 attributes within the DIT. This document will show you how to enable the
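Review bot: the new `# 4.2 - Authorization` heading is immediately followed by the body paragraph with no blank line, and its numbering style (`4.2 -`) differs from the `# 4.3. Password Policy` heading added to the new page in this same commit; pick one form for both and put a blank line after the heading so the markdown renders the same way on each page.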

Added: directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext?rev=1467113&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext Thu Apr 11
22:06:28 2013
@@ -0,0 +1,122 @@
+Title: 4.3. Password Policy
+NavPrev: 4.2-authorization.html
+NavPrevText:4.2 - Authorization
+NavUp: 4-authentication-and-authorization.html
+NavPrevText: 4 - Authentication & Authorization
+NavNext: 5-administration.html
+NavNextTest: 5 - Administration
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+# 4.3. Password Policy
+
+The **Password Policy** is a **RFC** draft that has been designed for the very first version
in 1999, and the latest version is from 2009. Although it's still a draft, and it's currently
noted as inactive, it has been implemented by many existing **LDAP** servers.
+
+**ApacheDS** implements the draft fully.
+
+## What is a password policy ?
+
+As explained on [wikipedia](http://en.wikipedia.org/wiki/Password_policy) :
+
+	:::Text
+	A password policy is a set of rules designed to enhance computer security by encouraging
users to employ strong passwords and use them properly.
+
+Basically, the system, once activated, will enforce some rules and check the password strength.
We will list the various options in this chapter.
+
+## How do we configure it ?
+
+The _PasswordPolicy_ can be configured in two ways. First of all, it's important to know
that it's activated by default. let's see the default configuration first.
+
+There is an entry contianing all the default values for the _PasswordPolicy_, under :
+
+	* ou=config
+		* ads-directoryServiceId=<default>
+			* ou=interceptors
+				* ads-interceptorId=authenticationInterceptor
+					* ou=passwordPolicies
+
+This entry contains the following values :
+
+	:::Text
+	dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
+	 terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
+	objectclass: top
+	objectclass: ads-base
+	objectclass: ads-passwordPolicy
+	ads-pwdattribute: userPassword
+	ads-pwdid: default
+	ads-enabled: TRUE
+	ads-pwdallowuserchange: TRUE
+	ads-pwdcheckquality: 1
+	ads-pwdexpirewarning: 600
+	ads-pwdfailurecountinterval: 30
+	ads-pwdgraceauthnlimit: 5
+	ads-pwdgraceexpire: 0
+	ads-pwdinhistory: 5
+	ads-pwdlockout: TRUE
+	ads-pwdlockoutduration: 0
+	ads-pwdmaxage: 0
+	ads-pwdmaxdelay: 0
+	ads-pwdmaxfailure: 5
+	ads-pwdmaxidle: 0
+	ads-pwdmaxlength: 0
+	ads-pwdminage: 0
+	ads-pwdmindelay: 0
+	ads-pwdminlength: 5
+	ads-pwdmustchange: FALSE
+	ads-pwdsafemodify: FALSE
+
+
+#### Disabling the PasswordPolicy
+
+The _PasswordPolicy_ is enabled by default. It's possible to disable it by setting the _ads-enabled_
value to FALSE, with a server restart.
+
+### Password guessing limit
+
+The idea is to protect the password against multiple guess attempts. The following rules
are applied :
+
+	* a counter track the failed attemps, and block when it's reached
+	* an incremental delay is added after a failure before a new attempt can be done
+	* a global delay for all the failed attempt is used, when reached, the account is blocked
+	
+When the account is locked, it can remain locked, or be unlocked after a grace period.
+
+#### Attempts counter ()
+
+<DIV class="warn" markdown="1">
+Attributes : ads-pwdLockout, ads-pwdmaxfailure
+</DIV>
+
+Each failed attempt will be logged in the entry, in the _pwdFailureTime_ Attribute (it will
contain the date of the attempt). When the Attribute contains more values than the maximum
number of failed attempts, the entry will be locked (the _pwdAccountLockedTime_ Attribute
will contain the date the entry has been locked).
+
+<DIV class="warn" markdown="1">
+In order to activate this control the ads-pwdLockout parameter must be set to TRUE.
+</DIV>
+
+The following table expose the various possible cases, with three failed attempts : 
+
+| _ads-pwdmaxfailure_ | _pwdLockout_ | _pwdFailureTime_ | _pwdAccountLockedTime_ | Locked
| Comment |
+|---|---|---|---|---|---|
+| 3 | true | date1 | - | No | Failure 1 |
+|  |  | date1, date2 | - | No | Failure 2 |
+|  |  | date1, date2, date3 | date3 | Yes | Failure 3 : account locked |
+| 3 | false | date1 | - | No | Failure 1 |
+|  |  | date1, date2 | - | No | Failure 2 |
+|  |  | date1, date2, date3 | - | No | Failure 3 |
+
+As we can see, the account is locked only when we reach the number of failure, and the _pwdLockout_
flag is TRUE.
+
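Review bot: two navigation keys in the new page header are wrong and will break the generated prev/up/next links: the line after `NavUp:` reads `NavPrevText: 4 - Authentication & Authorization` and should be `NavUpText:`, and `NavNextTest: 5 - Administration` should be `NavNextText:`; `NavPrevText:4.2 - Authorization` is also missing the space after the colon. In the body, the lockout description is internally inconsistent: the prose says the entry is locked "when the Attribute contains more values than the maximum number of failed attempts", but the table locks the account on failure 3 with `ads-pwdmaxfailure` = 3 and the closing sentence says "only when we reach the number of failure", so the prose should say "as many values as". Smaller points: the table header `_pwdLockout_` should be `_ads-pwdLockout_` to match the attribute named in the warning box; `#### Attempts counter ()` has an empty parenthesis; `#### Disabling the PasswordPolicy` skips the `###` level; the text says the policy "can be configured in two ways" but only the `ou=config` entry is shown; typos `contianing`, `attemps`, `a counter track`; and the password-policy specification is an IETF Internet-Draft rather than an "RFC draft".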