From commits-return-36418-apmail-directory-commits-archive=directory.apache.org@directory.apache.org Thu Apr 11 22:07:02 2013
Return-Path:
X-Original-To: apmail-directory-commits-archive@www.apache.org
Delivered-To: apmail-directory-commits-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4D1D9F102 for ; Thu, 11 Apr 2013 22:07:02 +0000 (UTC)
Received: (qmail 78903 invoked by uid 500); 11 Apr 2013 22:07:02 -0000
Delivered-To: apmail-directory-commits-archive@directory.apache.org
Received: (qmail 78865 invoked by uid 500); 11 Apr 2013 22:07:02 -0000
Mailing-List: contact commits-help@directory.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@directory.apache.org
Delivered-To: mailing list commits@directory.apache.org
Received: (qmail 78857 invoked by uid 99); 11 Apr 2013 22:07:02 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Apr 2013 22:07:02 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Apr 2013 22:06:56 +0000
Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id AB0FF238897A for ; Thu, 11 Apr 2013 22:06:34 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r858159 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/
Date: Thu, 11 Apr 2013 22:06:34 -0000
To: commits@directory.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130411220634.AB0FF238897A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: buildbot Date: Thu Apr 11 22:06:34 2013 New Revision: 858159 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Thu Apr 11 22:06:34 2013 @@ -1 +1 @@ -1466856 +1467113 Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html (original) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html Thu Apr 11 22:06:34 2013 @@ -194,6 +194,7 @@
  • 4.2.11 - Links and References
  • +
  • 4.3 Password Policy
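Review bot: the table-of-contents entry added at the end of this hunk, "4.3 Password Policy", does not follow the "number - title" form of its neighbours ("4.2.11 - Links and References", "4.2 - Authorization"), and the page it points to titles itself "4.3. Password Policy" with a trailing period; settle on one form, e.g. "4.3 - Password Policy", and use it in both the list entry and the new page's title.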
  • Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html (original) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.2.6-sasl-ntlm-authn.html Thu Apr 11 22:06:34 2013 @@ -130,7 +130,7 @@
    @@ -169,7 +169,7 @@
    Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2-authorization.html Thu Apr 11 22:06:34 2013 @@ -0,0 +1,242 @@ + + + + + 4.2 - Authorization — Apache Directory + + + + + + + + + + + + +
    + +
    +
    + + + +
    +
    + + + + + +

    4.2 - Authorization

    +

    ApacheDS uses an adaptation of the X.500 basic access control scheme in +combination with X.500 subentries to control access to entries and +attributes within the DIT. This document will show you how to enable the +basic access control mechanism and how to define access control information +to manage access to protected resources.

    +

    Chapter content

    + +

    Some Simple Examples

    +

    The ACIItem syntax is very expressive and that makes it extremely powerful +for specifying complex access control policies. However the syntax is not +very easy to grasp for beginners. For this reason we start with simple +examples that focus on different protection mechanisms offered by the +ACIItem syntax. We do this instead of specifying the grammar which is not +the best way to learn a language.

    +

    +Before you go any further... +Please don't go any further until you have read up on the use of +Subentries. Knowledge of subentries, subtreeSpecifications, administrative +areas, and administrative roles are required to properly digest the +following material. +

    +

    Before going on to these trails you might want to set up an Administrative +Area for managing access control via prescriptiveACI. Both subentryACI and +prescriptiveACI require the presence of an Administrative Point entry. For +more information and code examples see ACAreas.

    +

    ACI Trails

    +

    Here are some trails that resemble simple HOWTO guides. They're ordered +with the most pragmatic usage first. We will add to these trails over +time.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    TrailDescription
    EnableSearchForAllUsersEnabling access to browse and read all entries and their attributes by authenticated users.
    DenySubentryAccess (TBW)Protecting access to subentries themselves.
    AllowSelfPasswordModifyGranting users the rights needed to change their own passwords.
    GrantAddDelModToGroup (TBW)Granting add, delete, and modify permissions to a group of users.
    GrantModToEntry (TBW)Applying ACI to a single entry.
    + + + + + +
    +
    +
    + +
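Review bot: the opening paragraph of 4.2-authorization.html promises to "show you how to enable the basic access control mechanism", but nothing in the added page does so; the body only lists the ACI trails, three of which (DenySubentryAccess, GrantAddDelModToGroup, GrantModToEntry) are marked TBW. Either add the enabling step (or a link to the page that documents it) or reword the introduction, and consider leaving the TBW rows out of the table until those pages exist. Also, the "Chapter content" heading has no list beneath it, and "Subentries" and "ACAreas" read as bare wiki page names rather than links to the corresponding sections of this guide.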
    + + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html Thu Apr 11 22:06:34 2013 @@ -0,0 +1,326 @@ + + + + + 4.3. Password Policy — Apache Directory + + + + + + + + + + + + +
    + +
    +
    + + + +
    +
    + + + + + +

    NavPrevText:4.2 - Authorization +NavUp: 4-authentication-and-authorization.html +NavPrevText: 4 - Authentication & Authorization +NavNext: 5-administration.html +NavNextTest: 5 - Administration +Notice: Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License.

    +

    4.3. Password Policy

    +

    The Password Policy is a RFC draft that has been designed for the very first version in 1999, and the latest version is from 2009. Although it's still a draft, and it's currently noted as inactive, it has been implemented by many existing LDAP servers.

    +

    ApacheDS implements the draft fully.

    +

    What is a password policy ?

    +

    As explained on wikipedia :

    +
    A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
    +
    + + +

    Basically, the system, once activated, will enforce some rules and check the password strength. We will list the various options in this chapter.

    +

    How do we configure it ?

    +

    The PasswordPolicy can be configured in two ways. First of all, it's important to know that it's activated by default. let's see the default configuration first.

    +

    There is an entry contianing all the default values for the PasswordPolicy, under :

    +
    * ou=config
    +    * ads-directoryServiceId=<default>
    +        * ou=interceptors
    +            * ads-interceptorId=authenticationInterceptor
    +                * ou=passwordPolicies
    +
    + + +

    This entry contains the following values :

    +
    dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
    + terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
    +objectclass: top
    +objectclass: ads-base
    +objectclass: ads-passwordPolicy
    +ads-pwdattribute: userPassword
    +ads-pwdid: default
    +ads-enabled: TRUE
    +ads-pwdallowuserchange: TRUE
    +ads-pwdcheckquality: 1
    +ads-pwdexpirewarning: 600
    +ads-pwdfailurecountinterval: 30
    +ads-pwdgraceauthnlimit: 5
    +ads-pwdgraceexpire: 0
    +ads-pwdinhistory: 5
    +ads-pwdlockout: TRUE
    +ads-pwdlockoutduration: 0
    +ads-pwdmaxage: 0
    +ads-pwdmaxdelay: 0
    +ads-pwdmaxfailure: 5
    +ads-pwdmaxidle: 0
    +ads-pwdmaxlength: 0
    +ads-pwdminage: 0
    +ads-pwdmindelay: 0
    +ads-pwdminlength: 5
    +ads-pwdmustchange: FALSE
    +ads-pwdsafemodify: FALSE
    +
    + + +

    Disabling the PasswordPolicy

    +

    The PasswordPolicy is enabled by default. It's possible to disable it by setting the ads-enabled value to FALSE, with a server restart.

    +

    Password guessing limit

    +

    The idea is to protect the password against multiple guess attempts. The following rules are applied :

    +
    * a counter track the failed attemps, and block when it's reached
    +* an incremental delay is added after a failure before a new attempt can be done
    +* a global delay for all the failed attempt is used, when reached, the account is blocked
    +
    + + +

    When the account is locked, it can remain locked, or be unlocked after a grace period.

    +

    Attempts counter ()

    +

    +Attributes : ads-pwdLockout, ads-pwdmaxfailure +

    +

    Each failed attempt will be logged in the entry, in the pwdFailureTime Attribute (it will contain the date of the attempt). When the Attribute contains more values than the maximum number of failed attempts, the entry will be locked (the pwdAccountLockedTime Attribute will contain the date the entry has been locked).

    +

    +In order to activate this control the ads-pwdLockout parameter must be set to TRUE. +

    +

    The following table expose the various possible cases, with three failed attempts :

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ads-pwdmaxfailurepwdLockoutpwdFailureTimepwdAccountLockedTimeLockedComment
    3truedate1-NoFailure 1
    date1, date2-NoFailure 2
    date1, date2, date3date3YesFailure 3 : account locked
    3falsedate1-NoFailure 1
    date1, date2-NoFailure 2
    date1, date2, date3-NoFailure 3
    +

    As we can see, the account is locked only when we reach the number of failure, and the pwdLockout flag is TRUE.

    + + + + + +
    +
    +
    + +
    + + \ No newline at end of file
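Review bot: the front matter of 4.3-password-policy.html is rendered as page text (the block from "NavPrevText:4.2 - Authorization" through the Apache license notice appears in the body), and within it "NavPrevText" is given twice (the first should be the NavPrev link) and "NavNextTest" is a typo for NavNextText; fix the header so the CMS strips it. In the body: "a RFC draft" should name the document (it is an IETF Internet-Draft, draft-behera-ldap-password-policy), and "implements the draft fully" should say which revision; "The PasswordPolicy can be configured in two ways" is followed by only one way, the ou=config entry; the tree shows ads-directoryServiceId=<default> while the DN under it uses ads-directoryServiceId=default; "When the Attribute contains more values than the maximum number of failed attempts, the entry will be locked" disagrees with the table, which locks the account at exactly ads-pwdmaxfailure (3) failures, so it should read "as many values as"; "unlocked after a grace period" refers to ads-pwdlockoutduration, not to the grace-authentication attributes, and should name it; the heading "Attempts counter ()" has empty parentheses; and the incremental delay and global delay announced in the bullet list under "Password guessing limit" are never described, the page stopping after the attempts counter table. Typos to fix: "contianing", "attemps", "a counter track", "The following table expose", and "it's activated by default. let's see".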