Designing Access Control - Red Hat DIRECTORY SERVER 8.1 - DEPLOYMENT Deployment Manual

The lockout policy works in conjunction with the password policy to provide further security. The
account lockout feature protects against crackers who try to break into the directory by repeatedly
trying to guess a user's password. A specific user can be locked out of the directory after a given
number of failed attempts to bind.
8.6.4. Designing a Password Policy in a Replicated Environment
Password and account lockout policies are enforced in a replicated environment as follows:
• Password policies are enforced on the data master.
• Account lockout is enforced on all servers in the replication setup.
The password policy state held in the directory, such as password age, the account lockout counter,
and the expiration warning counter, is replicated. The configuration information, however, is
stored locally and is not replicated. This information includes the password syntax and the history of
password modifications.
When configuring a password policy in a replicated environment, consider the following points:
• All replicas issue warnings of an impending password expiration. This information is kept locally
on each server, so if a user binds to several replicas in turn, the user receives the same warning
several times. In addition, if the user changes the password, it may take time for this information to
filter through to the replicas. If a user changes a password and then immediately rebinds, the bind
may fail until the replica registers the changes.
• The same bind behavior should occur on all servers, including suppliers and replicas. Always create
the same password policy configuration information on each server.
• Account lockout counters may not work as expected in a multi-master environment.
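Because the policy configuration is stored locally, the practical consequence of the points above is that the same settings must be applied to every supplier and replica. The following LDIF is an added example, not from the manual, showing a global password and lockout policy on cn=config that would be applied unchanged to each server; the numeric values, the file name and the server placeholder are illustrative assumptions.

```ldif
# Added example (not from the manual): identical global password/lockout policy
# for every server in the replication topology. Apply the same file to each
# supplier and replica, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -h <server> -f pwpolicy.ldif
# The values are illustrative choices, not settings taken from the manual.
dn: cn=config
changetype: modify
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinLength
passwordMinLength: 12
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 6
-
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7776000
-
replace: passwordWarning
passwordWarning: 1209600
-
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 5
-
replace: passwordResetFailureCount
passwordResetFailureCount: 600
-
replace: passwordUnlock
passwordUnlock: on
-
replace: passwordLockoutDuration
passwordLockoutDuration: 900
```

passwordMaxAge and passwordWarning are in seconds (90 and 14 days here), as are the lockout durations. The per-user state the text says is replicated lives in operational attributes on the user entry (for example passwordRetryCount and accountUnlockTime); after deploying the policy, comparing those attributes for one test account across masters is a quick way to confirm whether lockout counters are behaving as expected in a multi-master setup.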

8.7. Designing Access Control

After deciding on the authentication schemes to use to establish the identity of directory clients, decide
how to use those schemes to protect the information contained in the directory. Access control can
specify that certain clients have access to particular information, while other clients do not.
Access control is defined using one or more access control lists (ACLs). The directory's ACLs consist
of a series of one or more access control information (ACI) statements that either allow or deny
permissions (such as read, write, search, and compare) to specified entries and their attributes.
ACLs can set permissions at any level of the directory tree:
• The entire directory.
• A particular subtree of the directory.
• Specific entries in the directory.
• A specific set of entry attributes.
• Any entry that matches a given LDAP search filter.
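As an added example (not the manual's own), the LDIF below adds one ACI for each of the five scopes listed above to a suffix entry; the suffix, organizational units, group names and attribute choices are assumed for illustration. Each ACI is written with the least rights that its purpose needs.

```ldif
# Added example (not from the manual). Assumed suffix dc=example,dc=com and
# assumed groups under ou=Groups. Apply with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f aci.ldif
# The acl names map to the five scopes in the text:
#   1 "Entire directory"   - no (target), so the ACI covers the suffix and all
#                            entries beneath it
#   2 "Subtree"            - (target) names the top of a subtree
#   3 "Specific entry"     - (target) names a single entry
#   4 "Attribute set"      - (targetattr) limits the rule to named attributes
#   5 "Filter"             - (targetfilter) selects entries by LDAP search filter
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || sn || mail")(version 3.0; acl "1 Entire directory: authenticated users read name and mail"; allow (read, search, compare) userdn = "ldap:///all";)
aci: (target = "ldap:///ou=People,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "2 Subtree: Directory Administrators manage People"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
aci: (target = "ldap:///uid=svc-backup,ou=Services,dc=example,dc=com")(targetattr = "userPassword")(version 3.0; acl "3 Specific entry: Backup Operators reset the svc-backup password"; allow (write) groupdn = "ldap:///cn=Backup Operators,ou=Groups,dc=example,dc=com";)
aci: (target = "ldap:///ou=People,dc=example,dc=com")(targetattr = "userPassword")(version 3.0; acl "4 Attribute set: users change their own password"; allow (write) userdn = "ldap:///self";)
aci: (target = "ldap:///ou=People,dc=example,dc=com")(targetfilter = "(employeeType=contractor)")(targetattr = "*")(version 3.0; acl "5 Filter: Contractor Managers read contractor entries"; allow (read, search, compare) groupdn = "ldap:///cn=Contractor Managers,ou=Groups,dc=example,dc=com";)
```

Because aci is an attribute of the entry it is placed on, these rules replicate with the data, unlike the password policy configuration discussed in the previous section. Listing attributes explicitly in targetattr, rather than granting "*" or using a negated form, keeps a broad read rule from reaching userPassword or operational attributes by accident.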
Designing a Password Policy in a Replicated Environment
125

Advertisement

Table of Contents
loading

Table of Contents