Designing An Account Lockout Policy; Designing Access Control - Netscape DIRECTORY SERVER 6.1 - DEPLOYMENT Deployment Manual

Designing an Account Lockout Policy

Once you have established a password policy for your directory, you can protect
your user passwords from potential threats by configuring an account lockout
policy.

The lockout policy works in conjunction with the password policy to provide
further security. The account lockout feature protects against hackers who try to
break into the directory by repeatedly trying to guess a user's password. You can
set up your password policy so that a specific user is locked out of the directory
after a given number of failed attempts to bind.

Designing Access Control

Once you decide on one or more authentication schemes to establish the identity of
directory clients, you need to decide how to use the schemes to protect information
contained in your directory. Access control allows you to specify that certain
clients have access to particular information, while other clients do not.

You specify access control using one or more access control lists (ACLs). Your
directory's ACLs consist of a series of one or more access control information (ACI)
statements that either allow or deny permissions (such as read, write, search, and
compare) to specified entries and their attributes.

Using the ACL, you can set permissions for the following:

• The entire directory
• A particular subtree of the directory
• Specific entries in the directory
• A specific set of entry attributes
• Any entry that matches a given LDAP search filter

In addition, you can set permissions for a specific user, for all users belonging to a
specific group, or for all users of the directory. Lastly, you can define access for a
network location such as an IP address or a DNS name.
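
The scopes and subjects listed above, written as ACI values in LDIF for use with ldapmodify. This is an added example, not taken from the manual; the suffix dc=example,dc=com and every entry, group, user, filter and address in it are constructed.

```ldif
# Added example; all DNs, filters and addresses below are constructed.
# A continuation line starts with one space (LDIF folding); a second
# space is used only where the unfolded value needs a separator.

# Entire directory: the ACI sits on the suffix and has no target keyword,
# so it covers the whole tree. Authenticated users ("all") may read an
# explicit attribute list; userPassword is never listed.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || sn || givenName || mail || telephoneNumber")
 (version 3.0; acl "Authenticated users read basic attributes";
  allow (read, search, compare) userdn = "ldap:///all";)

# Subtree + attribute set + group: members of one group may write two
# attributes anywhere under ou=People.
# Filter + network location: entries matching the filter are readable
# only by authenticated clients connecting from 192.0.2.*.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "telephoneNumber || roomNumber")
 (version 3.0; acl "HR managers update contact data";
  allow (write)
  groupdn = "ldap:///cn=HR Managers,ou=Groups,dc=example,dc=com";)
aci: (targetfilter = "(employeeType=contractor)")
 (targetattr = "manager || departmentNumber")
 (version 3.0; acl "Internal network reads contractor details";
  allow (read, search, compare)
  userdn = "ldap:///all" and ip = "192.0.2.*";)

# Specific entry + specific user + DNS name: one administrator may reset
# one service account's password, and only from one named host. The dns
# rule depends on the server resolving the client's name, so the ip
# keyword is the stricter choice where addresses are stable.
dn: uid=svc-mail,ou=Services,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "Ops admin resets svc-mail password";
  allow (write)
  userdn = "ldap:///uid=ops-admin,ou=People,dc=example,dc=com"
  and dns = "admin1.example.com";)
```

Note that "ldap:///all" matches any authenticated user, while "ldap:///anyone" also matches anonymous binds, so the choice between them decides whether unauthenticated clients can read the targeted data.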
Netscape Directory Server Deployment Guide • August 2002