<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  !      Copyright 2011-2013 ForgeRock AS
  !
-->
<chapter xml:id='chap-account-lockout'
         xmlns='http://docbook.org/ns/docbook' version='5.0'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Implementing Account Lockout &amp; Notification</title>
 <para>OpenDJ directory server supports automatic account lockout.
 The aim of account lockout is not to punish users who mistype their
 passwords, but instead to protect the directory against attacks
 in which the attacker attempts to guess a user password, repeatedly
 attempting to bind until success is achieved.</para>

 <para>Account lockout disables a user account after a specified
 number of successive authentication failures. When you implement account
 lockout, you can opt to have OpenDJ directory server unlock the account
 again after a specified interval, or you can leave the account locked
 until the password is reset.</para>

 <para>When you configure account lockout as part of password policy, OpenDJ
 locks an account after the specified number of consecutive authentication
 failures. Account lockout is not transactional across a replication topology,
 however. Under normal circumstances, replication nevertheless propagates
 lockout quickly. If ever replication is delayed, an attacker with direct
 access to multiple replicas could try to authenticate up to the specified
 number of times on each replica before being locked out on all replicas.</para>

 <para>This chapter shows you how to set up account lockout policies,
 and how to intervene manually to lock and unlock accounts.</para>
 <section xml:id="configure-account-lockout">
  <title>Configuring Account Lockout</title>
  <indexterm><primary>Accounts</primary><secondary>Lockout</secondary></indexterm>

  <para>Account lockout is configured as part of password policy. This section
  demonstrates configuring account lockout as part of the default password
  policy. Users are allowed three consecutive failures before being locked out
  for five minutes. Failures themselves also expire after five minutes.</para>

  <para>Change the default password policy to activate lockout using the
  <command>dsconfig</command> command. As the password policy is part of
  the server configuration, you must manually apply the changes to each
  replica in a replication topology.</para>

  <screen>$ dsconfig
 set-password-policy-prop
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set lockout-failure-count:3
 --set lockout-duration:5m
 --set lockout-failure-expiration-interval:5m</screen>
  <para>Users having the default password policy are then locked out after
  three failed attempts in succession. Notice in the output that follows that
  the attempt made after the account is locked fails with the same result code,
  49 (Invalid Credentials), as a wrong password does, so a client cannot tell
  a locked account from a mistyped password.</para>

  <screen>--bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --baseDN dc=example,dc=com
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --baseDN dc=example,dc=com
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --baseDN dc=example,dc=com
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --baseDN dc=example,dc=com
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --baseDN dc=example,dc=com
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)</screen>
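  <para>The following Python model is an added example and is not code from
  OpenDJ or from this guide. It reproduces the lockout semantics that the three
  properties set above define (three consecutive failures lock the account,
  each failure stops counting after five minutes, and the lock is released after
  five minutes or, when no duration is set, only when the password is reset) so
  that the interaction of the settings can be checked without a server. The
  names <literal>LockoutPolicy</literal>, <literal>LockoutTracker</literal>,
  <literal>BindResult</literal> and <literal>replay_transcript</literal>, and the
  timestamps, are hypothetical; the result code 49 for a bind to a locked
  account is the behaviour the screen output above shows.</para>

```python
# Added example, not OpenDJ's own code: a model of the lockout semantics
# that lockout-failure-count, lockout-duration and
# lockout-failure-expiration-interval define, for reasoning about a policy
# offline. Class, function and variable names are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SUCCESS = 0
INVALID_CREDENTIALS = 49  # the result code the client gets for every failed bind

T0 = datetime(2013, 1, 1, 12, 0, 0)  # constructed reference time for the scenarios


def minutes(n: float) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class LockoutPolicy:
    # Mirrors the three properties set with dsconfig above.
    failure_count: int = 3                                  # lockout-failure-count:3
    lockout_duration: Optional[timedelta] = minutes(5)      # lockout-duration:5m; None = until reset
    failure_expiration_interval: timedelta = minutes(5)     # lockout-failure-expiration-interval:5m


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # unexpired failure timestamps
    locked_at: Optional[datetime] = None


@dataclass
class BindResult:
    result_code: int  # what the LDAP client sees
    locked: bool      # server-side state that the client is not told about


class LockoutTracker:
    """Counts consecutive bind failures per DN under one password policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, dn: str) -> AccountState:
        return self.accounts.setdefault(dn, AccountState())

    def is_locked(self, dn: str, now: datetime) -> bool:
        st = self._state(dn)
        if st.locked_at is None:
            return False
        duration = self.policy.lockout_duration
        if duration is not None and now - st.locked_at >= duration:
            st.locked_at = None      # lockout-duration elapsed: unlock and
            st.failures.clear()      # forget the failures that caused it
            return False
        return True

    def reset_password(self, dn: str) -> None:
        """An administrative password reset clears the lock and the failure history."""
        self.accounts[dn] = AccountState()

    def bind(self, dn: str, password_ok: bool, now: datetime) -> BindResult:
        """Simulate a simple bind at time `now`."""
        if self.is_locked(dn, now):
            # Locked accounts fail even with the right password, and the client
            # gets the same code as for a wrong password (see the screen output).
            return BindResult(INVALID_CREDENTIALS, locked=True)
        st = self._state(dn)
        if password_ok:
            st.failures.clear()  # a successful bind ends the run of consecutive failures
            return BindResult(SUCCESS, locked=False)
        # Failures older than lockout-failure-expiration-interval no longer count.
        cutoff = now - self.policy.failure_expiration_interval
        st.failures = [t for t in st.failures if t > cutoff]
        st.failures.append(now)
        if len(st.failures) >= self.policy.failure_count:
            st.locked_at = now
            return BindResult(INVALID_CREDENTIALS, locked=True)
        return BindResult(INVALID_CREDENTIALS, locked=False)


def replay_transcript() -> List[Tuple[int, bool]]:
    """Replay the four wrong-password binds from the screen output above, one
    minute apart, and return (result_code, locked) for each attempt."""
    tracker = LockoutTracker(LockoutPolicy())
    dn = "uid=bjensen,ou=People,dc=example,dc=com"
    return [(r.result_code, r.locked)
            for r in (tracker.bind(dn, False, T0 + minutes(i)) for i in range(4))]


if __name__ == "__main__":
    for attempt, (code, locked) in enumerate(replay_transcript(), 1):
        print(f"attempt {attempt}: result code {code}, locked server-side: {locked}")
```

  <para>Because the client sees only result code 49 either way, the lock is
  visible only server-side; the model keeps that state in
  <literal>BindResult.locked</literal> to make the point explicit. Running the
  tracker with failures spaced more than the expiration interval apart shows
  why <literal>lockout-failure-expiration-interval</literal> matters: such
  failures never add up to a lockout.</para>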
 </section>

 <section xml:id="manage-accounts">
  <title>Managing Accounts Manually</title>

  <para>This section covers disabling and enabling accounts by using the
  <command>manage-account</command> command. Password reset is covered in
  the chapter on performing LDAP operations.</para>

  <para>For the following examples, the directory admin user, Kirsten Vaughan,
  has <literal>ds-privilege-name: password-reset</literal>, and the following
  ACI on <literal>ou=People,dc=example,dc=com</literal>.</para>

  <literallayout class="monospaced">(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
version 3.0;acl "Admins can run amok"; allow(all) groupdn =
"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)</literallayout>
  <procedure xml:id="disable-account">
   <title>To Disable an Account</title>
   <indexterm><primary>Accounts</primary><secondary>Disabling</secondary></indexterm>

   <step>
    <para>Set the account status to disabled with the
    <command>manage-account</command> command.</para>

    <screen>$ manage-account
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --targetDN uid=bjensen,ou=people,dc=example,dc=com
Account Is Disabled: true</screen>
   </step>
  </procedure>
  <procedure xml:id="reactivate-account">
   <title>To Activate a Disabled Account</title>
   <indexterm><primary>Accounts</primary><secondary>Activating</secondary></indexterm>

   <step>
    <para>Clear the disabled status using the <command>manage-account</command>
    command.</para>

    <screen>$ manage-account
 clear-account-is-disabled
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --targetDN uid=bjensen,ou=people,dc=example,dc=com
Account Is Disabled: false</screen>
   </step>
  </procedure>
 </section>
 <section xml:id="account-status-notification">
  <title>Managing Account Status Notification</title>
  <indexterm>
   <primary>Accounts</primary>
   <secondary>Status notifications</secondary>
  </indexterm>

  <para>OpenDJ can send mail about account status changes. OpenDJ needs an
  SMTP server to send messages, and needs templates for the mail it sends.
  By default, message templates are in English, under
  <filename>config/messages</filename>.</para>

  <para>OpenDJ generates notifications only when OpenDJ writes to an entry or
  evaluates a user entry for authentication. OpenDJ generates account enabled
  and account disabled notifications when the user account is enabled or
  disabled with the <command>manage-account</command> command, which writes
  to the entry. OpenDJ generates password expiration notifications when a
  user tries to bind.</para>

  <para>For example, if you set up OpenDJ to send a notification about password
  expiration, that notification gets triggered when the user authenticates
  during the password expiration warning interval. OpenDJ does not
  automatically scan entries to send password expiry notifications. OpenDJ does
  implement controls that you can pass in an LDAP search to determine whether a
  user's password is about to expire. See the appendix on
  <link xlink:href="admin-guide#appendix-controls"><citetitle>Controls</citetitle></link>
  for a list. You can then send notifications based on the results of your
  search.</para>
  <procedure xml:id="mail-account-status-notifications">
   <title>To Mail Users About Account Status</title>

   <para>The following steps demonstrate how to set up notifications. Whether
   OpenDJ sends notifications depends on the settings in the password policy,
   and on account activity as described above.</para>

   <step>
    <para>Identify the SMTP server to which OpenDJ sends messages.</para>

    <screen>$ dsconfig
 set-global-configuration-prop
 --bindDN "cn=Directory Manager"</screen>
   </step>

   <step>
    <para>Set up OpenDJ to be able to mail users about account status.</para>

    <screen>$ dsconfig
 set-account-status-notification-handler-prop
 --bindDN "cn=Directory Manager"
 --handler-name "SMTP Handler"
 --set email-address-attribute-type:mail</screen>

    <para>Notice that OpenDJ finds the user's mail address on the attribute
    on the user's entry, specified by
    <literal>email-address-attribute-type</literal>.</para>

    <para>You can also configure the <literal>message-subject</literal> and
    <literal>message-template-file</literal> properties. Try interactive
    mode if you plan to do so.</para>

    <para>You find templates for messages by default under the
    <filename>config/messages</filename> directory. You can edit the templates
    to suit your purposes.</para>
   </step>

   <step>
    <para>Adjust applicable password policies to use the account status
    notification handler you configured.</para>

    <screen>$ dsconfig
 set-password-policy-prop
 --bindDN "cn=Directory Manager"
 --policy-name "Default Password Policy"
 --set account-status-notification-handler:"SMTP Handler"</screen>
   </step>
  </procedure>
  <variablelist xml:id="about-message-templates">
   <title>About Notification Message Templates</title>
   <indexterm>
    <primary>Accounts</primary>
    <secondary>Customizing notification messages</secondary>
   </indexterm>

   <para>When you edit the message templates to suit your purposes, you can use
   the following tokens to have OpenDJ update the message text
   dynamically.</para>

   <varlistentry>
    <term><literal>%%notification-type%%</literal></term>
    <listitem>
     <para>This token is replaced with the name of the account status
     notification type for the notification.</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>%%notification-message%%</literal></term>
    <listitem>
     <para>This token is replaced with the message for the account status
     notification.</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>%%notification-user-dn%%</literal></term>
    <listitem>
     <para>This token is replaced with the string representation of the DN for
     the user that is the target of the account status notification.</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>%%notification-user-attr:<replaceable>attrname</replaceable>%%</literal></term>
    <listitem>
     <para>This token is replaced with the value of the attribute specified by
     <replaceable>attrname</replaceable> from the user's entry. If the
     specified attribute has multiple values, then OpenDJ uses the first value
     encountered. If the specified attribute does not have any values, then
     OpenDJ replaces it with an empty string.</para>
    </listitem>
   </varlistentry>

   <varlistentry>
    <term><literal>%%notification-property:<replaceable>propname</replaceable>%%</literal></term>
    <listitem>
     <para>This token is replaced with the value of the specified notification
     property from the account status notification. If the specified property
     has multiple values, then OpenDJ uses the first value encountered. If the
     specified property does not have any values, then OpenDJ replaces it with
     an empty string. Valid <replaceable>propname</replaceable> values include
     the following.</para>

     <itemizedlist>
      <listitem><para><literal>account-unlock-time</literal></para></listitem>
      <listitem><para><literal>new-password</literal></para></listitem>
      <listitem><para><literal>old-password</literal></para></listitem>
      <listitem><para><literal>password-expiration-time</literal></para></listitem>
      <listitem><para><literal>password-policy-dn</literal></para></listitem>
      <listitem><para><literal>seconds-until-expiration</literal></para></listitem>
      <listitem><para><literal>seconds-until-unlock</literal></para></listitem>
      <listitem><para><literal>time-until-expiration</literal></para></listitem>
      <listitem><para><literal>time-until-unlock</literal></para></listitem>
     </itemizedlist>
    </listitem>
   </varlistentry>
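   <para>The following Python renderer is an added example, not OpenDJ's own
   template engine. It applies the substitution rules listed above to a
   template string: every <literal>%%...%%</literal> token is replaced, a
   multi-valued attribute or property contributes its first value, and a
   missing one contributes the empty string. The function name
   <literal>render_notification</literal>, the sample template, the user
   attributes, the notification type name used in the sample and the
   notification properties are constructed for this example; how it treats a
   token the list above does not define is an assumption noted in the
   code.</para>

```python
# Added example, not OpenDJ's template engine: renders the %%token%%
# placeholders described above according to the documented rules. The
# function names, sample template, user attributes and notification
# properties are constructed for this example.
import re
from typing import Dict, List

# %%name%% or %%name:argument%%, where the argument is attrname or propname.
TOKEN_RE = re.compile(r"%%([a-z-]+)(?::([^%]+))?%%")


def first_or_empty(values: List[str]) -> str:
    """First value encountered, or the empty string when there are none."""
    return values[0] if values else ""


def render_notification(template: str, notification_type: str, message: str,
                        user_dn: str, user_attrs: Dict[str, List[str]],
                        properties: Dict[str, List[str]]) -> str:
    # LDAP attribute type names are case-insensitive, so look them up that way.
    attrs = {name.lower(): values for name, values in user_attrs.items()}

    def substitute(match):
        name, argument = match.group(1), match.group(2)
        if name == "notification-type":
            return notification_type
        if name == "notification-message":
            return message
        if name == "notification-user-dn":
            return user_dn
        if name == "notification-user-attr" and argument:
            return first_or_empty(attrs.get(argument.lower(), []))
        if name == "notification-property" and argument:
            return first_or_empty(properties.get(argument, []))
        # Assumption: a token the list above does not define is left as
        # written, so a typo in a template stays visible in the mail.
        return match.group(0)

    return TOKEN_RE.sub(substitute, template)


# Constructed sample data standing in for a template file under
# config/messages, the user's entry and the notification's properties.
SAMPLE_TEMPLATE = (
    "Subject: %%notification-type%% for %%notification-user-attr:cn%%\n"
    "\n"
    "Dear %%notification-user-attr:givenName%%,\n"
    "\n"
    "%%notification-message%%\n"
    "\n"
    "Account: %%notification-user-dn%%\n"
    "Unlock time: %%notification-property:account-unlock-time%%\n"
    "Pager: %%notification-user-attr:pager%%\n"   # attribute absent: empty string
)
SAMPLE_USER_DN = "uid=bjensen,ou=People,dc=example,dc=com"
SAMPLE_USER_ATTRS = {
    "cn": ["Barbara Jensen"],
    "givenName": ["Barbara", "Babs"],  # multi-valued: the first value is used
    "mail": ["bjensen@example.com"],
}
SAMPLE_PROPERTIES = {
    "account-unlock-time": ["20130101120500Z"],
    "seconds-until-unlock": ["300"],
}


def render_sample() -> str:
    """Render the constructed sample as an account-temporarily-locked notification."""
    return render_notification(SAMPLE_TEMPLATE, "account-temporarily-locked",
                               "The account has been temporarily locked.",
                               SAMPLE_USER_DN, SAMPLE_USER_ATTRS, SAMPLE_PROPERTIES)


if __name__ == "__main__":
    print(render_sample())
```

   <para>Attribute lookups are case-insensitive because LDAP attribute type
   names are, so <literal>%%notification-user-attr:MAIL%%</literal> and
   <literal>%%notification-user-attr:mail%%</literal> render the same value;
   property names are matched exactly as listed above.</para>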