Using password policies, the UnboundID Directory Server can record in an entry the time of its last authentication and the IP address of the connection from which that authentication occurred.
The password policy has ‘properties’ named:
- last-login-time-attribute
- last-login-time-format
- last-login-ip-address-attribute
which specify, respectively, the name of the attribute used to record the last authentication time, the format of the timestamp stored in that attribute, and the name of the attribute used to record the IP address from which the last authentication occurred. For demonstration purposes, the DN uid=user.0,ou=People,dc=example,dc=com is used.
When not specified, the names (or types, if you prefer) of the attributes in the entry default to:

attribute name | attribute purpose
ds-pwp-last-login-time | The last time the entry authenticated
ds-pwp-last-login-ip-address | The IP address from which the entry last authenticated
The ds-pwp-last-login-time and ds-pwp-last-login-ip-address attributes are Directory Strings, are single-valued, and are operational attributes (they must be requested by name, or by using ‘+’ in the list of requested attributes).
Create a password policy:

dsconfig create-password-policy \
  --policy-name "Demonstration Password Policy" \
  --set password-attribute:userpassword \
  --set "default-password-storage-scheme:Salted SHA-1" \
  --set force-change-on-add:true \
  --set force-change-on-reset:true \
  --set "password-generator:Random Password Generator" \
  --set last-login-ip-address-attribute:ds-pwp-last-login-ip-address \
  --set "last-login-time-format:yyyyMMddHHmmss.SSS'Z'" \
  --set password-history-count:5 \
  --set "password-history-duration:4 w 2 d"
Add a reference to the new password policy to a user’s entry:

ldapmodify -h localhost -p 1389 \
  -D 'cn=directory manager' -j ~/.pwdFile
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Demonstration Password Policy,cn=Password Policies,cn=config

# Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com
Authenticate using ldapsearch:

ldapsearch -j ~/.pwdFile \
  -D 'uid=user.0,ou=people,dc=example,dc=com' \
  -h localhost -p 1389 \
  -b 'uid=user.0,ou=people,dc=example,dc=com' \
  -s base '(&)' 1.1
After authenticating using ldapsearch, retrieve the ds-pwp-last-login-time and ds-pwp-last-login-ip-address attributes from the entry:

ldapsearch -j ~/.pwdFile \
  -D 'cn=directory manager' -h localhost -p 1389 \
  -b 'uid=user.0,ou=people,dc=example,dc=com' \
  -s base '(&)' \
  ds-pwp-last-login-time ds-pwp-last-login-ip-address

dn: uid=user.0, ou=People, dc=example, dc=com
ds-pwp-last-login-time: 20111106230306Z
ds-pwp-last-login-ip-address: 127.0.0.1
Note: ensure that load-balancers pass the original source IP address to the directory servers.
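As an added example (not part of the original post or of the UnboundID product), the following Python script parses ldapsearch LDIF output carrying the two attributes above and reports entries that have never authenticated or have been idle longer than a chosen window, which is the kind of check an audit of these attributes usually needs. It accepts both the plain GeneralizedTime value shown in the output and the yyyyMMddHHmmss.SSS'Z' form set on the policy; the sample LDIF is constructed, and the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the ldapsearch output above (not real data).
SAMPLE_LDIF = """\
dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-last-login-time: 20111106230306Z
ds-pwp-last-login-ip-address: 127.0.0.1

dn: uid=user.1,ou=People,dc=example,dc=com
ds-pwp-last-login-time: 20111101120000.250Z
ds-pwp-last-login-ip-address: 10.0.0.7

dn: uid=user.2,ou=People,dc=example,dc=com
"""

def parse_entries(ldif):
    """Split LDIF text into {dn: {attr: value}} (single-valued attributes only)."""
    entries, current = {}, None
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if not line.strip():            # a blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current[attr] = value.strip()
    return entries

def parse_last_login(value):
    """Parse the policy's last-login-time string into an aware UTC datetime."""
    for fmt in ("%Y%m%d%H%M%S.%fZ", "%Y%m%d%H%M%SZ"):   # with / without .SSS
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised last-login-time value: {value!r}")

def stale_accounts(ldif, now, max_age_days=90):
    """Return (dn, reason) for entries never seen or idle longer than max_age_days."""
    findings = []
    for dn, attrs in parse_entries(ldif).items():
        raw = attrs.get("ds-pwp-last-login-time")
        if raw is None:                 # policy never recorded a login for this entry
            findings.append((dn, "no last-login-time recorded"))
            continue
        age = now - parse_last_login(raw)
        if age > timedelta(days=max_age_days):
            ip = attrs.get("ds-pwp-last-login-ip-address", "unknown")
            findings.append((dn, f"last login {age.days} days ago from {ip}"))
    return findings
```

Feed it the output of the second ldapsearch above (run against ou=People with `-s sub` rather than one entry) and pass datetime.now(timezone.utc) as now to review the whole container at once.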
All Entries Are Subject to a Password Policy
Entries can have an attribute 'ds-pwp-password-policy-dn' which specifies the policy to use for that entry. If no such attribute is found in the entry, the default password policy is used. In this way, every entry in the directory server database is subject to a password policy – a critical factor in many modern security audits.
Secure Password Policy
Version 3.2 of the directory server ships with a Secure Password Policy which is extremely paranoid. This Secure Password Policy is not the default, but it can be made the default password policy or used as a template for new password policies that are customized to the organization’s specific requirements.
Updates
- 06-Nov-2011: Added examples of creating password policy and assigning it to a user’s entry.