From a992a24275ef5f8f87c4783c64a9a9839b054f67 Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Wed, 28 Sep 2011 12:59:37 +0000
Subject: [PATCH] Issue OPENDJ-262: Implement pass through authentication (PTA)
---
opends/resource/schema/02-config.ldif | 28 ++++++++
opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml | 130 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 156 insertions(+), 2 deletions(-)
diff --git a/opends/resource/schema/02-config.ldif b/opends/resource/schema/02-config.ldif
index 267278a..2459f8a 100644
--- a/opends/resource/schema/02-config.ldif
+++ b/opends/resource/schema/02-config.ldif
@@ -2631,6 +2631,26 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
X-ORIGIN 'OpenDJ Directory Server' )
+attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.23
+ NAME 'ds-cfg-use-password-caching'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE
+ X-ORIGIN 'OpenDJ Directory Server' )
+attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.24
+ NAME 'ds-cfg-cached-password-storage-scheme'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ SINGLE-VALUE
+ X-ORIGIN 'OpenDJ Directory Server' )
+attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.25
+ NAME 'ds-cfg-cached-password-min-age'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ X-ORIGIN 'OpenDJ Directory Server' )
+attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.26
+ NAME 'ds-cfg-cached-password-max-age'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ X-ORIGIN 'OpenDJ Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.1
NAME 'ds-cfg-access-control-handler'
SUP top
@@ -4377,7 +4397,8 @@
STRUCTURAL
MUST ( ds-cfg-java-class $
ds-cfg-primary-remote-ldap-server $
- ds-cfg-mapping-policy )
+ ds-cfg-mapping-policy $
+ ds-cfg-use-password-caching )
MAY ( ds-cfg-secondary-remote-ldap-server $
ds-cfg-mapped-attribute $
ds-cfg-mapped-search-bind-dn $
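Review bot: Moving ds-cfg-use-password-caching into the MUST list of ds-cfg-ldap-pass-through-authentication-policy makes every policy entry created before this change schema-invalid, because the attribute did not exist until now; whether cn=config entries are schema-checked on load is not visible here, but the XML side in this same commit already gives the property a default of false, so the objectclass does not need to force its presence. Suggest keeping `ds-cfg-mapping-policy )` as the end of the MUST list and adding `ds-cfg-use-password-caching $` to the MAY list of the following hunk instead, or documenting the upgrade step that back-fills the attribute. The objectclass definition starts before this hunk.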
@@ -4392,5 +4413,8 @@
ds-cfg-use-tcp-keep-alive $
ds-cfg-use-tcp-no-delay $
ds-cfg-ssl-protocol $
- ds-cfg-ssl-cipher-suite )
+ ds-cfg-ssl-cipher-suite $
+ ds-cfg-cached-password-storage-scheme $
+ ds-cfg-cached-password-min-age $
+ ds-cfg-cached-password-max-age )
X-ORIGIN 'OpenDJ Directory Server' )
diff --git a/opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml
index 53fa9ee..c44e062 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/LDAPPassThroughAuthenticationPolicyConfiguration.xml
@@ -91,6 +91,19 @@
</adm:condition>
</adm:constraint>
+ <adm:constraint>
+ <adm:synopsis>
+ The cached password storage scheme must be specified when password
+ caching is enabled.
+ </adm:synopsis>
+ <adm:condition>
+ <adm:implies>
+ <adm:contains property="use-password-caching" value="true" />
+ <adm:is-present property="cached-password-storage-scheme" />
+ </adm:implies>
+ </adm:condition>
+ </adm:constraint>
+
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-ldap-pass-through-authentication-policy</ldap:name>
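Review bot: The new constraint only ties cached-password-storage-scheme to use-password-caching; nothing relates cached-password-min-age to cached-password-max-age, and a minimum age larger than the maximum age makes the cached entry expire before the window during which mismatched binds are answered locally has elapsed, which contradicts the min-age description added later in this commit. Only contains and is-present conditions are visible here, so if the adm constraint vocabulary cannot express a numeric comparison the check belongs in the policy implementation, with a synopsis such as `The cached password minimum age must not exceed the cached password maximum age.` so the error is reported consistently with the other constraints.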
@@ -565,4 +578,121 @@
</adm:profile>
</adm:property>
+ <adm:property name="use-password-caching" mandatory="true">
+ <adm:synopsis>
+ Indicates whether passwords should be cached locally within the user's
+ entry.
+ </adm:synopsis>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>false</adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:boolean />
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:name>ds-cfg-use-password-caching</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+
+ <adm:property name="cached-password-storage-scheme">
+ <adm:synopsis>
+ Specifies the name of a password storage scheme which should be used
+ for encoding cached passwords.
+ </adm:synopsis>
+ <adm:description>
+ Changing the password storage scheme will cause all existing cached
+ passwords to be discarded.
+ </adm:description>
+ <adm:default-behavior>
+ <adm:undefined/>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:aggregation relation-name="password-storage-scheme"
+ parent-path="/">
+ <adm:constraint>
+ <adm:synopsis>
+ The referenced password storage schemes must be enabled.
+ </adm:synopsis>
+ <adm:target-is-enabled-condition>
+ <adm:contains property="enabled" value="true" />
+ </adm:target-is-enabled-condition>
+ </adm:constraint>
+ </adm:aggregation>
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:name>ds-cfg-cached-password-storage-scheme</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+
+ <adm:property name="cached-password-min-age">
+ <adm:synopsis>
+ Specifies the minimum length of time that a locally cached password must
+ be used for authentication.
+ </adm:synopsis>
+ <adm:description>
+ This property should be used in order to control the rate at which failed
+ authentication attempts are forwarded to the remote LDAP server and, as
+ a consequence, reduce the impact of a denial of service attack.
+
+ An authentication attempt which fails because the provided password does
+ not match the locally cached password will be retried against the remote
+ LDAP service only if the cached password is older than the
+ minimum age.
+
+ Increasing the minimum age increases the period a user will have to wait
+ before being able to authenticate using a new password.
+ </adm:description>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>10 seconds</adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:duration base-unit="s"/>
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:name>ds-cfg-cached-password-min-age</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+
+ <adm:property name="cached-password-max-age">
+ <adm:synopsis>
+ Specifies the maximum length of time that a locally cached password may
+ be used for authentication before it is refreshed from the remote LDAP
+ service.
+ </adm:synopsis>
+ <adm:description>
+ This property represents a cache timeout. Increasing the timeout period
+ decreases the frequency that bind operations are delegated to the
+ remote LDAP service, but increases the risk of users authenticating
+ using stale passwords.
+
+ Note that authentication attempts which fail because the provided password
+ does not match the locally cached password will always be retried against
+ the remote LDAP service, unless the cached password is newer than the
+ minimum age.
+ </adm:description>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>1 days</adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:duration base-unit="s"/>
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:name>ds-cfg-cached-password-max-age</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+
</adm:managed-object>
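Review bot: The cached-password-storage-scheme aggregation only requires the referenced scheme to be enabled; nothing steers an administrator away from a reversible scheme, and a reversibly encoded cache stored in the user entry would expose the remote directory's credential to anyone able to read the entry or a backup. Suggest extending the adm:description with `Use a one-way (hashing) storage scheme for cached passwords; a reversible scheme would allow the remote password to be recovered by anyone who can read the user entry.` The cached-password-min-age synopsis also reads oddly ("must be used for authentication"); proposed wording: `Specifies the minimum length of time that a locally cached password is trusted before a failed bind is retried against the remote LDAP service.` Since the cache is keyed on matching the provided password, the min-age description could also note that during that window a changed remote password is not detected, which is the trade-off the administrator is tuning.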
--
Gitblit v1.10.0