Monday Apr 07, 2008

PwdLastAuthTime and cn=proxyagent

You might be wondering what the cryptic title of this blog entry means; allow me to explain:

  • Sun Directory Server 6 introduced a new password policy attribute, pwdLastAuthTime, that stores the time a user last authenticated (bound) to the Directory. It is only recorded for entries whose effective password policy sets pwdKeepLastAuthTime to true.

  • proxyagent is the default user, referenced from the client profile, that native LDAP clients configured for proxy authentication bind as.

Thus suppose:

  1. You have two or more Sun Directory Servers in a multi-master replication configuration.

  2. The Directory Servers are deployed as a naming service used by native LDAP clients (for authentication, etc.) configured for proxy authentication.

  3. You have configured a user-defined password policy that stores pwdLastAuthTime (pwdKeepLastAuthTime: true).

The proxyagent user binds to the Directory very frequently (to refresh the client profile, etc.). With pwdKeepLastAuthTime enabled, every one of those successful binds becomes an internal modify of the proxyagent entry, and in a replicated environment each modify is also written to the replication changelog, so you may notice the changelog file growing very quickly and consuming disk space. The documentation explicitly states: “Using this feature can affect performance. When you configure Directory Server to save pwdLastAuthTime timestamps, the server must perform an internal modify operation for each successful bind.”

The solution to the rapidly growing replication changelog is to assign the proxyagent user a separate password policy that does not record pwdLastAuthTime, while leaving the recording policy in place for ordinary users. Samples follow.

LDIF file to create a custom password policy that records pwdLastAuthTime, for ordinary user accounts (the ou=ExamplePasswordPolicy container must already exist):

dn: cn=DirectorypwdPolicy,ou=ExamplePasswordPolicy,dc=example,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
objectclass: ldapsubentry
objectclass: top
cn: DirectorypwdPolicy
cn: Example Password Policy
description: Example Password Policy
pwdAttribute: userPassword
pwdAllowUserChange: true
pwdGraceAuthNLimit: 0
pwdMustChange: false
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 2592000
pwdExpireWarning: 432000
pwdInHistory: 0
pwdSafeModify: true
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdLockout: true
pwdLockoutDuration: 0
pwdIsLockoutPrioritized: true
pwdKeepLastAuthTime: true
passwordRootdnMayBypassModsChecks: on
passwordStorageScheme: SSHA

LDIF file to create a custom password policy that does not record pwdLastAuthTime, for the proxyagent user. Note that this policy also differs from the one above in turning lockout off (pwdLockout: false), so that a burst of failed binds from a misconfigured client cannot lock the shared proxy account and take the naming service down with it; the trade-off is that brute-force attempts against this well-known account are never locked out, so its password must be strong.

dn: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=example,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
objectclass: ldapsubentry
objectclass: top
cn: DirectorypwdPolicyPxyAgent
cn: Example Password Policy PxyAgent
description: Example Password Policy PxyAgent
pwdAttribute: userPassword
pwdAllowUserChange: true
pwdGraceAuthNLimit: 0
pwdMustChange: false
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 2592000
pwdExpireWarning: 432000
pwdInHistory: 0
pwdSafeModify: true
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdLockout: false
pwdLockoutDuration: 0
pwdIsLockoutPrioritized: true
pwdKeepLastAuthTime: false
passwordRootdnMayBypassModsChecks: on
passwordStorageScheme: SSHA

LDIF file to assign the above password policy to the proxyagent user (use "replace: pwdPolicySubentry" instead of "add:" if the entry already carries a pwdPolicySubentry value, otherwise the modify fails with an attribute-or-value-exists error):

dn: cn=proxyagent,ou=profile,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=example,dc=com
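As an added example (not part of the original post, and not a Sun Directory Server tool), here is a small Python audit that reads an LDIF export of your password policies and accounts, resolves which policy each binding account actually gets (its pwdPolicySubentry, otherwise the default policy), and lists the accounts whose every successful bind will still become a replicated modify. It also catches the quiet failure mode of the procedure above: a pwdPolicySubentry value whose DN does not match any policy subentry, for instance because of a typo. The sample LDIF is constructed, the default-policy values are assumptions to check against your own cn=Password Policy,cn=config, and DN matching is simplified (case-insensitive, no escaped commas, no base64 "::" values).

```python
"""Audit which accounts in a Sun DS LDIF export will trigger the internal
pwdLastAuthTime modify on every bind. Added example; sample data is constructed."""

DEFAULT_POLICY_DN = "cn=Password Policy,cn=config"
# Assumption: out of the box, pwdKeepLastAuthTime and pwdLockout are both off.
DEFAULT_POLICY_ATTRS = {"pwdkeeplastauthtime": ["false"], "pwdlockout": ["false"]}

def norm_dn(dn):
    """Comparison key: DN case and spacing after commas are not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader: joins folded lines (leading space, RFC 2849), skips
    comments, lowercases attribute names. Base64 (::) values are not decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif not raw.startswith("#"):
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def is_true(attrs, name, default=False):
    vals = attrs.get(name)
    return default if not vals else vals[0].strip().lower() == "true"

def audit(ldif_text):
    """Map each binding account to its effective policy (pwdPolicySubentry,
    else the default) and flag references that name no policy subentry."""
    entries = parse_ldif(ldif_text)
    policies = {norm_dn(dn): (dn, a) for dn, a in entries
                if "pwdpolicy" in {v.lower() for v in a.get("objectclass", [])}}
    report, dangling = [], []
    for dn, attrs in entries:
        if norm_dn(dn) in policies or "userpassword" not in attrs:
            continue                      # subentries and non-binding entries
        ref = attrs.get("pwdpolicysubentry", [None])[0]
        if ref is None:
            pol_dn, pol = DEFAULT_POLICY_DN, DEFAULT_POLICY_ATTRS
        elif norm_dn(ref) in policies:
            pol_dn, pol = policies[norm_dn(ref)]
        else:
            dangling.append((dn, ref))    # policy DN resolves to nothing
            continue
        report.append({"dn": dn, "policy": pol_dn,
                       "records_last_auth": is_true(pol, "pwdkeeplastauthtime"),
                       "lockout": is_true(pol, "pwdlockout")})
    return report, dangling

def writers(report):
    """Accounts whose every successful bind becomes a replicated modify."""
    return [r["dn"] for r in report if r["records_last_auth"]]

# Constructed sample: both policies (trimmed), proxyagent on the quiet policy via
# a folded DN of different case, a normal user, a default-policy user, a typo.
SAMPLE_LDIF = """\
dn: cn=DirectorypwdPolicy,ou=ExamplePasswordPolicy,dc=example,dc=com
objectclass: pwdPolicy
pwdLockout: true
pwdKeepLastAuthTime: true

dn: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=example,dc=com
objectclass: pwdPolicy
pwdLockout: false
pwdKeepLastAuthTime: false

dn: cn=proxyagent,ou=profile,dc=example,dc=com
userPassword: {SSHA}constructed
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPoli
 cy,dc=Example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SSHA}constructed
pwdPolicySubentry: cn=DirectorypwdPolicy,ou=ExamplePasswordPolicy,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {SSHA}constructed

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {SSHA}constructed
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgnt,ou=ExamplePasswordPolicy,dc=example,dc=com
"""

if __name__ == "__main__":
    rows, bad = audit(SAMPLE_LDIF)
    print("binds that write:", writers(rows), "dangling:", bad)
```

Run it against a real export (an ldapsearch over your suffix, bound as Directory Manager so that userPassword and the policy subentries are returned) and the expectation after applying the LDIF above is that proxyagent drops out of the "binds that write" list and the dangling list is empty. If proxyagent is still listed, the pwdPolicySubentry DN on the entry does not name the quiet policy, which is exactly the mistake the dangling check reports.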

For this blog entry, I decided to list the references below, rather than creating hyperlinks in the text above and thus distracting myself from the main text. I hope the reader finds this easier to read as well.

References:

Sun Directory Server 6 password policies

Applying password policies to an individual user

PwdLastAuthTime

LDAP as a naming service

Proxy authentication – see “Using Proxy Credentials”

About

Jonathan Gershater