PwdLastAuthTime and cn=proxyagent
You might be wondering about the cryptic title of this blog entry; allow me to explain:
Sun Directory Server 6 introduced a new attribute in password policies, PwdLastAuthTime, that stores the last time a user authenticated to the Directory.
ProxyAgent is the default user in the profile used by native-ldap clients configured for proxy authentication.
Thus suppose:
You have two or more Sun Directory servers in a multi-master replication configuration.
That the Directory servers are deployed as a naming service used by native-ldap clients (for authentication etc.) configured for proxy authentication.
That you have configured a user-defined password policy to store PwdLastAuthTime.
The proxyAgent user object authenticates to the Directory quite frequently, to update the client profile etc. Each of these proxy authentications is recorded by the Directory as an internal modify of pwdLastAuthTime, and in a replicated environment that modify is replicated too, so you may notice your replication changelog file growing very quickly and consuming disk space. The documentation explicitly states: “Using this feature can affect performance. When you configure Directory Server to save pwdLastAuthTime timestamps, the server must perform an internal modify operation for each successful bind.”
The solution to the problem of rapidly growing replication changelog files is to apply a special password policy to the proxyagent user that does not record PwdLastAuthTime. See the sample below:
LDIF file to create a custom password policy that logs PwdLastAuthTime and is assigned to all users by default
dn: cn=DirectorypwdPolicy,ou=ExamplePasswordPolicy,dc=Example,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
objectclass: ldapsubentry
objectclass: top
cn: DirectorypwdPolicy
cn: Example Password Policy
description: Example Password Policy
pwdAttribute: userPassword
pwdAllowUserChange: true
pwdGraceAuthNLimit: 0
pwdMustChange: false
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 2592000
pwdExpireWarning: 432000
pwdInHistory: 0
pwdSafeModify: true
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdLockout: true
pwdLockoutDuration: 0
pwdIsLockoutPrioritized: true
pwdKeepLastAuthTime: true
passwordRootdnMayBypassModsChecks: on
passwordStorageScheme: SSHA
LDIF file to create a custom password policy that does not log PwdLastAuthTime
dn: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=Example,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
objectclass: ldapsubentry
objectclass: top
cn: DirectorypwdPolicyPxyAgent
cn: Example Password Policy PxyAgent
description: Example Password Policy PxyAgent
pwdAttribute: userPassword
pwdAllowUserChange: true
pwdGraceAuthNLimit: 0
pwdMustChange: false
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 2592000
pwdExpireWarning: 432000
pwdInHistory: 0
pwdSafeModify: true
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdLockout: false
pwdLockoutDuration: 0
pwdIsLockoutPrioritized: true
pwdKeepLastAuthTime: false
passwordRootdnMayBypassModsChecks: on
passwordStorageScheme: SSHA
LDIF file to assign the above password policy to the proxyagent user:
dn: cn=proxyagent,ou=profile,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=Example,dc=com
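Once the three LDIF files above have been applied, the thing worth checking is that the proxyagent really resolves to the policy with pwdKeepLastAuthTime set to false, since a missed or mistyped pwdPolicySubentry leaves the changelog growing exactly as before. The script below is an added example, not code from the original post or from Sun Directory Server; it parses LDIF of the shape shown above (embedded here as constructed sample data, trimmed to the attributes the audit needs), resolves the effective policy for a high-frequency bind account and flags any such account whose policy still records pwdLastAuthTime. The names PROXYAGENT_DN, DEFAULT_POLICY_DN, parse_ldif, effective_policy and audit are mine; treating an entry without pwdPolicySubentry as falling under the first, recording policy is an assumption made for the example (in a real deployment the fallback is the server's default password policy in cn=config).

```python
"""Audit which password policy a DN resolves to and whether it keeps pwdLastAuthTime.

Added example, not code from the original blog post. Assumption: an entry with no
pwdPolicySubentry falls under DEFAULT_POLICY_DN, the recording policy from the post.
"""

# Constructed sample data, trimmed to the attributes the audit needs.
POLICIES_LDIF = """\
dn: cn=DirectorypwdPolicy,ou=ExamplePasswordPolicy,dc=Example,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
cn: DirectorypwdPolicy
pwdAttribute: userPassword
pwdKeepLastAuthTime: true

dn: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=Example,dc=com
changetype: add
objectclass: pwdPolicy
objectclass: sunPwdPolicy
cn: DirectorypwdPolicyPxyAgent
pwdAttribute: userPassword
pwdKeepLastAuthTime: false
"""

# Constructed sample: the modify that pins proxyagent to the non-recording policy.
ASSIGNMENT_LDIF = """\
dn: cn=proxyagent,ou=profile,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DirectorypwdPolicyPxyAgent,ou=ExamplePasswordPolicy,dc=Example,dc=com
"""

PROXYAGENT_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"
DEFAULT_POLICY_DN = "cn=DirectorypwdPolicy,ou=ExamplePasswordPolicy,dc=Example,dc=com"  # assumption


def norm_dn(dn):
    """Normalise a DN for comparison; the components used here are case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return a list of records, each a dict of lower-cased attribute -> [values].
    Handles RFC 2849 line folding, '#' comments and the '-' separator of modify
    records; a 'dn:' line always starts a new record, so fragments concatenate."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    records, rec = [], None
    for line in lines:
        if not line or line.startswith("#") or line == "-":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            rec = {"dn": [value]}
            records.append(rec)
        elif rec is None:
            raise ValueError("attribute line before any dn line")
        else:
            rec.setdefault(name, []).append(value)
    return records


def effective_policy(records, entry_dn, default_policy_dn=DEFAULT_POLICY_DN):
    """Return (policy_dn, keeps_last_auth_time) for entry_dn. Policies are 'add'
    records with the pwdPolicy objectclass; any record that sets pwdPolicySubentry
    counts as an assignment (last value wins)."""
    policies, assigned = {}, {}
    for rec in records:
        dn = norm_dn(rec["dn"][0])
        changetype = rec.get("changetype", ["add"])[0].lower()
        classes = {v.lower() for v in rec.get("objectclass", [])}
        if changetype == "add" and "pwdpolicy" in classes:
            policies[dn] = rec
        if "pwdpolicysubentry" in rec:
            assigned[dn] = norm_dn(rec["pwdpolicysubentry"][-1])
    policy_dn = assigned.get(norm_dn(entry_dn), norm_dn(default_policy_dn))
    policy = policies.get(policy_dn)
    if policy is None:
        raise KeyError(f"policy {policy_dn} is referenced but not defined")
    # pwdKeepLastAuthTime is off unless explicitly set to true.
    keeps = policy.get("pwdkeeplastauthtime", ["false"])[0].lower() == "true"
    return policy_dn, keeps


def audit(records, frequent_binders, default_policy_dn=DEFAULT_POLICY_DN):
    """DNs among frequent_binders whose effective policy still records
    pwdLastAuthTime, i.e. a replicated internal modify on every successful bind."""
    return [dn for dn in frequent_binders
            if effective_policy(records, dn, default_policy_dn)[1]]


if __name__ == "__main__":
    for label, text in (("before", POLICIES_LDIF),
                        ("after", POLICIES_LDIF + ASSIGNMENT_LDIF)):
        found = audit(parse_ldif(text), [PROXYAGENT_DN])
        print(f"{label} assignment: still recording pwdLastAuthTime -> {found}")
```

Run against the real data by exporting the policy subentries and the proxyagent entry with ldapsearch to LDIF and feeding that text to parse_ldif instead of the embedded samples; any DN that audit returns is an account whose binds are still producing replicated modifies.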
For this blog entry, I decided to list the references below, rather than creating hyperlinks in the text above and thus distracting myself from the main text. I hope the reader finds this easier to read as well.
References:
Sun Directory Server 6 password policies
Applying password policies to an individual user
Proxy authentication – see “Using Proxy Credentials”
Posted at 08:35AM Apr 07, 2008 by Jonathan Gershater in Identity & Directory Server |