SSO account schema
User account specific settings
The user account in the external directory has the following new settings:
Setting | Description
---|---
ubiloginAccountControl: cant-change-credentials | If the multi-valued attribute "ubiloginAccountControl" contains the value "cant-change-credentials", the user cannot change their password from UAS.
ubiloginAccountControl: dont-expire-credentials | If the multi-valued attribute "ubiloginAccountControl" contains the value "dont-expire-credentials", the user's password never expires and the setting "policy.password.max-age" is ignored for this account.
ubiloginPasswordLastSet: 0 | If the attribute "ubiloginPasswordLastSet" is set to "0", the user must change their password at the next login.
ubiloginNotBefore: | Start of the account's validity period. Before this time the account is disabled and cannot be used. The timestamp is given in milliseconds since the Unix epoch.
ubiloginNotOnOrAfter: | End of the account's validity period. On or after this time the account is disabled and cannot be used. The timestamp is given in milliseconds since the Unix epoch.
ubiloginEnabled: | The account can be disabled by setting this attribute to "FALSE". The default value is "TRUE".
ubiloginBadLogonCount: | The system keeps a count of failed logons in this attribute. If this count exceeds the value of the setting "policy.lockout.threshold", the user account is locked. An administrator can cancel the lock by setting this attribute to 0.
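The following Python script is an added example, not Ubisecure code, that applies the rules in the table above to a directory entry and classifies the account. The entries, the lockout threshold (5), the password maximum age (90 days) and the order in which the checks are applied are assumptions made for illustration; attribute names are the ones from the table.

```python
"""Evaluate the ubiloginAccount settings for one user entry.

Added example; not Ubisecure code. ENTRIES is constructed to look like an
LDAP search result (attribute name -> list of string values). The policy
values LOCKOUT_THRESHOLD and MAX_AGE_MS and the order of the checks are
assumptions for illustration.
"""
from datetime import datetime, timezone

DAY_MS = 86_400_000
LOCKOUT_THRESHOLD = 5          # assumed value of policy.lockout.threshold
MAX_AGE_MS = 90 * DAY_MS       # assumed policy.password.max-age of 90 days


def to_ms(dt: datetime) -> int:
    """Milliseconds since the Unix epoch, the unit ubiloginNotBefore,
    ubiloginNotOnOrAfter and ubiloginPasswordLastSet are stored in."""
    return int(dt.timestamp() * 1000)


def first(entry: dict, attr: str, default=None):
    """First value of a (possibly multi-valued) LDAP attribute."""
    values = entry.get(attr)
    return values[0] if values else default


def can_change_password(entry: dict) -> bool:
    """cant-change-credentials blocks self-service password changes in UAS."""
    return "cant-change-credentials" not in entry.get("ubiloginAccountControl", [])


def account_status(entry: dict, now_ms: int,
                   lockout_threshold: int = LOCKOUT_THRESHOLD,
                   max_age_ms: int = MAX_AGE_MS) -> str:
    """Classify an account as one of: disabled, not-yet-valid, expired,
    locked, must-change-password, password-expired, ok.
    Hard disables are checked first, then lockout, then password state
    (that ordering is an assumption of this example)."""
    if first(entry, "ubiloginEnabled", "TRUE").upper() == "FALSE":
        return "disabled"
    not_before = first(entry, "ubiloginNotBefore")
    if not_before is not None and now_ms < int(not_before):
        return "not-yet-valid"
    not_on_or_after = first(entry, "ubiloginNotOnOrAfter")
    if not_on_or_after is not None and now_ms >= int(not_on_or_after):
        return "expired"
    # The account locks when the counter *exceeds* the threshold.
    if int(first(entry, "ubiloginBadLogonCount", "0")) > lockout_threshold:
        return "locked"
    last_set = first(entry, "ubiloginPasswordLastSet")
    if last_set is not None and int(last_set) == 0:
        return "must-change-password"
    flags = entry.get("ubiloginAccountControl", [])
    if ("dont-expire-credentials" not in flags and last_set is not None
            and now_ms - int(last_set) > max_age_ms):
        return "password-expired"
    return "ok"


def unlock(entry: dict) -> dict:
    """What an administrator does to cancel a lockout: reset the counter to 0."""
    return {**entry, "ubiloginBadLogonCount": ["0"]}


NOW_MS = to_ms(datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc))

# Constructed sample entries (not real directory data).
ENTRIES = {
    "uid=alice": {            # ordinary account, password set 10 days ago
        "ubiloginPasswordLastSet": [str(NOW_MS - 10 * DAY_MS)]},
    "uid=bob": {              # service account: old password that never expires
        "ubiloginAccountControl": ["dont-expire-credentials", "cant-change-credentials"],
        "ubiloginPasswordLastSet": [str(NOW_MS - 400 * DAY_MS)]},
    "uid=carol": {            # contractor whose validity window ended yesterday
        "ubiloginNotBefore": [str(NOW_MS - 30 * DAY_MS)],
        "ubiloginNotOnOrAfter": [str(NOW_MS - DAY_MS)],
        "ubiloginPasswordLastSet": [str(NOW_MS - 5 * DAY_MS)]},
    "uid=dave": {             # six failed logons against a threshold of five
        "ubiloginBadLogonCount": ["6"],
        "ubiloginPasswordLastSet": [str(NOW_MS - DAY_MS)]},
    "uid=erin": {             # provisioned with a temporary password
        "ubiloginPasswordLastSet": ["0"]},
    "uid=frank": {            # explicitly disabled
        "ubiloginEnabled": ["FALSE"]},
}

if __name__ == "__main__":
    for dn, entry in ENTRIES.items():
        print(f"{dn}: {account_status(entry, NOW_MS)}, "
              f"self-service password change: {can_change_password(entry)}")
```

Note that `dont-expire-credentials` only suppresses the maximum-age check; a value of 0 in ubiloginPasswordLastSet still forces a change at next login, and the validity window and lockout apply regardless of the flags.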
Updating the External Directory Schema
The external directory needs a schema update that installs a new auxiliary object class, "ubiloginAccount". User objects that are subject to external directory password policies must include this class.
How the schema is updated depends on the LDAP server. Ubisecure distributes schema files for AD LDS (ADAM) and OpenLDAP; other LDAP directories can use the OpenLDAP schema file as a template.
- On AD LDS, import the file adam.ubilogin-account.schema.
- On OpenLDAP, import the file openldap.ubilogin-account.schema.
The user objects should then be updated to include this new auxiliary class. Import the schema first: until the server knows the class, a modify operation that adds objectClass ubiloginAccount to an entry is rejected.
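The following Python script is an added example, not a Ubisecure tool, showing the second step of the procedure: it generates the ldapmodify input that attaches the ubiloginAccount auxiliary class to existing user entries and seeds a few of the attributes. The base DN, the user list, the current objectClass values and the policy choices are constructed for illustration.

```python
"""Generate ldapmodify input that attaches the ubiloginAccount auxiliary
class to existing user entries, after the schema file has been imported.

Added example; not a Ubisecure tool. The DNs, the current objectClass
values and the policy choices are constructed for illustration.
"""
from datetime import datetime, timezone


def to_ms(dt: datetime) -> int:
    """Milliseconds since the Unix epoch, the unit the ubilogin* timestamps use."""
    return int(dt.timestamp() * 1000)


def ubilogin_account_modify(dn: str, object_classes, *, not_on_or_after=None,
                            force_password_change=False) -> str:
    """One LDIF 'changetype: modify' record for a single entry.

    The objectClass value is added only when it is missing: an LDAP add of a
    value that already exists fails with attributeOrValueExists, so skipping
    it keeps the script re-runnable. Attribute writes use 'replace', which is
    idempotent. All modifications in one record are applied as one atomic
    operation, so the attributes may be set in the same record that adds
    the class.
    """
    mods = []
    if "ubiloginAccount" not in object_classes:
        mods.append(["add: objectClass", "objectClass: ubiloginAccount"])
    mods.append(["replace: ubiloginEnabled", "ubiloginEnabled: TRUE"])
    if not_on_or_after is not None:
        mods.append(["replace: ubiloginNotOnOrAfter",
                     f"ubiloginNotOnOrAfter: {to_ms(not_on_or_after)}"])
    if force_password_change:
        # 0 means "change password at next login"
        mods.append(["replace: ubiloginPasswordLastSet",
                     "ubiloginPasswordLastSet: 0"])
    lines = [f"dn: {dn}", "changetype: modify"]
    for mod in mods:
        lines.extend(mod)
        lines.append("-")          # every mod-spec in LDIF ends with a '-' line
    return "\n".join(lines) + "\n"


def build_ldif(users) -> str:
    """One record per user; records are separated by a blank line."""
    return "\n".join(ubilogin_account_modify(**u) for u in users)


# Constructed input: what a search for (objectClass=inetOrgPerson) might return.
USERS = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "object_classes": ["inetOrgPerson"],
     "force_password_change": True},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "object_classes": ["inetOrgPerson", "ubiloginAccount"],   # already converted
     "not_on_or_after": datetime(2025, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    # Save the output and apply it with:
    #   ldapmodify -H ldap://directory.example.com -D cn=admin,dc=example,dc=com -W -f users.ldif
    print(build_ldif(USERS), end="")
```

Because the timestamps are stored as numeric strings, compute them from a timezone-aware datetime as above; a naive datetime would be interpreted in the local zone of the machine running the script and shift the validity window by the UTC offset.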
Listing 1. Schema update from file openldap.ubilogin-account.schema
```
# $Id$
# Attributes
#
# Syntax OIDs (RFC 4517): 1.3.6.1.4.1.1466.115.121.1.7 = Boolean,
# ...115.121.1.15 = Directory String, ...115.121.1.27 = INTEGER,
# ...115.121.1.36 = Numeric String. Timestamps are numeric strings holding
# milliseconds since the Unix epoch.
attributetype ( 1.3.6.1.4.1.14761.1.13 NAME 'ubiloginEnabled'
    DESC 'The enabled status of this object'
    EQUALITY booleanMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' )
attributetype ( 1.3.6.1.4.1.14761.1.19 NAME 'ubiloginLastLogonTime'
    DESC 'Timestamp of last successful authentication'
    EQUALITY numericStringMatch ORDERING numericStringOrderingMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype ( 1.3.6.1.4.1.14761.1.20 NAME 'ubiloginBadLogonTime'
    DESC 'Timestamp of last failed authentication'
    EQUALITY numericStringMatch ORDERING numericStringOrderingMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype ( 1.3.6.1.4.1.14761.1.21 NAME 'ubiloginBadLogonCount'
    DESC 'Number of failed authentications since last successful authentication'
    EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
attributetype ( 1.3.6.1.4.1.14761.1.22 NAME 'ubiloginPasswordLastSet'
    DESC 'Timestamp when these credentials were last set'
    EQUALITY numericStringMatch ORDERING numericStringOrderingMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype ( 1.3.6.1.4.1.14761.1.45 NAME 'ubiloginNotBefore'
    DESC 'Beginning of the validity period'
    EQUALITY numericStringMatch ORDERING numericStringOrderingMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype ( 1.3.6.1.4.1.14761.1.46 NAME 'ubiloginNotOnOrAfter'
    DESC 'End of the validity period'
    EQUALITY numericStringMatch ORDERING numericStringOrderingMatch SINGLE-VALUE
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
# No SINGLE-VALUE: the attribute is multi-valued and may hold several flags
# (for example both cant-change-credentials and dont-expire-credentials).
attributetype ( 1.3.6.1.4.1.14761.1.55 NAME 'ubiloginAccountControl'
    DESC 'Account control flags'
    EQUALITY caseExactMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 1.3.6.1.4.1.14761.1.56 NAME 'ubiloginPasswordHistory'
    DESC 'Credentials history'
    EQUALITY caseExactMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

# Classes
# Auxiliary class: it is attached to existing user entries rather than
# replacing their structural class, and every attribute is optional (MAY).
objectclass ( 1.3.6.1.4.1.14761.2.23 NAME 'ubiloginAccount'
    DESC 'Ubilogin Account'
    SUP top AUXILIARY
    MAY ( ubiloginBadLogonCount $ ubiloginBadLogonTime $ ubiloginLastLogonTime $
          ubiloginEnabled $ ubiloginNotBefore $ ubiloginNotOnOrAfter $
          ubiloginAccountControl $ ubiloginPasswordLastSet $ ubiloginPasswordHistory ) )
```