Account schema - SSO

User account specific settings

The user account in the external directory has the following new settings:

ubiloginAccountControl: cant-change-credentials
    If the multi-valued attribute "ubiloginAccountControl" is added with the value "cant-change-credentials", the user cannot change his/her password from UAS.

ubiloginAccountControl: dont-expire-credentials
    If the multi-valued attribute "ubiloginAccountControl" is added with the value "dont-expire-credentials", the user's password will not expire and the setting "policy.password.max-age" is ignored.

ubiloginPasswordLastSet: 0
    If the attribute "ubiloginPasswordLastSet" is set to the value "0", the user has to change the password at the next login.

ubiloginNotBefore:
    The time before which the user account is disabled and cannot be used. The timestamp is given in milliseconds after Epoch.

ubiloginNotOnOrAfter:
    The time on or after which the user account is disabled and cannot be used. The timestamp is given in milliseconds after Epoch.

ubiloginEnabled:
    The account can be disabled by setting this attribute value to "FALSE". The default value is "TRUE".

ubiloginBadLogonCount:
    The system keeps count of bad logons in this attribute. If this count exceeds the value in the setting policy.lockout.threshold, the user account is locked. The administrator may cancel this locking by setting this attribute value to 0.
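The following is an added example (not Ubisecure code) that derives an account's state from the attributes listed above, in the way an administrator auditing the directory would want to check them. It assumes an entry is a dict of attribute name to a list of string values (the shape of an LDAP search result), that the two policy keys carry the values of the settings named above, and that policy.password.max-age is expressed in days.

```python
"""Check a user entry's ubiloginAccount attributes against the password policy.
Added example, not Ubisecure code. An entry is a dict of attribute name to list
of string values (the shape of an LDAP search result); the policy keys are the
settings named above. Reading policy.password.max-age as days is an assumption."""

MS_PER_DAY = 24 * 60 * 60 * 1000
NOW_MS = 1_700_000_000_000  # constructed "current time" in ms since Epoch

# Constructed sample: enabled, inside its validity window, locked by bad logons,
# password set 100 days ago and not allowed to be changed from UAS.
SAMPLE_ENTRY = {
    "objectClass": ["inetOrgPerson", "ubiloginAccount"],
    "ubiloginEnabled": ["TRUE"],
    "ubiloginNotBefore": [str(NOW_MS - 10 * MS_PER_DAY)],
    "ubiloginNotOnOrAfter": [str(NOW_MS + 365 * MS_PER_DAY)],
    "ubiloginBadLogonCount": ["6"],
    "ubiloginPasswordLastSet": [str(NOW_MS - 100 * MS_PER_DAY)],
    "ubiloginAccountControl": ["cant-change-credentials"],
}
POLICY = {"policy.lockout.threshold": 5, "policy.password.max-age": 90}


def first(entry, name, default=None):
    """First value of a possibly multi-valued attribute, or default."""
    values = entry.get(name)
    return values[0] if values else default


def evaluate_account(entry, policy, now_ms):
    """Derive the account state from the attributes described in the table."""
    flags = set(entry.get("ubiloginAccountControl", []))
    blocked = []
    if first(entry, "ubiloginEnabled", "TRUE").upper() == "FALSE":
        blocked.append("disabled")
    not_before = first(entry, "ubiloginNotBefore")
    if not_before is not None and now_ms < int(not_before):
        blocked.append("not-yet-valid")
    not_after = first(entry, "ubiloginNotOnOrAfter")
    if not_after is not None and now_ms >= int(not_after):
        blocked.append("validity-ended")
    # Locked once the bad-logon count exceeds the threshold; an admin
    # clears the lock by resetting ubiloginBadLogonCount to 0.
    if int(first(entry, "ubiloginBadLogonCount", "0")) > policy["policy.lockout.threshold"]:
        blocked.append("locked")
    last_set = int(first(entry, "ubiloginPasswordLastSet", "-1"))
    expired = (last_set > 0 and "dont-expire-credentials" not in flags
               and now_ms - last_set > policy["policy.password.max-age"] * MS_PER_DAY)
    return {"blocked": blocked, "must_change_password": last_set == 0,
            "password_expired": expired,
            "can_change_password": "cant-change-credentials" not in flags}
```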

Updating the External Directory Schema

The external directory needs a schema update that installs a new auxiliary class "ubiloginAccount" in the directory. The user objects used with external directory password policies have to include this class.

How the schema is updated depends on the specific LDAP server. Ubisecure distributes schema files for AD LDS (ADAM) and OpenLDAP. Other LDAP directories may use the OpenLDAP schema file as an example.

  • On AD LDS, import the file adam.ubilogin-account.schema.
  • On OpenLDAP, import the file openldap.ubilogin-account.schema.

The user objects should then be updated to include this new auxiliary class.

Listing 1. Schema update from file openldap.ubilogin-account.schema
# $Id$
# Attributes
attributetype (
  1.3.6.1.4.1.14761.1.13
  NAME 'ubiloginEnabled'
  DESC 'The enabled status of this object'
  EQUALITY booleanMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' )
attributetype (
  1.3.6.1.4.1.14761.1.19
  NAME 'ubiloginLastLogonTime'
  DESC 'Timestamp of last successful authentication'
  EQUALITY numericStringMatch
  ORDERING numericStringOrderingMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype (
  1.3.6.1.4.1.14761.1.20
  NAME 'ubiloginBadLogonTime'
  DESC 'Timestamp of last failed authentication'
  EQUALITY numericStringMatch
  ORDERING numericStringOrderingMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype (
  1.3.6.1.4.1.14761.1.21
  NAME 'ubiloginBadLogonCount'
  DESC 'Number of failed authentications since last successful authentication'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
attributetype (
  1.3.6.1.4.1.14761.1.22
  NAME 'ubiloginPasswordLastSet'
  DESC 'Timestamp when these credentials were last set'
  EQUALITY numericStringMatch
  ORDERING numericStringOrderingMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype (
  1.3.6.1.4.1.14761.1.45
  NAME 'ubiloginNotBefore'
  DESC 'Beginning of the validity period'
  EQUALITY numericStringMatch
  ORDERING numericStringOrderingMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype (
  1.3.6.1.4.1.14761.1.46
  NAME 'ubiloginNotOnOrAfter'
  DESC 'End of the validity period'
  EQUALITY numericStringMatch
  ORDERING numericStringOrderingMatch
  SINGLE-VALUE
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' )
attributetype (
  1.3.6.1.4.1.14761.1.55
  NAME 'ubiloginAccountControl'
  DESC 'Account control flags'
  EQUALITY caseExactMatch
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype (
  1.3.6.1.4.1.14761.1.56
  NAME 'ubiloginPasswordHistory'
  DESC 'Credentials history'
  EQUALITY caseExactMatch
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
# Classes
objectclass (
  1.3.6.1.4.1.14761.2.23
  NAME 'ubiloginAccount'
  DESC 'Ubilogin Account'
  SUP top
  AUXILIARY
  MAY ( ubiloginBadLogonCount $
    ubiloginBadLogonTime $
    ubiloginLastLogonTime $
    ubiloginEnabled $
    ubiloginNotBefore $
    ubiloginNotOnOrAfter $
    ubiloginAccountControl $
    ubiloginPasswordLastSet $
    ubiloginPasswordHistory ) )