IBM Security Directory Server overview
Security Directory Server implements the Internet Engineering Task Force (IETF) LDAP V3 specifications. It also includes enhancements added by IBM® in functional and performance areas.
This version uses DB2® as the backing store to provide per LDAP operation transaction integrity, high performance operations, and online backup and restore capability. IBM Security Directory Server interoperates with the IETF LDAP V3 based clients.
- A dynamically extensible directory schema – Administrators can define new attributes and object classes to enhance the directory schema. Changes to the directory schema are subject to consistency checks. Users can dynamically modify the schema content without restarting the directory server. Because the schema itself is part of the directory, schema update operations are done through standard LDAP APIs. Major functions that are provided by the LDAPv3 dynamically extensible schema:
- Searchable schema information through LDAP APIs
- Dynamic schema changes through LDAP APIs
- Server Root DSE
- Native Language Support – IBM Security Directory Server supports the UTF-8 (Universal Character Set Transformation Format) character set. This Unicode (or UCS) Transformation Format is an 8-bit encoding form that is designed for ease of use with existing ASCII-based systems. IBM Security Directory Server also supports data in multiple languages, and allows users to store, retrieve, and manage information in a native language code page.
- Replication – This feature makes more copies of the directory available, improving performance, and reliability of the directory service. Replication topologies also support forwarding and gateway servers.
- Security features – IBM Security Directory Server provides a rich set of security features.
- Identification and authentication
- Identification and authentication are used to determine the identity of the LDAP clients; that is, verifying that users are who they say they are. A user name and password are a basic authentication scheme. This user identity is used for determining access rights and for user accountability.
- Simple Authentication and Security Layer (SASL)
- This support provides for more authentication mechanisms. For more information, see Using Web Administration and DIGEST-MD5 configuration.
- The Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- This support provides encryption of data and authentication using X.509v3 public-key certificates. A server can be configured to run with or without SSL or TLS support or both. SSL is obsolete; where a choice is available, configure TLS. For more information, see Secure Sockets Layer and Transport Layer Security.
- Access control
- After users are authenticated, it must be determined whether they have authorization or permission to do the requested operation on the specific object. Authorization is often based on access control lists (ACLs). An ACL is a list of authorizations that can be attached to objects and attributes in the directory. An ACL lists what type of access each user or a group of users is allowed or denied. To make ACLs shorter and more manageable, users with the same access rights are often put into groups or the ACLs are filtered. The directory administrator can manage access control by specifying the access rights to objects for individual users or groups. Users can do operations under different access rights by using proxied authorization. For proxied authorization, the user assumes the proxied identity and the ACL restrictions for the proxied identity. For more information, see Access Control Lists.
- Auditing
- IBM Security Directory Server can audit security-relevant events, such as user authentication and modification to the directory tree. The audit function provides a means for accountability by generating audit records that contain the time, user identity, and more information about the operation. The directory administrator manages the behavior of the audit function, such as selection of auditable events. The administrator also manages the audit review and clearing of audit files. For more information, see Server audit log settings.
- Security roles
- IBM Security Directory Server supports five different security roles.
- Primary directory administrator
- The Primary directory administrator is associated with a specific user account. There is only one Primary directory administrator account for the LDAP server. The Primary directory administrator has full rights to manage the LDAP server. The Primary directory administrator is created during product installation and configuration. The Primary directory administrator consists of a user ID and a password and predefined authorization to manipulate the entire directory. The Primary directory administrator creates user entries: each is an LDAP entry that has a specific distinguished name (DN), a user password, and other attributes that represent the particular user. The Primary directory administrator also defines the level of authorization the user has over entries.
- Administrative group members
- Administrative group members are users that are assigned a subset of administrative privileges. The administrative group is a way for the directory administrator to delegate a limited set of administrative tasks. Tasks can be delegated to one or more individual user accounts. Server administrative group members are explicitly assigned various roles that define the tasks that a group member is authorized to do. These administrative roles include such specialized roles as Password Administrator and Server Start/Stop Administrator. For more information, see Administrative group creation.
- Global administrative group members
- The global administrative group is a way for the directory administrator to delegate administrative rights, in a distributed environment, over the database backend. Global administrative group members are assigned the same set of privileges as the administrative group and can access entries in the directory server backend. Global administrative group members do not have access to the audit log, so local administrators can use the audit log to monitor global administrative group member activity. Global administrative group members have no access rights to data or operations that are related to the configuration settings of the directory server, commonly called the configuration backend. All global administrative group members have the same set of privileges. Note: Global administrative group members have the authority to send the administrative control.
- LDAP user
- LDAP users are users whose privileges are determined by ACLs. Each LDAP user is identified with an LDAP entry that contains the authentication and authorization information for that user. The authentication and authorization information might also allow the user to query and update other entries. Depending on the type of authentication that is used and if user credentials are validated, users can access any of the attributes of entries where they have permissions.
- Master server DN
- The master server DN is a role that is used by replication. The role can update the entries under a replica's or a forwarding replica's replication context for which the DN is defined as a master server DN. The master server DN can create a replication context entry on a replica or forwarding replica if the DN is defined as the master server DN for that specific replication context or as a general master server DN. By sending an AES bind control, a master server DN can send AES-encrypted data to a replica.
The following points about the master server DN are important:
- There can be several master server DNs defined in a server's configuration file. There is an ibm-slapdReplication object that can contain a default or general ibm-slapdMasterDN, and there can be multiple ibm-slapdSupplier objects, each defining an ibm-slapdMasterDN for a specific replication context, that is, limited to a specific subtree. The administration password policy applies to them all.
- Any of those master server DNs can bind to the directory.
- Any of those master server DNs have access to update the ibm-slapdSuffix attribute of the entry cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=schemas, cn=Configuration in a server's configuration file. A master server DN does not have read or write access to any other entries in the configuration file.
- No master server DN has access to any other part of the configuration file.
- The general master server DN or the master server DN for the cn=IBMPOLICIES context can make updates to the schema.
- The master server DN for a specific context has full read and write access to all entries within that context.
- The general master server DN has full read and write access to all entries within all contexts.
- Password policy
- The password policy feature that is provided by IBM Security Directory Server allows the administrator to define the policy that is used for administrator and user passwords. The administrator places restrictions on passwords by specifying rules for syntax, validation, and lockout in the password policy. The administrator password policy configuration is stored in the configuration backend and can be modified only by the primary administrator. The user password policy configuration is stored within the LDAP tree and can be modified by the primary administrator or a member of the administrative group. The attribute values can be changed only when binding as administrator to IBM Security Directory Server. Security Directory Server provides three types of password policies: individual, group, and global password policies. For more information, see Password policy settings.
- Password encryption
- IBM Security Directory Server helps prevent unauthorized access to user passwords. The administrator can configure the server to store userPassword attribute values in either a one-way encrypting (hashed) format or a two-way encrypting (reversible) format.
One-way encrypting formats:
- crypt
- MD5
- PBKDF2 (PBKDF2-SHA1, PBKDF2-SHA224, PBKDF2-SHA256, PBKDF2-SHA384, and PBKDF2-SHA512)
- SHA-1
- Salted SHA-1
- SHA-2 (SHA 224, SHA 256, SHA 384, and SHA 512)
- Salted SHA-2 (SSHA 224, SSHA 256, SSHA 384, and SSHA 512)
You cannot configure the PBKDF2 algorithm with the Web Administration Tool. Configure this algorithm with the standard ldap modify operation.
After the server is configured, new or modified passwords are encrypted before they are stored in the directory database. Passwords that were stored before the change are not converted in place; they keep their existing format until they are next changed.
When you specify a password, avoid using the > character as the leading character or the < character as the end character of the password. If these characters are used in those positions, the password might be incorrectly encrypted or stored, which can result in authentication failures.
For applications that require retrieval of clear passwords, such as middle-tier authentication agents, the directory administrator must configure the server to perform either two-way encryption or no encryption on user passwords. Because such values can be recovered in the clear by anyone permitted to read the attribute, restrict read access to userPassword with ACLs and protect connections with TLS.
Two-way encrypting format:
- AES
When you configure the server using Web Administration, you can select one of the following encryption options:
- None
- No encryption. Passwords are stored in the clear text format.
- crypt
- Passwords are encrypted by the UNIX crypt encrypting algorithm before they are stored in the directory.
- MD5
- Passwords are encrypted by the MD5 Message Digest algorithm before they are stored in the directory.
- PBKDF2
- Passwords are encrypted by the PBKDF2 family of encrypting algorithms before they are stored in the directory. The supported encryption schemes under the PBKDF2 family of encryption algorithms are:
- PBKDF2-SHA1
- PBKDF2-SHA224
- PBKDF2-SHA256
- PBKDF2-SHA384
- PBKDF2-SHA512
Note: You cannot configure the PBKDF2 algorithm with the Web Administration Tool. Configure this algorithm with the standard ldap modify operation.
- SHA-1
- Passwords are encrypted by the SHA-1 encrypting algorithm before they are stored in the directory.
- Salted SHA-1
- Passwords are encrypted by the Salted SHA-1 encrypting algorithm before they are stored in the directory.
- SHA-2
- Passwords are encrypted by the SHA-2 family of encrypting algorithms before they are stored in the directory. The supported encryption schemes under the SHA-2 family of encryption algorithms are:
- SHA-224
- SHA-256
- SHA-384
- SHA-512
- Salted SHA-2
- Passwords are encrypted by the Salted SHA-2 family of encrypting algorithms before they are stored in the directory. The supported encryption schemes under the Salted SHA-2 family of encryption algorithms are:
- SSHA-224
- SSHA-256
- SSHA-384
- SSHA-512
- AES128
- Passwords are encrypted by the AES128 algorithm before they are stored in the directory. They are retrieved as part of an entry in the original clear format.
- AES192
- Passwords are encrypted by the AES192 algorithm before they are stored in the directory. They are retrieved as part of an entry in the original clear format.
- AES256
- Passwords are encrypted by the AES256 algorithm before they are stored in the directory. They are retrieved as part of an entry in the original clear format.
The default option is AES256. A change is registered in the password encryption directive of the server configuration file:
ibm-SlapdPwEncryption: AES256
The server configuration file is in: <instance_directory>\etc\ibmslapd.conf
Note:
- If the UNIX crypt method is used, only the first eight characters are effective.
- A one-way encrypted password can be used for password matching but it cannot be decrypted. During user login, the login password is encrypted and compared with the stored version for matching verification.
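The following Python script is an added example, not IBM's own code or tooling. It shows the audit a practitioner runs after changing ibm-SlapdPwEncryption: it reads the directive from an ibmslapd.conf fragment, classifies exported userPassword values by their scheme tag to find entries still stored in the clear or with a legacy unsalted hash (the server converts only new or changed passwords), verifies a salted SHA-1 value to illustrate one-way matching, and flags the > / < character restriction. It assumes LDIF-style attr: value text, {SCHEME} prefixes on stored values, and the common base64(digest + salt) layout for SSHA; the configuration fragment and export are constructed for the example, and the scheme tags should be checked against what your server actually emits.

```python
# Audit IBM Security Directory Server password storage.
# Added example, not IBM's tooling. Assumptions: ibmslapd.conf and ldapsearch
# output are LDIF-style "attr: value" text (base64 values use "attr:: value");
# stored userPassword values carry a "{SCHEME}" tag; {SSHA} uses the common
# layout base64(sha1(password + salt) + salt). Sample data below is constructed.
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
UNSALTED = {"CRYPT", "MD5", "SHA", "SHA224", "SHA256", "SHA384", "SHA512"}


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> values; handles folding and ::."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # LDIF line folding
        else:
            lines.append(line)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def pw_encryption_setting(conf_text):
    """Value of ibm-slapdPwEncryption in an ibmslapd.conf fragment, or None."""
    for entry in parse_ldif(conf_text):
        if "ibm-slapdpwencryption" in entry:
            return entry["ibm-slapdpwencryption"][0]
    return None


def classify_password(value):
    """Bucket a stored userPassword value by the scheme tag it carries."""
    match = SCHEME_RE.match(value)
    if not match:
        return "clear"                     # no tag: stored in clear text
    tag = match.group(1).upper()
    if tag.startswith("AES"):
        return "reversible"                # two-way: recoverable by any reader
    if tag.startswith("PBKDF2"):
        return "pbkdf2"
    if tag.startswith("SSHA"):
        return "salted-hash"
    if tag in UNSALTED:
        return "unsalted-hash"             # crypt/MD5/SHA-1/SHA-2 without salt
    return "unknown"


def audit_passwords(ldif_text):
    """Count userPassword values per bucket across an exported LDIF."""
    counts = {}
    for entry in parse_ldif(ldif_text):
        for value in entry.get("userpassword", []):
            kind = classify_password(value)
            counts[kind] = counts.get(kind, 0) + 1
    return counts


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the assumed {SSHA} layout; random 8-byte salt by default."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """One-way matching: re-hash with the stored salt and compare in constant
    time. The stored value is never decoded back into a password."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_char_warning(password):
    """The documented restriction: '>' must not lead and '<' must not end a password."""
    if password.startswith(">") or password.endswith("<"):
        return "leading '>' or trailing '<' may be stored incorrectly"
    return None


# Constructed sample data (not taken from a real server).
SAMPLE_CONF = "dn: cn=Configuration\nibm-slapdPwEncryption: AES256\n"
_SALT = bytes.fromhex("0102030405060708")
SAMPLE_EXPORT = "\n".join([
    "dn: uid=alice,ou=people,o=sample",
    "userPassword: " + ssha_hash("correct horse", _SALT),
    "",
    "dn: uid=bob,ou=people,o=sample",
    "userPassword:: " + base64.b64encode(b"{MD5}X03MO1qnZdYdgyfeuILPmQ==").decode("ascii"),
    "",
    "dn: uid=carol,ou=people,o=sample",
    "userPassword: {AES256}" + base64.b64encode(b"opaque ciphertext").decode("ascii"),
    "",
    "dn: uid=dave,ou=people,o=sample",
    "userPassword: secret",
    "",
])

if __name__ == "__main__":
    print("ibm-slapdPwEncryption:", pw_encryption_setting(SAMPLE_CONF))
    print("stored password buckets:", audit_passwords(SAMPLE_EXPORT))
```

Run it against the output of an ldapsearch for userPassword (bound as an identity whose ACLs permit reading the attribute) to see how many entries still predate the current encryption directive; any "clear" or "unsalted-hash" bucket is a candidate for a forced password change.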
- Change log – Records changes that are made to the LDAP data. They are logged in a separate database in the LDAP server to support meta-directories or client queries to monitor directory updates.
- Dynamic configuration – Changes through LDAP APIs provide the capability to bind to a directory and issue a single extended operation along with any data that makes up the extended operation value. This support uses the standard host, port, SSL, and authentication options used by all of the LDAP client utilities. In addition, a set of options is defined to specify the operation to be performed and the arguments for each extended operation.
- Web Administration Tool – A graphical user interface (GUI) that can be used to administer and configure IBM Security Directory Server. The administration and configuration functions enable the administrator to do the following actions:
- Perform the initial setup of the directory
- Change configuration parameters and options
- Manage the daily operations of the directory, such as adding or editing objects, object classes, attributes, and entries.
- Proxy server – A Proxy server sits at the front end of a distributed directory. It provides efficient routing of user requests and improves performance in certain situations, and provides a unified directory view to the client. It can also be used at the front end of a server cluster for providing fail over and load balancing.
- Administration server (idsdiradm) – Enables remote management of an instance of IBM Security Directory Server. It must be installed on the machine where IBM Security Directory Server is installed and must be running continuously.
- Configuration only mode – Gives an administrator remote access to the server even when errors are encountered during startup. The server does not depend on the successful initialization of the database back end. An administrator can use the LDAP protocol to query and update the configuration for the server.
- Attribute uniqueness controls – Can be configured to ensure that specified attributes always have unique values within a directory on a single directory server.
- Language tags – Enables the directory to associate natural language codes with values held in a directory. It also enables clients to query the directory for values that meet certain natural language requirements.
- Sorting on searches – Sorts the entries that are found by the search using the first 240 bytes of the specified attribute values.
- Paged results – Provides paging capabilities for LDAP clients that want to receive just a subset of search results (a page) instead of the entire list.
- Transactions – Enable an application to group a set of entry updates together in one transaction.
- Multiple instances – Enables a user to have more than one directory instance on a server.
- Referrals – Allows directories to be distributed across multiple LDAP servers where each single server can contain only a subset of the whole directory data.
- Attribute encryption – Enables local administrative group members who are assigned the DirDataAdmin and SchemaAdmin roles to specify attributes that are to be encrypted in the directory database using a subset of the encryption schemes supported for password information. For more information, see Encrypted attributes.
- Pass-through authentication – A mechanism by which, if a client attempts to bind to a directory server and the user credential is not available locally, the server attempts to verify the credential against another external directory server (a pass-through server) on behalf of the client. For more information, see Pass-through authentication.
- SNMP for server management - The SNMP agent can be used with the IBM Security Directory Integrator assembly line. It can monitor and report the performance and wellness information of the directory server.
- LDAPSync - A tool for synchronizing users and groups between LDAP directories and IBM Security Directory Server. This feature is available from Version 6.3.1 onwards. LDAPSync replaces Active Directory synchronization, which is deprecated from Version 6.3.1 onwards.