Browse Prior Art Database

Method of Replicating Password Policy Operational Attributes from Read-Only Replicas Disclosure Number: IPCOM000219073D
Publication Date: 2012-Jun-19
Document File: 4 page(s) / 34K

Publishing Venue

The Prior Art Database


In a master - replica directory environment, if an invalid bind attempt occurs on the Read-Only replica (referred to as RO replica henceforth), the invalid bind counter is not replicated to rest of the servers in the topology as RO replicas are not capable of replicating such updates to other servers in the topology. Hence if ‘m’ is the number of invalid attempts permitted by the password policy, the account will not be locked out in ‘m’ attempts in a master- RO replica topology when some of invalid bind attempts were made on RO replica(s). This is a security issue. Disclosed herewith is a method and system of replicating the invalid password attempt counters from RO replica to other servers in the topology so that password policy is uniformly enforced in the topology regardless of on which server the invalid bind attempt is performed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 35% of the total text.

Page 01 of 4

Method of Replicating Password Policy Operational Attributes from Read -Only Replicas

General background on directories

Lightweight Directory Access Protocol (LDAP) is an open industry standard defining a standard method for accessing and updating information in a directory. LDAP has gained wide acceptance as the directory access method of the Internet and is therefore also becoming strategic within corporate intranets. It is being supported by a growing number of software vendors and is being incorporated into a growing number of applications. For example, the two most popular Web browsers, Netscape Navigator/Communicator (Netscape and Netscape Navigator/Communicator are trademarks or registered trademarks of Netscape Communications Corporation) and Microsoft Internet Explorer (Microsoft Internet Explorer is a trademark and registered trademark of US Microsoft Corporation in the US and other countries), as well as application middleware, such as the WebSphere Application Server (Websphere is a registered trademark of IBM in the US and other countries) or the HTTP server, support LDAP functionality as a base feature.

A directory server is an implementation of the LDAP protocol. It is basically a read-centric repository, wherein customers can store any kind of data viz. users, applications, files, printers, network resources etc. Data is stored in the directory servers in the form of entries. The server supports different operations as per the LDAP protocol. These include LDAP add, LDAP modify, LDAP search, LDAP delete, etc. Replication can also be set up between two LDAP servers to achieve high availability and load balancing. In case of LDAP update operations like add, modify, delete, the server that receives the operations (also known as supplier) replicates those to its replica (consumer) so that data in both the servers remains in sync. If password

policy is enabled on one server in the replication topology, then to enforce it uniformly across all the servers in the topology, it is imperative to replicate the password policy attributes to all the servers so that the password policy rules remain in synch.

Problem solved by the method

When an LDAP server enforces password policy, one of the parameter that it tries to enforce is account lockout after maximum number of bad password attempts. To do this, it has to keep track of the number of bad binds from a given user. To do this, a counter is maintained within the user entries, which is incremented on every bad bind from the user. This means that there is an internal update on the user entries if there is a bad bind.

If a bad bind attempt happens on a read-only replica (referred to as RO replica henceforth), it is not replicated to either masters or other replicas in the topology for the reason that RO replicas are not capable of replicating any updates to any other server in the topology. Hence if 'm' is the number of bad attempts permitted by the password policy, the account w...