Controlling access to your server


You can control who accesses the administration server forms. This chapter discusses the various methods you can use to determine who has access to forms in the administration server. For example, you can specify who has full control of all the servers installed on a computer and who has partial control of one or more servers. Before you can use access control on the administration server, you must enable distributed administration and set up an administrators group in your LDAP directory. This chapter assumes you've already configured distributed administration and have entries in the users and groups directory.

What is access control?

Access control lets you determine who can access the administration server and which servers and forms (also called programs) they can access. You can use two attributes for controlling access:

User-Group authentication

You can require users to authenticate themselves before getting access to your administration server. Authentication means that users verify their identity by entering a username and password.

If you require users to enter a username and password to get access to your server, you store the list of users and groups in an LDAP database, which can be either a file stored on the administration server computer or an LDAP server on a remote computer (for example, a computer running Netscape Directory Server). To use this type of authentication, you need a database containing the users and groups you want to reference when restricting access to your server.

When users attempt to access a form that has User-Group authentication, the web browser displays a dialog box asking the user to enter a username and password. After entering the information, the user either sees the Server Administration page or a message that says they don't have access. (You can customize the access-denied message that they see.) Figure 4.1 shows the authentication window. This window shows a custom message.

Users see this window when authenticating themselves to the server.

If your server doesn't use SSL encryption, the username and password that the end user types are sent unencrypted across the network. Someone could intercept the network packets and read the username and password being sent to the administration server. For this reason, User-Group authentication is most effective when combined with SSL encryption or Host-IP authentication, or both.

Host-IP authentication

You can limit access to forms on your administration server by making them available only to people using specific computers. You specify hostnames or IP addresses for the computers that you want to allow or deny. You can use wildcard patterns to specify multiple computers or entire networks. If you want to use this feature, you must have DNS running in your network and your computer must be configured to use it.

It's possible for more than one person to have access to a particular computer. For this reason, Host-IP authentication is most effective when combined with User-Group authentication. If both methods of authentication are used, the end user will have to enter a username and password before getting access.

Access control files

When you use access control on your administration server, the settings are stored in a file with the extension .acl. Access control files are stored in the directory <server_root>/<server_type>acl, where <server_type> is the name of the server. For example, the administration server uses the directory adminacl. Netscape Enterprise Server uses httpacl.

The administration server uses three ACL files, all located in the directory <server_root>/adminacl:

How does access control work?

When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the last entry to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). By default, the server has one ACL file that contains multiple ACLs.

When the server gets a request for a form, the server uses the ACL file and the rules in that file to determine if it should grant access or not. The rules can reference the hostname or IP address of the computer sending the request. The rules can also reference users and groups stored in the LDAP directory or local database.

For example, the following ACL file contains the two default entries for the administration server (admin-serv) plus one that allows users in the "admin-reduced" group to administer the Admin Preferences forms in the administration server.

Version 3.0;
acl "admin-serv"
deny with file = "/usr/suitespot/adminacl/admin-denymsg.html";
deny (all)
(user = "anyone");
deny absolute (all)
group != "admin";
allow (all)
(group = "admin-reduced") and
(program = "Admin Preferences")

The first line that starts with "deny" tells the server what file to return if a user isn't allowed access to the server. The second deny statement denies everyone access, but because the rule isn't absolute (like the next one), the server continues down the list to see if the user is allowed in a subsequent line. The third deny statement is absolute and denies anyone who isn't in the "admin" group in the LDAP directory. In this case, the "admin" group is the group specified for distributed administration.

The last rule explicitly allows access to the forms in the Admin Preferences section of the administration server to anyone in the "admin-reduced" group.
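
The evaluation order described above, modelled as an added example (not Netscape's code): entries are tested in order, the last matching entry decides, and a matching absolute entry ends the walk. The Request and ACE types, the user names and the deny result for a request that matches no entry are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # group memberships, as a directory lookup would return them
    program: str             # group of Server Manager forms being requested


@dataclass(frozen=True)
class ACE:
    action: str                          # "allow" or "deny"
    absolute: bool                       # a matching absolute entry ends evaluation
    matches: Callable[[Request], bool]
    text: str                            # the ACL line this entry models


# The three access entries of the sample "admin-serv" ACL shown above.
SAMPLE_ACL: List[ACE] = [
    ACE("deny", False, lambda r: True,
        'deny (all) (user = "anyone");'),
    ACE("deny", True, lambda r: "admin" not in r.groups,
        'deny absolute (all) group != "admin";'),
    ACE("allow", False,
        lambda r: "admin-reduced" in r.groups and r.program == "Admin Preferences",
        'allow (all) (group = "admin-reduced") and (program = "Admin Preferences")'),
]


def evaluate(acl: List[ACE], req: Request) -> Tuple[str, str]:
    """Return (decision, deciding ACL line) for one request."""
    # Assumption of this example: a request that matches no entry is denied.
    decision, line = "deny", "(no entry matched)"
    for ace in acl:
        if not ace.matches(req):
            continue
        decision, line = ace.action, ace.text   # the last matching entry decides
        if ace.absolute:
            break                               # "absolute" stops the walk here
    return decision, line


if __name__ == "__main__":
    # Constructed users and group memberships, for illustration only.
    cases = [
        Request("alice", frozenset({"admin", "admin-reduced"}), "Admin Preferences"),
        Request("alice", frozenset({"admin", "admin-reduced"}), "Global Settings"),
        Request("bob", frozenset({"admin-reduced"}), "Admin Preferences"),
        Request("carol", frozenset({"admin"}), "Admin Preferences"),
    ]
    for req in cases:
        print(req.user, "/", req.program, "->", *evaluate(SAMPLE_ACL, req))
```

In this model a user who is in "admin-reduced" but not in "admin" is stopped by the absolute deny before the allow line is reached, so the allow rule only helps users who are in both groups.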

Restricting access

This section takes you through the process of restricting access to your administration server. The sections following this one describe in detail each option available when using access control. Keep in mind that most access-control rules use only a subset of the available options.

To create an access-control rule:

  1. Go to the Server Manager and choose Global Settings|Restrict Access.
  2. Specify the server that you want to control. For example, you can select admin-serv to set up access control for the administration server. The drop-down list contains an entry for each 3.x server you have installed in the server root.
  3. Click the Edit ACL button. The right frame divides into two frames that you use to set the access control rules. If the server you chose already has access control, the rules will appear in the top frame. With the administration server, each ACL begins with two deny statements. The following figure briefly describes the function of each form element.

The ACL form contains links that, when clicked, display another form in the bottom frame (not shown).

  4. Click the New Line button. This adds a default ACL rule to the bottom row of the table. You can use the up and down arrows in the left column to move the rule, if needed.
  5. Select the action you want to apply to the rule by clicking the Deny link. The bottom frame displays a form where you can check if you want to deny or allow access to the users, groups, or hosts you'll specify in the following steps.

    Check the option you want, and then click Update.

  6. Specify User-Group authentication by clicking the anyone link listed under the Users/Groups column. The bottom frame displays a form for configuring User-Group authentication. By default, there is no authentication, meaning anyone can access the server.

    Check the options you want, and then click Update.

  7. Specify the computers you want to include in the rule by clicking the anyplace link. The bottom frame displays a form where you can enter wildcard patterns of host names or IP addresses to allow or deny.

    Check the options you want, and then click Update.

  8. Specify the programs you want to restrict. Programs are the forms in the Server Manager for the server you selected. For example, you can restrict access to all forms for configuring the administration server by checking the "All Programs" radio button. If you want to restrict access to one or two sets of forms, choose the categories in the drop-down list. If you want to restrict access to one form in a category, type the name of the form in the "Program Items" field. For example, to restrict access to the access control form, type distacl in the Program Items field. For more information, see the "Access to programs" section later in this chapter.

    Click Update to add the program options to the rules for the line you're editing.

  9. If you are familiar with ACL files, you can enter a customized ACL entry by clicking X under the Extra column. This area is useful if you use the access control API to customize ACLs.
  10. Check Continue if you want the access-control rule to continue in a chain. This means the next line is evaluated before the server determines if the user is allowed access. When creating multiple lines in an access-control entry, it's best to work from the most general restrictions to the most specific ones.
  11. Repeat steps 4 through 10 for each rule you need. If you want the user to be redirected to another URL if their request is denied, check Redirection when denied. Click the link to specify the URL for redirection.
  12. Click the Submit button to store the new access-control rules in the ACL file. If you click Revert, the server removes any changes you made to the rules from the time you first opened the 2-frame window. Be cautious when using Revert because you can't restore your edits. In most cases, it's probably better to delete the rule lines individually.

The following sections describe the options that appear in the bottom frame of the access-control window.

Specifying users and groups

You can restrict access to your administration server based on the user who requests a form. The administration server uses a list of users in the administrators group (the group you set up for distributed administration) to determine access rights for the user requesting a resource. The list of users is stored either in a database on the server computer or in an LDAP server, such as Netscape Directory Server. You should make sure the database has users and the administrators group in it before you set access control.

You can allow or deny access to everyone in the administrators group, or you can allow or deny specific people by using wildcard patterns or lists of users.

To configure access control with users and groups, follow the general directions for restricting access. When you click the Users/Groups field, a form appears in the bottom frame. The following list describes the options in the form.

Specifying host names and IP addresses

You can restrict access to your administration server based on which computer the request comes from. You specify this restriction by using wildcard patterns that match the computers' host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matched all hosts from that domain, such as *.netscape.com.

This setting doesn't affect the Host/IP setting for the administration server's superuser. That is, you can set different hostnames and IP addresses that the superuser must use when accessing the administration server.

To specify users from hostnames or IP addresses, follow the general directions for restricting access. When you click the From Host field (the link called anyplace), a form appears in the bottom frame. Check the Only from option and then type either a wildcard pattern or a comma-separated list of hostnames and IP addresses. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. Restricting by IP address, however, is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.

The hostname and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.

For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.
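
The wildcard rules above, written as a validator and matcher; this is an added example, not the server's own code. The function names are hypothetical, patterns need at least two components here, and *.domain is assumed to match any host name ending in that domain.

```python
import ipaddress
import re

LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")

def check_pattern(pattern):
    """Return (kind, labels) for a valid pattern, kind being 'ip' or 'host'."""
    labels = pattern.strip().lower().split(".")
    # Simplification of this example: at least two dot-separated components.
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"{pattern!r}: malformed pattern")
    stars = [i for i, l in enumerate(labels) if "*" in l]
    numeric = (all(l.isdigit() or "*" in l for l in labels)
               and any(l.isdigit() for l in labels))
    if numeric:
        # IP rule: '*' replaces a whole byte and is the right-most character.
        if stars and (stars != [len(labels) - 1] or labels[-1] != "*"):
            raise ValueError(f"{pattern!r}: '*' must be the whole right-most byte")
        if len(labels) > 4 or (not stars and len(labels) != 4):
            raise ValueError(f"{pattern!r}: wrong number of bytes")
        if any(int(l) > 255 for l in labels if l != "*"):
            raise ValueError(f"{pattern!r}: byte out of range")
        return "ip", labels
    # Hostname rule: '*' replaces a whole component and is the left-most character.
    if stars and (stars != [0] or labels[0] != "*"):
        raise ValueError(f"{pattern!r}: '*' must be the whole left-most component")
    if not all(LABEL.fullmatch(l) for l in labels if l != "*"):
        raise ValueError(f"{pattern!r}: invalid hostname component")
    return "host", labels

def is_valid(pattern):
    try:
        check_pattern(pattern)
    except ValueError:
        return False
    return True

def client_matches(pattern, client_ip, client_host=None):
    """True if the connecting client falls under one pattern."""
    kind, labels = check_pattern(pattern)
    if kind == "ip":
        octets = str(ipaddress.IPv4Address(client_ip)).split(".")
        fixed = labels[:-1] if labels[-1] == "*" else labels
        return [int(l) for l in fixed] == [int(o) for o in octets[:len(fixed)]]
    if client_host is None:
        # The DNS lookup for the client failed: a hostname pattern cannot apply.
        return False
    host = client_host.lower().rstrip(".")
    if labels[0] == "*":
        # Assumption: '*.domain' matches every host name ending in '.domain'.
        return host.endswith("." + ".".join(labels[1:]))
    return host == ".".join(labels)

def allowed_from(only_from, client_ip, client_host=None):
    """Apply a comma-separated 'Only from' list of patterns to one client."""
    return any(client_matches(p, client_ip, client_host) for p in only_from.split(","))
```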

Access to programs

You can select areas of the administration server that administrators can access. You can choose groups of forms that appear in the top frame of the Server Manager (such as Cluster Management), or you can choose specific forms that appear as links in the left frame of the Server Manager (such as "New User" under User & Groups).

Access to programs affects the server you choose when restricting access. For example, if your administration server contains a Netscape Enterprise Server and a Netscape Collabra Server, you choose the server you want to restrict, and then you set up the access control rules for that server. In this case, you could allow some administrators to configure agents in the Netscape Enterprise Server, and then you could allow a different set of administrators to configure newsgroups in the Netscape Collabra Server.

To control access to a program in a server:

  1. Go to the Server Manager forms for the administration server. Choose Global Settings|Restrict Access.
  2. Use the drop-down list to choose the server whose administration access you want to restrict. The administration server is labeled "admin-serv." Other servers are labeled with their type and their server id (for example, https-mozilla).
    When you select a server to restrict, you are restricting who can view the Server Manager forms and which forms they can use to configure that server. For example, you might allow some administrators to configure the Users & Groups section of the administration server and not allow them access to the Global Settings. After you choose a server, click Edit ACL. The two-frame access-control forms appear.

  3. Each ACL begins with two deny lines (the default setting), one that restricts access to only those users in the "administrators" group set for distributed administration, and another that restricts access to all users. If you want to change either of these lines, you need to manually edit the ACL file. Click the New Line button to add a rule to the ACL. Each rule you create allows access to the server. By specifically allowing access for users, you reduce the risk that you'll allow access to users you don't want.
  4. Choose the users, groups, hosts, and IP addresses you want to apply to this access control rule.
  5. By default, administrators have access to all programs for a server. Click the All link under Programs in the top frame. The bottom frame displays a form that lists the programs for the server type you selected.
  6. Check the radio button labeled "Only the following," and then select the Program Groups you want to apply to the rule. You can choose multiple groups by pressing the Control key and then clicking the groups you want.

    The Program Groups listed use the same name as the buttons in the top frame of the Server Manager for the server type you selected. For example, in the administration server, there are buttons labeled Admin Preferences, Global Settings, and so on. When an administrator accesses the administration server, the server uses their username, host, and IP to determine what forms they'll see. If they have access to only one or two forms, they will only see those forms.

  7. You can control access to a specific form within a group. Type the name of the form program in the Program Items field.

    To determine the name of a form, place your pointer over the link in the left frame of the Server Manager and then view the text in the status bar of your browser. The last word after the + is the name for that form.

    For example, suppose you have one person who administers a Netscape Directory Server and you want that person to have access only to the "Configure Directory Service" form. In this case, you would set up a rule that applies to them (host, IP, and so on), and then you would enter dsconfig in the Program Items name.

  8. Click Update and then Submit to save the access control rule.

Writing customized expressions

You can enter custom expressions for an ACL. You can use this feature if you are familiar with the syntax and structure of ACL files. There are a few features available only by editing the ACL file or creating custom expressions. For example, you can restrict access to your server depending on the time of day, day of the week, or both.

The following customized expression shows how you could restrict access by time of day and day of the week. This example assumes you have two groups in your LDAP directory: the "regular" group gets access Monday through Friday, 8:00am to 5:00pm. The "critical" group gets access all the time.

allow (read)
{
(group=regular and dayofweek="mon,tue,wed,thu,fri");
(group=regular and (timeofday>=0800 and timeofday<=1700));
(group=critical)
}

For more information on valid syntax and ACL files, see the online help.

Turning access control on and off

You can turn on access control depending on the server an administrator accesses. You could create and turn on access-control for a specific server on your computer and leave it off (default) for any other servers. For example, you could deny all access to the administration server's Server Manager forms only. With distributed administration on and access control off by default for any other servers, administrators could still access and configure the other servers, but they couldn't configure the administration server itself.

This access control is in addition to the user being in the administrators group set for distributed administration. The administration server first checks that a user (other than superuser) is in the administrators group, and then it evaluates the access-control rules.

Responding when access is denied

You can choose the response a user sees when they are denied access. You can vary the message for each access-control object. By default, the user is sent a message that says the file wasn't found (the HTTP error code 404 Not Found is also sent).

To change what message is sent for a particular ACL:

  1. In the ACL form, click the link called "Response when denied."
  2. In the lower frame, check the radio button called Respond with the following file.
  3. In the text field, type an absolute path to a text or HTML file you want to send to the user when they are denied access. Be sure the server has read access to this file on your system--it's a good idea to have the file in a directory under the server root. Make sure the file doesn't contain references to other files (such as style sheets) or images because they won't be sent. Click Update.
  4. Make sure you submit the access control rule by clicking the Submit button in the top frame.


Copyright 1997 Netscape Communications Corporation. All rights reserved.