Controlling access to your server
You can restrict access to your entire server or any part of it. You can specify that only certain people can see certain files, or that everyone except those people can see certain files. Note that this access restriction applies only to files and directories that your server can send to a client. It does not have anything to do with allowing people to administer your server.
For example, suppose you keep confidential employee records on your server, and you want to allow only the Personnel department to see them. You could keep all these records in a directory called records and specify that only a group of people you call Personnel can see the files in that directory. When someone tries to access a restricted document, they are prompted for a name and password. If they enter a name and password that correspond to a name-password pair in your private list of people in Personnel, they are allowed to see the requested document. Otherwise, they are told they didn't enter a valid name and/or password.
If your server has SSL enabled, the user's name and password are sent encrypted. Otherwise, names and passwords are sent openly, and can be intercepted. Another benefit to using SSL is that your server can use client certificates in its access control.
When changing access control on files or directories on your server, you usually follow this process:
- Create a user database if needed.
- Enter one or more users into the appropriate user database (discussed on page 86).
- Choose the files and/or directories whose accessibility you want to change (discussed on page 95).
- Specify the default access (everyone allowed or everyone denied) for that resource (discussed on page 96).
- Specify which users are exceptions to the default access (discussed on page 96).
Creating, removing, and editing databases
The users and groups that you specify when setting access control are all stored in one or more databases. A database is a list of users and groups.
Netscape servers use a high-speed database format called DBM. This format can search a large database with one file system read (normal files search the database linearly).
Important
Although Netscape servers support multiple databases, you might need only one database for all your users. The main reason for maintaining multiple databases is if you have different servers installed on the same computer. A mail server might have a completely different database than a news server or a web server.
If you're only maintaining one server on your computer, however, you'll find it's easier to keep track of your users if they're all in the same database. If you need to separate your users, use the grouping features described on page 89. (Netscape servers support multiple databases because older server programs did not have grouping capabilities.)
The server stores its databases in the directory authdb, off of the root server directory. When specifying a database, use only its name, not its directory path.
Using the Manage User Databases form, you can perform three tasks with databases:
Creating a database
To create a user database for your server,
- In the Server Manager choose Access Control|Manage User Databases. The Manage User Databases form appears.
- Click the New Database radio button.
- In the New Database field, type a name for the database. Don't type a path because all databases are stored in /authdb. The database name can be up to 256 characters.
- If you don't want to protect this database with a password, click the No Password radio button. If you do want to require that a password be used when editing this database, click the Password button, and type a password in the field. To ensure accuracy, repeat the password in the field below. The password can be up to 8 characters.
- Click the Create New Database button, and confirm your changes.
Removing a database
To remove a user database,
- In the Server Manager choose Access Control|Manage User Databases. The Manage User Databases form appears.
- Click the This Database radio button.
- Choose the database from the drop-down list to the right.
- Type the database's password in the Existing Database Password field.
- Click the Remove Database button, and confirm your changes.
Changing a database's password
- In the Server Manager choose Access Control|Manage User Databases. The Manage User Databases form appears.
- Click the This Database radio button.
- Choose the database from the drop-down list to the right.
- Type the database's current password in the Existing Database Password field.
- If you don't want to protect this database with a password, click the No Password radio button. If you do want to require that a password be used when editing this database, click the Password button, and type a password in the field. To ensure accuracy, repeat the password in the field below. The password can be up to 8 characters.
- Click the Change Database Password button, and confirm your changes.
Creating, removing, and editing users
There are two types of users that you deal with in access control: users specifically entered into a database you maintain, and users from specified domains or IP addresses. This section deals with the first kind--users in a database you maintain. For more information on controlling access based on domain or IP address, see "Denying access to a resource" on page 96, and "Allowing access to a resource" on page 97.
You can have any number of users in your database, and you can put them into as many groups as you like. For example, you might want to separate your users into a Personnel group and a Sales group. You can put a user into more than one group.
You can also maintain multiple databases, but it's much easier to keep track of your users if they're in one database. (Multiple databases are remnants of older server programs that did not have grouping capabilities.)
You can create users, remove them, or change their passwords. You can also list all the users in your database.
Creating a user
To import users from an existing database, see "Importing users" on page 92. To add a user manually,
- In the Server Manager, choose Access Control|Create User. The Create User form appears.
- If needed, choose the database you want to add the user to, and type the password for the database. (Usually, you will add users to your default database, and not need to change this setting, so these fields are at the bottom of the form.)
- In the Login Name field, type the login name the user will use. This is the name the user will type when prompted for a name by the server. It can be up to 254 characters.
- In the Full Name field, type the user's full name. The user never sees this. It is to help you keep track of your users.
- In the Password field, type a password for the user. It can be up to 8 characters. Type it again in the next text field to ensure accuracy. The user will type this password when prompted by the server.
- Choose which group to place the user into. If you don't want the user in a group, choose None. When you create a user, you can only place them in one group. To add the user to another group, see "Editing a group" on page 91.
- Click the OK button. Confirm your changes, and the information is added to the selected database.
Removing a user
To remove users from a database,
- In the Server Manager, choose Access Control|Remove User. The Remove User form appears. Or choose List Users, and choose the Remove User link for the user you want to remove. (For more detailed information about the List Users form, see page 89.)
- In the Login Name field, type the login name of the user you want to delete.
- Choose the database that contains the user that you want to remove.
- Type the password for that database file.
- Click the OK button. Confirm your changes.
Editing a user
To change any of a user's information,
- In the Server Manager, choose Access Control|Edit User. The Edit User form appears. Or choose List Users, and choose the Edit User link for the user you want to edit. (For more detailed information about the List Users form, see page 89.)
- Choose the database containing the user you want to edit, and type the password for the database. (Usually, you will keep all your users in your default database, and not need to change this setting, so these fields are at the bottom of the form.)
- In the Edit User field, type the login name of the user you want to edit.
- Click the Get User Data button. The information about that user appears in the appropriate fields of the form.
- Change any of the information in the fields. If you want to change the password, make sure to type the new one in twice.
- Click the OK button. Confirm your changes.
Listing users
When you want to remove or edit a user, it's often easier to select that user from a list than to type in their exact login name. To see a list of users in a database,
- In the Server Manager, choose Access Control|List Users. The List Users form appears.
- Choose the database you want to list the users of. Type that database's password.
- In the Filter field, type any wildcard pattern you want to use as a filter for user names in the database. For example, if you only want to list users whose login names begin with D, type d* into the Filter field. For more information on wildcard patterns, refer to "Understanding wildcard patterns" on page 41.
- Click the Show Users button. The user list appears in the form. To the right of each login name are two links: Edit User, and Remove User.
- To edit a user, click the Edit User link beside its login name. The Edit User form appears.
- To remove a user, click the Remove User link beside its login name. The Remove User form appears.
Creating, removing, and editing groups
A group is a collection of users. Using groups saves time when you set access control for parts of your server. Since you can specify that a named group is allowed or denied access, you don't have to go through the tedious process of adding each individual user to an access control list (see page 97). For example, say you have several directories on your server that you want the Sales department to see, but not the Marketing department. You create a group for each department, and specify that only the group Sales has access to the directories. Now, if someone moves from Marketing to Sales, you only have to take them out of one group and put them into the other. You don't have to change any of the access control specifications.
To save even more time, you can also put other groups into a group. For example, your Sales and Marketing groups could both be part of the group Business. A group may belong to multiple other groups.
The members of a group must all be within the same database. It's recommended that you use only one database for all your users, since your users are easier to keep track of that way, and you can more fully exploit the power of grouping. Also, user databases are shared across all servers that are installed (web servers, mail servers, news servers, and so on), so you may want to have a different database for each server to avoid confusion.
If you need to separate your users, use the grouping features. (Netscape servers support multiple databases because older server programs did not have grouping capabilities.)
You can create or remove groups, or edit their contents. You can also list the contents of groups.
Creating a group
To create a group,
- In the Server Manager, choose Access Control|Create Group. The Create Group form appears.
- Choose the database that you want the group to be a part of, and type the password for the database. (Usually, you will keep all your users and groups in your default database, and not need to change this setting, so these fields are at the bottom of the form.)
- In the New Group field, type the name of the new group.
- If you want this new group to be a part of another group, choose that other group from the list of groups. Otherwise, choose None.
- Click OK. Confirm your changes.
Once you have created a group, you can add a user to it by editing that user. (See page 88.)
Removing a group
Removing a group does not remove the individual users in the group from the database. To remove a group from a database,
- In the Server Manager, choose Access Control|Remove Group. The Remove Group form appears. Or choose List Groups, and choose the Remove Group link for the group you want to remove. (For more detailed information about the List Groups form, see page 92.)
- In the Group field, type the name of the group you want to remove.
- Choose the database that contains the group you want to remove.
- Type the password for that database file.
- Click the OK button. Confirm your changes.
Editing a group
To change a group's members,
- In the Server Manager, choose Access Control|Edit Group. The Edit Group form appears. Or choose List Groups, and choose the Edit Group link for the group you want to edit. (For more detailed information about the List Groups form, see page 92.)
- Choose the database containing the group you want to edit, and type the password for the database.
- From the Group drop-down list, choose the group you want to edit.
- Click the Get Group Data button. The information about that group appears in the appropriate fields of the form.
- You can change what other groups are part of this group, and what users are part of this group. To change any of the information in the lists, reselect different names.
Note
The groups and users are not selected unless they are highlighted.
- Click the OK button. Save and apply your changes.
Listing groups
When you want to remove or edit a group, it's often easier to select that group from a list than to type in its exact name. To see a list of groups in a database,
- In the Server Manager, choose Access Control|List Group. The List Groups form appears.
- Choose the database you want to list the groups of. Type that database's password.
- In the Filter field, type any wildcard pattern you want to use as a filter for group names in the database. For example, if you only want to list groups whose names begin with S, type s* into the Filter field. For more information on wildcard patterns, see "Understanding wildcard patterns" on page 41.
- Click the List Groups button. The group list appears in the form. To the right of each group name are two links: Edit Group, and Remove Group.
- To edit a group, click the Edit Group link beside its name. The Edit Group form appears.
- To remove a group, click the Remove Group link beside its name. The Remove Group form appears.
Importing users
Instead of entering users manually one at a time, you can import users from an existing database into your server's user database. Your existing database must be in one of two formats: text, or NCSA-style. The difference between the two styles is that the passwords in the NCSA-style database are encrypted. No matter which file type, the format of the file should be something like this:
user1:password1
user2:password2
user3:password3
To import users from an existing file,
- From the Import Into Database drop-down list, choose the database you want to import the new users into.
- Type that database's password in the Database Password field.
- In the Import From Text File field, type the path and name of the file you're importing from. This file can reside locally, or on any network drive your computer can access.
- Your server automatically stores users' passwords in encrypted form. If you are importing from a database whose users' passwords are already encrypted, you don't need your server to do this for you, and you should click the No button under the Encrypt the Passwords heading. If the users' passwords aren't already encrypted, click Yes to encrypt them during the transfer.
- If the database you're importing from includes users' full names, you can have this information imported as well by clicking the Yes button under the Extract Full User Names heading.
- Sometimes a user in the destination database has the same login name as a user in the file you're importing from. If you want to replace such users in the destination database, click the Yes button under the Overwrite Existing Users heading. If you don't want to import users with duplicate names, click No.
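A pre-import check for the user:password file described above, as an added example that is not part of the original manual or the server. It assumes "encrypted" NCSA-style entries are 13-character crypt(3) strings; `lint_import` and `encrypt_setting` are hypothetical names, and the sample file is constructed.

```python
import re

MAX_LOGIN, MAX_PASSWORD = 254, 8      # limits stated on this page
# Assumption: NCSA-style "encrypted" passwords are 13-character crypt(3) strings
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def lint_import(text, existing_logins=()):
    """Check user:password lines before an import and return a report dict."""
    report = {"plaintext": [], "encrypted": [], "duplicates": [],
              "collisions": [], "errors": []}
    seen, existing = set(), set(existing_logins)
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        login, sep, password = line.strip().partition(":")
        if not sep or not login or not password:
            report["errors"].append((n, "not in user:password form"))
            continue
        if len(login) > MAX_LOGIN:
            report["errors"].append((n, "login name longer than 254 characters"))
            continue
        if login in seen:                 # same login twice in the file
            report["duplicates"].append(login)
            continue
        seen.add(login)
        if login in existing:             # decides the Overwrite Existing Users choice
            report["collisions"].append(login)
        if CRYPT_RE.fullmatch(password):
            report["encrypted"].append(login)
        elif len(password) > MAX_PASSWORD:
            report["errors"].append((n, "plaintext password longer than 8 characters"))
        else:
            report["plaintext"].append(login)
    return report


def encrypt_setting(report):
    """Return the 'Encrypt the Passwords' choice that fits the file, or None if mixed."""
    if report["plaintext"] and report["encrypted"]:
        return None                       # no single setting is right for every line
    return "Yes" if report["plaintext"] else "No"


# Constructed sample file: one plaintext entry, one crypt-style entry, three problems
SAMPLE = """\
bob:s3cret
mary:ab1Xq9.Zt/0Lm
fred
bob:other
joe:waytoolongpassword
"""

if __name__ == "__main__":
    result = lint_import(SAMPLE, existing_logins={"mary"})
    for key, value in result.items():
        print(key, value)
    print("Encrypt the Passwords:", encrypt_setting(result))
```

A result of None from `encrypt_setting` means the file mixes plaintext and already-encrypted passwords and should be split before importing.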
Controlling access with client certificates
If you have enabled SSL on your server (as described in Chapter 7, "Encryption and SSL"), you can use client certificates in conjunction with access control. To do this, you must specify that a resource requires a client certificate to access it.
When this feature is enabled on your server, a user with a certificate types their login name and password only the first time they attempt to access a restricted resource. Once their identity is established, the server maps their login name and password to that specific certificate. From then on, that user no longer needs to type their login name or password when accessing resources where client authentication is required. When that user attempts to access a restricted resource, their client sends the server the client certificate, which the server checks against its list of mappings. If the certificate belongs to a user to whom you've granted access to the resource, the resource is served.
Note
Requiring client authentication for controlling access to specific resources is different than requiring client authentication for all connections to the server, as described in "Setting security preferences" on page 125. Also be aware that requiring client certificates for all SSL connections does not automatically map the certificates to users in your databases. To do this, you must specify that a client certificate is required in order to access a specified resource, as described in "Allowing access to a resource" on page 97.
You can examine the certificates mapped to the users in your databases, and delete any mapping from a user. To list your certificate mappings,
- In the server manager, choose Access Control|List Certificate Mappings. The Certificate Mappings form appears.
- Choose the database containing the users you want to list or edit.
- Type the password for that database.
- In the Filters section, specify any conditions you want to constrain the listing by. For example, if you only want to see users whose login names begin with B, type B* in the login name field. You can use shell expressions in the Filters section. The Login Name field is for the login names in your database. The Subject Name field is for the Subject of the certificate. The Issuer Name field is for the Certification Authority who issued the client certificates.
- To reverse the filters you specify in this section, click Select entries which do not match all filter criteria. For example, if you type B* in the Login Name field, and then clicked this button, you would get a list of all users whose login names do not begin with B.
- To list all the mappings that match the specified criteria, click the List Certificates button. At the bottom of the form, a list of mappings appears. To edit this list, see the procedures following these steps.
- To list login names (that match your Login Name filter) that do not have certificate mappings, click the List Users button. At the bottom of the form, a list of users appears. This list is purely informational. It contains no mappings for you to edit.
To examine a certificate, or delete its mapping,
- In the list that appears when you click List Certificates, click the login name associated with the mapping that you want to examine or delete. A dialog box containing information about that certificate appears.
- To delete that mapping, click the Delete button.
- To view the previous or next mapping, click the < or > buttons respectively.
- Click Quit when you are done.
Restricting access
After you have created the users you want to use in access control (see "Creating, removing, and editing users" on page 86), you use the Restrict Access form to restrict users' access to specified files. For example, say you have created two groups: Sales and Marketing. You want the Sales group to be able to see and change all the files in a directory called contacts. You don't want Marketing (or anyone else) to see the files. Using your server's access control, you specify that by default, the contacts directory is not available for any kind of access to anyone. Then you specify that the Sales group is an exception to the default access. You further specify that not only can they read the files in that directory, but they can also change them.
To change the access control for part of your server,
- Choose Access Control|Restrict Access. The Restrict Access form appears.
- Using the Resource Picker, specify the part of the server to change access control for.
- Turn access control on or off for the specified files by clicking the button named either Turn off access control or Turn on access control.
- For each type of access--read and write, set the default accessibility--Allow or Deny.
Read access allows a user only to view the file. Write access allows the user to change or delete the file, assuming they also have access to the file through your server computer's operating system. (Technically, Read includes these HTTP methods: GET, HEAD, POST, INDEX. Write includes these: PUT, DELETE, MKDIR, RMDIR, MOVE.)
When you set these access defaults, they will apply to everyone attempting to read or write to the files or directories you specified earlier.
- Specify which users are the exceptions to the default accessibility for each access type by clicking the appropriate Permissions button. If the default access is Allow, the Deny Access to a Resource form appears (see page 96). If the default access is Deny, the Allow Access to a Resource form appears (see page 97). After using those forms, the server manager returns you to this form in the state you left it.
- Choose the response a client will see when access is denied. Under the Access Denied Response heading, click the Respond "Not Found" button to send a message to the client saying the requested file was not found. Alternatively, you can click the Respond with this text file button, and specify the absolute path and filename of a text or HTML file to send instead. Whether you specify a file or not, the server also sends the HTTP error code 404 Not Found.
- Click the OK button and confirm your changes.
Denying access to a resource
In the Restrict Access form described on page 95, you set the default read and write access of a resource (a directory or group of files). If you set read or write access to allow all access by default, you can specify exceptions by clicking the Permissions button. The Deny Access to a Resource form appears.
When determining the exceptions who are denied access, you can specify users from specified hostnames or IP addresses.
First you must specify how hostnames are processed. If you want to deny users from only the exact hostnames you'll specify below, click Include specified names only. However, if you also want to deny users from alias domains of your specified hostnames, click Include aliases of specified names.
To deny users from specific hostnames or IP addresses, type a comma-separated list of hostnames or IP addresses in the text fields. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. But on the other hand, restricting by IP address is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.
The hostname and IP addresses should be specified with a wildcard pattern, and/or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.
For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.
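The wildcard rules above as a validator and matcher, added here as an example (not code from the server or the manual). The function names are hypothetical, and two points the page leaves open are assumptions: a bare * is rejected, and a leading *. stands for one or more leading hostname components.

```python
import re

_OCTET = re.compile(r"[0-9]{1,3}")
_LABEL = re.compile(r"[A-Za-z0-9-]+")


def ip_pattern_ok(pattern):
    """'*' may only replace whole trailing bytes: 198.95.251.* or 198.*"""
    parts = pattern.split(".")
    if parts[-1] == "*":
        parts = parts[:-1]
        if not 1 <= len(parts) <= 3:      # assumption: a bare "*" is rejected
            return False
    elif len(parts) != 4:
        return False
    return all(_OCTET.fullmatch(p) and int(p) <= 255 for p in parts)


def host_pattern_ok(pattern):
    """'*' may only replace the whole left-most component: *.netscape.com"""
    labels = pattern.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.fullmatch(label) for label in labels)


def ip_matches(pattern, ip):
    if pattern.endswith(".*"):
        # Keep the dot in the prefix: "19.*" must not match 198.95.251.30
        return ip.startswith(pattern[:-1])
    return ip == pattern


def host_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # Keep the dot in the suffix: "*.netscape.com" must not match
        # notnetscape.com, and does not match netscape.com itself
        return hostname.endswith(pattern[1:])
    return hostname == pattern


def check_list(field, kind):
    """Split a comma-separated form field; return (accepted, rejected) patterns."""
    ok = ip_pattern_ok if kind == "ip" else host_pattern_ok
    items = [s.strip() for s in field.split(",") if s.strip()]
    return [i for i in items if ok(i)], [i for i in items if not ok(i)]


if __name__ == "__main__":
    # Constructed field contents built from the page's own examples
    print(check_list("198.95.251.*, 198.95.251.3*, 198.*, 198.*.251.30", "ip"))
    print(check_list("*.netscape.com, *sers.netscape.com, users.*.com", "host"))
    print(ip_matches("198.*", "198.95.251.30"), ip_matches("19.*", "198.95.251.30"))
```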
Allowing access to a resource
In the Restrict Access form described on page 95, you set the default read and write access of a resource (a directory or group of files). If you set read or write access to deny all access by default, you can specify exceptions by clicking the Permissions button. The Allow Access to a Resource form appears.
When determining the exceptions who are allowed access, you can specify two types of users:
You specify both types of users in this form.
If all types of user authentication are used, the server checks the user's information in the following order (if the criteria in step 1 or 2 are met, the client skips the other steps, and is allowed access).
- Is the client's IP address automatically allowed?
- Is the client's hostname automatically allowed?
- Is the client identified (through password or valid certificate) as one of the allowed users from your database?
- Is the client's IP address allowed if the user is one of the allowed users from your database?
- Is the client's hostname allowed if the user is one of the allowed users from your database?
When a request comes in for a document, the server knows the IP address that the request is coming from. Once it has this address, it uses DNS to look up the hostname that corresponds to that IP address.
After this step, the server tries to match the incoming host name with any hostnames specified in this form. If the client passes, the document is served. If the client fails the test, the server then checks its IP address against the restriction IP addresses. If it passes, the document is served. If it fails, then the server sends the message specified in the Restrict Access form (see page 95).
If you will be specifying hostnames to allow users from, decide how you want the hostnames processed. If you want to allow only users from the exact hostnames you'll specify below, click Include specified names only. However, if you also want to accept users from alias domains of your specified hostnames, click Include aliases of specified names.
To allow users from specific hostnames or IP addresses, enter a wildcard pattern of hostnames or IP addresses in text fields. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. But on the other hand, restricting by IP address is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.
If someone is allowed access by virtue of their hostname or IP address (as in steps 1 and 2 on page 98), they are not prompted for a login name or password (or their certificate). All other users are asked for that information. To allow access to the users listed in your database, follow these steps.
- Choose the user database containing the users you want.
- Choose whether to allow everyone from that database, or only certain groups and users.
- Using a comma-separated list, specify the groups in the Groups field, and/or the users in the Users field. For example, if your database contained Bob, Fred, Mary, and Joe but you only wanted Bob and Mary to have access to this section, you would enter Bob,Mary. If you leave this entry blank, all users from the database are allowed access.
- To further restrict access, specify any additional hostnames or IP addresses the users in the database must connect from. These Hostnames and IP Addresses fields can be left blank if your database users can be from any hostnames or IP addresses.
- Specify the message that a user sees when asked for a login name and password by typing it in the Login Prompt field.
- Choose the authentication method. If you want the user to always prove their identity by typing their username and password, click Basic username and password. If you want to automatically use your clients' certificates as the basis of authentication, click Client certificate (SSL). (This automatically maps a certificate to user's name and password as described in "Controlling access with client certificates" on page 93.)
- Click Done.
- Be sure to click Done in the Restrict Access form when you have finished modifying access control for part of your server.
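The five-question check order listed earlier in this section, modeled as an added example (not the server's code). `AllowRule` and `decide` are hypothetical names; the model assumes groups are already expanded to login names, that `authenticated` stands for a successful password or certificate check, and that when address limits are set for database users a match on either the IP address or the hostname is enough.

```python
from dataclasses import dataclass, field


def _match(pattern, value):
    """Page's wildcard rule: trailing .* for IP addresses, leading *. for hostnames."""
    if pattern.endswith(".*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return value.lower().endswith(pattern[1:].lower())
    return value.lower() == pattern.lower()


def _any(patterns, value):
    # value is None when the DNS lookup failed, so no hostname pattern can match
    return value is not None and any(_match(p, value) for p in patterns)


@dataclass
class AllowRule:                                   # hypothetical model of the form
    auto_ips: list = field(default_factory=list)   # allowed without a login prompt
    auto_hosts: list = field(default_factory=list)
    users: set = field(default_factory=set)        # empty = everyone in the database
    user_ips: list = field(default_factory=list)   # extra limits for database users
    user_hosts: list = field(default_factory=list)


def decide(rule, ip, hostname, login=None, authenticated=False, database=()):
    """Return (allowed, reason), asking the five questions in order."""
    if _any(rule.auto_ips, ip):
        return True, "step 1: IP address allowed, no login prompt"
    if _any(rule.auto_hosts, hostname):
        return True, "step 2: hostname allowed, no login prompt"
    allowed_users = rule.users or set(database)
    if not (authenticated and login in allowed_users):
        return False, "step 3: not identified as an allowed user"
    if not rule.user_ips and not rule.user_hosts:
        return True, "step 3: allowed user, no address limits set"
    if _any(rule.user_ips, ip):
        return True, "step 4: allowed user from an allowed IP address"
    if _any(rule.user_hosts, hostname):
        return True, "step 5: allowed user from an allowed hostname"
    return False, "steps 4-5: allowed user, but address not permitted"


# Constructed configuration reusing the names and patterns from this page
DB = {"Bob", "Fred", "Mary", "Joe"}
RULE = AllowRule(auto_ips=["198.95.251.*"], users={"Bob", "Mary"},
                 user_hosts=["*.netscape.com"])


def demo():
    return [
        decide(RULE, "198.95.251.30", None, database=DB),
        decide(RULE, "203.0.113.9", "pc1.netscape.com", "Bob", True, DB),
        decide(RULE, "203.0.113.9", "pc1.netscape.com", "Fred", True, DB),
        decide(RULE, "203.0.113.9", None, "Mary", True, DB),  # DNS lookup failed
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last case shows the reliability point made above: with only a hostname limit set, an allowed user is refused when the DNS lookup for their address fails.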