Controlling access to your server
You can restrict access to your entire proxy server or to any URLs the proxy can serve. You can specify that only certain people access specific URLs, or that everyone except those people can see the files. This access restriction applies only to URLs that your proxy server can send to a client. It does not have anything to do with allowing people to administer or configure your server.
For example, you might allow all clients to access URLs for the HTTP protocol but then allow only restricted access to FTP and Gopher. You could also restrict URLs based on host or domain names, such as if you have a proxy serving many internal web servers but you want only specific people to access a confidential research project stored on one of the web servers.
If your server has SSL enabled, the user's name and password are sent encrypted. Otherwise, names and passwords are sent openly, and can be intercepted.
When changing access control to your server, you usually follow this process:
- Create one or more user databases.
- Enter one or more users into the appropriate user database (discussed on page 116).
- Create a resource by choosing the URLs you want to restrict (discussed on page 123).
- Specify the default access (everyone allowed or everyone denied) for that resource (discussed on page 124).
- Specify which users are exceptions to the default access (discussed on page 124).
Creating, removing, and editing databases
The users and groups that you specify when setting access control are all stored in one or more databases. A database is a list of users and groups.
Netscape servers use a high-speed database format called DBM. This format can search a large database with one file system read (normal files search the database linearly).
Note
Although Netscape servers support multiple databases, you might need only one database for all your users. The main reason for maintaining multiple databases is if you have different servers installed on the same computer. A proxy server might have a completely different database than a web server or a mail server.
If you're only maintaining one server on your computer, however, you'll find it's easier to keep track of your users if they're all in the same database. If you need to separate your users, use the grouping features described on page 119. (Netscape servers support multiple databases because older server programs did not have grouping capabilities.)
The server stores its databases in the directory authdb/, off of the server root directory. When specifying a database, use only its name, not its directory path.
Using the Manage User Databases form, you can perform three tasks with databases:
Creating a database
To create a user database for your server,
- In the Server Manager choose Access Control|Manage User Databases. The Manage User Databases form appears.
- Click the New Database radio button.
- In the New Database field, type a name for the database. Don't type a path because all databases are stored in the authdb directory. The database name can be up to 256 characters.
- If you don't want to protect this database with a password, click the No Password radio button. If you do want to require that a password be used when editing this database, click the Password button and type a password in the field. To ensure accuracy, type the password again in the second field. The password can be up to 8 characters.
- Click the Create New Database button and confirm your changes.
Removing a database
To remove a user database,
- In the Server Manager choose Access Control|Manage User Databases. The Manage User Databases form appears.
- Check This Database.
- Choose the database from the drop-down list to the right.
- Type the database's password in the Existing Database Password field.
- Click the Remove Database button and confirm your changes.
Changing a database password
- In the Server Manager choose Access Control|Manage User Databases. The Manage User Databases form appears.
- Check This Database.
- Choose the database from the drop-down list.
- Type the database's current password in the Existing Database Password field.
- If you don't want to protect this database with a password, click the No Password radio button. If you do want to require that a password be used when editing this database, click the Password button and type a password in the field. To ensure accuracy, repeat the password in the field below. The password can be up to 8 characters.
- Click the Change Database Password button and confirm your changes.
Creating, removing, and editing users
There are two types of users that you deal with in access control: users specifically entered into a database you maintain, and users from specified domains or IP addresses. This section deals with the first kind--users in a database you maintain. For more information on controlling access based on domain or IP address, see "Denying access to a resource" on page 125, and "Allowing access to a resource" on page 126.
You can have any number of users in your database, and you can put them into as many groups as you like. For example, you might want to separate your users into a Personnel group and a Sales group. You can put a user into more than one group.
You can also maintain multiple databases, but it's much easier to keep track of your users if they're in one database. (Multiple databases are remnants of older server programs that did not have grouping capabilities.)
You can create users, remove them, or change their passwords. You can also list all the users in your database.
Creating a user
To import users from an existing database, see "Importing users" on page 122. To add a user to a database,
- In the Server Manager, choose Access Control|Create User. The Create User form appears.
- If needed, choose the database you want to add the user to and type the password for the database. (Usually, you will add users to your default database and not need to change this setting, so these fields are at the bottom of the form.)
- In the Login Name field, type the login name the user will use. This is the name the user will type when prompted for a name by the server. It can be up to 254 characters.
- In the Full Name field, type the user's full name. The user never sees this name, but you can use it to keep track of your users.
- In the Password field, type a password for the user. It can be up to 8 characters. Type it again in the next text field to ensure accuracy. The user will type this password when prompted by the server.
- Choose which group to place the user into. If you don't want the user in a group, choose None. When you create a user, you can only place them in one group. To add the user to another group, see "Editing a group" on page 121.
- Click the OK button. Confirm your changes, and the information is added to the selected database.
Removing a user
To remove users from a database,
- In the Server Manager, choose Access Control|Remove User. The Remove User form appears. Or choose List Users, and choose the Remove User link for the user you want to remove. (For more detailed information about the List Users form, see page 119.)
- In the Login Name field, type the login name of the user you want to delete.
- Choose the database that contains the user that you want to remove.
- Type the password for that database file.
- Click the OK button. Confirm your changes.
Editing a user
To change any of a user's information,
- In the Server Manager, choose Access Control|Edit User. The Edit User form appears. Or choose List Users, and choose the Edit User link for the user you want to edit. (For more detailed information about the List Users form, see page 119.)
- Choose the database containing the user you want to edit, and type the password for the database. (Usually, you will keep all your users in your default database, and not need to change this setting, so these fields are at the bottom of the form.)
- In the Edit User field, type the login name of the user you want to edit.
- Click the Get User Data button. The information about that user appears in the appropriate fields of the form.
- Change any of the information in the fields. If you want to change the password, make sure to type the new one in twice.
- Click the OK button. Confirm your changes.
Listing users
When you want to remove or edit a user, it's often easier to select that user from a list than to type in their exact login name. To see a list of users in a database,
- In the Server Manager, choose Access Control|List Users. The List Users form appears.
- Choose the database you want to list the users of. Type that database's password.
- In the Filter field, type any wildcard pattern you want to use as a filter for user names in the database. For example, if you only want to list users whose login names begin with D, type d* into the Filter field. Use shell expressions for the wildcard pattern.
- Click the Show Users button. The user list appears in the form. To the right of each login name are two links: Edit User, and Remove User.
- To edit a user, click the Edit User link beside its login name. The Edit User form appears.
- To remove a user, click the Remove User link beside its login name. The Remove User form appears.
Creating, removing, and editing groups
A group is a collection of users. Using groups saves time when you set access control for parts of your server. Since you can specify that a named group is allowed or denied access, you don't have to go through the tedious process of adding each individual user to an access control list (see page 126). For example, if you have several directories on your server that you want the Sales department to see but not the Marketing department, you create a group for each department, and specify that only the group Sales has access to the directories. If someone moves from Marketing to Sales, you only have to take them out of one group and put them into the other. You don't have to change any of the access control settings.
To save even more time, you can also put other groups into a group. For example, your Sales and Marketing groups could both be part of the group Business. A group can belong to multiple groups.
The members of a group must all be within the same database. It's recommended that you use only one database for all your users, since your users are easier to keep track of that way. Also, user databases are shared across all servers that are installed (web servers, mail servers, proxy servers, and so on), so you might want to have a different database for each server to avoid confusion.
You can create or remove groups, or edit the contents of a group. You can also list the contents of groups.
Creating a group
To create a group,
- In the Server Manager, choose Access Control|Create Group. The Create Group form appears.
- Choose the database that you want the group to be a part of and type the password for the database. (Usually, you will keep all your users and groups in your default database and not need to change this setting, so these fields are at the bottom of the form.)
- In the New Group field, type the name of the new group.
- If you want this new group to be a part of another group, choose the other group from the list of groups. Otherwise, choose None.
- Click OK. Confirm your changes.
Once you have created a group, you can add a user to it by editing that user. (See page 118.)
Removing a group
Removing a group does not remove the individual users in the group from the database. To remove a group from a database,
- In the Server Manager, choose Access Control|Remove Group. The Remove Group form appears. Or choose List Groups, and choose the Remove Group link for the group you want to remove. (For more information about the List Groups form, see page 122.)
- In the Group field, type the name of the group you want to remove.
- Choose the database that contains the group you want to remove.
- Type the password for that database file.
- Click the OK button. Confirm your changes.
Editing a group
To change the users and groups included in a group,
- In the Server Manager, choose Access Control|Edit Group. The Edit Group form appears. Or choose List Groups, and choose the Edit Group link for the group you want to edit. (For more detailed information about the List Groups form, see page 122.)
- Choose the database that has the group you want to edit, and then type the password for the database.
- From the Group drop-down list, choose the group you want to edit.
- Click the Get Group Data button. The information about that group appears in the appropriate fields of the form.
- You can change the users and groups that are part of this group. To change any of the information in the lists, reselect different names. The groups and users are not selected unless they are highlighted.
- Click the OK button. Save and apply your changes.
Listing groups
When you want to remove or edit a group, it's often easier to select that group from a list than to type in its exact name. To see a list of groups in a database,
- In the Server Manager, choose Access Control|List Group. The List Groups form appears.
- Choose the database you want to list the groups of. Type that database's password.
- In the Filter field, type any wildcard pattern you want to use as a filter for user names in the database. For example, if you only want to list groups whose login names begin with S, type s* into the Filter field. Use shell expressions for the wildcard pattern.
- Click the List Groups button. The group list appears in the form. To the right of each login name are two links: Edit Group, and Remove Group.
- To edit a group, click the Edit Group link next to its login name. The Edit Group form appears.
- To remove a group, click the Remove Group link next to its login name. The Remove Group form appears.
Importing users
Instead of entering users manually one at a time, you can import users from an existing database into your server's user database. Your existing database must be in one of two formats: text, or NCSA-style. The difference between the two styles is that the passwords in the NCSA-style database are encrypted. No matter which file type you use, the format of the file should be something like this:
user1:password1
user2:password2
user3:password3
To import users from an existing file,
- From the Import Into Database drop-down list, choose the database you want to import the new users into.
- Type that database's password in the Database Password field.
- In the Import From Text File field, type the path and name of the file you're importing from. This file can reside locally, or on any network drive your computer can access.
- Netscape server user databases store the users' passwords in encrypted form. If the database's user passwords are already encrypted, click the Yes button under the Encrypt the Passwords heading. If the database's user passwords aren't already encrypted, click No.
- If the database you're importing from includes users' full names, you can have this information imported as well by clicking the Yes button under the Extract Full User Names heading.
- Sometimes a user in the destination database has the same login name as a user in the file you're importing from. If you want to replace such users in the destination database, click the Yes button under the Overwrite Existing Users heading. If you don't want to import users with duplicate names, click No.
Controlling access with client certificates
If you have enabled SSL on your server (as described in Chapter 7, "Encryption and SSL"), you can use client certificates in conjunction with access control. To do this, you must specify that a resource requires a client certificate to access it.
When this feature is enabled on your server, a user with a certificate types their login name and password only the first time they attempt to access a restricted resource. Once their identity is established, the server maps their login name and password to that specific certificate. From then on, that user no longer needs to type their login name or password when accessing resources where client authentication is required. When that user attempts to access a restricted resource, their client sends the server the client certificate, which the server checks against its list of mappings. If the certificate belongs to a user to whom you've granted access to the resource, the resource is served.
Note
Requiring client authentication for controlling access to specific resources is different than requiring client authentication for all connections to the server, as described in "Setting security preferences" on page 125. Also be aware that requiring client certificates for all SSL connections does not automatically map the certificates to users in your databases. To do this, you must specify that a client certificate is required in order to access a specified resource, as described in "Allowing access to a resource" on page 97.
You can examine the certificates mapped to the users in your databases, and delete any mapping from a user. To list your certificate mappings,
- In the server manager, choose Access Control|List Certificate Mappings. The Certificate Mappings form appears.
- Choose the database containing the users you want to list or edit.
- Type the password for that database.
- In the Filters section, specify any conditions you want to constrain the listing by. For example, if you only want to see users whose login names begin with B, type B* in the login name field. You can use shell expressions in the Filters section. The Login Name field is for the login names in your database. The Subject Name field is for the Subject of the certificate. The Issuer Name field is for the Certification Authority who issued the client certificates.
- To reverse the filters you specify in this section, click Select entries which do not match all filter criteria. For example, if you type B* in the Login Name field, and then click this button, you get a list of all users whose login names do not begin with B.
- To list all the mappings that match the specified criteria, click the List Certificates button. At the bottom of the form, a list of mappings appears. To edit this list, see the procedures following these steps.
- To list login names (that match your Login Name filter) that do not have certificate mappings, click the List Users button. At the bottom of the form, a list of users appears. This list is purely informational. It contains no mappings for you to edit.
To examine a certificate, or delete its mapping,
- In the list that appears when you click List Certificates, click the login name associated with the mapping that you want to examine or delete. A dialog box containing information about that certificate appears.
- To delete that mapping, click the Delete button.
- To view the previous or next mapping, click the < or > buttons respectively.
- Click Quit when you are done.
Restricting access
After you have created the users you want to use in access control (see "Creating, removing, and editing users" on page 116), you use the Restrict Access form to restrict user access to specified URLs.
To change the access control for part of your server,
- Choose Access Control|Restrict Access. The Restrict Access form appears.
- Use the drop-down list to choose a regular expression that matches the URLs you want to configure. If an expression doesn't exist, click the Regular Expressions button and create an expression. For example, to change access to all URLs in the Netscape domain, type .*://.*.netscape.com/.* in the field.
- Turn access control on or off for the selected URLs by clicking the button named either Turn off access control or Turn on access control.
- For each type of access--read and write--set the default accessibility--Allow or Deny. Read access allows a user only to view the file. Write access allows the user to change or delete the file, assuming they also have access to the file through your server computer's operating system. (Technically, Read includes these HTTP methods: GET, HEAD, POST, INDEX. Write includes these: PUT, DELETE, MKDIR, RMDIR, MOVE.) When you set these access defaults, they will apply to everyone attempting to read or write to files or directories in the URLs you specified. For example, you could allow users Read access to the Netscape domain so they can download software through your proxy server.
- Specify which users are the exceptions to the default accessibility for each access type by clicking the appropriate Permissions button. If the default access is Allow, the Deny Access to a Resource form appears (see page 125). If the default access is Deny, the Allow Access to a Resource form appears (see page 126). After using those forms, the Server Manager returns you to this form.
- Choose the response a client will see when access is denied. Under the Access Denied Response heading, click the Respond "Not Found" button to send a message to the client saying the requested file was not found. Alternatively, you can click the Respond with this text file button, and specify an absolute path and filename of a text or HTML file to send instead of sending the generic "Not Found" message. Whether or not you specify a file, the server also sends the HTTP error code 404 Not Found.
- Click the OK button and confirm your changes.
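The following check is an added example, not part of the original manual or of the server's own code. It tests a resource expression against URLs it is meant to cover and URLs it is not, and maps a request method to the Read or Write default. It assumes Python's re module stands in for the proxy's regular expression syntax and that a pattern must match the whole URL; the sample URLs and the dictionary keys are constructed.

```python
import re

# Method groups as the page lists them for Read and Write access.
READ_METHODS = {"GET", "HEAD", "POST", "INDEX"}
WRITE_METHODS = {"PUT", "DELETE", "MKDIR", "RMDIR", "MOVE"}

def access_type(method):
    """Map an HTTP method to the access type whose default applies."""
    name = method.upper()
    if name in READ_METHODS:
        return "read"
    if name in WRITE_METHODS:
        return "write"
    raise ValueError("method not listed on the page: %r" % method)

def covers(pattern, url):
    """True if the resource pattern matches the whole URL (assumed semantics)."""
    return re.fullmatch(pattern, url) is not None

def default_access(resource, url, method):
    """Return the resource's default for this request, or None if not covered."""
    if not covers(resource["pattern"], url):
        return None
    return resource[access_type(method)]

def audit(pattern, intended, unintended):
    """Return (missed, extra): URLs where the pattern disagrees with intent."""
    missed = [u for u in intended if not covers(pattern, u)]
    extra = [u for u in unintended if covers(pattern, u)]
    return missed, extra

PAGE_PATTERN = r".*://.*.netscape.com/.*"       # as typed in the step above
ESCAPED_PATTERN = r".*://.*\.netscape\.com/.*"  # dots matched literally

# Constructed sample URLs.
INTENDED = ["http://home.netscape.com/", "ftp://ftp.netscape.com/pub/"]
UNINTENDED = ["http://www.example-netscape.com/", "http://home.netscape.org/"]

# Constructed resource: Read allowed, Write denied by default.
RESOURCE = {"pattern": ESCAPED_PATTERN, "read": "allow", "write": "deny"}

if __name__ == "__main__":
    for label, pat in (("page", PAGE_PATTERN), ("escaped", ESCAPED_PATTERN)):
        missed, extra = audit(pat, INTENDED, UNINTENDED)
        print(label, "missed:", missed, "extra:", extra)
    print(default_access(RESOURCE, "http://home.netscape.com/", "PUT"))
```

Under these assumptions an unescaped dot matches any character, so the expression as typed also selects a host whose name merely ends in the same letters; running the audit before saving a resource shows which URLs the defaults will actually apply to.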
Denying access to a resource
In the Restrict Access form described on page 123, you set the default read and write access of a resource (a regular expression of matching URLs). If you set read or write access to allow all access by default, you can specify exceptions by clicking the Permissions button. The Deny Access to a Resource form appears.
When determining who is denied access, you can specify users from specified hostnames or IP addresses.
First you must specify how hostnames are processed. If you want to deny users from only the exact hostnames you'll specify, click Include specified names only. However, if you also want to deny users from alias domains of your specified hostnames, click Include aliases of specified names.
To deny users from specific hostnames or IP addresses, type a comma-separated list of hostnames or IP addresses in the text fields. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. But on the other hand, restricting by IP address is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.
The hostname and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the * character. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * character appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.
For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.
Allowing access to a resource
In the Restrict Access form described on page 123, you set the default read and write access of a resource. If you set read or write access to deny all access by default, you can specify exceptions by clicking the Permissions button. The Allow Access to a Resource form appears.
When determining who is allowed access, you can specify two types of users:
You specify both types of users in this form.
If all types of user authentication are used, the server checks the user's information in the following order (if the criteria in step 1 or 2 are met, the client skips the other steps, and is allowed access).
- Is the client's IP address automatically allowed?
- Is the client's hostname automatically allowed?
- Is the client identified (through password) as one of the allowed users from your database?
- Is the client's IP address allowed if the user is one of the allowed users from your database?
- Is the client's hostname allowed if the user is one of the allowed users from your database?
When a request comes in for a URL, the server knows the IP address that the request is coming from. Once it has this address, it uses DNS to look up the hostname that corresponds to that IP address.
If you will be specifying host names to allow users from, decide how you want the host names processed. If you want to allow only users from the exact host names you'll specify, click Include specified names only. However, if you also want to accept users from alias domains of your specified hostnames, click Include aliases of specified names.
To allow users from specific hostnames or IP addresses, enter a wildcard pattern of hostnames or IP addresses in text fields. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. But on the other hand, restricting by IP address is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.
If someone is allowed access by virtue of their hostname or IP address (as in steps 1 and 2 on page 126), they are not prompted for a login name or password. All other users are asked for that information.
To allow access to the users listed in your database,
- Choose the user database containing the users you want.
- Choose whether or not to allow everyone from that database or to allow only certain groups and users.
- Using a comma-separated list, specify the groups in the Groups field or the users in the Users field. For example, if your database contained Bob, Fred, Mary, and Joe but you only wanted Bob and Mary to have access to this section, you would enter Bob,Mary. If you leave this entry blank, all users from the database are allowed access.
- To further restrict access, specify any additional hostnames or IP addresses the users in the database must connect from. These Hostnames and IP Addresses fields can be left blank if your database users can be from any hostnames or IP addresses.
- Specify the message that a user sees when asked for a login name and password by typing it in the Login Prompt field.
- Click Done.
- Be sure to click Done in the Restrict Access form when you have finished modifying access control for part of your server.
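The wildcard rules given under "Denying access to a resource" and the five-step check order given in this section can be modeled as follows. This is an added example, not part of the original manual or of the server's own code. Groups are left out, the rule keys are hypothetical names for the form fields, and the points the page does not settle are marked as assumptions in the comments.

```python
def octet(s):
    return s.isascii() and s.isdigit() and int(s) <= 255

def check_ip_pattern(p):
    """'*' must replace a whole byte and be the right-most character."""
    parts = p.strip().split(".")
    wild = parts[-1] == "*"
    head = parts[:-1] if wild else parts
    # Assumption: 1-3 literal bytes before '*', exactly 4 bytes without it.
    sizes = range(1, 4) if wild else (4,)
    if len(head) not in sizes or not all(map(octet, head)):
        raise ValueError("bad IP pattern: %r" % p)
    return head

def check_host_pattern(p):
    """'*' must replace a whole name component and be the left-most one."""
    labels = p.strip().lower().split(".")
    rest = labels[1:] if labels[0] == "*" else labels
    if not rest or any(l == "" or "*" in l for l in rest):
        raise ValueError("bad hostname pattern: %r" % p)
    return labels

def ip_matches(pattern, ip):
    head = [int(x) for x in check_ip_pattern(pattern)]
    return [int(x) for x in ip.split(".")][:len(head)] == head

def host_matches(pattern, host):
    if host is None:  # DNS lookup failed: hostname rules cannot be used
        return False
    labels = check_host_pattern(pattern)
    name = host.lower().rstrip(".").split(".")
    if labels[0] != "*":
        return name == labels
    suffix = labels[1:]
    # Assumption: '*' stands for one or more leading components.
    return len(name) > len(suffix) and name[-len(suffix):] == suffix

def split_list(text):
    return [p.strip() for p in text.split(",") if p.strip()]

def any_ip(patterns, ip):
    return any(ip_matches(p, ip) for p in split_list(patterns))

def any_host(patterns, host):
    return any(host_matches(p, host) for p in split_list(patterns))

def allow(ip, host, user, rule):
    """Return (allowed, step) in the page's five-step order.

    user is the login name after a successful password check, else None.
    """
    if any_ip(rule["ips"], ip):
        return True, 1
    if any_host(rule["hosts"], host):
        return True, 2
    users = split_list(rule["users"])  # blank means every database user
    if user is None or (users and user not in users):
        return False, 3
    if not split_list(rule["user_ips"]) and not split_list(rule["user_hosts"]):
        return True, 3
    # Assumption: matching either user-level list is enough.
    if any_ip(rule["user_ips"], ip):
        return True, 4
    return any_host(rule["user_hosts"], host), 5

# Constructed rule built from the page's sample values.
RULE = {"ips": "198.95.251.*", "hosts": "", "users": "Bob,Mary",
        "user_ips": "198.*", "user_hosts": "*.netscape.com"}

if __name__ == "__main__":
    for args in [("198.95.251.30", None, None),
                 ("10.0.0.5", "users.netscape.com", "Mary"),
                 ("10.0.0.5", None, "Mary")]:
        print(args, allow(*args, RULE))
```

The last sample call shows the failure mode the page mentions: when the DNS lookup returns nothing, a rule that depends only on a hostname pattern never matches, so the same user is refused.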
Authenticating as a proxy or reverse proxy
To enable client authentication with your access control lists, you need to identify whether you want your server to authenticate as a proxy or a reverse proxy. If you are running a normal proxy, choose to authenticate as a proxy. If you are running a reverse proxy, choose to authenticate as a reverse proxy. For more information about client authentication in a reverse proxy, see "Client authentication in a reverse proxy", in Chapter 6.