Internet-Draft                                               P. Behera
draft-behera-ldap-password-policy-07.txt                     L. Poitou
Intended Category: Proposed Standard                   Sun Microsystems
Expires: August 2004                                     J. Sermersheim
                  Password Policy for LDAP Directories
This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Technical discussions of this draft are held on the LDAPEXT Working
Group mailing list at ietf-ldapext@netscape.com. Editorial comments may
be sent to the authors listed in Section 13.
Copyright (C) The Internet Society (2004). All Rights Reserved.

Please see the Copyright Section near the end of this document for
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are to
be interpreted as described in RFC 2119 [RFC-2119].
Behera, et al.              Expires August 15, 2004               Page 1

INTERNET DRAFT              LDAP Password Policy         15 February 2004
Password policy as described in this document is a set of rules that
controls how passwords are used and administered in LDAP directories. In
order to improve the security of LDAP directories and make it difficult
for password cracking programs to break into directories, it is
desirable to enforce a set of rules on password usage. These rules are
made to ensure that users change their passwords periodically, passwords
meet construction requirements, the re-use of old passwords is
restricted, and users are locked out after a certain number of failed
attempts.
LDAP-based directory services are currently accepted by many
organizations as the access protocol for directories. The ability to
ensure the secure read and update access to directory information
throughout the network is essential to the successful deployment. Most
LDAP implementations support many authentication schemes - the most
basic and widely used is the simple authentication, i.e., user DN and
password. In this case, many LDAP servers have implemented some kind of
policy related to the password used to authenticate. Among other things,
this policy includes:

   - Whether and when passwords expire.
   - Whether failed bind attempts cause the account to be locked.
   - If and how users are able to change their passwords.

In order to achieve greater security protection and ensure
interoperability in a heterogeneous environment, LDAP needs to
standardize on a common password policy model. This is critical to the
successful deployment of LDAP directories.
2.1. Application of password policy

The password policy defined in this document can be applied to any
attribute holding a user's password used for an authenticated LDAP bind
operation. In this document, the term "user" represents any LDAP client
application that has an identity in the directory.

This policy is typically applied to the userPassword attribute in the
case of the LDAP simple authentication method [RFC-2251] or the case of
password based SASL [RFC-2222] authentication such as CRAM-MD5
[RFC-2195] and DIGEST-MD5 [RFC-Digest].
The policy described in this document assumes that the password
attribute holds a single value. No considerations are made for
directories or systems that allow a user to maintain multi-valued
Server implementations MAY institute internal policy whereby certain
identities (such as directory administrators) are not forced to comply
with any of the password policy. In this case, the password for a
directory administrator never expires; the account is never locked,
The term "directory administrator" refers to a user that has sufficient
access control privileges to modify users' passwords, and the pwdPolicy
object defined in this document. The access control that is used to
determine whether an identity is a directory administrator is beyond the
scope of this document, but typically implies that the administrator has
'write' privileges to the
3. Articles of password policy

The following sections explain in general terms each aspect of the
password policy defined in this document as well as the need for each.
These policies are subdivided into the general groups of password usage
and password modification. Implementation details are presented in
Sections 6 and 7.
3.1. Password Usage Policy

This section describes policy enforced when a password is used to
authenticate. The general focus of this policy is to minimize the threat
of intruders once a password is in use.
3.1.1. Password Guessing Limit

In order to prevent intruders from guessing a user's password, a
mechanism exists to track the number of failed authentication attempts,
and take action when a limit is reached.

This policy consists of five parts:

   - A configurable limit on failed authentication attempts.

   - A counter to track the number of failed authentication attempts.

   - A timeframe in which the limit of consecutive failed authentication
     attempts must happen before action is taken.
   - The action to be taken when the limit is reached. The action will
     either be nothing, or the account will be locked.

   - An amount of time the account is locked (if it is to be locked).
     This can be indefinite.
3.2. Password Modification Policy

This section describes policy enforced while users are modifying
passwords. The general focus of this policy is to ensure that when users
add or change their passwords, the security and effectiveness of their
passwords is maximized. In this document, the term "modify password
operation" refers to any operation that is used to add or modify a
password attribute. Often this is done by updating the userPassword
attribute during an add or modify operation, but MAY be done by other
means such as an extended operation.
3.2.1. Password Expiration, Expiration Warning, and Grace Binds

One of the key properties of a password is the fact that it is not well
known. If a password is frequently changed, the chances of that user's
account being broken into are minimized.

Directory administrators may deploy a password policy that causes
passwords to expire after a given amount of time - thus forcing users to
change their passwords periodically.

As a side effect, there needs to be a way in which users are made aware
of this need to change their password before actually being locked out
of their accounts. One or both of the following methods

   - The user is sent a warning sometime before his password is due to
     expire. If the user fails to heed this warning before the
     expiration time, his account will be locked.

   - The user may bind to the directory a preset number of times after
     her password has expired. If she fails to change her password
     during one of her 'grace' binds, her account will be locked.
3.2.2. Password History

When the Password Expiration policy is used, an additional mechanism may
be employed to prevent users from simply re-using a previous password
(as this would effectively circumvent the expiration
In order to do this, a history of used passwords is kept. The directory
administrator sets the number of passwords to be stored at any given
time. Passwords are stored in this history whenever the password is
changed. Users aren't allowed to specify any passwords that are in the
history list while changing passwords.
3.2.3. Password Minimum Age

Users may circumvent the Password History mechanism by quickly
performing a series of password changes. If they change their password
enough times, their 'favorite' password will be pushed out

This process may be made less attractive to users by employing a minimum
age for passwords. If users are forced to wait 24 hours between password
changes, they may be less likely to cycle through a history of 10
passwords.
3.2.4. Password Quality and Minimum Length

In order to prevent users from creating or updating passwords that are
easy to guess, a password quality policy may be employed. This policy
consists of two general mechanisms - ensuring that passwords conform to
defined quality criteria and ensuring that they are of

Forcing a password to comply with the quality policy may imply a variety
of things including:

   - Disallowing trivial or well-known words from making up the
     password.

   - Forcing a certain number of digits to be used.

   - Disallowing anagrams of the user's name.

The implementation of this policy meets with the following problems:

   - If the password to be added or updated is encrypted by the client
     before being sent, the server has no way of enforcing this policy.
     Therefore, the onus of enforcing this policy falls upon client
     implementations.

   - There are no specific definitions of what 'quality checking'
     means. This can lead to unexpected behavior in a heterogeneous
3.2.5. User Defined Passwords
In some cases, it is desirable to disallow users from adding and
updating their own passwords. This policy makes this functionality

This implies that certain other policy, such as password expiration
3.2.6. Password Change After Reset

This policy forces the user to update her password after it has been
set for the first time, or has been reset by the directory

This is needed in scenarios where a directory administrator has set or
reset the password to a well-known value.
3.2.7. Safe Modification

As directories become more commonly used, it will not be unusual for
clients to connect to a directory and leave the connection open for an
extended period. This opens up the possibility for an intruder to make
modifications to a user's password while that user's computer is
connected but unattended.

This policy forces the user to prove his identity by specifying the old
password during a password modify operation.
3.3. Restriction of the Password Policy

The password policy defined in this document can apply to any attribute
containing a password. Password policy state information is held in the
user's entry, and applies to a password attribute, not a particular
password attribute value. Thus the server SHOULD enforce that the
password attribute subject to password policy contains one and only one
password value.
4. Schema used for Password Policy

The schema elements defined here fall into two general categories. A
password policy object class is defined which contains a set of
administrative password policy attributes, and a set of operational
attributes are defined that hold general password policy state
information for each user.
4.1. The pwdPolicy Object Class

This object class contains the attributes defining a password policy in
effect for a set of users. Section 8 describes the administration
of this object, and the relationship between it and particular

    ( 1.3.6.1.4.1.42.2.27.8.2.1
      MUST ( pwdAttribute )
      MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
            pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $
            pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $
            pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $
            pwdSafeModify ) )
4.2. Attribute Types used in the pwdPolicy ObjectClass

Following are the attribute types used by the pwdPolicy object

This holds the name of the attribute to which the password policy is
applied. For example, the password policy may be applied to the
userPassword attribute.

    ( 1.3.6.1.4.1.42.2.27.8.1.1
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
This attribute holds the number of seconds that must elapse between
modifications to the password. If this attribute is not present, 0

    ( 1.3.6.1.4.1.42.2.27.8.1.2
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute holds the number of seconds after which a modified
password will expire.

If this attribute is not present, or if the value is 0, the password
does not expire. If not 0, the value must be greater than or equal to
the value of pwdMinAge.
    ( 1.3.6.1.4.1.42.2.27.8.1.3
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute specifies the maximum number of used passwords stored in
the pwdHistory attribute.

If this attribute is not present, or if the value is 0, used passwords
are not stored in the pwdHistory attribute and thus may be

    ( 1.3.6.1.4.1.42.2.27.8.1.4
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4.2.5. pwdCheckQuality

This attribute indicates how the password quality will be verified while
being modified or added. If this attribute is not present, or if the
value is '0', quality checking will not be enforced. A value of '1'
indicates that the server will check the quality, and if the server is
unable to check it (due to a hashed password or other reasons) it will
be accepted. A value of '2' indicates that the server will check the
quality, and if the server is unable to verify it, it will return an
error refusing the password.

    ( 1.3.6.1.4.1.42.2.27.8.1.5
      NAME 'pwdCheckQuality'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
When quality checking is enabled, this attribute holds the minimum
number of characters that must be used in a password. If this attribute
is not present, no minimum password length will be enforced. If the
server is unable to check the length (due to a hashed password or
otherwise), the server will, depending on the value of the
pwdCheckQuality attribute, either accept the password without checking
it ('0' or '1') or refuse it ('2').
    ( 1.3.6.1.4.1.42.2.27.8.1.6
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4.2.7. pwdExpireWarning

This attribute specifies the maximum number of seconds before a password
is due to expire that expiration warning messages will be returned to an
authenticating user. If this attribute is not present, or if the value
is 0, no warnings will be sent. If not 0, the value must be smaller than
the value of the pwdMaxAge attribute.

    ( 1.3.6.1.4.1.42.2.27.8.1.7
      NAME 'pwdExpireWarning'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4.2.8. pwdGraceLoginLimit

This attribute specifies the number of times an expired password can be
used to authenticate. If this attribute is not present or if the value
is 0, authentication will fail.

    ( 1.3.6.1.4.1.42.2.27.8.1.8
      NAME 'pwdGraceLoginLimit'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
This attribute indicates, when its value is "TRUE", that the password
may not be used to authenticate after a specified number of consecutive
failed bind attempts. The maximum number of consecutive failed bind
attempts is specified in pwdMaxFailure.

If this attribute is not present, or if the value is "FALSE", the
password may be used to authenticate when the number of failed bind
attempts has been reached.

    ( 1.3.6.1.4.1.42.2.27.8.1.9
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
4.2.10. pwdLockoutDuration

This attribute holds the number of seconds that the password cannot be
used to authenticate due to too many failed bind attempts. If this
attribute is not present, or if the value is 0, the password cannot be
used to authenticate until reset by an administrator.

    ( 1.3.6.1.4.1.42.2.27.8.1.10
      NAME 'pwdLockoutDuration'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4.2.11. pwdMaxFailure

This attribute specifies the number of consecutive failed bind attempts
after which the password may not be used to authenticate. If this
attribute is not present, or if the value is 0, this policy is not
checked, and the value of pwdLockout will be ignored.

    ( 1.3.6.1.4.1.42.2.27.8.1.11
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
4.2.12. pwdFailureCountInterval

This attribute holds the number of seconds after which the password
failures are purged from the failure counter, even though no successful
authentication occurred.

If this attribute is not present, or if its value is 0, the failure
counter is only reset by a successful authentication.

    ( 1.3.6.1.4.1.42.2.27.8.1.12
      NAME 'pwdFailureCountInterval'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
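The guessing limit of 3.1.1, expressed through pwdLockout, pwdLockoutDuration, pwdMaxFailure and pwdFailureCountInterval (4.2.9 through 4.2.12) and the locked-account check of Section 6, can be modelled in a few functions. The following Python is an added example written for this page and is not code from the draft or from any server implementation; it keeps times as integer seconds since the epoch rather than the GeneralizedTime strings a directory would store in pwdFailureTime and pwdAccountLockedTime, and represents a permanent lock with the 0 value that 4.3.3 defines for that purpose.

```python
"""Added example: failed-bind tracking and lockout as described in 3.1.1,
4.2.9 - 4.2.12 and step 1 of the bind processing in Section 6.
Not the draft's code; times are integer seconds for brevity."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PwdPolicy:
    """Lockout-related pwdPolicy attributes; an absent attribute is 0 / FALSE."""
    pwdLockout: bool = False
    pwdMaxFailure: int = 0            # 0: policy not checked, pwdLockout ignored
    pwdLockoutDuration: int = 0       # 0: locked until an administrator resets it
    pwdFailureCountInterval: int = 0  # 0: counter reset only by a successful bind


@dataclass
class PwdState:
    """Operational attributes held in the user entry (4.3.3, 4.3.5)."""
    pwdFailureTime: List[int] = field(default_factory=list)
    pwdAccountLockedTime: Optional[int] = None  # None: absent; 0: locked permanently


def is_locked(state: PwdState, policy: PwdPolicy, now: int) -> bool:
    """Step 1 of Section 6: locked when pwdAccountLockedTime is 0, or when
    now < pwdAccountLockedTime + pwdLockoutDuration."""
    if state.pwdAccountLockedTime is None:
        return False
    if state.pwdAccountLockedTime == 0:
        return True
    return now < state.pwdAccountLockedTime + policy.pwdLockoutDuration


def record_failure(state: PwdState, policy: PwdPolicy, now: int) -> bool:
    """Called after a bind fails; returns True if this failure locked the account."""
    if policy.pwdMaxFailure == 0:
        return False  # 4.2.11: not checked, pwdLockout ignored
    if policy.pwdFailureCountInterval > 0:
        # 4.2.12: failures older than the interval are purged from the counter
        state.pwdFailureTime = [t for t in state.pwdFailureTime
                                if now - t < policy.pwdFailureCountInterval]
    state.pwdFailureTime.append(now)
    if policy.pwdLockout and len(state.pwdFailureTime) >= policy.pwdMaxFailure:
        # pwdLockoutDuration 0 means "until reset by an administrator" (4.2.10),
        # which 4.3.3 represents as a pwdAccountLockedTime of 0
        state.pwdAccountLockedTime = now if policy.pwdLockoutDuration > 0 else 0
        return True
    return False


def record_success(state: PwdState) -> None:
    """Step 2.A of Section 6: a successful bind deletes pwdFailureTime."""
    state.pwdFailureTime = []


if __name__ == "__main__":
    # Constructed scenario: three failures within 300 seconds lock the
    # account for 600 seconds.
    policy = PwdPolicy(pwdLockout=True, pwdMaxFailure=3,
                       pwdLockoutDuration=600, pwdFailureCountInterval=300)
    state = PwdState()
    for t in (0, 100, 200):
        print(f"t={t}: failure locked account? {record_failure(state, policy, t)}")
    print("locked at t=500:", is_locked(state, policy, 500))
    print("locked at t=800:", is_locked(state, policy, 800))
```

The purge in record_failure is what makes pwdFailureCountInterval a sliding window: two failures followed by a third more than the interval later leave a counter of one, so a slow trickle of mistakes does not accumulate into a lockout, while a burst does. Note that is_locked never clears pwdAccountLockedTime; the lock simply stops applying once pwdLockoutDuration has elapsed, which is exactly how step 1 of Section 6 is worded.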
4.2.13. pwdMustChange

This attribute specifies with a value of "TRUE" that users must change
their passwords when they first bind to the directory after a password
is set or reset by the administrator. If this attribute is not present,
or if the value is "FALSE", users are not required to change their
password upon binding after the administrator sets or
    ( 1.3.6.1.4.1.42.2.27.8.1.13
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
4.2.14. pwdAllowUserChange

This attribute indicates whether users can change their own passwords,
although the change operation is still subject to access control. If
this attribute is not present, a value of "TRUE" is

    ( 1.3.6.1.4.1.42.2.27.8.1.14
      NAME 'pwdAllowUserChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
4.2.15. pwdSafeModify

This attribute specifies whether or not the existing password must be
sent when changing a password. If this attribute is not present, a
"FALSE" value is assumed.

    ( 1.3.6.1.4.1.42.2.27.8.1.15
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
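The attribute definitions in 4.2 carry several cross-attribute constraints (pwdMaxAge against pwdMinAge, pwdExpireWarning against pwdMaxAge, pwdMaxFailure gating pwdLockout) and the three-way pwdCheckQuality semantics of 4.2.5 and 4.2.6, which decide what happens when the server receives a password it cannot inspect. The following Python is an added example for this page, not code from the draft or from any directory server. It reads a constructed pwdPolicy entry from LDIF-style lines, reports the constraint violations as the text states them, and evaluates a proposed password value. The assumption that a value beginning with "{" is a client-hashed password (the RFC 2307 "{scheme}" prefix) and the short list of trivial words are this example's own choices.

```python
"""Added example (not the draft's code): validate a pwdPolicy entry against
the constraints of 4.2 and apply pwdCheckQuality / pwdMinLength (4.2.5, 4.2.6)."""
from typing import Dict, List, Tuple

INTEGER_ATTRS = {"pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality",
                 "pwdMinLength", "pwdExpireWarning", "pwdGraceLoginLimit",
                 "pwdLockoutDuration", "pwdMaxFailure", "pwdFailureCountInterval"}
BOOLEAN_ATTRS = {"pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify"}

# Constructed sample entry; the DN and values are illustrative.
SAMPLE_LDIF = [
    "dn: cn=default,ou=policies,dc=example,dc=com",
    "objectClass: pwdPolicy",
    "pwdAttribute: userPassword",
    "pwdMinAge: 86400",
    "pwdMaxAge: 2592000",
    "pwdInHistory: 10",
    "pwdCheckQuality: 2",
    "pwdMinLength: 8",
    "pwdExpireWarning: 604800",
    "pwdGraceLoginLimit: 3",
    "pwdLockout: TRUE",
    "pwdLockoutDuration: 900",
    "pwdMaxFailure: 5",
    "pwdFailureCountInterval: 300",
    "pwdMustChange: TRUE",
    "pwdAllowUserChange: TRUE",
    "pwdSafeModify: FALSE",
]

# Example-only list of words treated as trivial for the 3.2.4 quality check.
TRIVIAL_WORDS = {b"password", b"secret", b"changeme", b"letmein"}


def parse_pwdpolicy_ldif(lines: List[str]) -> Dict[str, object]:
    """Minimal reader for one entry: 'attr: value' lines, no folding or base64."""
    entry: Dict[str, object] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name in INTEGER_ATTRS:
            entry[name] = int(value)
        elif name in BOOLEAN_ATTRS:
            entry[name] = value.upper() == "TRUE"
        else:
            entry[name] = value
    return entry


def check_policy(entry: Dict[str, object]) -> List[str]:
    """Return the violations of the constraints stated in 4.1 - 4.2.11 (empty if consistent)."""
    problems: List[str] = []
    if "pwdAttribute" not in entry:
        problems.append("pwdAttribute is MUST in the pwdPolicy object class (4.1)")
    max_age = entry.get("pwdMaxAge", 0)
    min_age = entry.get("pwdMinAge", 0)
    warn = entry.get("pwdExpireWarning", 0)
    if max_age != 0 and max_age < min_age:
        problems.append("pwdMaxAge must be >= pwdMinAge when non-zero (4.2.3)")
    if warn != 0 and not warn < max_age:
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge (4.2.7)")
    if entry.get("pwdLockout") and entry.get("pwdMaxFailure", 0) == 0:
        problems.append("pwdLockout is TRUE but pwdMaxFailure is 0 or absent, "
                        "so lockout is never applied (4.2.11)")
    if entry.get("pwdCheckQuality", 0) not in (0, 1, 2):
        problems.append("pwdCheckQuality must be 0, 1 or 2 (4.2.5)")
    return problems


def evaluate_password(entry: Dict[str, object], password: bytes) -> Tuple[bool, str]:
    """Decide whether a proposed password value is accepted; the reason names the
    5.2 error where one applies. A value starting with '{' is assumed to be
    hashed by the client, which the server cannot inspect (4.2.5, 4.2.6)."""
    quality = entry.get("pwdCheckQuality", 0)
    min_len = entry.get("pwdMinLength", 0)
    if quality == 0:
        return True, "accepted: quality checking not enforced"
    if password.startswith(b"{"):
        if quality == 1:
            return True, "accepted: hashed value cannot be checked (pwdCheckQuality 1)"
        return False, "refused: hashed value cannot be checked (pwdCheckQuality 2)"
    if min_len and len(password) < min_len:
        return False, "refused: passwordTooShort (6)"
    if not password.strip() or password.lower() in TRIVIAL_WORDS:
        return False, "refused: insufficientPasswordQuality (5)"
    return True, "accepted"
```

The pwdMinLength check deliberately sits behind the pwdCheckQuality test: 4.2.6 says the length is enforced only "when quality checking is enabled", so a policy with pwdCheckQuality 0 and pwdMinLength 8 never rejects a short password. The pwdExpireWarning check follows the text literally, which means a non-zero warning with pwdMaxAge 0 (never expires) is reported as inconsistent.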
4.3. Attribute Types for Password Policy State Information

Password policy state information must be maintained for each user. The
information is located in each user entry as a set of operational
attributes. These operational attributes are: pwdChangedTime,
pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime, pwdHistory,
pwdGraceUseTime, pwdReset,
4.3.1. Password Policy State Attribute Option

Since the password policy could apply to several attributes used to
store passwords, each of the above operational attributes must have an
option to specify which pwdAttribute it applies to. The password policy
option is defined as the following:

    pwd-<passwordAttribute>
where passwordAttribute is a string following the OID syntax
(1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor (short
name) MUST be used.

For example, if the pwdPolicy object has for pwdAttribute "userPassword"
then the pwdChangedTime operational attribute, in a

    pwdChangedTime;pwd-userPassword: 20000103121520Z

This attribute option follows sub-typing semantics. If a client requests
a password policy state attribute to be returned in a search operation,
and does not specify an option, all subtypes of that policy state
attribute are returned.
4.3.2. pwdChangedTime

This attribute specifies the last time the entry's password was changed.
This is used by the password expiration policy. If this attribute does
not exist, the password will never expire.

    ( 1.3.6.1.4.1.42.2.27.8.1.16
      NAME 'pwdChangedTime'
      DESC 'The time the password was last changed'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      USAGE directoryOperation )
4.3.3. pwdAccountLockedTime

This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 0 value means that the account has been locked
permanently, and that only an administrator can unlock the account.

    ( 1.3.6.1.4.1.42.2.27.8.1.17
      NAME 'pwdAccountLockedTime'
      DESC 'The time an user account was locked'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      USAGE directoryOperation )
4.3.4. pwdExpirationWarned
This attribute contains the time when the password expiration warning
was first sent to the client. The password will expire in the
pwdExpireWarning time.

    ( 1.3.6.1.4.1.42.2.27.8.1.18
      NAME 'pwdExpirationWarned'
      DESC 'The time the user was first warned about the coming
            expiration of the password'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      USAGE directoryOperation )
4.3.5. pwdFailureTime

This attribute holds the timestamps of the consecutive authentication
failures.

    ( 1.3.6.1.4.1.42.2.27.8.1.19
      NAME 'pwdFailureTime'
      DESC 'The timestamps of the last consecutive authentication
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      USAGE directoryOperation )
This attribute holds a history of previously used passwords.

Values of this attribute are transmitted in string format as given by
the following ABNF:

    pwdHistory = time "#" syntaxOID "#" length "#" data

    time       = <generalizedTimeString as specified in 6.14 of

    syntaxOID  = numericoid   ; the string representation of the
                              ; dotted-decimal OID that defines the
                              ; syntax used to store the password.
                              ; numericoid is described in 4.1 of

    length     = numericstring ; the number of octets in data.
                               ; numericstring is described in 4.1 of
    data       = <octets representing the password in the format
                  specified by syntaxOID>.

This format allows the server to store, and transmit a history of
passwords that have been used. In order for equality matching to
function properly, the time field needs to adhere to a consistent
format. For this purpose, the time field MUST be in GMT format.

    ( 1.3.6.1.4.1.42.2.27.8.1.20
      DESC 'The history of user s passwords'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
      EQUALITY octetStringMatch
      USAGE directoryOperation )
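The pwdHistory ABNF above, together with the pwdInHistory limit of 4.2.4 and the re-use rule of 3.2.2, is small enough to implement end to end. The following Python is an added example written for this page, not code from the draft or from any server: it formats, parses and prunes pwdHistory values and checks a candidate password against them. The sample values are constructed, and they store passwords as clear octet strings (syntax 1.3.6.1.4.1.1466.115.121.1.40) only to keep the comparison visible; a real server would store the hashed form in data and compare through its hashing scheme. Splitting on the first three "#" only is the detail that matters: the data field may itself contain "#", and the length field is what tells the parser where it ends.

```python
"""Added example (not the draft's code): encode, parse and consult pwdHistory
values in the ABNF of 4.3.6: time "#" syntaxOID "#" length "#" data."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"
NUMERICOID = re.compile(r"\d+(\.\d+)+")

# Constructed sample values; the first data field deliberately contains '#'.
SAMPLE_HISTORY = [
    b"20000103121520Z#1.3.6.1.4.1.1466.115.121.1.40#8#p#ss#w0r",
    b"20010315080000Z#1.3.6.1.4.1.1466.115.121.1.40#11#Spring-2001",
]


@dataclass(frozen=True)
class HistoryEntry:
    time: datetime
    syntax_oid: str
    data: bytes


def parse_generalized_time(value: str) -> datetime:
    """GMT GeneralizedTime of the form YYYYMMDDHHMMSSZ, as 4.3.6 requires."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_history_value(raw: bytes) -> HistoryEntry:
    """Split on the first three '#' only; data may contain '#' and is
    delimited by the length field, not by a separator."""
    parts = raw.split(b"#", 3)
    if len(parts) != 4:
        raise ValueError("pwdHistory value needs four '#'-separated fields")
    time_s, oid, length, data = parts
    if not NUMERICOID.fullmatch(oid.decode("ascii", "replace")):
        raise ValueError(f"syntaxOID {oid!r} is not a numericoid")
    if not length.isdigit() or int(length) != len(data):
        raise ValueError(f"length {length!r} does not match {len(data)} data octets")
    return HistoryEntry(parse_generalized_time(time_s.decode("ascii")),
                        oid.decode("ascii"), data)


def format_history_value(entry: HistoryEntry) -> bytes:
    return b"#".join([format_generalized_time(entry.time).encode("ascii"),
                      entry.syntax_oid.encode("ascii"),
                      str(len(entry.data)).encode("ascii"),
                      entry.data])


def password_in_history(history: List[bytes], candidate: bytes) -> bool:
    """3.2.2: a proposed password that matches a stored one is refused
    (passwordInHistory in the 5.2 response control)."""
    return any(parse_history_value(v).data == candidate for v in history)


def push_history(history: List[bytes], old_password: bytes,
                 when: datetime, pwd_in_history: int) -> List[bytes]:
    """Record the password being replaced, keeping at most pwdInHistory values
    (4.2.4); the oldest values by time field are dropped first."""
    if pwd_in_history == 0:
        return []  # 4.2.4: used passwords are not stored
    entries = [parse_history_value(v) for v in history]
    entries.append(HistoryEntry(when, OCTET_STRING_OID, old_password))
    entries.sort(key=lambda e: e.time)
    return [format_history_value(e) for e in entries[-pwd_in_history:]]
```

The pruning in push_history orders by the time field rather than by position in the attribute because LDAP attribute values are unordered; the time prefix is the only reliable way to know which value is the oldest, which is also why the text insists on a consistent GMT format for it.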
4.3.7. pwdGraceUseTime

This attribute holds the timestamps of grace login once a password

    ( 1.3.6.1.4.1.42.2.27.8.1.21
      NAME 'pwdGraceUseTime'
      DESC 'The timestamps of the grace login once the password has
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      USAGE directoryOperation )
This attribute holds a flag to indicate (when TRUE) that the password
has been reset and therefore must be changed by the user on first
authentication.

    ( 1.3.6.1.4.1.42.2.27.8.1.22
      DESC 'The indication that the password has been reset'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      USAGE directoryOperation )
4.3.9. pwdPolicySubentry

This attribute points to the pwdPolicy subentry in effect for this
    ( 1.3.6.1.4.1.42.2.27.8.1.23
      NAME 'pwdPolicySubentry'
      DESC 'The pwdPolicy subentry in effect for this object'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      USAGE directoryOperation )
5. Controls used for Password Policy

This section details the controls used while enforcing password policy.
A request control is defined that is sent by a client with a request
operation in order to elicit a response control. The response control
contains various warnings and errors associated with password policy.
This control MAY be sent with any LDAP request message in order to
convey to the server that this client is aware of, and can process the
response control described in this document. When a server receives
this control, it will return the response control when appropriate and
with the proper data.

The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality MUST be
FALSE. There is no controlValue.

    passwordPolicyRequest

    controlType: 1.3.6.1.4.1.42.2.27.8.5.1
5.2. Response Control

If the client has sent a passwordPolicyRequest control, the server sends
this control with the following operation responses: bindResponse,
modifyResponse, addResponse, compareResponse and possibly
extendedResponse, to inform of various conditions, and MAY be sent with
other operations (in the case of the changeAfterReset

    passwordPolicyResponse

    controlType: 1.3.6.1.4.1.42.2.27.8.5.1

    controlValue: an OCTET STRING, whose value is the BER encoding of the
    PasswordPolicyResponseValue ::= SEQUENCE {
          timeBeforeExpiration     [0] INTEGER (0 .. maxInt),
          graceLoginsRemaining     [1] INTEGER (0 .. maxInt) } OPTIONAL
       error   [1] ENUMERATED {
          changeAfterReset             (2),
          passwordModNotAllowed        (3),
          mustSupplyOldPassword        (4),
          insufficientPasswordQuality  (5),
          passwordTooShort             (6),
          passwordTooYoung             (7),
          passwordInHistory            (8) } OPTIONAL }
The timeBeforeExpiration warning specifies the number of seconds before
a password will expire. The graceLoginsRemaining warning specifies the
remaining number of times a user will be allowed to authenticate with an
expired password. The passwordExpired error signifies that the password
has expired and must be reset. The changeAfterReset error signifies that
the password must be changed before the user will be allowed to perform
any operation other than bind and modify. The passwordModNotAllowed
error is set when a user is restricted from changing her password. The
insufficientPasswordQuality error is set when a password doesn't pass
quality checking. The passwordTooYoung error is set if the age of the
password to be modified is not yet old enough.

Typically, only either a warning or an error will be encoded though
there may be exceptions. For example, if the user is required to change
a password after the administrator set it, and the password will expire
in a short amount of time, the control may include the
timeBeforeExpiration warning and the changeAfterReset error.
6. Server Implementation by LDAP operation

The following sections contain detailed instructions that refer to
attributes of the pwdPolicy object class. When doing so, the attribute
of the pwdPolicy object that governs the entry being discussed is
implied.

The server SHOULD enforce that the password attribute subject to a
password policy as defined in this document, contains one and only

The scenarios in the following operations assume that the client has
attached a passwordPolicyRequest control to the request message of
the operation. In the event that the passwordPolicyRequest control was
not sent, no passwordPolicyRequest control is returned. All other
instructions remain the same.
When processing a bind request, the server MUST perform the

   1. Check for a locked account:

      If the value of the pwdAccountLockedTime attribute is 0, or if
      the current time is less than the value of the
      pwdAccountLockedTime attribute added to the value of the
      pwdLockoutDuration, the account is locked.

      If the account is locked, the server MUST send a bindResponse to
      the client with the resultCode: unwillingToPerform (53), and MUST
      include the passwordPolicyResponse in the controls field of the
      bindResponse message with the error: accountLocked (1).

      If the account is not locked, the server MUST proceed with the
   2. Check the result of the bind operation:

      If the bind operation succeeds with authentication, the server
      MUST do the following:

      A. Delete the pwdFailureTime attribute.

      B. Check whether the password must be changed now.

         If the pwdMustChange attribute is set to TRUE, and if the
         pwdReset attribute is set to TRUE, the password must be

         If the password must be changed now, the server MUST send a
         bindResponse to the client with the resultCode: success (0),
         and MUST include the passwordPolicyResponse in the controls
         field of the bindResponse message with the warning:
         changeAfterReset specified. The server MUST then disallow all
         operations issued by this user except modify password, bind,
         unbind, abandon and StartTLS extended operation.

         If the password does not need to be changed now, the operation
      C. Check for password expiration.

         The password has expired when either of the following

         - If the value of the pwdExpireWarning attribute is 0, the
           server subtracts the current time from the time stored in
           pwdChangedTime to arrive at the password's age. If the age
           is greater than the value in the pwdMaxAge attribute, the
           password has expired.

         - If the value of the pwdExpireWarning attribute is non-zero,
           and the pwdExpirationWarned attribute is present and has a
           time value, the server subtracts the current time from the
           time stored in the pwdExpirationWarned to arrive at the
           first warning age. If the age is greater than the value in
           the pwdExpireWarning attribute, the password has

         If the password has expired, the server MUST check for
         remaining grace logins.

         If the pwdGraceUseTime attribute is present, the server MUST
         count the number of values in that attribute and subtract it
         from the pwdGraceLoginLimit. A positive result specifies the
         number of remaining grace logins.

         If there are remaining grace logins, the server MUST add a new
         value with the current time in pwdGraceUseTime. Then it MUST
         send a bindResponse with the resultCode: success (0), and MUST
         include the passwordPolicyResponse in the controls field of the
         bindResponse message with the warning: graceLoginsRemaining
         choice set to the number of

         If there are no remaining grace logins, the server MUST send a
         bindResponse with the resultCode: invalidCredentials (49), and
         MUST include the passwordPolicyResponse in the controls field
         of the bindResponse message with the error: passwordExpired (0)

         If the password has not expired, execution continues.

      D. Calculate whether the time before expiration warning should
1007 Behera, et. al. Expires August 15, 2004 Page 18
1009 INTERNET DRAFT LDAP Password Policy 15 February 2004
1012 If the pwdExpireWarning attribute is present and contains a
1013 value, the server MUST perform the following steps.
1015 If the pwdExpirationWarned attribute is present and has a
1016 time value, the warning time is the value of the
1017 pwdExpirationWarned attribute plus the value of the
1018 pwdExpireWarning attribute minus the current time.
1020 If the pwdExpirationWarned attribute is not present, the
1021 server MUST subtract the current time from the time stored
1022 in pwdChangedTime to arrive at the password's age. If the
1023 age is greater than the value of the pwdMaxAge attribute
1024 minus the value of the pwdExpireWarning attribute, the
1025 server MUST set the current time as the value of the
1026 pwdExpirationWarned attribute, and the warning time is the
1027 value of pwdMaxAge minus the password's age.
1029 If the warning time is a positive number, the server MUST
1030 send a bindResponse with the resultCode: success (0), and
1031 MUST include the passwordPolicyResponse in the controls
1032 field of the bindResponse message with the warning:
1033 timeBeforeExiration set to the value as described above.
1035 If the warning time is zero, or wasn't calculated, the
1036 server MUST send a bindResponse with the resultCode:
1037 success (0), and MUST include the passwordPolicyResponse
1038 with nothing in the SEQUENCE.
1040 If the pwdExpireWarning attribute is not present, the server
1041 MUST send a bindResponse with the resultCode: success (0),
1042 and MUST include the passwordPolicyResponse with nothing in
1045 If the bind operation fails authentication due to invalid
1046 credentials, the server MUST do the following:
1048 A. Add the current time as a value of the pwdFailureTime
1051 B. If the pwdLockout attribute is TRUE, the server MUST also do
1054 Count the number of values in the pwdFailureTime attribute
1055 that are younger than pwdFailureCountInterval.
1057 If the number of these failures is greater or equal to the
1058 pwdMaxFailure attribute, the server MUST lock the account
1059 by setting the value of the pwdAccountLockedTime attribute
1060 to the current time. After locking the account, the server
1063 Behera, et. al. Expires August 15, 2004 Page 19
1065 INTERNET DRAFT LDAP Password Policy 15 February 2004
1068 MUST send a bindResponse to the client with the
1069 resultCode: unwillingToPerform (53), and MUST include the
1070 passwordPolicyResponse in the controls field of the
1071 bindResponse message with the error: accountLocked (1).
1073 If the number of failures is less than the pwdMaxFailure
1074 attribute, operation proceeds.
1076 C. Failure times that are old by more than
1077 pwdFailureCountInterval are purged from the pwdFailureTime
6.2. Modify Password Operation

Because the password is stored in an attribute, the modify operation
may be used to create or update a password. But some alternate
mechanisms have been defined or may be defined, such as the LDAP
Password Modify Extended Operation [RFC-3062].

While processing a password modification, the server MUST perform
the following steps:

1. Check the pwdSafeModify attribute. If set to TRUE, the server
   MUST ensure that the modify password operation included the
   user's existing password. When the LDAP modify operation is used
   to modify a password, this is done by specifying both a delete
   action and an add or replace action, where the delete action is
   first, and specifies the existing password, and the add or
   replace action specifies the new password. Other password modify
   operations SHOULD employ a similar mechanism. Otherwise this

   If the existing password is not specified, the server MUST NOT
   process the operation and MUST send the appropriate response
   message to the client with the resultCode: unwillingToPerform
   (53), and MUST include the passwordPolicyResponse in the controls
   field of the response message with the error:
   mustSupplyOldPassword (4).

2. Check the value of the pwdMustChange attribute. If TRUE, the
   server MUST check the pwdReset attribute in the user's entry, to
   see if a directory administrator has reset the password. If so,
   it MUST ensure that the modify password operation contains no
   modifications other than the modification of the password
   attribute. If other modifications exist, the server MUST send a
   response message to the client with the resultCode:
   unwillingToPerform (53), and MUST include the
   passwordPolicyResponse in the controls field of the response
   message with the error: changeAfterReset (2).

3. Check to see whether the bound identity has sufficient rights to
   modify the password. If the bound identity is a user changing its
   own password, this MAY be done by checking the pwdAllowUserChange
   attribute or using an access control mechanism. The determination
   of this is implementation specific. If the user is not allowed to
   change her password, the server MUST send a response message to
   the client with the resultCode: unwillingToPerform (53), and MUST
   include the passwordPolicyResponse in the controls field of the
   response message with the error: passwordModNotAllowed (3).

4. Check the value of the pwdMinAge attribute. If it is set to a
   non-zero value, the server MUST subtract the value of the
   pwdChangedTime attribute from the current time to arrive at the
   password's age. If the password's age is less than the value of
   the pwdMinAge attribute, the password is too young to modify. In
   this case, the server MUST send a response message to the client
   with the resultCode: constraintViolation (19), and MUST include
   the passwordPolicyResponse in the controls field of the response
   message with the error: passwordTooYoung (7).

5. Check the value of the pwdCheckQuality attribute.

   If the value is non-zero, the server:

   A. MUST ensure that the password meets the quality criteria
      enforced by the server. This enforcement is implementation

      If the server is unable to check the quality (due to a hashed
      password or otherwise), the value of pwdCheckQuality is
      evaluated. If the value is 1, operation MUST continue. If the
      value is 2, the server MUST send a response message to the
      client with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the response message with the error:
      insufficientPasswordQuality (5).

      If the server is able to check the password quality, and the
      check fails, the server MUST send a response message to the
      client with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the response message with the error:
      insufficientPasswordQuality (5).

   B. MUST check the value of the pwdMinLength attribute. If the
      value is non-zero, it MUST ensure that the new password is of
      at least the minimum length.

      If the server is unable to check the length (due to a hashed
      password or otherwise), the value of pwdCheckQuality is
      evaluated. If the value is 1, operation MUST continue. If the
      value is 2, the server MUST send a response message to the
      client with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the response message with the error: passwordTooShort (6).

      If the server is able to check the password length, and the
      check fails, the server MUST send a response message to the
      client with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the response message with the error: passwordTooShort (6).

6. Check the value of the pwdInHistory attribute. If the value is
   non-zero, the server MUST check whether this password exists in
   the entry's pwdHistory attribute or in the current password
   attribute. If the password does exist in the pwdHistory attribute
   or in the current password attribute, the server MUST send a
   response message to the client with the resultCode:
   constraintViolation (19), and MUST include the
   passwordPolicyResponse in the controls field of the response
   message with the error: passwordInHistory (8).

If the steps have completed without causing an error condition, the
server MUST follow the following steps in order to update the
necessary password policy state attributes:

7. Check the value of the pwdMaxAge attribute. If the value is non-
   zero, or if the value of the pwdMinAge attribute is non-zero, the
   server MUST update the pwdChangedTime attribute on the entry to

8. If the value of the pwdInHistory attribute is non-zero, the
   server MUST add the previous password to the pwdHistory
   attribute. If the number of values held in the pwdHistory
   attribute exceeds the value of pwdInHistory, the server MUST
   remove the oldest excess passwords.

9. Remove the pwdFailureTime, pwdReset, pwdGraceUseTime and
   pwdExpirationWarned attributes from the user's entry if they

The server MUST then apply the modify password operation.
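The Section 6.2 checks and the state update that follows them, written out as one server-side routine. This is an added example, not code from the draft or from any directory server: the PBKDF2 storage format, the quality rule in quality_ok, the convention that a new value beginning with "{" is a client-supplied hash the server cannot inspect, the noSuchAttribute (16) result for a wrong old password (ordinary modify semantics, not a policy error), and the dictionaries standing in for the policy subentry and the user entry are all assumptions of the example. With self_change=False and no old password it also covers the Section 6.3 add case, which the draft describes as a subset of these steps.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone

# resultCodes and passwordPolicyResponse error values named in Section 6.2
SUCCESS, NO_SUCH_ATTRIBUTE, CONSTRAINT_VIOLATION, UNWILLING_TO_PERFORM = 0, 16, 19, 53
(PASSWORD_EXPIRED, ACCOUNT_LOCKED, CHANGE_AFTER_RESET, PASSWORD_MOD_NOT_ALLOWED,
 MUST_SUPPLY_OLD_PASSWORD, INSUFFICIENT_PASSWORD_QUALITY, PASSWORD_TOO_SHORT,
 PASSWORD_TOO_YOUNG, PASSWORD_IN_HISTORY) = range(9)


# Storage format is an assumption of this example: "{PBKDF2-SHA256}" + base64(salt || digest)
def hash_password(cleartext, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, 50_000)
    return "{PBKDF2-SHA256}" + base64.b64encode(salt + digest).decode()


def verify_password(cleartext, stored):
    raw = base64.b64decode(stored.split("}", 1)[1])
    return hash_password(cleartext, raw[:16]) == stored


def quality_ok(cleartext, entry):
    """Implementation-specific quality rule (assumed): letters and digits, and not the uid."""
    return (any(c.isalpha() for c in cleartext) and any(c.isdigit() for c in cleartext)
            and cleartext.lower() != entry.get("uid", "").lower())


def modify_password(entry, policy, new_value, old_password=None, other_mods=(),
                    self_change=True, now=None):
    """Run the Section 6.2 checks (1-6) and then its state update (7-9) on a copy of
    `entry`. Returns (resultCode, passwordPolicyResponse error or None, updated entry
    or None); `other_mods` lists non-password attributes changed in the same request."""
    now = now or datetime.now(timezone.utc)
    e = dict(entry)
    pre_hashed = new_value.startswith("{")     # client sent a hash: cleartext not inspectable
    min_age, n_hist = policy.get("pwdMinAge", 0), policy.get("pwdInHistory", 0)

    # 1. pwdSafeModify: the existing password must accompany a self-service change
    if policy.get("pwdSafeModify") and self_change:
        if old_password is None:
            return UNWILLING_TO_PERFORM, MUST_SUPPLY_OLD_PASSWORD, None
        if not verify_password(old_password, e["userPassword"]):
            return NO_SUCH_ATTRIBUTE, None, None   # the delete of the old value simply fails
    # 2. after an administrative reset, only the password may be modified
    if policy.get("pwdMustChange") and e.get("pwdReset") and other_mods:
        return UNWILLING_TO_PERFORM, CHANGE_AFTER_RESET, None
    # 3. rights: pwdAllowUserChange governs a user changing its own password
    if self_change and not policy.get("pwdAllowUserChange", True):
        return UNWILLING_TO_PERFORM, PASSWORD_MOD_NOT_ALLOWED, None
    # 4. pwdMinAge: the password's age is now minus pwdChangedTime
    if min_age and "pwdChangedTime" in e:
        if (now - e["pwdChangedTime"]).total_seconds() < min_age:
            return CONSTRAINT_VIOLATION, PASSWORD_TOO_YOUNG, None
    # 5. quality, then length; pwdCheckQuality=2 rejects what cannot be checked, 1 lets it through
    check_quality = policy.get("pwdCheckQuality", 0)
    if check_quality and pre_hashed:
        if check_quality == 2:
            return CONSTRAINT_VIOLATION, INSUFFICIENT_PASSWORD_QUALITY, None
    elif check_quality:
        if not quality_ok(new_value, e):
            return CONSTRAINT_VIOLATION, INSUFFICIENT_PASSWORD_QUALITY, None
        if len(new_value) < policy.get("pwdMinLength", 0):
            return CONSTRAINT_VIOLATION, PASSWORD_TOO_SHORT, None
    # 6. pwdInHistory: reject reuse of the current password or a remembered one
    if n_hist and not pre_hashed:
        previous = [e["userPassword"]] + e.get("pwdHistory", [])
        if any(verify_password(new_value, h) for h in previous):
            return CONSTRAINT_VIOLATION, PASSWORD_IN_HISTORY, None

    # 7-9. state update, then the modification itself
    if policy.get("pwdMaxAge", 0) or min_age:
        e["pwdChangedTime"] = now
    if n_hist:
        e["pwdHistory"] = (e.get("pwdHistory", []) + [e["userPassword"]])[-n_hist:]
    for attr in ("pwdFailureTime", "pwdReset", "pwdGraceUseTime", "pwdExpirationWarned"):
        e.pop(attr, None)
    e["userPassword"] = new_value if pre_hashed else hash_password(new_value)
    return SUCCESS, None, e
```

The ordering matters for the client experience: a caller who omits the old password learns about pwdSafeModify (53/4) before anything else, and a hashed value under pwdCheckQuality=2 is rejected at step 5.A with insufficientPasswordQuality (5) before the length check in 5.B is ever reached, exactly as the draft orders the steps. History is stored as hashes, so the reuse check verifies the new cleartext against each remembered value rather than comparing strings.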
The password MAY be set during an Add operation. If it is, the
server MUST perform the following steps while processing the add
operation. Note that these are essentially duplicates of steps 3, 5
and 7 from Section 6.2 with the exception that pwdAllowUserChange is

1. Check to see whether the bound identity has sufficient rights to
   modify the password. This MAY be done by the use of an access
   control mechanism. If the user is not allowed to add this
   password, the server MUST send an addResponse to the client with
   the resultCode: unwillingToPerform (53), and MUST include the
   passwordPolicyResponse in the controls field of the addResponse
   message with the error: passwordModNotAllowed (3).

2. Check the value of the pwdCheckQuality attribute.

   If the value is non-zero, the server:

   A. MUST ensure that the password meets the quality criteria
      enforced by the server. This enforcement is implementation

      If the server is unable to check the quality (due to a hashed
      password or otherwise), the value of pwdCheckQuality MUST be
      evaluated. If the value is 1, operation MUST continue. If the
      value is 2, the server MUST send an addResponse to the client
      with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the addResponse message with the error:
      insufficientPasswordQuality (5).

      If the server is able to check the password quality, and the
      check fails, the server MUST send an addResponse to the client
      with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the addResponse message with the error:
      insufficientPasswordQuality (5).

   B. MUST check the value of the pwdMinLength attribute. If the
      value is non-zero, it MUST ensure that the new password is of
      at least the minimum length.

      If the server is unable to check the length (due to a hashed
      password or otherwise), the value of pwdCheckQuality MUST be
      evaluated. If the value is 1, operation MUST continue. If the
      value is 2, the server MUST send an addResponse to the client
      with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the addResponse message with the error: passwordTooShort (6).

      If the server is able to check the password length, and the
      check fails, the server MUST send an addResponse to the client
      with the resultCode: constraintViolation (19), and MUST
      include the passwordPolicyResponse in the controls field of
      the addResponse message with the error: passwordTooShort (6).

If the steps above have completed without causing an error
condition, the server MUST follow the steps below in order to update
the necessary password policy state attributes.

3. Check the value of the pwdMaxAge attribute. If the value is non-
   zero, or if the value of the pwdMinAge attribute is non-zero, the
   server MUST update the pwdChangedTime attribute on the entry to
6.4. Compare Operation

The compare operation MAY be used to compare a password. This might
be performed when a client wishes to verify that a user's supplied
password is correct. An example of this is an LDAP HTTP
authentication redirector. It may be desirable to use this rather
than performing a bind operation in order to reduce possible
overhead involved in performing a bind. Access controls SHOULD be
used to restrict who may perform this comparison.

If a server supports this behavior, it MUST comply with the
following. Otherwise the password policy described in this document
may be circumvented.

While comparing password attributes, the server MUST perform the

1. Check for a locked account:

   If the value of the pwdAccountLockedTime attribute is 0, or if
   the current time is less than the value of the
   pwdAccountLockedTime attribute added to the value of the
   pwdLockoutDuration, the account is locked.

   If the account is locked, the server MUST send a compareResponse
   to the client with the resultCode: compareFalse (5), and MUST
   include the passwordPolicyResponse in the controls field of the
   compareResponse message with the error: accountLocked (1).

   If the account is not locked, the server MUST proceed with the

2. If access controls permit, the server MUST proceed with the
   compare operation and MUST check the result.

   If the result of the compare operation is true, the server MUST

   A. Delete the pwdFailureTime attribute.

   B. Check for password expiration

      The password has expired when either of the following

      - If the value of the pwdExpireWarning attribute is 0, the
        server MUST subtract the time stored in pwdChangedTime
        from the current time to arrive at the password's age. If
        the age is greater than the value in the pwdMaxAge
        attribute, the password has expired.

      - If the value of the pwdExpireWarning attribute is non-zero,
        and the pwdExpirationWarned attribute is present and has a
        time value, the server MUST subtract the time stored in
        pwdExpirationWarned from the current time to arrive at the
        first warning age. If the age is greater than the value in
        the pwdExpireWarning attribute, the password has expired.

      If the password has expired, the server MUST check for
      remaining grace logins.

      If the pwdGraceUseTime attribute is present, the server
      MUST count the number of values in that attribute and MUST
      subtract it from the pwdGraceLoginLimit. A positive result
      specifies the number of remaining grace logins.

      If there are remaining grace logins, the server MUST add a
      new value with the current time in pwdGraceUseTime. Then
      it MUST send a compareResponse with the resultCode:
      compareTrue (6), and MUST include the
      passwordPolicyResponse in the controls field of the
      compareResponse message with the warning:
      graceLoginsRemaining choice set to the number of grace

      If there are no remaining grace logins, the server MUST
      send a compareResponse with the resultCode: compareFalse
      (5), and MUST include the passwordPolicyResponse in the
      controls field of the compareResponse message with the
      error: passwordExpired (0) set.

      If the password has not expired, execution MUST continue.

   C. Calculate whether the time before expiration warning should be

      If the pwdExpireWarning attribute is present and contains a
      value, the server MUST perform the following steps.

      If the pwdExpirationWarned attribute is present and has a
      time value, the warning time is the value of the
      pwdExpirationWarned attribute plus the value of the
      pwdExpireWarning attribute minus the current time.

      If the pwdExpirationWarned attribute is not present, the
      server MUST subtract the time stored in pwdChangedTime from
      the current time to arrive at the password's age. If the
      age is greater than the value of the pwdMaxAge attribute
      minus the value of the pwdExpireWarning attribute, the
      server MUST set the current time as the value of the
      pwdExpirationWarned attribute, and the warning time is the
      value of pwdMaxAge minus the password's age.

      If the warning time is a positive number, the server MUST
      send a compareResponse with the resultCode: compareTrue
      (6), and MUST include the passwordPolicyResponse in the
      controls field of the compareResponse message with the
      warning: timeBeforeExpiration set to the value as described

      If the warning time is zero, or wasn't calculated, the
      server MUST send a compareResponse with the resultCode:
      compareTrue (6), and MUST include the
      passwordPolicyResponse with nothing in the SEQUENCE.

      If the pwdExpireWarning attribute is not present, the server
      MUST send a compareResponse with the resultCode: compareTrue
      (6), and MUST include the passwordPolicyResponse with nothing

   If the result of the compare operation is false, the server MUST

   A. Add the current time as a value of the pwdFailureTime

   B. If the pwdLockout attribute is TRUE, the server MUST do

      Count the number of values in the pwdFailureTime
      attribute that are younger than
      pwdFailureCountInterval.

      If the number of these failures is greater than or equal
      to the pwdMaxFailure attribute, the server MUST lock the
      account by setting the value of the
      pwdAccountLockedTime attribute to the current time.
      After locking the account, the server MUST send a
      compareResponse to the client with the resultCode:
      compareFalse (5), and MUST include the
      passwordPolicyResponse in the controls field of the
      compareResponse message with the error: accountLocked

      If the number of failures is less than the
      pwdMaxFailure attribute, operation MUST proceed.

      If the pwdLockout attribute is FALSE, operation MUST

   C. Failure times that are old by more than
      pwdFailureCountInterval MUST be purged from the
      pwdFailureTime attribute.

   D. If no errors were returned, the server MUST send a
      compareResponse with the resultCode: compareFalse (5), and
      MUST include the passwordPolicyResponse with nothing in
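The expiration, grace-login and lockout logic is the same for the authenticating bind of Section 6.1 and the password compare of Section 6.4; only the result codes differ (success/invalidCredentials/unwillingToPerform versus compareTrue/compareFalse). The routine below implements both, as an added example rather than code from the draft or from any server product. It assumes in-memory dictionaries for the policy subentry and the user entry, takes the already-locked pre-check of step 1 from the compare description and returns the unwillingToPerform/accountLocked pair of Section 7.1 for bind, reports graceLoginsRemaining as the count left after the current use has been recorded, treats a pwdAccountLockedTime of 0 as a lock with no end, and requires a non-zero pwdFailureCountInterval.

```python
from datetime import timedelta

# LDAP resultCodes used by Section 6.1 (bind) and Section 6.4 (compare)
SUCCESS, COMPARE_FALSE, COMPARE_TRUE, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 5, 6, 49, 53
# passwordPolicyResponse error values these two operations return
PASSWORD_EXPIRED, ACCOUNT_LOCKED, CHANGE_AFTER_RESET = 0, 1, 2


def is_locked(entry, policy, now):
    """Step 1: pwdAccountLockedTime of 0 means locked outright; otherwise the
    lock lasts pwdLockoutDuration seconds from the time it was set."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False
    if locked_at == 0:
        return True
    return now < locked_at + timedelta(seconds=policy.get("pwdLockoutDuration", 0))


def record_failure(entry, policy, now):
    """Failed authentication: append to pwdFailureTime, lock when the failures
    younger than pwdFailureCountInterval reach pwdMaxFailure, then purge stale
    failure times (step C). Returns True when this failure locked the account."""
    interval = timedelta(seconds=policy["pwdFailureCountInterval"])
    failures = entry.setdefault("pwdFailureTime", [])
    failures.append(now)
    locked = False
    if policy.get("pwdLockout"):
        recent = [t for t in failures if now - t < interval]
        if len(recent) >= policy["pwdMaxFailure"]:
            entry["pwdAccountLockedTime"] = now
            locked = True
    entry["pwdFailureTime"] = [t for t in failures if now - t < interval]
    return locked


def password_expired(entry, policy, now):
    """The expiry test exactly as the draft words it for steps C (bind) / B (compare)."""
    warn = policy.get("pwdExpireWarning", 0)
    if warn == 0:
        age = (now - entry["pwdChangedTime"]).total_seconds()
        return age > policy["pwdMaxAge"]
    warned = entry.get("pwdExpirationWarned")
    return warned is not None and (now - warned).total_seconds() > warn


def expiry_warning(entry, policy, now):
    """Steps D (bind) / C (compare): seconds until expiry if a warning is due, else None.
    Sets pwdExpirationWarned the first time the password enters the warning window."""
    warn = policy.get("pwdExpireWarning", 0)
    if not warn:
        return None
    warned = entry.get("pwdExpirationWarned")
    if warned is not None:
        left = (warned - now).total_seconds() + warn
    else:
        age = (now - entry["pwdChangedTime"]).total_seconds()
        if age <= policy["pwdMaxAge"] - warn:
            return None
        entry["pwdExpirationWarned"] = now
        left = policy["pwdMaxAge"] - age
    # the draft sends the warning only for a positive value; zero (or negative) sends nothing
    return int(left) if left > 0 else None


def evaluate(entry, policy, authenticated, now, via="bind"):
    """Return (resultCode, control) for an authenticating bind (via='bind') or a
    password compare (via='compare'). `control` is the passwordPolicyResponse
    content: {} for an empty SEQUENCE, else a 'warning' or 'error' key.
    `entry` is updated in place the way the server updates the user's entry."""
    ok, fail, locked_code = ((SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM)
                             if via == "bind" else (COMPARE_TRUE, COMPARE_FALSE, COMPARE_FALSE))
    if is_locked(entry, policy, now):
        return locked_code, {"error": ACCOUNT_LOCKED}
    if not authenticated:
        if record_failure(entry, policy, now):
            return locked_code, {"error": ACCOUNT_LOCKED}
        return fail, {}
    entry.pop("pwdFailureTime", None)                                     # A
    if via == "bind" and policy.get("pwdMustChange") and entry.get("pwdReset"):   # B, bind only
        return ok, {"error": CHANGE_AFTER_RESET}
    if password_expired(entry, policy, now):
        remaining = policy["pwdGraceLoginLimit"] - len(entry.get("pwdGraceUseTime", []))
        if remaining > 0:
            entry.setdefault("pwdGraceUseTime", []).append(now)
            return ok, {"warning": ("graceLoginsRemaining", remaining - 1)}
        return fail, {"error": PASSWORD_EXPIRED}
    left = expiry_warning(entry, policy, now)
    if left is not None:
        return ok, {"warning": ("timeBeforeExpiration", left)}
    return ok, {}
```

Two consequences of the draft's wording are visible when this is run: with a non-zero pwdExpireWarning the password only counts as expired once pwdExpirationWarned has been set and pwdExpireWarning seconds have passed since, so a password whose age already exceeds pwdMaxAge on its first evaluation inside the warning window is not rejected on that bind; and a compare that fails because the account is locked returns compareFalse with accountLocked, which the client must distinguish from a plain mismatch (Section 7.4).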
7. Client Implementation by LDAP operation

These sections illustrate possible scenarios for each LDAP operation
and define the types of responses that identify those scenarios.

The scenarios in the following operations assume that the client
attached a passwordPolicyRequest control to the request message of
the operation, and thus MAY receive a passwordPolicyResponse control
in the response message. In the event that the passwordPolicyRequest
control was not sent, no passwordPolicyResponse control is returned.
All other instructions remain the same.

For every bind response received, the client MUST check the
resultCode of the bindResponse and MUST check for a
passwordPolicyResponse to determine if any of the following
conditions are true and MAY prompt the user accordingly.

1. The password failure limit has been reached and the account is
   locked. The user needs to retry later or contact the directory
   administrator to reset the password.

   resultCode: unwillingToPerform (53)
   passwordPolicyResponse: error: accountLocked (1)

2. The user is binding for the first time after the directory
   administrator set the password. In this scenario, the client
   SHOULD prompt the user to change his password immediately.

   resultCode: success (0)
   passwordPolicyResponse: error: changeAfterReset (2)

3. The password has expired but there are remaining grace logins.
   The user needs to change it.

   resultCode: success (0)
   passwordPolicyResponse: warning: graceLoginsRemaining

4. The password has expired and there are no more grace logins. The
   user MUST contact the directory administrator in order to have

   resultCode: invalidCredentials (49)
   passwordPolicyResponse: error: passwordExpired (0)

5. The user's password will expire in n number of seconds.

   resultCode: success (0)
   passwordPolicyResponse: warning: timeBeforeExpiration

7.2. Modify Operations

7.2.1. Modify Request

If the application or client hashes or otherwise encrypts the
password prior to sending it in a password modification operation
(whether done through modifyRequest or another password modification
mechanism), the server cannot inspect the cleartext, so the client
SHOULD check the values of the pwdMinLength and pwdCheckQuality
attributes and SHOULD enforce these policies itself.

7.2.2. Modify Response

If the modifyRequest operation was used to change the password, or
if another mechanism is used, such as an extendedRequest, the
modifyResponse or other appropriate response MAY contain information
pertinent to password policy. The client MUST check the resultCode
of the response and MUST check for a passwordPolicyResponse to
determine if any of the following conditions are true and optionally
notify the user of the condition.

1. The user attempted to change her password without specifying the
   old password but the password policy requires this.

   resultCode: unwillingToPerform (53)
   passwordPolicyResponse: error: mustSupplyOldPassword (4)

2. The user MUST change her password before submitting any other

   resultCode: unwillingToPerform (53)
   passwordPolicyResponse: error: changeAfterReset (2)

3. The user doesn't have sufficient rights to change his password.

   resultCode: unwillingToPerform (53)
   passwordPolicyResponse: error: passwordModNotAllowed (3)

4. It is too soon after the last password modification to change the

   resultCode: constraintViolation (19)
   passwordPolicyResponse: error: passwordTooYoung (7)

5. The password failed quality checking.

   resultCode: constraintViolation (19)
   passwordPolicyResponse: error:
   insufficientPasswordQuality (5)

6. The length of the password is too short.

   resultCode: constraintViolation (19)
   passwordPolicyResponse: error: passwordTooShort (6)

7. The password has already been used; the user MUST choose a

   resultCode: constraintViolation (19)
   passwordPolicyResponse: error: passwordInHistory (8)

If a password is specified in an addRequest, the client MUST check
the resultCode of the addResponse and MUST check for a
passwordPolicyResponse to determine if any of the following
conditions are true and MAY prompt the user accordingly.

1. The user doesn't have sufficient rights to add this password.

   resultCode: unwillingToPerform (53)
   passwordPolicyResponse: error: passwordModNotAllowed (3)

2. The password failed quality checking.

   resultCode: constraintViolation (19)
   passwordPolicyResponse: error:
   insufficientPasswordQuality (5)

3. The length of the password is too short.

   resultCode: constraintViolation (19)
   passwordPolicyResponse: error: passwordTooShort (6)

7.4. Compare Operation

When a compare operation is used to compare a password, the client
MUST check the resultCode of the compareResponse and MUST check for
a passwordPolicyResponse to determine if any of the following
conditions are true and MAY prompt the user accordingly. These
conditions assume that the supplied password matched the stored
one; where the resultCode is nevertheless compareFalse (5), it is
the password policy, not the comparison itself, that produced it.

1. The password failure limit has been reached and the account is
   locked. The user needs to retry later or contact the directory
   administrator to reset the password.

   resultCode: compareFalse (5)
   passwordPolicyResponse: error: accountLocked (1)

2. The password has expired but there are remaining grace logins.
   The user needs to change it.

   resultCode: compareTrue (6)
   passwordPolicyResponse: warning: graceLoginsRemaining

3. The password has expired and there are no more grace logins. The
   user MUST contact the directory administrator to reset the

   resultCode: compareFalse (5)
   passwordPolicyResponse: error: passwordExpired (0)

4. The user's password will expire in n number of seconds.

   resultCode: compareTrue (6)
   passwordPolicyResponse: warning: timeBeforeExpiration

7.5. Other Operations

For operations other than bind, unbind, abandon, StartTLS or modify
password, the client MUST check the following result code and
control to determine if the user needs to change the password
immediately.

1. The user needs to change password. The user SHOULD be prompted to
   change the password immediately.

   resultCode: unwillingToPerform (53)
   passwordPolicyResponse: error: changeAfterReset (2)
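A client-side decoder for the passwordPolicyResponse control value, followed by the Section 7.1 classification of a bindResponse into the scenarios listed above. This is an added example, not code from the draft or from any LDAP client library. The BER tag layout it parses (a SEQUENCE holding an optional warning [0] CHOICE of [0] timeBeforeExpiration / [1] graceLoginsRemaining INTEGERs and an optional error [1] ENUMERATED) and the control OID are taken from the draft's control definition, which this excerpt does not reproduce, so treat both as assumptions; the sample encodings in the usage note are constructed by hand.

```python
# Assumed from the draft's control definition (not reproduced in this excerpt):
#   PasswordPolicyResponseValue ::= SEQUENCE {
#       warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                            graceLoginsRemaining [1] INTEGER } OPTIONAL,
#       error   [1] ENUMERATED { passwordExpired (0) .. passwordInHistory (8) } OPTIONAL }
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"      # assumed; look the control up by this OID

ERROR_NAMES = ("passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
               "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
               "passwordTooYoung", "passwordInHistory")
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceLoginsRemaining"}


def _tlv(buf, pos):
    """Read one BER tag/length/value at `pos`; returns (tag, value bytes, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Parse the control value into {}, {'warning': (name, n)} and/or {'error': n}."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                              # warning [0], constructed: wraps the CHOICE
            ctag, num, _ = _tlv(inner, 0)
            out["warning"] = (WARNING_TAGS[ctag], int.from_bytes(num, "big", signed=True))
        elif tag == 0x81:                            # error [1], primitive ENUMERATED
            out["error"] = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag {tag:#x} in passwordPolicyResponse")
    return out


def bind_outcome(result_code, control_value=None):
    """Classify a bindResponse into the Section 7.1 scenarios. Returns (action, detail)."""
    ctl = decode_ppolicy_response(control_value) if control_value is not None else {}
    error = ERROR_NAMES[ctl["error"]] if "error" in ctl else None
    warning = ctl.get("warning")
    if result_code == 53 and error == "accountLocked":
        return "locked", None            # 7.1 (1): retry later or contact the administrator
    if result_code == 49 and error == "passwordExpired":
        return "expired", None           # 7.1 (4): no grace logins left
    if result_code == 0 and error == "changeAfterReset":
        return "change_now", None        # 7.1 (2): prompt for a new password immediately
    if result_code == 0 and warning:
        name, n = warning                # 7.1 (3) and (5)
        return ("grace", n) if name == "graceLoginsRemaining" else ("expiring", n)
    if result_code == 0:
        return "ok", None
    return "failed", result_code         # e.g. plain invalidCredentials without a control
```

Hand-constructed values for exercising it: 3007a0058003069780 (hex) is a timeBeforeExpiration warning of 432000 seconds, 3005a003810101 is graceLoginsRemaining 1, 3003810102 is the changeAfterReset error, and 3000 is the empty SEQUENCE. The decoder is the same for the modify, add and compare responses of Sections 7.2 to 7.4; only bind_outcome is specific to the bind table, and the point of keeping the two apart is that an expired-with-grace bind and a password-expiring bind both arrive as success (0), so a client that looks only at the resultCode never sees them.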
1706 8. Administration of a Password Policy
1709 A password policy MUST be defined for a particular subtree of the
1710 DIT by adding to an LDAP subentry whose immediate superior is the
1711 root of the subtree, the pwdPolicy auxiliary object class.
1712 The scope of the password policy is defined by the
1713 SubtreeSpecification attribute of the LDAP subentry as specified in
1714 RFC 3672 [RFC-3672].
1716 It is possible to define password policies for different password
1717 attributes within the same pwdPolicy entry, by specifying multiple
1718 values of the pwdAttribute. But password policies could also be in
1719 separate sub entries as long as they are contained under the same
1722 Modifying the password policy MUST not result in any change in
1723 users' entries to which the policy applies.
1725 It SHOULD be possible to overwrite the password policy for one user
1726 by defining a new policy in a subentry of the user entry.
1728 Each object that is controlled by password policy SHALL advertise
1729 the subentry that is being used to control its policy in its
1730 pwdPolicySubentry attribute. Clients wishing to examine or manage
1731 password policy for an object, MUST interrogate the
1735 Behera, et. al. Expires August 15, 2004 Page 31
1737 INTERNET DRAFT LDAP Password Policy 15 February 2004
1740 pwdPolicySubentry for that object in order to arrive at the proper
1743 9. Password Policy and Replication
1745 The pwdPolicy object defines the password policy for a portion of
1746 the DIT and MUST be replicated on all the replicas of this subtree,
1747 as any subentry would be, in order to have a consistent policy among
1748 all replicated servers.
1750 The elements of the password policy that are related to the users
1751 are stored in the entry themselves as operational attributes.
1752 As these attributes are subject to modifications even on a read-only
1753 replica, replicating them must be carefully considered.
1755 The pwdChangedTime attribute MUST be replicated on all replicas, to
1756 allow expiration of the password.
1758 The pwdReset attribute MUST be replicated on all replicas, to deny
1759 access to operations other than bind and modify password.
1761 The pwdHistory attribute MUST be replicated to writable replicas. It
1762 doesn't have to be replicated to a read-only replica, since the
1763 password will never be directly modified on this server.
1765 The pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime and
1766 pwdGraceUseTime attributes MUST be replicated to writable replicas,
1767 making the password policy global for all servers.
1768 When the user entry is replicated to a read-only replica, these
1769 attributes SHOULD NOT be replicated. This means that the number of
1770 failures, of grace logins and the locking will take place on each
1771 replicated server. For example, the effective number of failed
1772 attempts on a user password will be N x M (where N is the number of
1773 servers and M the value of pwdMaxFailure attribute).
1774 Replicating these attributes to a read-only replica MAY reduce the
1775 number of tries globally but MAY also introduce some inconstancies
1776 in the way the password policy is applied.
1779 10. Security Considerations
1781 This document defines a set of rules to implement in an LDAP server,
1782 in order to mitigate some of the security risks associated with the
1783 use of passwords and to make it difficult for password cracking
1784 programs to break into directories.
1786 Authentication with a password MUST follow the recommendations made
1787 in RFC 2829 [RFC-2829].
1791 Behera, et. al. Expires August 15, 2004 Page 32
1793 INTERNET DRAFT LDAP Password Policy 15 February 2004
Modifications of passwords SHOULD only occur when the connection is
protected with confidentiality and secure authentication.

Access controls SHOULD be used to restrict access to the password
policy attributes. In particular, all the attributes defined to
maintain the password policy state information SHOULD NOT be
modifiable by anyone but the administrator of the directory server.

As it is possible to define a password policy for one specific user
by adding a subentry immediately under the user's entry, access
controls SHOULD be used to restrict the use of the pwdPolicy object
class or the LDAP subentry object class.

When a password policy is put in place, the LDAP directory is
subject to a denial of service attack. A malicious user could
deliberately lock out one specific user's account (or all of them)
by sending bind requests with wrong passwords. There is no way to
protect against this kind of attack. The LDAP directory server
SHOULD log as much information as it can (such as the client IP
address) whenever an account is locked, in order to be able to
identify the origin of the attack. Denying anonymous access to the
LDAP directory is also a way to restrict this kind of attack.
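As an added illustration of the logging recommendation above (this is example code, not part of the draft): the draft defines no log format, so the sample lines below use a constructed, hypothetical format, and the detector groups lockout events by client IP to surface a source that locks many distinct accounts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical server format. The draft
# only says lockouts SHOULD be logged with details such as the client IP.
SAMPLE_LOG = """\
2004-02-15T10:00:01Z ACCOUNT_LOCKED dn="uid=alice,ou=people,dc=example,dc=com" client=192.0.2.10
2004-02-15T10:00:03Z ACCOUNT_LOCKED dn="uid=bob,ou=people,dc=example,dc=com" client=192.0.2.10
2004-02-15T10:00:04Z BIND_FAILED dn="uid=carol,ou=people,dc=example,dc=com" client=198.51.100.7
2004-02-15T10:00:06Z ACCOUNT_LOCKED dn="uid=carol,ou=people,dc=example,dc=com" client=192.0.2.10
2004-02-15T10:30:00Z ACCOUNT_LOCKED dn="uid=dave,ou=people,dc=example,dc=com" client=198.51.100.7
2004-02-15T11:30:00Z ACCOUNT_LOCKED dn="uid=erin,ou=people,dc=example,dc=com" client=192.0.2.10
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>\S+) dn="(?P<dn>[^"]+)" client=(?P<ip>\S+)$'
)


def parse_lockouts(log_text):
    """Return a list of (timestamp, dn, client_ip) for ACCOUNT_LOCKED lines;
    other events (e.g. single bind failures) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "ACCOUNT_LOCKED":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("dn"), m.group("ip")))
    return events


def lockout_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Map client IP -> set of DNs it locked out, keeping only IPs that
    locked at least min_accounts distinct accounts inside one `window`
    starting at any of that IP's lockout events."""
    by_ip = defaultdict(list)
    for ts, dn, ip in sorted(events):
        by_ip[ip].append((ts, dn))
    flagged = {}
    for ip, items in by_ip.items():
        for i, (start, _) in enumerate(items):
            dns = {dn for ts, dn in items[i:] if ts - start <= window}
            if len(dns) >= min_accounts:
                flagged[ip] = dns
                break
    return flagged
```

With the sample above, 192.0.2.10 is flagged for locking three accounts within ten minutes, while 198.51.100.7 (one lockout) is not.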
11. Acknowledgments

This document is based in part on prior work done by Valerie Chu
from Netscape Communications Corp, published as
draft-vchu-ldap-pwd-policy-00.txt (December 1998).
12. Normative References

[RFC-2119] S. Bradner, "Key Words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.

[RFC-2195] J. Klensin, R. Catoe, P. Krumviede, "IMAP/POP AUTHorize
Extension for Simple Challenge/Response", RFC 2195, September 1997.

[RFC-2222] J. Myers, "Simple Authentication and Security Layer
(SASL)", RFC 2222, October 1997.

[RFC-2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, August 1997.

[RFC-2252] M. Wahl, A. Coulbeck, T. Howes, S. Kille,
"Lightweight Directory Access Protocol (v3): Attribute Syntax
Definitions", RFC 2252, December 1997.
[RFC-Digest] P. J. Leach, C. Newman, "Using Digest Authentication
as a SASL Mechanism", RFC 2831, May 2000.

[RFC-3062] K. Zeilenga, "LDAP Password Modify Extended Operation",
RFC 3062, February 2001.

[RFC-3672] K. Zeilenga, S. Legg, "Subentries in the Lightweight
Directory Access Protocol (LDAP)", RFC 3672, December.
13. Authors' Addresses

18366 Chelmsford Dr.
prasantabehera@yahoo.com

Sun Microsystems Inc.
180, Avenue de l'Europe
38334 Saint Ismier cedex
ludovic.poitou@sun.com

1800 South Novell Place
Provo, Utah 84606, USA
14. Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."