1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
3 <!ENTITY rfc2119 PUBLIC '' "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
4 <!ENTITY rfc2195 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2195.xml'>
5 <!ENTITY rfc4422 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4422.xml'>
6 <!ENTITY rfc4511 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4511.xml'>
7 <!ENTITY rfc4512 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4512.xml'>
8 <!ENTITY rfc4513 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4513.xml'>
9 <!ENTITY rfc4517 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4517.xml'>
10 <!ENTITY rfc2831 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2831.xml'>
11 <!ENTITY rfc3062 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3062.xml'>
12 <!ENTITY rfc4520 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4520.xml'>
13 <!ENTITY rfc3672 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3672.xml'>
16 <?xml-stylesheet type='text/xsl' href='http://xml2rfc.ietf.org/authoring/rfc2629.xslt' ?>
19 <?rfc tocindent="no" ?>
20 <?rfc symrefs="yes" ?>
21 <?rfc sortrefs="yes"?>
22 <?rfc iprnotified="no" ?>
24 <rfc category="std" ipr="trust200902" docName="draft-behera-ldap-password-policy-11">
26 <title>Password Policy for LDAP Directories</title>
27 <author initials="J." fullname="Jim Sermersheim" surname="Sermersheim">
28 <organization>Novell, Inc</organization>
31 <street>1800 South Novell Place</street>
37 <phone>+1 801 861-3088</phone>
38 <email>jimse@novell.com</email>
41 <author initials="L." fullname="Ludovic Poitou" surname="Poitou">
42 <organization>Sun Microsystems</organization>
45 <street>180, Avenue de l'Europe</street>
46 <city>Zirst de Montbonnot</city> <code>38334</code> <region>Saint Ismier cedex</region>
49 <phone>+33 476 188 212</phone>
50 <email>ludovic.poitou@sun.com</email>
53 <author initials="H." fullname="Howard Chu" surname="Chu" role="editor">
54 <organization>Symas Corp.</organization>
57 <street>18740 Oxnard Street, Suite 313A</street>
59 <region>California</region>
63 <phone>+1 818 757-7087</phone>
64 <email>hyc@symas.com</email>
67 <date year="2014" month="July"/>
Password policy as described in this document is a set of rules that
controls how passwords are used and administered in Lightweight
Directory Access Protocol (LDAP) based directories. In order to
improve the security of LDAP directories and make it difficult for
password cracking programs to break into directories, it is desirable
to enforce a set of rules on password usage. These rules are made to
ensure that users change their passwords periodically, that passwords meet
construction requirements, that the re-use of old passwords is restricted,
and to deter password guessing attacks.
85 <section title="Overview">
87 <t>LDAP-based directory services are currently accepted by many
88 organizations as the access protocol for directories. The ability to
89 ensure the secure read and update access to directory information
90 throughout the network is essential to the successful deployment.
Most LDAP implementations support many authentication schemes; the
most basic and widely used is simple authentication, i.e., user DN
and password. In this case, many LDAP servers have implemented some
kind of policy related to the password used to authenticate. Among
other things, this policy includes:
96 <list style="symbols">
97 <t>Whether and when passwords expire.</t>
99 <t>Whether failed bind attempts cause the account to be locked.</t>
101 <t>If and how users are able to change their passwords.</t>
105 <t>In order to achieve greater security protection and ensure
106 interoperability in a heterogeneous environment, LDAP needs to
107 standardize on a common password policy model. This is critical to
108 the successful deployment of LDAP directories.</t>
112 <section title="Conventions">
114 <t>Imperative keywords defined in <xref target="RFC2119"/> are used in this document,
115 and carry the meanings described there.</t>
117 <t>All ASN.1 <xref target="X.680"/> Basic Encoding Rules (BER) <xref target="X.690"/> encodings follow the
118 conventions found in Section 5.1 of <xref target="RFC4511"/>.</t>
120 <t>The term "password administrator" refers to a user that has
121 sufficient access control privileges to modify users' passwords. The
122 term "password policy administrator" refers to a user that has
123 sufficient access control privileges to modify the pwdPolicy object
124 defined in this document. The access control that is used to
125 determine whether an identity is a password administrator or password
126 policy administrator is beyond the scope of this document, but
127 typically implies that the password administrator has 'write'
128 privileges to the password attribute.</t>
132 <section title="Application of Password Policy">
134 <t>The password policy defined in this document can be applied to any
135 attribute holding a user's password used for an authenticated LDAP
136 bind operation. In this document, the term "user" represents any
137 LDAP client application that has an identity in the directory.</t>
139 <t>This policy is typically applied to the userPassword attribute in the
140 case of the LDAP simple authentication method <xref target="RFC4511"/> or the case
141 of password based SASL <xref target="RFC4422"/> authentication such as CRAM-MD5
142 <xref target="RFC2195"/> and DIGEST-MD5 <xref target="RFC2831"/>.</t>
144 <t>The policy described in this document assumes that the password
145 attribute holds a single value. No considerations are made for
146 directories or systems that allow a user to maintain multi-valued
147 password attributes.</t>
<t>Server implementations MAY institute internal policy whereby certain
identities (such as directory administrators) are not forced to
comply with any password policy. In this case, the password for a
directory administrator never expires; the account is never locked,
157 <section title="Articles of Password Policy">
159 <t>The following sections explain in general terms each aspect of the
160 password policy defined in this document as well as the need for
161 each. These policies are subdivided into the general groups of
162 password usage and password modification. Implementation details are
163 presented in <xref target="server_enforce"/> and <xref target="client_enforce"/>.</t>
165 <section title="Password Usage Policy">
167 <t>This section describes policy enforced when a password is used to
168 authenticate. The general focus of this policy is to minimize the
169 threat of intruders once a password is in use.</t>
171 <section title="Password Validity Policy">
173 <t>These mechanisms allow account usage to be controlled independent
174 of any password expiration policies. The policy defines the absolute
175 period of time for which an account may be used. This
176 allows an administrator to define an absolute starting time after which
177 a password becomes valid, and an absolute ending time after which the
178 password is disabled.</t>
180 <t>A mechanism is also provided to define the period of time for which
181 an account may remain unused before being disabled.</t>
185 <section title="Password Guessing Limit">
187 <t>In order to prevent intruders from guessing a user's password, a
188 mechanism exists to track the number of consecutive failed
189 authentication attempts, and take action when a limit is reached.
190 This policy consists of several parts:
191 <list style="symbols">
193 <t>A counter to track the number of failed authentication attempts.</t>
195 <t>The amount of time to delay on the first authentication failure.</t>
197 <t>The maximum amount of time to delay on subsequent failures.</t>
199 <t>A timeframe in which the limit of consecutive failed
200 authentication attempts must happen before action is taken.</t>
202 <t>A configurable limit on failed authentication attempts.</t>
204 <t>The action to be taken when the limit is reached. The action will
205 either be nothing, or the account will be locked.</t>
207 <t>An amount of time the account is locked (if it is to be locked).
208 This can be indefinite.</t>
211 <t>Note that using the account lock feature provides an easy
212 avenue for Denial-of-Service (DoS) attacks on user accounts. While
213 some sites' policies require accounts to be locked, this feature is
214 discouraged in favor of delaying each failed login attempt.</t>
216 <t>The delay time will be doubled on each subsequent failure, until it
217 reaches the maximum time configured.</t>
<t>[TBD: we could also provide a syntax for configuring a backoff
algorithm. E.g. "+&lt;int&gt;" for linearly incrementing delay,
"x&lt;int&gt;" for constant multiplier, "^&lt;int&gt;" for geometric.
But it's probably overkill to add a calculator
language to the server.]</t>
230 <section title="Password Modification Policy">
232 <t>This section describes policy enforced while users are modifying
233 passwords. The general focus of this policy is to ensure that when
234 users add or change their passwords, the security and effectiveness
235 of their passwords is maximized. In this document, the term "modify
236 password operation" refers to any operation that is used to add or
237 modify a password attribute. Often this is done by updating the
238 password attribute during an add or modify operation, but MAY be done
239 by other means such as an extended operation.</t>
241 <section title="Password Expiration, Expiration Warning, and Grace
244 <t>One of the key properties of a password is the fact that it is not
245 well known. If a password is frequently changed, the chances of that
246 user's account being broken into are minimized.</t>
248 <t>Password policy administrators may deploy a password policy that
249 causes passwords to expire after a given amount of time - thus
250 forcing users to change their passwords periodically.</t>
252 <t>As a side effect, there needs to be a way in which users are made
253 aware of this need to change their password before actually being
254 locked out of their accounts. One or both of the following methods
256 <list style="symbols">
258 <t>A warning may be returned to the user sometime before his password
259 is due to expire. If the user fails to heed this warning before
260 the expiration time, his account will be locked.</t>
262 <t>The user may bind to the directory a preset number of times after
263 her password has expired. If she fails to change her password
264 during one of her 'grace' authentications, her account will be
270 <section title="Password History">
272 <t>When the Password Expiration policy is used, an additional mechanism
273 may be employed to prevent users from simply re-using a previous
274 password (as this would effectively circumvent the expiration
<t>In order to do this, a history of used passwords is kept. The
password policy administrator sets the number of passwords to be
stored at any given time. Passwords are stored in this history
whenever the password is changed. Users aren't allowed to specify
any passwords that are in the history list while changing passwords.</t>
285 <section title="Password Minimum Age">
287 <t>Users may circumvent the Password History mechanism by quickly
288 performing a series of password changes. If they change their
289 password enough times, their 'favorite' password will be pushed out
290 of the history list.</t>
292 <t>This process may be made less attractive to users by employing a
293 minimum age for passwords. If users are forced to wait 24 hours
294 between password changes, they may be less likely to cycle through a
295 history of 10 passwords.</t>
299 <section title="Password Quality and Minimum length">
301 <t>In order to prevent users from creating or updating passwords that
302 are easy to guess, a password quality policy may be employed. This
303 policy consists of two general mechanisms - ensuring that passwords
304 conform to a defined quality criterion and ensuring that they are of
305 a minimum length.</t>
307 <t>Forcing a password to comply with the quality policy may imply a
308 variety of things including:
309 <list style="symbols">
<t>Disallowing trivial or well-known words from making up the password.</t>
<t>Forcing a certain number of digits to be used.</t>
<t>Disallowing anagrams of the user's name.</t></list></t>
317 <t>The implementation of this policy meets with the following problems:
318 <list style="symbols">
320 <t>If the password to be added or updated is encrypted by the client
321 before being sent, the server has no way of enforcing this policy.
322 Therefore, the onus of enforcing this policy falls upon client
325 <t>There are no specific definitions of what 'quality checking'
326 means. This can lead to unexpected behavior in a heterogeneous
327 environment.</t></list></t>
331 <section title="User Defined Passwords">
333 <t>In some cases, it is desirable to disallow users from adding and
334 updating their own passwords. This policy makes this functionality
338 <section title="Password Change after Reset">
340 <t>This policy forces the user to update her password after it has been
341 set for the first time, or has been reset by a password
344 <t>This is needed in scenarios where a password administrator has set or
345 reset the password to a well-known value.</t>
349 <section title="Safe Modification">
351 <t>As directories become more commonly used, it will not be unusual for
352 clients to connect to a directory and leave the connection open for
353 an extended period. This opens up the possibility for an intruder to
354 make modifications to a user's password while that user's computer is
355 connected but unattended.</t>
357 <t>This policy forces the user to prove his identity by specifying the
358 old password during a password modify operation.</t>
360 <t>{TODO: This allows a dictionary attack unless we specify that this is
361 also subject to intruder detection. One solution is to require users
362 to authN prior to changing password. Another solution is to perform
363 intruder detection checks when the password for a non-authenticated
364 identity is being updated}</t>
369 <section title="Restriction of the Password Policy">
<t>The password policy defined in this document can apply to any
attribute containing a password. Password policy state information
is held in the user's entry, and applies to a password attribute, not
a particular password attribute value. Thus the server SHOULD
enforce that the password attribute subject to password policy
contains one and only one password value.</t>
381 <section title="Schema used for Password Policy">
383 <t>The schema elements defined here fall into two general categories. A
384 password policy object class is defined which contains a set of
385 administrative password policy attributes, and a set of operational
386 attributes are defined that hold general password policy state
387 information for each user.</t>
389 <section title="The pwdPolicy Object Class">
391 <t>This object class contains the attributes defining a password policy
392 in effect for a set of users. <xref target="admin"/> describes the
393 administration of this object, and the relationship between it and
394 particular objects.</t>
397 ( 1.3.6.1.4.1.42.2.27.8.2.1
401 MUST ( pwdAttribute )
402 MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
403 pwdMinLength $ pwdMaxLength $ pwdExpireWarning $
404 pwdGraceAuthNLimit $ pwdGraceExpiry $ pwdLockout $
405 pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
406 pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
407 pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
412 <section title="Attribute Types used in the pwdPolicy ObjectClass">
414 <t>Following are the attribute types used by the pwdPolicy object class.</t>
416 <section title="pwdAttribute">
418 <t>This holds the name of the attribute to which the password policy is
419 applied. For example, the password policy may be applied to the
420 userPassword attribute.</t>
423 ( 1.3.6.1.4.1.42.2.27.8.1.1
425 EQUALITY objectIdentifierMatch
426 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
431 <section title="pwdMinAge">
433 <t>This attribute holds the number of seconds that must elapse between
434 modifications to the password. If this attribute is not present, 0
435 seconds is assumed.</t>
438 ( 1.3.6.1.4.1.42.2.27.8.1.2
440 EQUALITY integerMatch
441 ORDERING integerOrderingMatch
442 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
448 <section title="pwdMaxAge">
450 <t>This attribute holds the number of seconds after which a modified
451 password will expire.</t>
<t>If this attribute is not present, or if the value is 0, the password
does not expire. If not 0, the value must be greater than or equal
to the value of pwdMinAge.</t>
458 ( 1.3.6.1.4.1.42.2.27.8.1.3
460 EQUALITY integerMatch
461 ORDERING integerOrderingMatch
462 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
468 <section title="pwdInHistory">
470 <t>This attribute specifies the maximum number of used passwords stored
471 in the pwdHistory attribute.</t>
473 <t>If this attribute is not present, or if the value is 0, used
474 passwords are not stored in the pwdHistory attribute and thus may be
478 ( 1.3.6.1.4.1.42.2.27.8.1.4
480 EQUALITY integerMatch
481 ORDERING integerOrderingMatch
482 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
488 <section title="pwdCheckQuality">
490 <t>{TODO: Consider changing the syntax to OID. Each OID will list a
491 quality rule (like min len, # of special characters, etc). These
492 rules can be specified outside this document.}</t>
494 <t>{TODO: Note that even though this is meant to be a check that happens
495 during password modification, it may also be allowed to happen during
496 authN. This is useful for situations where the password is encrypted
497 when modified, but decrypted when used to authN.}</t>
499 <t>This attribute indicates how the password quality will be verified
500 while being modified or added. If this attribute is not present, or
501 if the value is '0', quality checking will not be enforced. A value
502 of '1' indicates that the server will check the quality, and if the
503 server is unable to check it (due to a hashed password or other
504 reasons) it will be accepted. A value of '2' indicates that the
505 server will check the quality, and if the server is unable to verify
506 it, it will return an error refusing the password.</t>
509 ( 1.3.6.1.4.1.42.2.27.8.1.5
510 NAME 'pwdCheckQuality'
511 EQUALITY integerMatch
512 ORDERING integerOrderingMatch
513 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
519 <section title="pwdMinLength">
521 <t>When quality checking is enabled, this attribute holds the minimum
522 number of characters that must be used in a password. If this
523 attribute is not present, no minimum password length will be
524 enforced. If the server is unable to check the length (due to a
525 hashed password or otherwise), the server will, depending on the
526 value of the pwdCheckQuality attribute, either accept the password
527 without checking it ('0' or '1') or refuse it ('2').</t>
530 ( 1.3.6.1.4.1.42.2.27.8.1.6
532 EQUALITY integerMatch
533 ORDERING integerOrderingMatch
534 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
540 <section title="pwdMaxLength">
542 <t>When quality checking is enabled, this attribute holds the maximum
543 number of characters that may be used in a password. If this
544 attribute is not present, no maximum password length will be
545 enforced. If the server is unable to check the length (due to a
546 hashed password or otherwise), the server will, depending on the
547 value of the pwdCheckQuality attribute, either accept the password
548 without checking it ('0' or '1') or refuse it ('2').</t>
551 ( 1.3.6.1.4.1.42.2.27.8.1.31
553 EQUALITY integerMatch
554 ORDERING integerOrderingMatch
555 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
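<t>The following is an added example, not text or code from this draft: a small Python quality checker that applies the three pwdCheckQuality values ('0' no check, '1' check but accept what cannot be verified, '2' check and refuse what cannot be verified) together with pwdMinLength and pwdMaxLength and the three example rules listed under "Password Quality and Minimum length". The "{scheme}" prefix test for a client-hashed value, the TRIVIAL_WORDS deny-list and the min_digits parameter are this example's own assumptions; the draft defines none of them.</t>
<figure><artwork><![CDATA[
```python
import re
from collections import Counter

# Constructed deny-list standing in for a site dictionary of trivial or
# well-known words; a real deployment would load a far larger list.
TRIVIAL_WORDS = {"password", "welcome", "letmein", "qwerty", "123456"}


def looks_hashed(value):
    """True for a value already hashed by the client (a '{scheme}' prefix such as
    {SSHA}, a common userPassword storage form; assumed here, not defined by the
    draft).  The server cannot inspect such a value, which is exactly the case
    pwdCheckQuality '1' and '2' differ on."""
    return re.match(r"^\{[A-Za-z0-9-]+\}", value) is not None


def quality_violations(password, user_name, min_length=None, max_length=None, min_digits=1):
    """Length bounds from pwdMinLength / pwdMaxLength plus the three rules the
    draft lists as examples of quality checking. min_digits is this example's own."""
    violations = []
    lowered = password.lower()
    if min_length is not None and len(password) < min_length:
        violations.append(f"shorter than pwdMinLength={min_length}")
    if max_length is not None and len(password) > max_length:
        violations.append(f"longer than pwdMaxLength={max_length}")
    if any(word in lowered for word in TRIVIAL_WORDS):
        violations.append("contains a trivial or well-known word")
    if sum(ch.isdigit() for ch in password) < min_digits:
        violations.append(f"fewer than {min_digits} digit(s)")
    # An anagram uses exactly the user's letters in any order (the name itself included).
    if Counter(lowered) == Counter(user_name.lower().replace(" ", "")):
        violations.append("is an anagram of the user's name")
    return violations


def check_password(new_value, user_name, pwdCheckQuality=0, pwdMinLength=None, pwdMaxLength=None):
    """Apply the pwdCheckQuality semantics to a proposed password.
    Returns (accepted, notes)."""
    if pwdCheckQuality == 0:
        return True, []                       # quality checking not enforced
    if looks_hashed(new_value):
        # The server cannot verify a hashed value: '1' accepts it, '2' refuses it.
        if pwdCheckQuality == 1:
            return True, ["quality not verifiable (hashed value); accepted under pwdCheckQuality=1"]
        return False, ["quality not verifiable (hashed value); refused under pwdCheckQuality=2"]
    violations = quality_violations(new_value, user_name, pwdMinLength, pwdMaxLength)
    return not violations, violations


if __name__ == "__main__":
    for candidate in ("Password1", "ecila", "{SSHA}Y29uc3RydWN0ZWQ=", "Tr0ub4dor-3xtra"):
        print(candidate, check_password(candidate, "alice", pwdCheckQuality=2, pwdMinLength=12))
```
]]></artwork></figure>
<t>The split between quality_violations and check_password mirrors the draft's caveat: the rules themselves are site-defined and not interoperable, while the handling of an unverifiable (hashed) value is fixed by the pwdCheckQuality value and is what a client can rely on.</t>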
561 <section title="pwdExpireWarning">
563 <t>This attribute specifies the maximum number of seconds before a
564 password is due to expire that expiration warning messages will be
565 returned to an authenticating user.</t>
<t>If this attribute is not present, or if the value is 0, no warnings
will be returned. If not 0, the value must be smaller than the value
of the pwdMaxAge attribute.</t>
572 ( 1.3.6.1.4.1.42.2.27.8.1.7
573 NAME 'pwdExpireWarning'
574 EQUALITY integerMatch
575 ORDERING integerOrderingMatch
576 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
582 <section title="pwdGraceAuthNLimit">
584 <t>This attribute specifies the number of times an expired password can
585 be used to authenticate. If this attribute is not present or if the
586 value is 0, authentication will fail.</t>
589 ( 1.3.6.1.4.1.42.2.27.8.1.8
590 NAME 'pwdGraceAuthNLimit'
591 EQUALITY integerMatch
592 ORDERING integerOrderingMatch
593 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
599 <section title="pwdGraceExpiry">
601 <t>This attribute specifies the number of seconds the grace
602 authentications are valid. If this attribute is not present
603 or if the value is 0, there is no time limit on the grace
607 ( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpiry'
609 EQUALITY integerMatch
610 ORDERING integerOrderingMatch
611 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
617 <section title="pwdLockout">
619 <t>This attribute indicates, when its value is "TRUE", that the password
620 may not be used to authenticate after a specified number of
621 consecutive failed bind attempts. The maximum number of consecutive
622 failed bind attempts is specified in pwdMaxFailure.</t>
<t>If this attribute is not present, or if the value is "FALSE", the
password may still be used to authenticate even after the number of
consecutive failed bind attempts specified in pwdMaxFailure has been reached.</t>
629 ( 1.3.6.1.4.1.42.2.27.8.1.9
631 EQUALITY booleanMatch
632 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
638 <section title="pwdLockoutDuration">
640 <t>This attribute holds the number of seconds that the password cannot
641 be used to authenticate due to too many failed bind attempts. If
642 this attribute is not present, or if the value is 0 the password
643 cannot be used to authenticate until reset by a password
647 ( 1.3.6.1.4.1.42.2.27.8.1.10
648 NAME 'pwdLockoutDuration'
649 EQUALITY integerMatch
650 ORDERING integerOrderingMatch
651 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
657 <section title="pwdMaxFailure">
659 <t>This attribute specifies the number of consecutive failed bind
660 attempts after which the password may not be used to authenticate.
661 If this attribute is not present, or if the value is 0, this policy
662 is not checked, and the value of pwdLockout will be ignored.</t>
665 ( 1.3.6.1.4.1.42.2.27.8.1.11
667 EQUALITY integerMatch
668 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
669 ORDERING integerOrderingMatch
675 <section title="pwdFailureCountInterval">
677 <t>This attribute holds the number of seconds after which the password
678 failures are purged from the failure counter, even though no
679 successful authentication occurred.</t>
681 <t>If this attribute is not present, or if its value is 0, the failure
682 counter is only reset by a successful authentication.</t>
685 ( 1.3.6.1.4.1.42.2.27.8.1.12
686 NAME 'pwdFailureCountInterval'
687 EQUALITY integerMatch
688 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
689 ORDERING integerOrderingMatch
695 <section title="pwdMustChange">
<t>This attribute specifies with a value of "TRUE" that users must
change their passwords when they first bind to the directory after a
password is set or reset by a password administrator. If this
attribute is not present, or if the value is "FALSE", users are not
required to change their password upon binding after the password
administrator sets or resets the password. This attribute is not set
due to any actions specified by this document; it is typically set by
a password administrator after resetting a user's password.</t>
707 ( 1.3.6.1.4.1.42.2.27.8.1.13
709 EQUALITY booleanMatch
710 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
716 <section title="pwdAllowUserChange">
718 <t>This attribute indicates whether users can change their own
719 passwords, although the change operation is still subject to access
720 control. If this attribute is not present, a value of "TRUE" is
721 assumed. This attribute is intended to be used in the absence of an
722 access control mechanism.</t>
725 ( 1.3.6.1.4.1.42.2.27.8.1.14
726 NAME 'pwdAllowUserChange'
727 EQUALITY booleanMatch
728 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
734 <section title="pwdSafeModify">
736 <t>This attribute specifies whether or not the existing password must be
737 sent along with the new password when being changed. If this
738 attribute is not present, a "FALSE" value is assumed.</t>
741 ( 1.3.6.1.4.1.42.2.27.8.1.15
743 EQUALITY booleanMatch
744 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
750 <section title="pwdMinDelay">
752 <t>This attribute specifies the number of seconds to delay responding
753 to the first failed authentication attempt. If this attribute is not
754 set or is 0, no delays will be used. pwdMaxDelay must also be specified
755 if pwdMinDelay is set.</t>
758 ( 1.3.6.1.4.1.42.2.27.8.1.24
760 EQUALITY integerMatch
761 ORDERING integerOrderingMatch
762 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
768 <section title="pwdMaxDelay">
770 <t>This attribute specifies the maximum number of seconds to delay
771 when responding to a failed authentication attempt. The time specified
772 in pwdMinDelay is used as the starting time and is then doubled on
773 each failure until the delay time is greater than or equal to pwdMaxDelay
774 (or a successful authentication occurs, which resets the failure counter).
775 pwdMinDelay must be specified if pwdMaxDelay is set.</t>
778 ( 1.3.6.1.4.1.42.2.27.8.1.25
780 EQUALITY integerMatch
781 ORDERING integerOrderingMatch
782 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
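<t>The following is an added example, not code from this draft, serving both the "Password Guessing Limit" section and the pwdMinDelay / pwdMaxDelay definitions above. It implements the failure bookkeeping the draft describes: pwdFailureTime values purged after pwdFailureCountInterval, a delay that starts at pwdMinDelay and doubles per consecutive failure up to pwdMaxDelay, and the optional lock (pwdLockout with pwdMaxFailure and pwdLockoutDuration). The attribute names are the draft's; the GuessingPolicy and FailureState classes, the gt() helper and the function names are this example's own. The draft discourages the lock in favour of the delay, so the lock only engages when pwdLockout is TRUE.</t>
<figure><artwork><![CDATA[
```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class GuessingPolicy:                 # attribute names are the draft's; the class is illustrative
    pwdMinDelay: int = 0              # 0: no delays at all
    pwdMaxDelay: int = 0              # cap reached by doubling pwdMinDelay
    pwdMaxFailure: int = 0            # 0: limit not checked, pwdLockout ignored
    pwdLockout: bool = False
    pwdLockoutDuration: int = 0       # 0: locked until reset by a password administrator
    pwdFailureCountInterval: int = 0  # 0: failures purged only by a successful bind


@dataclass
class FailureState:                   # the per-entry operational attributes involved
    pwdFailureTime: List[datetime] = field(default_factory=list)
    pwdAccountLockedTime: Optional[datetime] = None
    pwdLastSuccess: Optional[datetime] = None


def gt(stamp):
    """Parse a GeneralizedTime value in GMT, e.g. '20140701120000Z'."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def purge_stale_failures(policy, state, now):
    """Forget failures older than pwdFailureCountInterval even without a success."""
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - timedelta(seconds=policy.pwdFailureCountInterval)
        state.pwdFailureTime = [t for t in state.pwdFailureTime if t >= cutoff]


def is_locked(policy, state, now):
    """pwdAccountLockedTime plus pwdLockoutDuration decides whether the lock still holds."""
    if state.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True                   # only a password administrator can unlock
    return now < state.pwdAccountLockedTime + timedelta(seconds=policy.pwdLockoutDuration)


def delay_for(policy, failures):
    """Delay for the n-th consecutive failure: pwdMinDelay doubled per failure, capped at pwdMaxDelay."""
    if policy.pwdMinDelay == 0 or failures == 0:
        return 0
    return min(policy.pwdMinDelay * 2 ** (failures - 1), policy.pwdMaxDelay)


def record_failure(policy, state, now):
    """Bookkeeping for one failed bind; returns the seconds to delay the response."""
    purge_stale_failures(policy, state, now)
    state.pwdFailureTime.append(now)
    failures = len(state.pwdFailureTime)
    if policy.pwdMaxFailure and policy.pwdLockout and failures >= policy.pwdMaxFailure:
        state.pwdAccountLockedTime = now
    return delay_for(policy, failures)


def record_success(state, now):
    """A successful bind resets the failure counter and records pwdLastSuccess."""
    state.pwdFailureTime.clear()
    state.pwdLastSuccess = now


if __name__ == "__main__":
    # Constructed policy: delay-based, no lockout, as the draft recommends.
    policy = GuessingPolicy(pwdMinDelay=1, pwdMaxDelay=16, pwdFailureCountInterval=600)
    state = FailureState()
    for second in range(6):
        when = gt("20140701120000Z") + timedelta(seconds=second)
        print(f"failure {second + 1}: delay {record_failure(policy, state, when)} s")
```
]]></artwork></figure>
<t>Keeping the raw pwdFailureTime timestamps rather than a bare counter is what makes pwdFailureCountInterval implementable: the purge is a filter over timestamps, and the count is simply the length of what remains.</t>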
788 <section title="pwdMaxIdle">
790 <t>This attribute specifies the number of seconds an account may
791 remain unused before it becomes locked. If this attribute is not
792 set or is 0, no check is performed.</t>
795 ( 1.3.6.1.4.1.42.2.27.8.1.26
797 EQUALITY integerMatch
798 ORDERING integerOrderingMatch
799 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
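<t>The following is an added example, not code from this draft: a Python check of a pwdPolicy subentry against the inter-attribute constraints stated in the attribute definitions above (pwdAttribute is MUST; a non-zero pwdMaxAge is at least pwdMinAge; a non-zero pwdExpireWarning is smaller than pwdMaxAge; pwdMinDelay and pwdMaxDelay are set together; pwdLockout is ignored when pwdMaxFailure is 0) plus the draft's caveat that account locking is a DoS avenue. The two LDIF fragments are constructed: the first shows the discouraged lockout-based settings, the second the delay-based alternative. The minimal LDIF reader is this example's own and handles only one "name: value" per line.</t>
<figure><artwork><![CDATA[
```python
# Constructed LDIF fragments for two pwdPolicy subentries; DNs and cn values
# are illustrative, the attribute names are the draft's.
WEAK_POLICY_LDIF = """\
dn: cn=lockout policy,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
cn: lockout policy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 5184000
pwdExpireWarning: 7776000
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMinDelay: 1
"""

HARDENED_POLICY_LDIF = """\
dn: cn=delay policy,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
cn: delay policy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdInHistory: 10
pwdCheckQuality: 2
pwdMinLength: 12
pwdMaxFailure: 5
pwdFailureCountInterval: 600
pwdLockout: FALSE
pwdMinDelay: 1
pwdMaxDelay: 30
pwdSafeModify: TRUE
"""

INTEGER_ATTRS = {
    "pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality", "pwdMinLength",
    "pwdMaxLength", "pwdExpireWarning", "pwdGraceAuthNLimit", "pwdGraceExpiry",
    "pwdLockoutDuration", "pwdMaxFailure", "pwdFailureCountInterval",
    "pwdMinDelay", "pwdMaxDelay", "pwdMaxIdle",
}
BOOLEAN_ATTRS = {"pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify"}


def parse_policy_ldif(text):
    """Minimal LDIF reader: one 'name: value' per line, no continuation lines or base64."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name in INTEGER_ATTRS:
            policy[name] = int(value)
        elif name in BOOLEAN_ATTRS:
            policy[name] = value.upper() == "TRUE"
        elif name == "pwdAttribute":
            policy[name] = value
    return policy


def check_policy(p):
    """Return the inconsistencies the draft's attribute definitions rule out,
    plus its caveat about account locking. An empty list means the policy is consistent."""
    findings = []
    if "pwdAttribute" not in p:
        findings.append("pwdAttribute is missing (MUST in pwdPolicy)")
    max_age, min_age = p.get("pwdMaxAge", 0), p.get("pwdMinAge", 0)
    if max_age and max_age < min_age:
        findings.append("pwdMaxAge is non-zero but smaller than pwdMinAge")
    warning = p.get("pwdExpireWarning", 0)
    if warning and warning >= max_age:
        findings.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if (p.get("pwdMinDelay", 0) > 0) != (p.get("pwdMaxDelay", 0) > 0):
        findings.append("pwdMinDelay and pwdMaxDelay must be set together")
    if p.get("pwdLockout") and p.get("pwdMaxFailure", 0) == 0:
        findings.append("pwdLockout is ignored because pwdMaxFailure is 0 or absent")
    if p.get("pwdLockout"):
        findings.append("pwdLockout TRUE: account locking is an easy DoS avenue; "
                        "the draft prefers pwdMinDelay/pwdMaxDelay")
    return findings


if __name__ == "__main__":
    for label, ldif in (("weak", WEAK_POLICY_LDIF), ("hardened", HARDENED_POLICY_LDIF)):
        print(label, check_policy(parse_policy_ldif(ldif)) or ["consistent"])
```
]]></artwork></figure>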
807 <section title="Attribute Types for Password Policy State Information">
809 <t>Password policy state information must be maintained for each user.
810 The information is located in each user entry as a set of operational
811 attributes. These operational attributes are: pwdChangedTime,
812 pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
813 pwdReset, pwdPolicySubEntry, pwdStartTime, pwdEndTime, pwdLastSuccess.</t>
815 <section title="Password Policy State Attribute Option">
817 <t>Since the password policy could apply to several attributes used to
818 store passwords, each of the above operational attributes must have
819 an option to specify which pwdAttribute it applies to. The password
820 policy option is defined as the following:</t>
pwd-&lt;passwordAttribute&gt;</t>
825 <t>where passwordAttribute is a string following the OID syntax
826 (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
827 (short name) MUST be used.</t>
829 <t>For example, if the pwdPolicy object has for pwdAttribute
830 "userPassword" then the pwdChangedTime operational attribute, in a
831 user entry, will be:</t>
833 <t>pwdChangedTime;pwd-userPassword: 20000103121520Z</t>
835 <t>This attribute option follows sub-typing semantics. If a client
836 requests a password policy state attribute to be returned in a search
837 operation, and does not specify an option, all subtypes of that
838 policy state attribute are returned.</t>
841 <section title="pwdChangedTime">
843 <t>This attribute specifies the last time the entry's password was
844 changed. This is used by the password expiration policy. If this
845 attribute does not exist, the password will never expire.</t>
848 ( 1.3.6.1.4.1.42.2.27.8.1.16
849 NAME 'pwdChangedTime'
850 DESC 'The time the password was last changed'
851 EQUALITY generalizedTimeMatch
852 ORDERING generalizedTimeOrderingMatch
853 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
856 USAGE directoryOperation )
861 <section title="pwdAccountLockedTime">
863 <t>This attribute holds the time that the user's account was locked. A
864 locked account means that the password may no longer be used to
865 authenticate. A 000001010000Z value means that the account has been
866 locked permanently, and that only a password administrator can unlock
870 ( 1.3.6.1.4.1.42.2.27.8.1.17
871 NAME 'pwdAccountLockedTime'
DESC 'The time a user account was locked'
873 EQUALITY generalizedTimeMatch
874 ORDERING generalizedTimeOrderingMatch
875 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
878 USAGE directoryOperation )
883 <section title="pwdFailureTime">
885 <t>This attribute holds the timestamps of the consecutive authentication
889 ( 1.3.6.1.4.1.42.2.27.8.1.19
890 NAME 'pwdFailureTime'
891 DESC 'The timestamps of the last consecutive authentication
893 EQUALITY generalizedTimeMatch
894 ORDERING generalizedTimeOrderingMatch
895 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
897 USAGE directoryOperation )
902 <section title="pwdHistory">
904 <t>This attribute holds a history of previously used passwords. Values
905 of this attribute are transmitted in string format as given by the
909 pwdHistory = time "#" syntaxOID "#" length "#" data
911 time = GeneralizedTime
913 syntaxOID = numericoid ; the string representation of the
914 ; dotted-decimal OID that defines the
915 ; syntax used to store the password.
917 length = number ; the number of octets in data.
919 data = <octets representing the password in the format
920 specified by syntaxOID>.
922 <postamble>GeneralizedTime is specified in 3.3.13 of <xref target="RFC4517"/>. numericoid and number are specified in 1.4 of <xref target="RFC4512"/>.</postamble>
925 <t>This format allows the server to store, and transmit a history of
926 passwords that have been used. In order for equality matching to
927 function properly, the time field needs to adhere to a consistent
928 format. For this purpose, the time field MUST be in GMT format.</t>
931 ( 1.3.6.1.4.1.42.2.27.8.1.20
933 DESC 'The history of user s passwords'
934 EQUALITY octetStringMatch
935 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
937 USAGE directoryOperation )
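<t>The following is an added example, not code from this draft, serving the pwdHistory format above and the "Password History" and "Password Minimum Age" policies: it serialises and parses the time "#" syntaxOID "#" length "#" data value (time in GMT GeneralizedTime, data split at most three times because it may itself contain '#'), trims the history to pwdInHistory entries, and applies pwdMinAge and the history check before a user's change is accepted. The {SSHA} storage form used for the data field is an assumption of this example (a common userPassword scheme, not defined by the draft), as are the gt() helper and the function names.</t>
<figure><artwork><![CDATA[
```python
import base64
import hashlib
from datetime import datetime, timezone

OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"   # syntax OID of userPassword values
GT = "%Y%m%d%H%M%SZ"                              # GeneralizedTime, GMT, as the draft requires


def gt(stamp):
    """Parse a GeneralizedTime value in GMT, e.g. '20140101000000Z'."""
    return datetime.strptime(stamp, GT).replace(tzinfo=timezone.utc)


def format_history_value(changed_at, data, syntax_oid=OCTET_STRING):
    """Serialise one pwdHistory value: time "#" syntaxOID "#" length "#" data (bytes)."""
    stamp = changed_at.astimezone(timezone.utc).strftime(GT).encode()
    return b"#".join([stamp, syntax_oid.encode(), str(len(data)).encode(), data])


def parse_history_value(value):
    """Inverse of format_history_value. data may itself contain '#', so split at most 3 times
    and trust the length field to delimit it."""
    stamp, oid, length, data = value.split(b"#", 3)
    if len(data) != int(length):
        raise ValueError("pwdHistory length field does not match data")
    return gt(stamp.decode()), oid.decode(), data


def ssha_hash(password, salt):
    """{SSHA} storage form: base64(sha1(password + salt) + salt). Assumed here, not the draft's."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def matches_stored(candidate, stored):
    """Compare a cleartext candidate with a stored value ({SSHA} or cleartext)."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[6:])
        return hashlib.sha1(candidate + raw[20:]).digest() == raw[:20]
    return candidate == stored


def password_in_history(candidate, history):
    return any(matches_stored(candidate, parse_history_value(v)[2]) for v in history)


def change_allowed(candidate, history, last_changed, now, pwdMinAge=0, pwdInHistory=0):
    """Apply Password Minimum Age, then Password History, to a user's proposed password."""
    if last_changed is not None and (now - last_changed).total_seconds() < pwdMinAge:
        return False, "pwdMinAge not yet elapsed since the last change"
    if pwdInHistory > 0 and password_in_history(candidate, history):
        return False, "password is in pwdHistory"
    return True, "ok"


def record_change(history, old_stored, changed_at, pwdInHistory):
    """Store the password being replaced and keep only the pwdInHistory newest entries."""
    if pwdInHistory == 0:
        return []                              # history disabled: nothing is retained
    updated = history + [format_history_value(changed_at, old_stored)]
    updated.sort(key=lambda v: parse_history_value(v)[0])
    return updated[-pwdInHistory:]


if __name__ == "__main__":
    history = record_change([], ssha_hash(b"Winter2013!", b"salt1"), gt("20140101000000Z"), 2)
    print(history[0].decode())
    print(change_allowed(b"Winter2013!", history, gt("20140101000000Z"), gt("20140201000000Z"), 86400, 2))
```
]]></artwork></figure>
<t>Because history values carry their own timestamp, trimming is a sort by the parsed time field followed by a slice; this is also why the draft insists on a consistent GMT format, since octetStringMatch compares the serialised bytes.</t>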
942 <section title="pwdGraceUseTime">
944 <t>This attribute holds the timestamps of grace authentications after a
945 password has expired.</t>
948 ( 1.3.6.1.4.1.42.2.27.8.1.21
949 NAME 'pwdGraceUseTime'
950 DESC 'The timestamps of the grace authentication after the
951 password has expired'
952 EQUALITY generalizedTimeMatch
953 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
955 USAGE directoryOperation )
960 <section title="pwdReset">
962 <t>This attribute holds a flag to indicate (when TRUE) that the password
963 has been updated by the password administrator and must be changed by
967 ( 1.3.6.1.4.1.42.2.27.8.1.22
969 DESC 'The indication that the password has been reset'
970 EQUALITY booleanMatch
971 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
973 USAGE directoryOperation )
978 <section title="pwdPolicySubentry">
980 <t>This attribute points to the pwdPolicy subentry in effect for this
984 ( 1.3.6.1.4.1.42.2.27.8.1.23
985 NAME 'pwdPolicySubentry'
986 DESC 'The pwdPolicy subentry in effect for this object'
987 EQUALITY distinguishedNameMatch
988 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
991 USAGE directoryOperation )
996 <section title="pwdStartTime">
998 <t>This attribute specifies the time the entry's password becomes
999 valid for authentication. Authentication attempts made before this
1000 time will fail. If this attribute does not exist, then no restriction
1004 ( 1.3.6.1.4.1.42.2.27.8.1.27
1006 DESC 'The time the password becomes enabled'
1007 EQUALITY generalizedTimeMatch
1008 ORDERING generalizedTimeOrderingMatch
1009 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
1011 NO-USER-MODIFICATION
1012 USAGE directoryOperation )
1017 <section title="pwdEndTime">
1019 <t>This attribute specifies the time the entry's password becomes
1020 invalid for authentication. Authentication attempts made after this
1021 time will fail, regardless of expiration or grace settings.
1022 If this attribute does not exist, then this restriction
1026 ( 1.3.6.1.4.1.42.2.27.8.1.28
1028 DESC 'The time the password becomes disabled'
1029 EQUALITY generalizedTimeMatch
1030 ORDERING generalizedTimeOrderingMatch
1031 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
1033 NO-USER-MODIFICATION
1034 USAGE directoryOperation )
1037 <t>Note that pwdStartTime may be set to a time greater than or equal
1038 to pwdEndTime; this simply disables the account.</t>
1041 <section title="pwdLastSuccess">
1043 <t>This attribute holds the timestamp of the last successful
1047 ( 1.3.6.1.4.1.42.2.27.8.1.29
1048 NAME 'pwdLastSuccess'
1049 DESC 'The timestamp of the last successful authentication'
1050 EQUALITY generalizedTimeMatch
1051 ORDERING generalizedTimeOrderingMatch
1052 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
1054 NO-USER-MODIFICATION
1055 USAGE directoryOperation )
1062 <section title="Controls used for Password Policy">
1064 <t>This section details the controls used while enforcing password
1065 policy. A request control is defined that is sent by a client with a
1066 request operation in order to elicit a response control. The
1067 response control contains various warnings and errors associated with
1068 password policy.</t>
1070 <t>{TODO: add a note about advertisement and discovery}</t>
1072 <section title="Request Control">
1074 <t>This control MAY be sent with any LDAP request message in order to
1075 convey to the server that this client is aware of, and can process
1076 the response control described in this document. When a server
1077 receives this control, it will return the response control when
1078 appropriate and with the proper data.</t>
1080 <t>The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may
1081 be TRUE or FALSE. There is no controlValue.</t>
1084 <section title="Response Control">
1086 <t>If the client has sent a passwordPolicyRequest control, the server
1087 (when solicited by the inclusion of the request control) sends this
1088 control with the following operation responses: bindResponse,
1089 modifyResponse, addResponse, compareResponse and possibly
1090 extendedResponse, to inform of various conditions, and MAY be sent
1091 with other operations (in the case of the changeAfterReset error).
1092 The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the controlValue is
1093 the BER encoding of the following type:</t>
PasswordPolicyResponseValue ::= SEQUENCE {
   warning [0] CHOICE {
      timeBeforeExpiration [0] INTEGER (0 .. maxInt),
      graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
   error [1] ENUMERATED {
      passwordExpired (0),
      accountLocked (1),
      changeAfterReset (2),
      passwordModNotAllowed (3),
      mustSupplyOldPassword (4),
      insufficientPasswordQuality (5),
      passwordTooShort (6),
      passwordTooYoung (7),
      passwordInHistory (8) } OPTIONAL }
1112 <t>The timeBeforeExpiration warning specifies the number of seconds
1113 before a password will expire. The graceAuthNsRemaining warning
1114 specifies the remaining number of times a user will be allowed to
1115 authenticate with an expired password. The passwordExpired error
1116 signifies that the password has expired and must be reset. The
1117 changeAfterReset error signifies that the password must be changed
1118 before the user will be allowed to perform any operation other than
1119 bind and modify. The passwordModNotAllowed error is set when a user
1120 is restricted from changing her password. The
1121 insufficientPasswordQuality error is set when a password doesn't pass
1122 quality checking. The passwordTooYoung error is set if the age of
1123 the password to be modified is not yet old enough.</t>
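<t>As an added worked example (not part of the draft or of any LDAP implementation), the following Python encodes and decodes the controlValue above with a minimal BER codec and renders the decoded fields using the meanings just given. The tag octets follow from the ASN.1: the warning is a tagged CHOICE and is therefore explicitly tagged and constructed (0xA0) around the chosen alternative (0x80 or 0x81), while the error is a primitive context-specific tag (0x81). The value of maxInt is taken from the LDAP protocol definition in RFC 4511; the sample byte strings in the comments are constructed.</t>

```python
"""BER codec for the PasswordPolicyResponseValue type above (added example; not
code from the draft or any LDAP server).  Tags follow from the ASN.1: 'warning
[0] CHOICE' is a tagged CHOICE, so its tag is explicit and constructed (0xA0)
and wraps the chosen alternative (0x80 timeBeforeExpiration, 0x81
graceAuthNsRemaining); 'error [1] ENUMERATED' is primitive (0x81); the outer
SEQUENCE is 0x30.  Only definite lengths are handled, which is all LDAP permits."""
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}
MAX_INT = 2**31 - 1   # maxInt as defined for the LDAP protocol in RFC 4511

def _length(n: int) -> bytes:              # definite length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _int_octets(v: int) -> bytes:          # minimal two's-complement octets, 0..maxInt
    if not 0 <= v <= MAX_INT:
        raise ValueError("value outside INTEGER (0 .. maxInt)")
    return v.to_bytes(v.bit_length() // 8 + 1, "big")

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content

def encode(time_before_expiration: int = None, grace_remaining: int = None,
           error: int = None) -> bytes:
    """Build the controlValue; warning and error are both OPTIONAL and may coexist."""
    if time_before_expiration is not None and grace_remaining is not None:
        raise ValueError("warning is a CHOICE: at most one alternative")
    if error is not None and error not in ERRORS:
        raise ValueError("unknown error enumeration")
    body = b""
    if time_before_expiration is not None:
        body += _tlv(0xA0, _tlv(0x80, _int_octets(time_before_expiration)))
    elif grace_remaining is not None:
        body += _tlv(0xA0, _tlv(0x81, _int_octets(grace_remaining)))
    if error is not None:
        body += _tlv(0x81, _int_octets(error))
    return _tlv(0x30, body)          # e.g. grace_remaining=3 -> 30 05 A0 03 81 01 03

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos), rejecting truncated or oversized input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length

def _read_int(content: bytes) -> int:
    v = int.from_bytes(content, "big", signed=True) if content else -1
    if not 0 <= v <= MAX_INT:
        raise ValueError("INTEGER outside (0 .. maxInt)")
    return v

def decode(value: bytes) -> dict:
    """Parse a controlValue into its fields (None when absent); order and cardinality are enforced."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    out = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}
    pos, seen_warning, seen_error = 0, False, False
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0xA0 and not (seen_warning or seen_error):
            seen_warning = True
            inner_tag, inner, inner_end = _read_tlv(content, 0)
            if inner_end != len(content) or inner_tag not in (0x80, 0x81):
                raise ValueError("malformed warning CHOICE")
            key = "timeBeforeExpiration" if inner_tag == 0x80 else "graceAuthNsRemaining"
            out[key] = _read_int(inner)
        elif tag == 0x81 and not seen_error:
            seen_error, out["error"] = True, _read_int(content)
            if out["error"] not in ERRORS:
                raise ValueError("unknown error enumeration")
        else:
            raise ValueError("unexpected element in PasswordPolicyResponseValue")
    return out

def is_valid(value: bytes) -> bool:       # True only for a well-formed controlValue
    try:
        decode(value)
        return True
    except ValueError:
        return False

def describe(decoded: dict) -> str:       # text a client might show, per the meanings above
    parts = []
    if decoded["timeBeforeExpiration"] is not None:
        parts.append("password expires in %d s" % decoded["timeBeforeExpiration"])
    if decoded["graceAuthNsRemaining"] is not None:
        parts.append("%d grace authentications left" % decoded["graceAuthNsRemaining"])
    if decoded["error"] is not None:
        parts.append("error: " + ERRORS[decoded["error"]])
    return "; ".join(parts) or "no password policy condition"
```

<t>The decoder deliberately rejects a second warning, an error that precedes a warning, unknown tags and truncated lengths instead of skipping them; a client that tolerates such input can be steered into reporting a condition the server never sent. encode(time_before_expiration=300, error=2) yields the combined form 30 09 A0 04 80 02 01 2C 81 01 02, in which both a warning and an error are present.</t>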
1125 <t>Typically, only either a warning or an error will be encoded though
1126 there may be exceptions. For example, if the user is required to
1127 change a password after the password administrator set it, and the
1128 password will expire in a short amount of time, the control may
1129 include the timeBeforeExpiration warning and the changeAfterReset
1135 <section title="Policy Decision Points">
1137 <t>Following are a number of procedures used to make policy decisions.
1138 These procedures are typically performed by the server while
1139 processing an operation.</t>
1141 <t>The following sections contain detailed instructions that refer to
1142 attributes of the pwdPolicy object class. When doing so, the
1143 attribute of the pwdPolicy object that governs the entry being
1144 discussed is implied.</t>
1146 <section anchor="lockcheck" title="Locked Account Check">
1148 <t>A status of true is returned to indicate that the account is locked
1149 if any of these conditions are met:
1151 <list style="symbols">
1152 <t>The value of the pwdAccountLockedTime attribute is 000001010000Z.</t>
1154 <t>The current time is less than the value of the pwdStartTime
1157 <t>The current time is greater than or equal to the value of the
1158 pwdEndTime attribute.</t>
1160 <t>The current time is greater than or equal to the value of the
1161 pwdLastSuccess attribute added to the value of the pwdMaxIdle
1164 <t>The current time is less than the value of the
1165 pwdAccountLockedTime attribute added to the value of the
1166 pwdLockoutDuration.</t>
1169 <t>Otherwise a status of false is returned.</t>
1173 <section anchor="changenow" title="Password Must be Changed Now Check">
1175 <t>A status of true is returned to indicate that the password must be
1176 changed if all of these conditions are met:
1178 <list style="symbols">
1179 <t>The pwdMustChange attribute is set to TRUE.</t>
1181 <t>The pwdReset attribute is set to TRUE.</t>
1184 <t>Otherwise a status of false is returned.</t>
1187 <section anchor="expcheck" title="Password Expiration Check">
1189 <t>A status of true is returned indicating that the password has expired
1190 if the current time minus the value of pwdChangedTime is greater than
1191 the value of the pwdMaxAge.</t>
1193 <t>Otherwise, a status of false is returned.</t>
1197 <section anchor="gracecheck" title="Remaining Grace AuthN Check">
<t>If the pwdGraceExpiry attribute is present, and the current time is
greater than the password expiration time plus the pwdGraceExpiry
value, zero is returned.</t>
<t>Otherwise, if pwdGraceAuthNLimit is present and non-zero, the number
of values in the pwdGraceUseTime attribute (zero if that attribute is
absent) subtracted from the value of pwdGraceAuthNLimit is returned.
Otherwise zero is returned. A positive result specifies the number of
remaining grace authentications.</t>
1210 <section anchor="expwarn" title="Time Before Expiration Check">
1212 <t>If the pwdExpireWarning attribute is not present a zero status is
1213 returned. Otherwise the following steps are followed:</t>
<t>Subtract the time stored in pwdChangedTime from the current time to
arrive at the password's age. If the password's age is greater than
the value of the pwdMaxAge attribute, a zero status is returned.
Subtract the value of the pwdExpireWarning attribute from the value
of the pwdMaxAge attribute to arrive at the warning age. If the
password's age is equal to or greater than the warning age, the value
of pwdMaxAge minus the password's age is returned; otherwise zero is
returned.</t>
1224 <section anchor="intruderlock" title="Intruder Lockout Check">
1226 <t>A status of true indicating that an intruder has been detected is
1227 returned if the following conditions are met:
1229 <list style="symbols">
1230 <t>The pwdLockout attribute is TRUE.</t>
<t>The number of values in the pwdFailureTime attribute that are
younger than pwdFailureCountInterval is greater than or equal to the
pwdMaxFailure attribute.</t>
1237 <t>Otherwise a status of false is returned.</t>
1239 <t>While performing this check, values of pwdFailureTime that are old by
1240 more than pwdFailureCountInterval are purged and not counted.</t>
1244 <section anchor="delaycheck" title="Intruder Delay Check">
1246 <t>If the pwdMinDelay attribute is 0 or not set, zero is returned.</t>
1248 <t>Otherwise, a delay time is computed based on the number of values
1249 in the pwdFailureTime attribute. If the computed value is greater
1250 than the pwdMaxDelay attribute, the pwdMaxDelay value is returned.</t>
1252 <t>While performing this check, values of pwdFailureTime that are old by
1253 more than pwdFailureCountInterval are purged and not counted.</t>
1256 <section anchor="tooyoung" title="Password Too Young Check">
1258 <t>If the <xref target="changenow"/> check returned true then this
1259 check will return false, to allow the password to be changed.</t>
1261 <t>A status of true indicating that not enough time has passed since the
1262 password was last updated is returned if:
1264 <list style="symbols">
1265 <t>The value of pwdMinAge is non-zero and pwdChangedTime is present.</t>
1267 <t>The value of pwdMinAge is greater than the current time minus the
1268 value of pwdChangedTime.</t>
1271 <t>Otherwise a false status is returned.</t>
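<t>The decision points above, as one added example in Python (not the draft's or any server's code). The entry and policy are plain dicts keyed by attribute name, times are GeneralizedTime strings in GMT, and each function returns the true/false or numeric status its subsection describes, including the in-place purge of stale pwdFailureTime values. Behaviours this section does not spell out are assumptions drawn from the attribute definitions earlier in the draft: pwdMaxAge 0 means no expiry, pwdFailureCountInterval 0 means failures are never purged, pwdLockoutDuration 0 means locked until an administrator clears pwdAccountLockedTime; the growth of the pwdMinDelay delay is not fixed by the draft and is assumed to double per recorded failure. The sample policy and entries are constructed.</t>

```python
"""Policy decision points above, as one added example (not the draft's or any
server's code).  `entry` is the user's operational attributes and `policy` the
governing pwdPolicy attributes, both as dicts keyed by attribute name;
multi-valued attributes are lists; times are GeneralizedTime strings in GMT.
Assumed from attribute definitions earlier in the draft: pwdMaxAge 0 means no
expiry, pwdFailureCountInterval 0 means no purging, pwdLockoutDuration 0 means
locked until an administrator clears pwdAccountLockedTime.  The delay growth
for pwdMinDelay is left open by the draft; doubling per failure is assumed."""
from datetime import datetime, timedelta, timezone

LOCKED_FOREVER = "000001010000Z"   # sentinel named in the Locked Account Check

def parse_gt(value: str) -> datetime:
    """YYYYMMDDHHMMSS[.fff]Z -> aware UTC datetime; non-GMT values are rejected."""
    if not value.endswith("Z"):
        raise ValueError("password policy times MUST be in GMT")
    body, _, frac = value[:-1].partition(".")
    dt = datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(seconds=float("0." + frac)) if frac else dt

def _num(attrs: dict, name: str) -> int:
    return int(attrs.get(name, 0))

def _flag(attrs: dict, name: str) -> bool:
    return str(attrs.get(name, "FALSE")).upper() == "TRUE"

def _age(entry: dict, now: datetime):      # seconds since pwdChangedTime, or None
    t = entry.get("pwdChangedTime")
    return None if t is None else (now - parse_gt(t)).total_seconds()

def locked(entry: dict, policy: dict, now: datetime) -> bool:
    lt = entry.get("pwdAccountLockedTime")
    if lt == LOCKED_FOREVER:             # compared as a string: year 0000 does not parse
        return True
    if "pwdStartTime" in entry and now < parse_gt(entry["pwdStartTime"]):
        return True
    if "pwdEndTime" in entry and now >= parse_gt(entry["pwdEndTime"]):
        return True
    idle = _num(policy, "pwdMaxIdle")
    if idle and "pwdLastSuccess" in entry and now >= parse_gt(entry["pwdLastSuccess"]) + timedelta(seconds=idle):
        return True
    if lt:
        duration = _num(policy, "pwdLockoutDuration")
        return duration == 0 or now < parse_gt(lt) + timedelta(seconds=duration)
    return False

def must_change_now(entry: dict, policy: dict) -> bool:
    return _flag(policy, "pwdMustChange") and _flag(entry, "pwdReset")

def expired(entry: dict, policy: dict, now: datetime) -> bool:
    max_age, age = _num(policy, "pwdMaxAge"), _age(entry, now)
    return max_age > 0 and age is not None and age > max_age

def grace_remaining(entry: dict, policy: dict, now: datetime) -> int:
    limit, grace_expiry = _num(policy, "pwdGraceAuthNLimit"), _num(policy, "pwdGraceExpiry")
    if limit <= 0:
        return 0
    if grace_expiry and "pwdChangedTime" in entry:          # has the grace window itself closed?
        cutoff = parse_gt(entry["pwdChangedTime"]) + timedelta(seconds=_num(policy, "pwdMaxAge") + grace_expiry)
        if now > cutoff:
            return 0
    return max(0, limit - len(entry.get("pwdGraceUseTime", [])))

def time_before_expiration(entry: dict, policy: dict, now: datetime) -> int:
    warn, max_age, age = _num(policy, "pwdExpireWarning"), _num(policy, "pwdMaxAge"), _age(entry, now)
    if not warn or not max_age or age is None or age > max_age or age < max_age - warn:
        return 0
    return int(max_age - age)

def _recent_failures(entry: dict, policy: dict, now: datetime) -> list:
    """Purge pwdFailureTime values older than pwdFailureCountInterval (in place); return the rest."""
    interval, times = _num(policy, "pwdFailureCountInterval"), entry.get("pwdFailureTime", [])
    if interval:
        times = [t for t in times if (now - parse_gt(t)).total_seconds() <= interval]
    entry["pwdFailureTime"] = times
    return times

def intruder_detected(entry: dict, policy: dict, now: datetime) -> bool:
    limit = _num(policy, "pwdMaxFailure")
    return _flag(policy, "pwdLockout") and limit > 0 and len(_recent_failures(entry, policy, now)) >= limit

def intruder_delay(entry: dict, policy: dict, now: datetime) -> int:
    min_delay, n = _num(policy, "pwdMinDelay"), len(_recent_failures(entry, policy, now))
    if not min_delay or not n:
        return 0
    delay, max_delay = min_delay * 2 ** (n - 1), _num(policy, "pwdMaxDelay")   # assumed growth
    return min(delay, max_delay) if max_delay else delay

def too_young(entry: dict, policy: dict, now: datetime) -> bool:
    if must_change_now(entry, policy):                       # a forced change is never too young
        return False
    min_age, age = _num(policy, "pwdMinAge"), _age(entry, now)
    return min_age > 0 and age is not None and age < min_age

# Constructed sample data (not from the draft): 90-day maximum age, 7-day warning,
# 1-hour minimum age, 3 grace logins, 15-minute lockout after 5 failures within 5 minutes.
POLICY = {"pwdMaxAge": 90 * 86400, "pwdExpireWarning": 7 * 86400, "pwdMinAge": 3600,
          "pwdGraceAuthNLimit": 3, "pwdMustChange": "TRUE", "pwdLockout": "TRUE",
          "pwdMaxFailure": 5, "pwdFailureCountInterval": 300, "pwdLockoutDuration": 900,
          "pwdMinDelay": 1, "pwdMaxDelay": 8}
NOW, LATER = parse_gt("20240315120000Z"), parse_gt("20240315121500Z")
ENTRY_WARN = {"pwdChangedTime": "20231220120000Z"}                  # 86 days old
ENTRY_EXPIRED = {"pwdChangedTime": "20231201120000Z",              # 105 days old, 2 grace used
                 "pwdGraceUseTime": ["20240314083000Z", "20240315070000.1Z"]}
ENTRY_ATTACKED = {"pwdFailureTime": ["20240315115000Z", "20240315115500Z", "20240315115600Z",
                                     "20240315115700Z", "20240315115800Z", "20240315115900.5Z"]}
```

<t>With the constructed data, ENTRY_WARN yields a timeBeforeExpiration of 345600 seconds (four days), ENTRY_EXPIRED is expired with one grace authentication left, and ENTRY_ATTACKED trips the intruder check after the stale 11:50 failure is purged, with the computed delay capped at pwdMaxDelay. Note that the "000001010000Z" sentinel has to be compared as a string before any time parsing, since year 0000 is not a valid calendar date for most date libraries.</t>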
1275 <section anchor="server_enforce" title="Server Policy Enforcement Points">
1277 <t>The server SHOULD enforce that the password attribute subject to a
1278 password policy as defined in this document, contains one and only
1279 one password value.</t>
1281 <t>Note: The case where a single password value is stored in multiple
1282 formats simultaneously is still considered to be only one
1285 <t>The scenarios in the following operations assume that the client has
1286 attached a passwordPolicyRequest control to the request message of
1287 the operation. In the event that the passwordPolicyRequest control
1288 was not sent, no passwordPolicyResponse control is returned. All
1289 other instructions remain the same.</t>
1291 <t>For successfully completed operations, unless otherwise stated, no
1292 passwordPolicyResponse control is returned.</t>
1294 <section title="Password-based Authentication">
1296 <t>This section contains the policy enforcement rules and policy data
1297 updates used while validating a password. Operations that validate
1298 passwords include, but are not limited to, the Bind operation where
1299 the simple choice specifies a password, and the Compare operation
1300 where the attribute being compared holds a password. Note that while
1301 the Compare operation does not authenticate a user to the LDAP
1302 server, it may be used by an external application for purposes of
1305 <section title="Fail if the account is locked">
<t>If the account is locked as specified in <xref target="lockcheck"/>, the server
fails the operation with an appropriate resultCode (e.g.
invalidCredentials (49) in the case of a bind operation, compareFalse
(5) in the case of a compare operation, etc.). The server MAY set
the error: accountLocked (1) in the passwordPolicyResponse in the
controls field of the message. Servers that do so should note that this
discloses the lock state of the account to a client that has not
authenticated.</t>
1316 <section title="Validated Password Procedures">
1318 <t>If the validation operation indicates that the password validated,
1319 these procedures are followed in order:</t>
1321 <section title="Policy state updates">
1323 <t>Delete the pwdFailureTime and pwdAccountLockedTime attributes.</t>
1325 <t>Set the value of the pwdLastSuccess attribute to the current time.</t>
1327 <t>Note: setting pwdLastSuccess is optional, but it is required if
1328 the policy has pwdMaxIdle defined.</t>
1331 <section title="Password must be changed now">
<t>If the decision in <xref target="changenow"/> returns true, the server sends to the
client a response with an appropriate successful resultCode (e.g.
success (0), compareTrue (6), etc.), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: changeAfterReset (2) specified.</t>
<t>For bind, the server MUST then disallow all operations issued by this
user except modify password, bind, unbind, abandon and StartTLS
extended operation.</t>
1344 <section title="Expired password">
1346 <t>If the password has expired as per <xref target="expcheck"/>, the server either
1347 returns a success or failure based on the state of grace
1348 authentications.</t>
1350 <section title="Remaining Grace Authentications">
<t>If there are remaining grace authentications as per <xref target="gracecheck"/>, the
server adds a new value with the current time in pwdGraceUseTime.
Then it sends to the client a response with an appropriate successful
resultCode (e.g. success (0), compareTrue (6), etc.), and includes
the passwordPolicyResponse in the controls field of the response
message with the warning: graceAuthNsRemaining choice set to the
number of grace authentications left.</t>
1360 <t>Implementor's note: The system time of the host machine may be more
1361 granular than is needed to ensure unique values of this attribute.
1362 It is recommended that a mechanism is used to ensure unique
1363 generalized time values. The fractional seconds field may be used
1364 for this purpose.</t>
1368 <section title="No Remaining Grace Authentications">
<t>If there are no remaining grace authentications, the server fails the
operation with an appropriate resultCode (invalidCredentials (49),
compareFalse (5), etc.), and includes the passwordPolicyResponse in
the controls field of the response message with the error:
passwordExpired (0) set.</t>
1378 <section title="Expiration Warning">
<t>If the result of <xref target="expwarn"/> is a positive number, the server sends
to the client a response with an appropriate successful resultCode
(e.g. success (0), compareTrue (6), etc.), and includes the
passwordPolicyResponse in the controls field of the response
message with the warning: timeBeforeExpiration set to the value as
described above. Otherwise, the server sends a successful response
and omits the passwordPolicyResponse.</t>
1390 <section title="AuthN Failed Procedures">
1392 <t>If the authentication process indicates that the password failed
1393 validation due to invalid credentials, these procedures are followed:</t>
1395 <section title="Policy state update">
1397 <t>Add the current time as a value of the pwdFailureTime attribute.</t>
1399 <t>Implementor's note: The system time of the host machine may be more
1400 granular than is needed to ensure unique values of this attribute.
1401 It is recommended that a mechanism is used to ensure unique
1402 generalized time values. The fractional seconds field may be used
1403 for this purpose.</t>
1407 <section title="Handle Intruder Detection">
1409 <t>If the check in <xref target="intruderlock"/> returns a true state, the server locks
1410 the account by setting the value of the pwdAccountLockedTime
1411 attribute to the current time. After locking the account, the server
1412 fails the operation with an appropriate resultCode
1413 (invalidCredentials (49), compareFalse (5), etc.), and includes the
1414 passwordPolicyResponse in the controls field of the message with the
1415 error: accountLocked (1).</t>
1417 <t>If the check in <xref target="delaycheck"/> returns a non-zero value,
1418 the server waits that number of seconds before sending the authentication
1419 response back to the client.</t>
1424 <section title="Password Update Operations">
1426 <t>Because the password is stored in an attribute, various operations
1427 (like add and modify) may be used to create or update a password.
1428 But some alternate mechanisms have been defined or may be defined,
1429 such as the LDAP Password Modify Extended Operation <xref target="RFC3062"/>.</t>
1431 <t>While processing a password update, the server performs the following
1434 <section title="Safe Modification">
1436 <t>If pwdSafeModify is set to TRUE and if there is an existing password
1437 value, the server ensures that the password update operation includes
1438 the user's existing password.</t>
1440 <t>When the LDAP modify operation is used to modify a password, this is
1441 done by specifying both a delete action and an add or replace action,
1442 where the delete action specifies the existing password, and the add
1443 or replace action specifies the new password. Other password update
1444 operations SHOULD employ a similar mechanism. Otherwise this policy
1447 <t>If the existing password is not specified, the server does not
1448 process the operation and sends the appropriate response message to
1449 the client with the resultCode: insufficientAccessRights (50), and
1450 includes the passwordPolicyResponse in the controls field of the
1451 response message with the error: mustSupplyOldPassword (4).</t>
1454 <section title="Change After Reset">
1456 <t>If the decision in <xref target="changenow"/> returns true, the server ensures that
1457 the password update operation contains no modifications other than
1458 the modification of the password attribute. If other modifications
1459 exist, the server sends a response message to the client with the
1460 resultCode: insufficientAccessRights (50), and includes the
1461 passwordPolicyResponse in the controls field of the response message
1462 with the error: changeAfterReset (2).</t>
1465 <section title="Rights Check">
1467 <t>Check to see whether the bound identity has sufficient rights to
1468 update the password. If the bound identity is a user changing its
1469 own password, this MAY be done by checking the pwdAllowUserChange
1470 attribute or using an access control mechanism. The determination of
1471 this is implementation specific. If the user is not allowed to
1472 update her password, the server sends a response message to the
1473 client with the resultCode: insufficientAccessRights (50), and
1474 includes the passwordPolicyResponse in the controls field of the
1475 response message with the error: passwordModNotAllowed (3).</t>
1478 <section title="Too Early to Update">
<t>If the check in <xref target="tooyoung"/> results in a true status, the server sends
a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse in
the controls field of the response message with the error:
passwordTooYoung (7).</t>
1487 <section title="Password Quality">
1489 <t>Check the value of the pwdCheckQuality attribute. If the value is
1490 non-zero, the server:
1492 <list style="symbols">
<t>Ensures that the password meets the quality criteria enforced by
1494 the server. This enforcement is implementation specific.
1495 If the server is unable to check the quality (due to a hashed
1496 password or otherwise), the value of pwdCheckQuality is evaluated.
1497 If the value is 1, operation continues. If the value is 2, the
1498 server sends a response message to the client with the resultCode:
1499 constraintViolation (19), and includes the passwordPolicyResponse
1500 in the controls field of the response message with the error:
1501 insufficientPasswordQuality (5).<vspace blankLines="1"/>
1502 If the server is able to check the password quality, and the check
1503 fails, the server sends a response message to the client with the
1504 resultCode: constraintViolation (19), and includes the
1505 passwordPolicyResponse in the controls field of the response
1506 message with the error: insufficientPasswordQuality (5).</t>
1508 <t>checks the value of the pwdMinLength attribute. If the value is
1509 non-zero, it ensures that the new password is of at least the
1510 minimum length.<vspace blankLines="1"/>
1511 If the server is unable to check the length (due to a hashed
1512 password or otherwise), the value of pwdCheckQuality is evaluated.
1513 If the value is 1, operation continues. If the value is 2, the
1514 server sends a response message to the client with the resultCode:
1515 constraintViolation (19), and includes the passwordPolicyResponse
1516 in the controls field of the response message with the error:
1517 passwordTooShort (6).<vspace blankLines="1"/>
1518 If the server is able to check the password length, and the check
1519 fails, the server sends a response message to the client with the
1520 resultCode: constraintViolation (19), and includes the
1521 passwordPolicyResponse in the controls field of the response
1522 message with the error: passwordTooShort (6).</t>
1527 <section title="Invalid Reuse">
1529 <t>If pwdInHistory is present and its value is non-zero, the server
1530 checks whether this password exists in the entry's pwdHistory
1531 attribute or in the current password attribute. If the password does
1532 exist in the pwdHistory attribute or in the current password
1533 attribute, the server sends a response message to the client with the
1534 resultCode: constraintViolation (19), and includes the
1535 passwordPolicyResponse in the controls field of the response message
1536 with the error: passwordInHistory (8).</t>
1539 <section title="Policy State Updates">
1541 <t>If the steps have completed without causing an error condition, the
1542 server performs the following steps in order to update the necessary
1543 password policy state attributes:</t>
1545 <t>If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
1546 updates the pwdChangedTime attribute on the entry to the current
1549 <t>If the value of pwdInHistory is non-zero, the server adds the
1550 previous password (if one existed) to the pwdHistory attribute. If
1551 the number of attributes held in the pwdHistory attribute exceeds the
1552 value of pwdInHistory, the server removes the oldest excess
<t>If the value of pwdMustChange is TRUE and the modification is
performed by a password administrator, then the pwdReset attribute is
set to TRUE. Otherwise, pwdReset is removed from the user's
entry if it exists.</t>
<t>The pwdFailureTime and pwdGraceUseTime attributes are removed from the
user's entry if they exist.</t>
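<t>The password update enforcement points above, as one added example in Python (not the draft's or any server's code). It walks a modify request through Safe Modification, Change After Reset, the rights check, the quality and length checks with the pwdCheckQuality 1/2 handling for values the server cannot inspect, the pwdHistory reuse check, and the policy state updates, and returns the resultCode and passwordPolicyResponse error the server would send. Stored passwords and history values are salted SHA-256 strings with an invented "{SSHA256}" prefix rather than the draft's pwdHistory value syntax, the quality rule is invented, and the sample policy and entry are constructed; all of these are assumptions.</t>

```python
"""Password update enforcement points above, as one added example (not the
draft's or any server's code).  A modify request is a list of (op, attribute,
values) tuples, e.g. ("delete", "userPassword", ["old"]) followed by
("replace", "userPassword", ["new"]).  Assumptions: stored passwords and
pwdHistory values are salted SHA-256 strings prefixed "{SSHA256}" (the draft's
pwdHistory value syntax is not reproduced); a client-supplied value with that
prefix is treated as pre-hashed, which is what defeats quality and reuse
checks; the quality rule (a letter, a digit, no whitespace) is invented."""
import hashlib, hmac, os, re
INSUFFICIENT_ACCESS_RIGHTS, CONSTRAINT_VIOLATION = 50, 19          # LDAP resultCodes
CHANGE_AFTER_RESET, PASSWORD_MOD_NOT_ALLOWED, MUST_SUPPLY_OLD_PASSWORD = 2, 3, 4
INSUFFICIENT_PASSWORD_QUALITY, PASSWORD_TOO_SHORT, PASSWORD_IN_HISTORY = 5, 6, 8
HASH_PREFIX = "{SSHA256}"
QUALITY_RULE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)\S+$")

class PolicyError(Exception):              # the (resultCode, ppolicy error) pair to return
    def __init__(self, result_code: int, ppolicy_error: int):
        super().__init__(f"resultCode {result_code}, error {ppolicy_error}")
        self.result_code, self.ppolicy_error = result_code, ppolicy_error

def hash_pw(pw: str, salt: bytes = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    return HASH_PREFIX + salt.hex() + "$" + hashlib.sha256(salt + pw.encode()).hexdigest()

def verify_pw(pw: str, stored: str) -> bool:
    salt_hex, _, digest = stored[len(HASH_PREFIX):].partition("$")
    calc = hashlib.sha256(bytes.fromhex(salt_hex) + pw.encode()).hexdigest()
    return hmac.compare_digest(calc, digest)

def _password_values(mods: list, attr: str):
    """(old, new) from the delete and add/replace actions on the password attribute."""
    old = new = None
    for op, name, values in mods:
        if name == attr and values and op == "delete":
            old = values[0]
        elif name == attr and values and op in ("add", "replace"):
            new = values[0]
    return old, new

def update_password(entry: dict, policy: dict, mods: list, by_admin: bool, now_gt: str,
                    attr: str = "userPassword") -> dict:
    """Apply the enforcement points in the draft's order; raise PolicyError or update state."""
    old, new = _password_values(mods, attr)
    if new is None:
        raise ValueError("request carries no new password")
    must_change = policy.get("pwdMustChange") == "TRUE" and entry.get("pwdReset") == "TRUE"
    # Safe Modification: the existing password must be supplied, and be right
    if policy.get("pwdSafeModify") == "TRUE" and attr in entry:
        if old is None or not verify_pw(old, entry[attr]):
            raise PolicyError(INSUFFICIENT_ACCESS_RIGHTS, MUST_SUPPLY_OLD_PASSWORD)
    # Change After Reset: no modification other than the password attribute
    if must_change and any(name != attr for _, name, _ in mods):
        raise PolicyError(INSUFFICIENT_ACCESS_RIGHTS, CHANGE_AFTER_RESET)
    # Rights Check: self-service changes are gated by pwdAllowUserChange
    if not by_admin and policy.get("pwdAllowUserChange", "TRUE") != "TRUE":
        raise PolicyError(INSUFFICIENT_ACCESS_RIGHTS, PASSWORD_MOD_NOT_ALLOWED)
    # Password Quality: pwdCheckQuality 1 accepts what cannot be checked, 2 rejects it
    check, hashed = int(policy.get("pwdCheckQuality", 0)), new.startswith(HASH_PREFIX)
    if check:
        if (hashed and check == 2) or (not hashed and not QUALITY_RULE.match(new)):
            raise PolicyError(CONSTRAINT_VIOLATION, INSUFFICIENT_PASSWORD_QUALITY)
        min_len = int(policy.get("pwdMinLength", 0))
        if min_len and ((hashed and check == 2) or (not hashed and len(new) < min_len)):
            raise PolicyError(CONSTRAINT_VIOLATION, PASSWORD_TOO_SHORT)
    # Invalid Reuse: current value and pwdHistory; a pre-hashed value cannot be compared
    in_history = int(policy.get("pwdInHistory", 0))
    if in_history and not hashed:
        previous = ([entry[attr]] if attr in entry else []) + [h for _, h in entry.get("pwdHistory", [])]
        if any(verify_pw(new, h) for h in previous):
            raise PolicyError(CONSTRAINT_VIOLATION, PASSWORD_IN_HISTORY)
    # Policy State Updates
    if int(policy.get("pwdMaxAge", 0)) or int(policy.get("pwdMinAge", 0)):
        entry["pwdChangedTime"] = now_gt
    if in_history and attr in entry:
        history = entry.setdefault("pwdHistory", [])
        history.append((now_gt, entry[attr]))
        del history[:max(0, len(history) - in_history)]             # drop the oldest excess
    entry[attr] = new if hashed else hash_pw(new)
    entry.pop("pwdReset", None)
    if policy.get("pwdMustChange") == "TRUE" and by_admin:
        entry["pwdReset"] = "TRUE"
    entry.pop("pwdFailureTime", None); entry.pop("pwdGraceUseTime", None)
    return entry

def attempt(entry: dict, policy: dict, mods: list, by_admin: bool, now_gt="20240315120000Z"):
    """Return (resultCode, ppolicyError); (0, None) means the change was applied."""
    try:
        update_password(entry, policy, mods, by_admin, now_gt)
        return 0, None
    except PolicyError as e:
        return e.result_code, e.ppolicy_error

# Constructed sample data (not from the draft).
POLICY = {"pwdSafeModify": "TRUE", "pwdCheckQuality": 2, "pwdMinLength": 8, "pwdInHistory": 2,
          "pwdMaxAge": 7776000, "pwdMustChange": "TRUE", "pwdAllowUserChange": "TRUE"}

def sample_entry() -> dict:                # current password Winter2023a, Autumn2023z in history
    return {"userPassword": hash_pw("Winter2023a", b"\x01" * 8),
            "pwdHistory": [("20230901120000Z", hash_pw("Autumn2023z", b"\x02" * 8))],
            "pwdFailureTime": ["20240315115900Z"]}

def change(old: str, new: str, extra: list = ()) -> list:   # self-service change request
    return [("delete", "userPassword", [old]), ("replace", "userPassword", [new])] + list(extra)
```

<t>Two points the walk-through makes visible: with pwdCheckQuality set to 2 a client that sends an already hashed value is refused outright, because the server has nothing to measure, and with pwdCheckQuality 1 such a value sails past both the quality and the reuse checks, which is why a client that hashes before sending has to enforce those policies itself. An administrator reset sets pwdReset, after which a self-service change that bundles any other attribute modification fails with changeAfterReset (2).</t>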
1565 <section title="Other Operations">
1567 <t>For operations other than bind, password update, unbind, abandon or
1568 StartTLS, if the decision in <xref target="changenow"/> returns true, the server
1569 sends a response message to the client with the resultCode:
1570 insufficientAccessRights (50), and includes the
1571 passwordPolicyResponse in the controls field of the response message
1572 with the error: changeAfterReset (2).</t>
1576 <section anchor="client_enforce" title="Client Policy Enforcement Points">
1578 <t>These sections illustrate possible scenarios for each LDAP operation
1579 and define the types of responses that identify those scenarios.</t>
1581 <t>The scenarios in the following operations assume that the client
1582 attached a passwordPolicyRequest control to the request message of
1583 the operation, and thus may receive a passwordPolicyResponse control
1584 in the response message. In the event that the passwordPolicyRequest
1585 control was not sent, no passwordPolicyResponse control is returned.
1586 All other instructions remain the same.</t>
1588 <section title="Bind Operation">
1590 <t>For every bind response received, the client checks the resultCode of
1591 the bindResponse and checks for a passwordPolicyResponse control to
1592 determine if any of the following conditions are true and MAY prompt
1593 the user accordingly.
1595 <list style="symbols">
<t>bindResponse.resultCode = invalidCredentials (49),
passwordPolicyResponse.error = accountLocked (1): The account is
locked, for example because the password failure limit has been
reached. The user needs to retry later or contact the password
administrator to reset the password.</t>
1602 <t>bindResponse.resultCode = success (0),
1603 passwordPolicyResponse.error = changeAfterReset (2): The user is
1604 binding for the first time after the password administrator set
1605 the password. In this scenario, the client SHOULD prompt the user
1606 to change his password immediately.</t>
1608 <t>bindResponse.resultCode = success (0),
1609 passwordPolicyResponse.warning = graceAuthNsRemaining: The
1610 password has expired but there are remaining grace
1611 authentications. The user needs to change it.</t>
1613 <t>bindResponse.resultCode = invalidCredentials (49),
1614 passwordPolicyResponse.error = passwordExpired (0): The password
1615 has expired and there are no more grace authentications. The user
1616 contacts the password administrator in order to have its password
1619 <t>bindResponse.resultCode = success (0),
1620 passwordPolicyResponse.warning = timeBeforeExpiration: The user's
1621 password will expire in n number of seconds.</t>
1625 <section title="Modify Operations">
1627 <section title="Modify Request">
<t>If the application or client hashes or otherwise encodes the password
before sending it in a password modification operation (whether done
through modifyRequest or another password modification mechanism), the
server can no longer evaluate the cleartext value, so the client SHOULD
check the values of the pwdMinLength and pwdCheckQuality attributes
and SHOULD enforce these policies itself.</t>
1636 <section title="Modify Response">
1638 <t>If the modifyRequest operation was used to change the password, or if
1639 another mechanism is used --such as an extendedRequest-- the
1640 modifyResponse or other appropriate response MAY contain information
1641 pertinent to password policy. The client checks the resultCode of
1642 the response and checks for a passwordPolicyResponse control to
1643 determine if any of the following conditions are true and optionally
1644 notify the user of the condition.
1646 <list style="symbols">
1647 <t>pwdModResponse.resultCode = insufficientAccessRights (50),
1648 passwordPolicyResponse.error = mustSupplyOldPassword (4): The user
1649 attempted to change her password without specifying the old
1650 password but the password policy requires this.</t>
1652 <t>pwdModResponse.resultCode = insufficientAccessRights (50),
1653 passwordPolicyResponse.error = changeAfterReset (2): The user must
1654 change her password before submitting any other LDAP requests.</t>
1656 <t>pwdModResponse.resultCode = insufficientAccessRights (50),
1657 passwordPolicyResponse.error = passwordModNotAllowed (3): The user
1658 doesn't have sufficient rights to change his password.</t>
1660 <t>pwdModResponse.resultCode = constraintViolation (19),
1661 passwordPolicyResponse.error = passwordTooYoung (7): It is too
1662 soon after the last password modification to change the password.</t>
1664 <t>pwdModResponse.resultCode = constraintViolation (19),
1665 passwordPolicyResponse.error = insufficientPasswordQuality (5):
1666 The password failed quality checking.</t>
1668 <t>pwdModResponse.resultCode = constraintViolation (19),
1669 passwordPolicyResponse.error = passwordTooShort (6): The length of
1670 the password is too short.</t>
1672 <t>pwdModResponse.resultCode = constraintViolation (19),
1673 passwordPolicyResponse.error = passwordInHistory (8): The password
1674 has already been used; the user must choose a different one.</t>
1679 <section title="Add Operation">
1681 <t>If a password is specified in an addRequest, the client checks the
1682 resultCode of the addResponse and checks for a passwordPolicyResponse
1683 control to determine if any of the following conditions are true and
1684 may prompt the user accordingly.
1686 <list style="symbols">
1687 <t>addResponse.resultCode = insufficientAccessRights (50),
1688 passwordPolicyResponse.error = passwordModNotAllowed (3): The user
1689 doesn't have sufficient rights to add this password.</t>
1691 <t>addResponse.resultCode = constraintViolation (19),
1692 passwordPolicyResponse.error = insufficientPasswordQuality (5):
1693 The password failed quality checking.</t>
1695 <t>addResponse.resultCode = constraintViolation (19),
1696 passwordPolicyResponse.error = passwordTooShort (6): The length of
1697 the password is too short.</t>
1702 <section title="Compare Operation">
<t>When a compare operation is used to compare a password, the client
checks the resultCode of the compareResponse and checks for a
passwordPolicyResponse to determine if any of the following
conditions are true and MAY prompt the user accordingly. These
conditions assume that the supplied password actually matched; where
compareFalse (5) is listed below, it is returned because of password
policy state (a locked account or an expired password), not because
of a mismatch.
1710 <list style="symbols">
1711 <t>compareResponse.resultCode = compareFalse (5),
1712 passwordPolicyResponse.error = accountLocked (1): The password
1713 failure limit has been reached and the account is locked. The
1714 user needs to retry later or contact the password administrator to
1715 reset the password.</t>
1717 <t>compareResponse.resultCode = compareTrue (6),
1718 passwordPolicyResponse.warning = graceAuthNsRemaining: The
1719 password has expired but there are remaining grace
1720 authentications. The user needs to change it.</t>
1722 <t>compareResponse.resultCode = compareFalse (5),
1723 passwordPolicyResponse.error = passwordExpired (0): The password
1724 has expired and there are no more grace authentications. The user
1725 must contact the password administrator to reset the password.</t>
1727 <t>compareResponse.resultCode = compareTrue (6),
1728 passwordPolicyResponse.warning = timeBeforeExpiration: The user's
1729 password will expire in n number of seconds.</t>
1734 <section title="Other Operations">
1736 <t>For operations other than bind, unbind, abandon or StartTLS, the
1737 client checks the result code and control to determine if
1738 the user needs to change the password immediately.
1740 <list style="symbols">
1741 <t><Response>.resultCode = insufficientAccessRights (50),
1742 passwordPolicyResponse.error = changeAfterReset (2) : The user
1743 needs to change the password immediately.</t>
1748 <section anchor="admin" title="Administration of the Password Policy">
1750 <t>{TODO: Need to define an administrativeRole (need OID). Need to
1751 describe whether pwdPolicy admin areas can overlap}</t>
1753 <t>A password policy is defined for a particular subtree of the DIT by
1754 adding to an LDAP subentry whose immediate superior is the root of
1755 the subtree, the pwdPolicy auxiliary object class. The scope of the
1756 password policy is defined by the SubtreeSpecification attribute of
1757 the LDAP subentry as specified in <xref target="RFC3672"/>.</t>
1759 <t>It is possible to define password policies for different password
1760 attributes within the same pwdPolicy entry, by specifying multiple
1761 values of the pwdAttribute. But password policies could also be in
1762 separate sub entries as long as they are contained under the same
1765 <t>Only one policy may be in effect for a given password attribute
1766 in any entry. If multiple policies exist which overlap in the range
1767 of entries affected, the resulting behavior is undefined.</t>
1769 <t>Modifying the password policy MUST NOT result in any change in users'
1770 entries to which the policy applies.</t>
<t>It SHOULD be possible to override the password policy for one user
by defining a new policy in a subentry of the user entry.</t>
1775 <t>Each object that is controlled by password policy advertises the
1776 subentry that is being used to control its policy in its
1777 pwdPolicySubentry attribute. Clients wishing to examine or manage
1778 password policy for an object may interrogate the pwdPolicySubentry
1779 for that object in order to arrive at the proper pwdPolicy subentry.</t>
1782 <section title="Password Policy and Replication">
1784 <t>{TODO: This section needs to be changed to highlight the pitfalls of
1785 replication, suggest some implementation choices to overcome those
1786 pitfalls, but remove prescriptive language relating to the update of
1787 state information}</t>
1789 <t>The pwdPolicy object defines the password policy for a portion of the
1790 DIT and MUST be replicated on all the replicas of this subtree, as
1791 any subentry would be, in order to have a consistent policy among all
1792 replicated servers.</t>
1794 <t>The elements of the password policy state that relate to individual users are
1795 stored in the user entries themselves as operational attributes. Because these
1796 attributes are modified by the server even on a read-only replica (for example
1797 when a bind fails), whether and how they are replicated must be carefully considered.</t>
1799 <t>The pwdChangedTime attribute MUST be replicated on all replicas, to
1800 allow expiration of the password.</t>
1802 <t>The pwdReset attribute MUST be replicated on all replicas, to deny
1803 access to operations other than bind and modify password.</t>
1805 <t>The pwdHistory attribute MUST be replicated to writable replicas. It
1806 doesn't have to be replicated to a read-only replica, since the
1807 password will never be directly modified on this server.</t>
1809 <t>The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
1810 attributes SHOULD be replicated to writable replicas, making the
1811 password policy global for all servers. When the user entry is
1812 replicated to a read-only replica, these attributes SHOULD NOT be
1813 replicated. This means that failure counting, grace authentication
1814 counting and locking take place independently on each replicated
1815 server. For example, the effective number of failed attempts on a
1816 user password will be N x M (where N is the number of servers and M
1817 the value of the pwdMaxFailure attribute). Replicating these attributes
1818 to a read-only replica may reduce the number of tries globally but
1819 may also introduce some inconsistencies in the way the password policy
1822 <t>Note: there are some situations where global replication of these
1823 state attributes may not be desired. For example, if two clusters of
1824 replicas are geographically remote and joined by a slow network link,
1825 and their users only log in from one of the two locations, it may be
1826 unnecessary to propagate all of the state changes from one cluster
1827 to the other. Servers SHOULD allow administrators to control which
1828 attributes are replicated on a case-by-case basis.</t>
1830 <t>Servers participating in a loosely consistent multi-master
1831 replication agreement SHOULD employ a mechanism which ensures
1832 uniqueness of values when populating the attributes pwdFailureTime
1833 and pwdGraceUseTime. The method of achieving this is a local matter
1834 and may consist of using a single authoritative source for the
1835 generation of unique time values, or may consist of the use of the
1836 fractional seconds part to hold a replica identifier.</t>
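<t>The N x M figure and the uniqueness requirement can both be seen in a small simulation. The following Python is an added example for this page, not code from the draft or from any server: three replicas each hold the policy state of one constructed account, an attacker spreads wrong-password binds round-robin across them 100 ms apart, and the function reports how many binds it took before every replica refused the account. Assumptions: pwdLockout is on, pwdMaxFailure is 3, failures never expire, replication of pwdFailureTime and pwdAccountLockedTime is modelled as an immediate set union, and the replica identifier is carried in the last three digits of the fractional seconds of the GeneralizedTime value.</t>
<figure><artwork><![CDATA[
```python
"""Lockout behaviour across replicas, with and without state replication.

Added example; not part of the draft or of any LDAP server. Assumptions:
pwdLockout is on, pwdMaxFailure = 3, pwdFailureCountInterval = 0 (failures
never expire), all replicas are writable masters, replication is modelled
as an immediate set-union of pwdFailureTime values, and the replica
identifier is stored in the last three digits of the fractional seconds.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PWD_MAX_FAILURE = 3
CORRECT_PASSWORD = "correct horse"      # constructed sample credential
SAMPLE_TIME = datetime(2024, 1, 1, 12, 0, 0, 123456, tzinfo=timezone.utc)


def failure_time(now: datetime, replica_id: int, unique: bool = True) -> str:
    """pwdFailureTime value (GeneralizedTime, RFC 4517) for a failure on a replica.

    With unique=True the fraction carries millisecond time plus a 3-digit
    replica id, so two replicas never produce the same value. With
    unique=False the value is truncated to whole seconds, as a naive server
    might do; since pwdFailureTime is multi-valued and replication merges
    values as a set, such duplicates collapse and under-count failures.
    """
    assert 0 <= replica_id < 1000, "replica id must fit in three digits"
    stamp = now.astimezone(timezone.utc)
    if not unique:
        return stamp.strftime("%Y%m%d%H%M%SZ")
    micros = (stamp.microsecond // 1000) * 1000 + replica_id
    return stamp.replace(microsecond=micros).strftime("%Y%m%d%H%M%S.%fZ")


class Replica:
    """One server holding the policy state of a single test account."""

    def __init__(self, rid: int, replicate_state: bool, unique_times: bool):
        self.rid = rid
        self.replicate_state = replicate_state   # ship pwdFailureTime/pwdAccountLockedTime?
        self.unique_times = unique_times
        self.failure_times = set()               # pwdFailureTime values
        self.locked = False                      # pwdAccountLockedTime present
        self.peers: List["Replica"] = []

    def bind(self, password: str, now: datetime) -> str:
        if self.locked:
            return "accountLocked"
        if password == CORRECT_PASSWORD:
            self.failure_times.clear()
            return "success"
        self.failure_times.add(failure_time(now, self.rid, self.unique_times))
        if len(self.failure_times) >= PWD_MAX_FAILURE:
            self.locked = True
        if self.replicate_state:
            for peer in self.peers:
                peer.failure_times |= self.failure_times
                peer.locked = peer.locked or len(peer.failure_times) >= PWD_MAX_FAILURE
        return "invalidCredentials"


def attempts_to_global_lockout(n_replicas: int, replicate_state: bool,
                               unique_times: bool, max_attempts: int = 200) -> Optional[int]:
    """Wrong-password binds, spread round-robin over the replicas 100 ms apart,
    needed before every replica refuses the account; None if never reached."""
    replicas = [Replica(rid, replicate_state, unique_times) for rid in range(1, n_replicas + 1)]
    for r in replicas:
        r.peers = [p for p in replicas if p is not r]
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for attempt in range(1, max_attempts + 1):
        target = replicas[(attempt - 1) % n_replicas]
        target.bind("wrong password", t0 + timedelta(milliseconds=100 * attempt))
        if all(r.locked for r in replicas):
            return attempt
    return None


if __name__ == "__main__":
    for rep, uniq in ((False, True), (True, True), (True, False)):
        print("replicated=%-5s unique=%-5s attempts=%s"
              % (rep, uniq, attempts_to_global_lockout(3, rep, uniq)))
```
]]></artwork></figure>
<t>Without state replication the account locks only after 9 binds (N x M); with replication and unique values it locks after 3; with replication but second-resolution timestamps the merged value set collapses duplicates and the account survives 20 binds, which is why the draft asks for unique pwdFailureTime values in multi-master deployments.</t>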
1839 <section title="Security Considerations">
1841 <t>This document defines a set of rules to implement in an LDAP server,
1842 in order to mitigate some of the security risks associated with the
1843 use of passwords and to make it difficult for password cracking
1844 programs to break into directories.</t>
1846 <t>Authentication with a password MUST follow the recommendations made
1847 in <xref target="RFC4513"/>.</t>
1849 <t>Modifications of passwords SHOULD only occur when the connection is
1850 protected with confidentiality and secure authentication.</t>
1852 <t>Access controls SHOULD be used to restrict access to the password
1853 policy attributes. The attributes defined to maintain the password
1854 policy state information SHOULD only be modifiable by the password
1855 administrator or higher authority. The pwdHistory attribute MUST be
1856 subject to the same level of access control as the attribute holding
1859 <t>As it is possible to define a password policy for one specific user
1860 by adding a subentry immediately under the user's entry, Access
1861 Controls SHOULD be used to restrict the use of the pwdPolicy object
1862 class or the LDAP subentry object class.</t>
1864 <t>When the intruder detection password policy is enforced, the LDAP
1865 directory is subject to a denial of service attack. A malicious user
1866 could deliberately lock out one specific user's account (or all of
1867 them) by sending bind requests with wrong passwords. There is no way
1868 to fully protect against this kind of attack. The LDAP directory server
1869 SHOULD log as much information as it can (such as the client IP address)
1870 whenever an account is locked, in order to be able to identify the
1871 origin of the attack. Denying anonymous access to the LDAP directory
1872 also restricts this kind of attack, since the attacker must first learn
1873 valid user DNs. Using the login delay instead of the lockout mechanism
1874 will also help avoid this denial of service.</t>
1876 <t>Returning certain status codes (such as passwordPolicyResponse.error
1877 = accountLocked) allows a denial of service attacker to know that it
1878 has successfully denied service to an account. Servers SHOULD
1879 implement additional checks which return the same status as for an
1880 incorrect password when it is sensed that some number of failed
1881 authentication requests has occurred on a single connection, or from
1882 a client address. Server implementors are encouraged to invent other
1883 checks similar to this in order to thwart this type of DoS attack.</t>
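<t>The two mitigations above (log the client address on lockout; stop reporting accountLocked to a client that has itself produced many failures) can be combined in the bind path. The following Python is an added example written for this page, not code from the draft or from any server. It assumes pwdLockout is on, pwdMaxFailure is 3, failures never expire, and a hypothetical per-client threshold CLIENT_FAILURE_LIMIT of 3 failed binds from one address or one connection; the account, client addresses and connection identifiers are constructed.</t>
<figure><artwork><![CDATA[
```python
"""Bind handling that locks accounts but does not hand the attacker a receipt.

Added example; not part of the draft or of any LDAP server. Assumptions:
pwdLockout is on, pwdMaxFailure = 3, failures never expire, and a
hypothetical CLIENT_FAILURE_LIMIT of 3 failed binds from one client address
or one connection, after which a locked account is reported exactly like a
wrong password (resultCode invalidCredentials, no passwordPolicyResponse
error). Every lockout is logged with the client address and connection.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

PWD_MAX_FAILURE = 3
CLIENT_FAILURE_LIMIT = 3   # hypothetical per-client threshold


@dataclass
class BindResult:
    result_code: str                 # LDAP resultCode
    ppolicy_error: Optional[str]     # passwordPolicyResponse.error, if any


@dataclass
class Account:
    password: str            # plaintext only for the simulation
    failures: int = 0        # stands in for the number of pwdFailureTime values
    locked: bool = False     # stands in for pwdAccountLockedTime


class BindHandler:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts
        self.client_failures: Dict[tuple, int] = defaultdict(int)
        self.log: List[str] = []

    def note_client_failure(self, addr: str, conn: int) -> bool:
        """Count a failed bind against both the address and the connection;
        return True once either has reached the limit."""
        self.client_failures[("addr", addr)] += 1
        self.client_failures[("conn", conn)] += 1
        return (self.client_failures[("addr", addr)] >= CLIENT_FAILURE_LIMIT
                or self.client_failures[("conn", conn)] >= CLIENT_FAILURE_LIMIT)

    def bind(self, dn: str, password: str, addr: str, conn: int) -> BindResult:
        acct = self.accounts.get(dn)
        if acct is None:
            # Unknown DN answered like a wrong password, so DNs are not enumerable.
            self.note_client_failure(addr, conn)
            return BindResult("invalidCredentials", None)
        if acct.locked:
            noisy = self.note_client_failure(addr, conn)
            return BindResult("invalidCredentials", None if noisy else "accountLocked")
        if password == acct.password:
            acct.failures = 0
            return BindResult("success", None)
        acct.failures += 1
        noisy = self.note_client_failure(addr, conn)
        if acct.failures >= PWD_MAX_FAILURE:
            acct.locked = True
            self.log.append("account locked dn=%s client=%s conn=%d failures=%d"
                            % (dn, addr, conn, acct.failures))
            return BindResult("invalidCredentials", None if noisy else "accountLocked")
        return BindResult("invalidCredentials", None)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    h = BindHandler({alice: Account("s3cret")})        # constructed sample account
    for i in range(4):                                  # attacker from one address
        print(h.bind(alice, "guess%d" % i, "203.0.113.9", 1))
    print(h.bind(alice, "s3cret", "198.51.100.5", 2))   # the real user is told it is locked
    print(h.log)
```
]]></artwork></figure>
<t>Once the attacking client crosses the threshold it receives invalidCredentials with no passwordPolicyResponse error, exactly as for a wrong password, while the account's legitimate owner connecting from elsewhere is still told accountLocked; unknown DNs get the wrong-password answer too, so the check does not become a DN enumeration oracle. The cost is that a user who locks themselves out from their usual address is not told so either; the draft leaves the threshold, and any ageing of the per-client counters, to the implementer.</t>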
1886 <section title="IANA Considerations">
1888 <t>In accordance with <xref target="RFC4520"/> the following
1889 registrations are requested.</t>
1890 <section title="Object Identifiers">
1891 <t>The OIDs used in this specification are derived from
1892 iso(1) identified-organization(3) dod(6) internet(1) private(4)
1893 enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These
1894 OIDs have been in use since at least July 2001 when version 04
1895 of this draft was published. No additional OID assignment
1896 is being requested.</t>
1898 <section title="LDAP Protocol Mechanisms">
1899 <t>Registration of the protocol mechanisms specified in this
1900 document is requested.
1902 <list style="empty">
1903 <t>Subject: Request for LDAP Protocol Mechanism Registration</t>
1904 <t>Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1</t>
1905 <t>Description: Password Policy Request and Response Control</t>
1906 <t>Person &amp; email address to contact for further information:
1907 <list style="empty">
1908 <t>Howard Chu &lt;hyc@symas.com&gt;</t>
1910 <t>Usage: Control</t>
1911 <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
1912 <t>Author/Change Controller: IESG</t>
1916 <section title="LDAP Descriptors">
1917 <t>Registration of the descriptors specified in this
1918 document is requested.
1920 <list style="empty">
1921 <t>Subject: Request for LDAP Descriptor Registration</t>
1922 <t>Descriptor (short name): see table</t>
1923 <t>Object Identifier: see table</t>
1924 <t>Description: see table</t>
1926 <t>Person &amp; email address to contact for further information:
1926 <list style="empty">
1927 <t>Howard Chu &lt;hyc@symas.com&gt;</t>
1929 <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
1930 <t>Author/Change Controller: IESG</t>
NAME                    Type OID
1934 ----------------------- ---- ------------------------------
1935 pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1
1936 pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1
1937 pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2
1938 pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3
1939 pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4
1940 pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5
1941 pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6
1942 pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31
1943 pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7
1944 pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8
1945 pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30
1946 pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9
1947 pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10
1948 pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11
1949 pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12
1950 pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13
1951 pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14
1952 pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15
1953 pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24
1954 pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25
1955 pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26
1956 pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16
1957 pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17
1958 pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19
1959 pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20
1960 pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21
1961 pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22
1962 pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23
1963 pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27
1964 pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28
1965 pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29
1969 Legend: A = Attribute type, O = Object class
1977 <section title="LDAP AttributeDescription Options">
1979 <t>Registration of the AttributeDescription option specified
1980 in this document is requested.
1982 <list style="empty">
1983 <t>Subject: Request for LDAP Attribute Description Option Registration</t>
1984 <t>Option Name: pwd-</t>
1985 <t>Family of Options: YES</t>
1986 <t>Person &amp; email address to contact for further information:
1987 <list style="empty">
1988 <t>Howard Chu &lt;hyc@symas.com&gt;</t>
1990 <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
1991 <t>Author/Change Controller: IESG</t>
1993 <list style="empty">
1994 <t>Used with policy state attributes to specify to which password attribute
1995 the state belongs.</t></list>
2000 <section title="Acknowledgement">
2002 <t>This document is based in part on prior work done by Valerie Chu from
2003 Netscape Communications Corp, published as
2004 draft-vchu-ldap-pwd-policy-00.txt (December 1998). Prasanta Behera
2005 participated in early revisions of this document.</t>
2009 <references title="Normative References">
2022 <reference anchor="X.680">
2024 <title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
2026 <organization abbrev="ITU-T">
2027 International Telecommunications Union</organization>
2029 <date month="July" year="2002" />
2031 <seriesInfo name="ITU-T Recommendation" value="X.680" />
2034 <reference anchor="X.690">
2036 <title>Information Technology - ASN.1 encoding rules: Specification of Basic
2037 Encoding Rules (BER), Canonical Encoding Rules (CER) and
2038 Distinguished Encoding Rules (DER)</title>
2040 <organization abbrev="ITU-T">
2041 International Telecommunications Union</organization>
2043 <date month="July" year="2002" />
2045 <seriesInfo name="ITU-T Recommendation" value="X.690" />