<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2195 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2195.xml'>
<!ENTITY rfc4422 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4422.xml'>
<!ENTITY rfc4511 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4512 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4512.xml'>
<!ENTITY rfc4513 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4513.xml'>
<!ENTITY rfc4517 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<!ENTITY rfc2831 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2831.xml'>
<!ENTITY rfc3062 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3062.xml'>
<!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
<!ENTITY rfc3672 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3672.xml'>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<?rfc tocindent="no" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<rfc category="std" ipr="trust200902" docName="draft-behera-ldap-password-policy-10">
<title>Password Policy for LDAP Directories</title>
<author initials="J." fullname="Jim Sermersheim" surname="Sermersheim">
<organization>Novell, Inc</organization>
<street>1800 South Novell Place</street>
<phone>+1 801 861-3088</phone>
<email>jimse@novell.com</email>
<author initials="L." fullname="Ludovic Poitou" surname="Poitou">
<organization>Sun Microsystems</organization>
<street>180, Avenue de l'Europe</street>
<city>Zirst de Montbonnot</city> <code>38334</code> <region>Saint Ismier cedex</region>
<phone>+33 476 188 212</phone>
<email>ludovic.poitou@sun.com</email>
<author initials="H." fullname="Howard Chu" surname="Chu" role="editor">
<organization>Symas Corp.</organization>
<street>18740 Oxnard Street, Suite 313A</street>
<region>California</region>
<phone>+1 818 757-7087</phone>
<email>hyc@symas.com</email>
<date year="2009" month="August"/>
Password policy as described in this document is a set of rules that
controls how passwords are used and administered in Lightweight
Directory Access Protocol (LDAP) based directories. In order to
improve the security of LDAP directories and make it difficult for
password cracking programs to break into directories, it is desirable
to enforce a set of rules on password usage. These rules ensure that
users change their passwords periodically, that passwords meet
construction requirements and that the re-use of old passwords is
restricted, and they deter password guessing attacks.
<section title="Overview">
<t>LDAP-based directory services are currently accepted by many
organizations as the access protocol for directories. The ability to
ensure secure read and update access to directory information
throughout the network is essential to successful deployment.
Most LDAP implementations support many authentication schemes; the
most basic and widely used is simple authentication, i.e., a user DN
and password. In this case, many LDAP servers have implemented some
kind of policy related to the password used to authenticate. Among
other things, this policy includes:
<list style="symbols">
<t>Whether and when passwords expire.</t>
<t>Whether failed bind attempts cause the account to be locked.</t>
<t>If and how users are able to change their passwords.</t></list></t>
<t>In order to achieve greater security protection and ensure
interoperability in a heterogeneous environment, LDAP needs to
standardize on a common password policy model. This is critical to
the successful deployment of LDAP directories.</t>
<section title="Conventions">
<t>Imperative keywords defined in <xref target="RFC2119"/> are used in this document,
and carry the meanings described there.</t>
<t>All ASN.1 <xref target="X.680"/> Basic Encoding Rules (BER) <xref target="X.690"/> encodings follow the
conventions found in Section 5.1 of <xref target="RFC4511"/>.</t>
<t>The term "password administrator" refers to a user that has
sufficient access control privileges to modify users' passwords. The
term "password policy administrator" refers to a user that has
sufficient access control privileges to modify the pwdPolicy object
defined in this document. The access control that is used to
determine whether an identity is a password administrator or password
policy administrator is beyond the scope of this document, but
typically implies that the password administrator has 'write'
privileges to the password attribute.</t>
<section title="Application of Password Policy">
<t>The password policy defined in this document can be applied to any
attribute holding a user's password used for an authenticated LDAP
bind operation. In this document, the term "user" represents any
LDAP client application that has an identity in the directory.</t>
<t>This policy is typically applied to the userPassword attribute in the
case of the LDAP simple authentication method <xref target="RFC4511"/> or the case
of password based SASL <xref target="RFC4422"/> authentication such as CRAM-MD5
<xref target="RFC2195"/> and DIGEST-MD5 <xref target="RFC2831"/>.</t>
<t>The policy described in this document assumes that the password
attribute holds a single value. No considerations are made for
directories or systems that allow a user to maintain multi-valued
password attributes.</t>
<t>Server implementations MAY institute internal policy whereby certain
identities (such as directory administrators) are not forced to
comply with any of the password policy. In this case, the password for a
directory administrator never expires; the account is never locked,
<section title="Articles of Password Policy">
<t>The following sections explain in general terms each aspect of the
password policy defined in this document as well as the need for
each. These policies are subdivided into the general groups of
password usage and password modification. Implementation details are
presented in <xref target="server_enforce"/> and <xref target="client_enforce"/>.</t>
<section title="Password Usage Policy">
<t>This section describes policy enforced when a password is used to
authenticate. The general focus of this policy is to minimize the
threat of intruders once a password is in use.</t>
<section title="Password Validity Policy">
<t>These mechanisms allow account usage to be controlled independently
of any password expiration policies. The policy defines the absolute
period of time for which an account may be used. This
allows an administrator to define an absolute starting time after which
a password becomes valid, and an absolute ending time after which the
password is disabled.</t>
<t>A mechanism is also provided to define the period of time for which
an account may remain unused before being disabled.</t>
<section title="Password Guessing Limit">
<t>In order to prevent intruders from guessing a user's password, a
mechanism exists to track the number of consecutive failed
authentication attempts, and take action when a limit is reached.
This policy consists of several parts:
<list style="symbols">
<t>A counter to track the number of failed authentication attempts.</t>
<t>The amount of time to delay on the first authentication failure.</t>
<t>The maximum amount of time to delay on subsequent failures.</t>
<t>A timeframe in which the limit of consecutive failed
authentication attempts must happen before action is taken.</t>
<t>A configurable limit on failed authentication attempts.</t>
<t>The action to be taken when the limit is reached. The action will
either be nothing, or the account will be locked.</t>
<t>An amount of time the account is locked (if it is to be locked).
This can be indefinite.</t></list></t>
<t>Note that using the account lock feature provides an easy
avenue for Denial-of-Service (DoS) attacks on user accounts. While
some sites' policies require accounts to be locked, this feature is
discouraged in favor of delaying each failed login attempt.</t>
<t>The delay time will be doubled on each subsequent failure, until it
reaches the maximum time configured.</t>
<t>[TBD: we could also provide a syntax for configuring a backoff
algorithm. E.g. "+&lt;int&gt;" for linearly incrementing delay,
"x&lt;int&gt;" for constant multiplier, "^&lt;int&gt;" for geometric.
But it's probably overkill to add a calculator
language to the server.]</t>
<section title="Password Modification Policy">
<t>This section describes policy enforced while users are modifying
passwords. The general focus of this policy is to ensure that when
users add or change their passwords, the security and effectiveness
of their passwords is maximized. In this document, the term "modify
password operation" refers to any operation that is used to add or
modify a password attribute. Often this is done by updating the
password attribute during an add or modify operation, but MAY be done
by other means such as an extended operation.</t>
<section title="Password Expiration, Expiration Warning, and Grace Authentications">
<t>One of the key properties of a password is the fact that it is not
well known. If a password is frequently changed, the chances of that
user's account being broken into are minimized.</t>
<t>Password policy administrators may deploy a password policy that
causes passwords to expire after a given amount of time, thus
forcing users to change their passwords periodically.</t>
<t>As a side effect, there needs to be a way in which users are made
aware of this need to change their password before actually being
locked out of their accounts. One or both of the following methods
<list style="symbols">
<t>A warning may be returned to the user sometime before his password
is due to expire. If the user fails to heed this warning before
the expiration time, his account will be locked.</t>
<t>The user may bind to the directory a preset number of times after
her password has expired. If she fails to change her password
during one of her 'grace' authentications, her account will be
<section title="Password History">
<t>When the Password Expiration policy is used, an additional mechanism
may be employed to prevent users from simply re-using a previous
password (as this would effectively circumvent the expiration
<t>In order to do this, a history of used passwords is kept. The
password policy administrator sets the number of passwords to be
stored at any given time. Passwords are stored in this history
whenever the password is changed. Users aren't allowed to specify
any passwords that are in the history list while changing passwords.</t>
<section title="Password Minimum Age">
<t>Users may circumvent the Password History mechanism by quickly
performing a series of password changes. If they change their
password enough times, their 'favorite' password will be pushed out
of the history list.</t>
<t>This process may be made less attractive to users by employing a
minimum age for passwords. If users are forced to wait 24 hours
between password changes, they may be less likely to cycle through a
history of 10 passwords.</t>
<section title="Password Quality and Minimum length">
<t>In order to prevent users from creating or updating passwords that
are easy to guess, a password quality policy may be employed. This
policy consists of two general mechanisms: ensuring that passwords
conform to a defined quality criterion and ensuring that they are of
a minimum length.</t>
<t>Forcing a password to comply with the quality policy may imply a
variety of things including:
<list style="symbols">
<t>Disallowing trivial or well-known words from making up the password.</t>
<t>Forcing a certain number of digits to be used.</t>
<t>Disallowing anagrams of the user's name.</t></list></t>
<t>The implementation of this policy meets with the following problems:
<list style="symbols">
<t>If the password to be added or updated is encrypted by the client
before being sent, the server has no way of enforcing this policy.
Therefore, the onus of enforcing this policy falls upon client
<t>There are no specific definitions of what 'quality checking'
means. This can lead to unexpected behavior in a heterogeneous
environment.</t></list></t>
<section title="User Defined Passwords">
<t>In some cases, it is desirable to disallow users from adding and
updating their own passwords. This policy makes this functionality
<section title="Password Change after Reset">
<t>This policy forces the user to update her password after it has been
set for the first time, or has been reset by a password
<t>This is needed in scenarios where a password administrator has set or
reset the password to a well-known value.</t>
<section title="Safe Modification">
<t>As directories become more commonly used, it will not be unusual for
clients to connect to a directory and leave the connection open for
an extended period. This opens up the possibility for an intruder to
make modifications to a user's password while that user's computer is
connected but unattended.</t>
<t>This policy forces the user to prove his identity by specifying the
old password during a password modify operation.</t>
<t>{TODO: This allows a dictionary attack unless we specify that this is
also subject to intruder detection. One solution is to require users
to authN prior to changing password. Another solution is to perform
intruder detection checks when the password for a non-authenticated
identity is being updated}</t>
<section title="Restriction of the Password Policy">
<t>The password policy defined in this document can apply to any
attribute containing a password. Password policy state information
is held in the user's entry, and applies to a password attribute, not
a particular password attribute value. Thus the server SHOULD
enforce that the password attribute subject to password policy
contains one and only one password value.</t>
<section title="Schema used for Password Policy">
<t>The schema elements defined here fall into two general categories. A
password policy object class is defined which contains a set of
administrative password policy attributes, and a set of operational
attributes are defined that hold general password policy state
information for each user.</t>
<section title="The pwdPolicy Object Class">
<t>This object class contains the attributes defining a password policy
in effect for a set of users. <xref target="admin"/> describes the
administration of this object, and the relationship between it and
particular objects.</t>
( 1.3.6.1.4.1.42.2.27.8.2.1
MUST ( pwdAttribute )
MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
pwdMinLength $ pwdMaxLength $ pwdExpireWarning $
pwdGraceAuthNLimit $ pwdGraceExpiry $ pwdLockout $
pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
<section title="Attribute Types used in the pwdPolicy ObjectClass">
<t>Following are the attribute types used by the pwdPolicy object class.</t>
<section title="pwdAttribute">
<t>This holds the name of the attribute to which the password policy is
applied. For example, the password policy may be applied to the
userPassword attribute.</t>
( 1.3.6.1.4.1.42.2.27.8.1.1
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
<section title="pwdMinAge">
<t>This attribute holds the number of seconds that must elapse between
modifications to the password. If this attribute is not present, 0
seconds is assumed.</t>
( 1.3.6.1.4.1.42.2.27.8.1.2
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdMaxAge">
<t>This attribute holds the number of seconds after which a modified
password will expire.</t>
<t>If this attribute is not present, or if the value is 0, the password
does not expire. If not 0, the value must be greater than or equal
to the value of pwdMinAge.</t>
( 1.3.6.1.4.1.42.2.27.8.1.3
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdInHistory">
<t>This attribute specifies the maximum number of used passwords stored
in the pwdHistory attribute.</t>
<t>If this attribute is not present, or if the value is 0, used
passwords are not stored in the pwdHistory attribute and thus may be
( 1.3.6.1.4.1.42.2.27.8.1.4
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdCheckQuality">
<t>{TODO: Consider changing the syntax to OID. Each OID will list a
quality rule (like min len, # of special characters, etc). These
rules can be specified outside this document.}</t>
<t>{TODO: Note that even though this is meant to be a check that happens
during password modification, it may also be allowed to happen during
authN. This is useful for situations where the password is encrypted
when modified, but decrypted when used to authN.}</t>
<t>This attribute indicates how the password quality will be verified
while being modified or added. If this attribute is not present, or
if the value is '0', quality checking will not be enforced. A value
of '1' indicates that the server will check the quality, and if the
server is unable to check it (due to a hashed password or other
reasons) it will be accepted. A value of '2' indicates that the
server will check the quality, and if the server is unable to verify
it, it will return an error refusing the password.</t>
( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdMinLength">
<t>When quality checking is enabled, this attribute holds the minimum
number of characters that must be used in a password. If this
attribute is not present, no minimum password length will be
enforced. If the server is unable to check the length (due to a
hashed password or otherwise), the server will, depending on the
value of the pwdCheckQuality attribute, either accept the password
without checking it ('0' or '1') or refuse it ('2').</t>
( 1.3.6.1.4.1.42.2.27.8.1.6
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdMaxLength">
<t>When quality checking is enabled, this attribute holds the maximum
number of characters that may be used in a password. If this
attribute is not present, no maximum password length will be
enforced. If the server is unable to check the length (due to a
hashed password or otherwise), the server will, depending on the
value of the pwdCheckQuality attribute, either accept the password
without checking it ('0' or '1') or refuse it ('2').</t>
( 1.3.6.1.4.1.42.2.27.8.1.31
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdExpireWarning">
<t>This attribute specifies the maximum number of seconds before a
password is due to expire that expiration warning messages will be
returned to an authenticating user.</t>
<t>If this attribute is not present, or if the value is 0, no warnings
will be returned. If not 0, the value must be smaller than the value
of the pwdMaxAge attribute.</t>
( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdGraceAuthNLimit">
<t>This attribute specifies the number of times an expired password can
be used to authenticate. If this attribute is not present or if the
value is 0, authentication will fail.</t>
( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdGraceExpiry">
<t>This attribute specifies the number of seconds the grace
authentications are valid. If this attribute is not present
or if the value is 0, there is no time limit on the grace
( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpiry'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdLockout">
<t>This attribute indicates, when its value is "TRUE", that the password
may not be used to authenticate after a specified number of
consecutive failed bind attempts. The maximum number of consecutive
failed bind attempts is specified in pwdMaxFailure.</t>
<t>If this attribute is not present, or if the value is "FALSE", the
password may still be used to authenticate once the number of failed
bind attempts has been reached.</t>
( 1.3.6.1.4.1.42.2.27.8.1.9
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
<section title="pwdLockoutDuration">
<t>This attribute holds the number of seconds that the password cannot
be used to authenticate due to too many failed bind attempts. If
this attribute is not present, or if the value is 0, the password
cannot be used to authenticate until reset by a password
( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdMaxFailure">
<t>This attribute specifies the number of consecutive failed bind
attempts after which the password may not be used to authenticate.
If this attribute is not present, or if the value is 0, this policy
is not checked, and the value of pwdLockout will be ignored.</t>
( 1.3.6.1.4.1.42.2.27.8.1.11
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdFailureCountInterval">
<t>This attribute holds the number of seconds after which the password
failures are purged from the failure counter, even though no
successful authentication occurred.</t>
<t>If this attribute is not present, or if its value is 0, the failure
counter is only reset by a successful authentication.</t>
( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdMustChange">
<t>This attribute specifies with a value of "TRUE" that users must
change their passwords when they first bind to the directory after a
password is set or reset by a password administrator. If this
attribute is not present, or if the value is "FALSE", users are not
required to change their password upon binding after the password
administrator sets or resets the password. This attribute is not set
due to any actions specified by this document; it is typically set by
a password administrator after resetting a user's password.</t>
( 1.3.6.1.4.1.42.2.27.8.1.13
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
<section title="pwdAllowUserChange">
<t>This attribute indicates whether users can change their own
passwords, although the change operation is still subject to access
control. If this attribute is not present, a value of "TRUE" is
assumed. This attribute is intended to be used in the absence of an
access control mechanism.</t>
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
<section title="pwdSafeModify">
<t>This attribute specifies whether or not the existing password must be
sent along with the new password when being changed. If this
attribute is not present, a "FALSE" value is assumed.</t>
( 1.3.6.1.4.1.42.2.27.8.1.15
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
<section title="pwdMinDelay">
<t>This attribute specifies the number of seconds to delay responding
to the first failed authentication attempt. If this attribute is not
set or is 0, no delays will be used. pwdMaxDelay must also be specified
if pwdMinDelay is set.</t>
( 1.3.6.1.4.1.42.2.27.8.1.24
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="pwdMaxDelay">
<t>This attribute specifies the maximum number of seconds to delay
when responding to a failed authentication attempt. The time specified
in pwdMinDelay is used as the starting time and is then doubled on
each failure until the delay time is greater than or equal to pwdMaxDelay
(or a successful authentication occurs, which resets the failure counter).
pwdMinDelay must be specified if pwdMaxDelay is set.</t>
( 1.3.6.1.4.1.42.2.27.8.1.25
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
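The password-guessing-limit rules above (the failure counter, pwdFailureCountInterval, pwdMaxFailure with pwdLockout and pwdLockoutDuration, and the pwdMinDelay/pwdMaxDelay doubling) worked through as an added example; this is not code from the draft or from any server, the function names are my own, and the pwd-&lt;attribute&gt; option on the state attribute names is omitted for brevity.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # the draft's marker for a lock only an administrator can clear


def parse_gt(value: str) -> datetime:
    """Parse a GeneralizedTime in the GMT form this draft requires (YYYYMMDDHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def live_failures(failure_times, policy, now):
    """Failures that still count: all of them when pwdFailureCountInterval is
    absent or 0, otherwise only those younger than the interval."""
    interval = int(policy.get("pwdFailureCountInterval", 0))
    times = [parse_gt(t) for t in failure_times]
    if interval == 0:
        return times
    cutoff = now - timedelta(seconds=interval)
    return [t for t in times if t > cutoff]


def failure_delay(n_failures, policy):
    """Seconds to delay the n-th consecutive failure: pwdMinDelay, doubled on
    each further failure and capped at pwdMaxDelay; 0 when delays are not configured."""
    min_delay = int(policy.get("pwdMinDelay", 0))
    max_delay = int(policy.get("pwdMaxDelay", 0))
    if min_delay == 0 or max_delay == 0 or n_failures < 1:
        return 0
    return min(min_delay * 2 ** (n_failures - 1), max_delay)


def is_locked(entry, policy, now_gt):
    """True while a lock recorded in pwdAccountLockedTime is in force: for ever
    for the marker value or when pwdLockoutDuration is absent/0, otherwise for
    pwdLockoutDuration seconds after the lock time."""
    locked = entry.get("pwdAccountLockedTime")
    if locked is None:
        return False
    if locked == PERMANENT_LOCK:
        return True
    duration = int(policy.get("pwdLockoutDuration", 0))
    if duration == 0:
        return True
    return parse_gt(locked) + timedelta(seconds=duration) > parse_gt(now_gt)


def record_failure(entry, policy, now_gt):
    """Bookkeeping after a wrong password at time now_gt: append the timestamp
    to pwdFailureTime, compute the response delay and, when pwdLockout is TRUE
    and pwdMaxFailure live failures are reached, lock the account.
    Returns (delay_seconds, locked_now)."""
    now = parse_gt(now_gt)
    failures = entry.setdefault("pwdFailureTime", [])
    failures.append(now_gt)
    live = live_failures(failures, policy, now)
    delay = failure_delay(len(live), policy)
    max_failure = int(policy.get("pwdMaxFailure", 0))
    locked_now = False
    # pwdMaxFailure absent or 0: the limit is not checked and pwdLockout is ignored.
    if max_failure and policy.get("pwdLockout", "FALSE") == "TRUE" and len(live) >= max_failure:
        entry["pwdAccountLockedTime"] = now_gt
        locked_now = True
    return delay, locked_now


def record_success(entry):
    """A successful authentication resets the failure counter."""
    entry.pop("pwdFailureTime", None)
```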
<section title="pwdMaxIdle">
<t>This attribute specifies the number of seconds an account may
remain unused before it becomes locked. If this attribute is not
set or is 0, no check is performed.</t>
( 1.3.6.1.4.1.42.2.27.8.1.26
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
<section title="Attribute Types for Password Policy State Information">
<t>Password policy state information must be maintained for each user.
The information is located in each user entry as a set of operational
attributes. These operational attributes are: pwdChangedTime,
pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
pwdReset, pwdPolicySubentry, pwdStartTime, pwdEndTime, pwdLastSuccess.</t>
<section title="Password Policy State Attribute Option">
<t>Since the password policy could apply to several attributes used to
store passwords, each of the above operational attributes must have
an option to specify which pwdAttribute it applies to. The password
policy option is defined as the following:</t>
pwd-&lt;passwordAttribute&gt;</t>
<t>where passwordAttribute is a string following the OID syntax
(1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
(short name) MUST be used.</t>
<t>For example, if the pwdPolicy object has for pwdAttribute
"userPassword" then the pwdChangedTime operational attribute, in a
user entry, will be:</t>
<t>pwdChangedTime;pwd-userPassword: 20000103121520Z</t>
<t>This attribute option follows sub-typing semantics. If a client
requests a password policy state attribute to be returned in a search
operation, and does not specify an option, all subtypes of that
policy state attribute are returned.</t>
<section title="pwdChangedTime">
<t>This attribute specifies the last time the entry's password was
changed. This is used by the password expiration policy. If this
attribute does not exist, the password will never expire.</t>
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
USAGE directoryOperation )
<section title="pwdAccountLockedTime">
<t>This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time a user account was locked'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
USAGE directoryOperation )
<section title="pwdFailureTime">
<t>This attribute holds the timestamps of the consecutive authentication
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive authentication
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
USAGE directoryOperation )
<section title="pwdHistory">
<t>This attribute holds a history of previously used passwords. Values
of this attribute are transmitted in string format as given by the
pwdHistory = time "#" syntaxOID "#" length "#" data
time = GeneralizedTime
syntaxOID = numericoid ; the string representation of the
; dotted-decimal OID that defines the
; syntax used to store the password.
length = number ; the number of octets in data.
data = &lt;octets representing the password in the format
specified by syntaxOID&gt;.
<postamble>GeneralizedTime is specified in 3.3.13 of <xref target="RFC4517"/>. numericoid and number are specified in 1.4 of <xref target="RFC4512"/>.</postamble>
<t>This format allows the server to store and transmit a history of
passwords that have been used. In order for equality matching to
function properly, the time field needs to adhere to a consistent
format. For this purpose, the time field MUST be in GMT format.</t>
( 1.3.6.1.4.1.42.2.27.8.1.20
DESC 'The history of user\27s passwords'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
USAGE directoryOperation )
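The modify-password checks described earlier (Password History, Password Minimum Age, Password Quality and Minimum length, Safe Modification) together with the pwdHistory value format just given, as an added example that is not the draft's or any server's code. It parses pwdHistory values by the declared length rather than by splitting on "#", since the password octets may themselves contain "#"; the function names and the violation labels are my own, the pwd-&lt;attribute&gt; option is omitted, and values starting with "{" are assumed to be hashed by the client.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"  # syntaxOID recorded for userPassword values


def parse_gt(value):
    """GeneralizedTime in the GMT form the draft requires (YYYYMMDDHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_history(value: bytes):
    """Split one pwdHistory value, time "#" syntaxOID "#" length "#" data, into
    (time, syntaxOID, data). Only three '#' are consumed; data is taken whole
    and checked against the declared length."""
    time_s, oid, length_s, data = value.split(b"#", 3)
    if len(data) != int(length_s):
        raise ValueError("pwdHistory length field does not match data")
    return time_s.decode("ascii"), oid.decode("ascii"), data


def make_history(time_gt: str, syntax_oid: str, data: bytes) -> bytes:
    return f"{time_gt}#{syntax_oid}#{len(data)}#".encode("ascii") + data


def matches_stored(candidate: bytes, stored: bytes) -> bool:
    """Compare a candidate with a stored password value: clear text directly,
    '{SHA}' (base64 of SHA-1, RFC 2307 style) by re-hashing. Any other
    '{scheme}' value cannot be verified here and so never matches (assumption)."""
    if stored.startswith(b"{SHA}"):
        return base64.b64encode(hashlib.sha1(candidate).digest()) == stored[5:]
    if stored.startswith(b"{"):
        return False
    return candidate == stored


def check_modify(entry, policy, new_pw: bytes, now_gt: str, old_pw=None):
    """Return the list of violations (empty means the change is allowed)."""
    problems = []
    now = parse_gt(now_gt)
    # pwdSafeModify: the existing password must accompany the change
    if policy.get("pwdSafeModify", "FALSE") == "TRUE":
        if old_pw is None or not matches_stored(old_pw, entry.get("userPassword", b"")):
            problems.append("mustSupplyOldPassword")
    # pwdMinAge: seconds that must elapse since pwdChangedTime
    min_age = int(policy.get("pwdMinAge", 0))
    changed = entry.get("pwdChangedTime")
    if min_age and changed and parse_gt(changed) + timedelta(seconds=min_age) > now:
        problems.append("passwordTooYoung")
    # pwdInHistory: a password still held in pwdHistory may not be re-used
    if int(policy.get("pwdInHistory", 0)):
        if any(matches_stored(new_pw, parse_history(h)[2]) for h in entry.get("pwdHistory", [])):
            problems.append("passwordInHistory")
    # pwdCheckQuality: 0 = no checks; 1 = check when possible; 2 = refuse when not checkable
    quality = int(policy.get("pwdCheckQuality", 0))
    if quality:
        if new_pw.startswith(b"{"):  # hashed by the client: length cannot be checked
            if quality == 2:
                problems.append("insufficientPasswordQuality")
        else:
            min_len = int(policy.get("pwdMinLength", 0))
            max_len = int(policy.get("pwdMaxLength", 0))
            if min_len and len(new_pw) < min_len:
                problems.append("passwordTooShort")
            if max_len and len(new_pw) > max_len:
                problems.append("passwordTooLong")
    return problems


def apply_change(entry, policy, new_pw: bytes, now_gt: str):
    """Store the new password, push the old value into pwdHistory (at most
    pwdInHistory entries, oldest dropped) and record pwdChangedTime."""
    keep = int(policy.get("pwdInHistory", 0))
    if keep and "userPassword" in entry:
        history = entry.get("pwdHistory", [])
        history.append(make_history(entry.get("pwdChangedTime", now_gt),
                                    OCTET_STRING_SYNTAX, entry["userPassword"]))
        entry["pwdHistory"] = history[-keep:]
    entry["userPassword"] = new_pw
    entry["pwdChangedTime"] = now_gt
```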
<section title="pwdGraceUseTime">
<t>This attribute holds the timestamps of grace authentications after a
password has expired.</t>
( 1.3.6.1.4.1.42.2.27.8.1.21
NAME 'pwdGraceUseTime'
DESC 'The timestamps of the grace authentication after the
password has expired'
EQUALITY generalizedTimeMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
USAGE directoryOperation )
<section title="pwdReset">
<t>This attribute holds a flag to indicate (when TRUE) that the password
has been updated by the password administrator and must be changed by
( 1.3.6.1.4.1.42.2.27.8.1.22
DESC 'The indication that the password has been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
USAGE directoryOperation )
<section title="pwdPolicySubentry">
<t>This attribute points to the pwdPolicy subentry in effect for this
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
USAGE directoryOperation )
<section title="pwdStartTime">
<t>This attribute specifies the time the entry's password becomes
valid for authentication. Authentication attempts made before this
time will fail. If this attribute does not exist, then no restriction
( 1.3.6.1.4.1.42.2.27.8.1.27
DESC 'The time the password becomes enabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
USAGE directoryOperation )
<section title="pwdEndTime">
<t>This attribute specifies the time the entry's password becomes
invalid for authentication. Authentication attempts made after this
time will fail, regardless of expiration or grace settings.
If this attribute does not exist, then this restriction
( 1.3.6.1.4.1.42.2.27.8.1.28
DESC 'The time the password becomes disabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
NO-USER-MODIFICATION
USAGE directoryOperation )
<t>Note that pwdStartTime may be set to a time greater than or equal
to pwdEndTime; this simply disables the account.</t>
1026 <section title="pwdLastSuccess">
1028 <t>This attribute holds the timestamp of the last successful
1032 ( 1.3.6.1.4.1.42.2.27.8.1.29
1033 NAME 'pwdLastSuccess'
1034 DESC 'The timestamp of the last successful authentication'
1035 EQUALITY generalizedTimeMatch
1036 ORDERING generalizedTimeOrderingMatch
1037 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
1039 NO-USER-MODIFICATION
1040 USAGE directoryOperation )
1047 <section title="Controls used for Password Policy">
1049 <t>This section details the controls used while enforcing password
1050 policy. A request control is defined that is sent by a client with a
1051 request operation in order to elicit a response control. The
1052 response control contains various warnings and errors associated with
1053 password policy.</t>
1055 <t>{TODO: add a note about advertisement and discovery}</t>
1057 <section title="Request Control">
1059 <t>This control MAY be sent with any LDAP request message in order to
1060 convey to the server that this client is aware of, and can process
1061 the response control described in this document. When a server
1062 receives this control, it will return the response control when
1063 appropriate and with the proper data.</t>
1065 <t>The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may
1066 be TRUE or FALSE. There is no controlValue.</t>
1069 <section title="Response Control">
1071 <t>If the client has sent a passwordPolicyRequest control, the server
1072 (when solicited by the inclusion of the request control) sends this
1073 control with the following operation responses: bindResponse,
1074 modifyResponse, addResponse, compareResponse and possibly
1075 extendedResponse, to inform of various conditions, and MAY be sent
1076 with other operations (in the case of the changeAfterReset error).
1077 The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the controlValue is
1078 the BER encoding of the following type:</t>
1081 PasswordPolicyResponseValue ::= SEQUENCE {
1082 warning [0] CHOICE {
1083 timeBeforeExpiration [0] INTEGER (0 .. maxInt),
1084 graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
1085 error [1] ENUMERATED {
1086 passwordExpired (0),
1088 changeAfterReset (2),
1089 passwordModNotAllowed (3),
1090 mustSupplyOldPassword (4),
1091 insufficientPasswordQuality (5),
1092 passwordTooShort (6),
1093 passwordTooYoung (7),
1094 passwordInHistory (8) } OPTIONAL }
1097 <t>The timeBeforeExpiration warning specifies the number of seconds
1098 before a password will expire. The graceAuthNsRemaining warning
1099 specifies the remaining number of times a user will be allowed to
1100 authenticate with an expired password. The passwordExpired error
1101 signifies that the password has expired and must be reset. The
1102 changeAfterReset error signifies that the password must be changed
1103 before the user will be allowed to perform any operation other than
1104 bind and modify. The passwordModNotAllowed error is set when a user
1105 is restricted from changing her password. The
1106 insufficientPasswordQuality error is set when a password doesn't pass
1107 quality checking. The passwordTooYoung error is set if the age of
1108 the password to be modified is not yet old enough.</t>
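As an added example (not part of the draft), a minimal BER encoder and decoder for the PasswordPolicyResponseValue above, in plain Python. It assumes the ASN.1 module uses IMPLICIT TAGS as LDAP's does (RFC 4511), so the [0] on the warning CHOICE is an explicit constructed tag (0xA0) while the inner alternatives and the error ENUMERATED carry implicit primitive tags (0x80, 0x81 and 0x81); accountLocked (1), referenced elsewhere in this document, is included in the enumeration.

```python
MAX_INT = 2147483647  # maxInt from RFC 4511

ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def _length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _integer_content(value):
    """Minimal two's-complement content octets for an INTEGER in 0 .. maxInt."""
    if not 0 <= value <= MAX_INT:
        raise ValueError("value outside 0 .. maxInt")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return (b"\x00" + body) if body[0] & 0x80 else body  # keep it positive


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def encode_response(warning=None, error=None):
    """Encode the controlValue. warning is (name, integer), error an error name;
    both are optional, and both may be present (the changeAfterReset case)."""
    parts = b""
    if warning is not None:
        name, value = warning
        inner_tag = {v: k for k, v in WARNINGS.items()}[name]
        # warning [0] CHOICE: explicit constructed tag wrapping an implicit INTEGER
        parts += _tlv(0xA0, _tlv(0x80 | inner_tag, _integer_content(value)))
    if error is not None:
        code = {v: k for k, v in ERRORS.items()}[error]
        parts += _tlv(0x81, bytes([code]))  # error [1] ENUMERATED, implicit
    return _tlv(0x30, parts)                # outer SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER")
    return tag, buf[pos:end], end


def decode_response(data):
    """Parse a controlValue into {'warning': (name, int) or None, 'error': name or None}.
    Rejects unknown tags, out-of-range values and elements out of SEQUENCE order."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    out, pos = {"warning": None, "error": None}, 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0xA0 and out["warning"] is None and out["error"] is None:
            inner_tag, inner, inner_end = _read_tlv(content, 0)
            if inner_end != len(content) or inner_tag not in (0x80, 0x81):
                raise ValueError("malformed warning CHOICE")
            value = int.from_bytes(inner, "big", signed=True)
            if not 0 <= value <= MAX_INT:
                raise ValueError("warning value outside 0 .. maxInt")
            out["warning"] = (WARNINGS[inner_tag & 1], value)
        elif tag == 0x81 and out["error"] is None:
            code = int.from_bytes(content, "big", signed=True)
            if code not in ERRORS:
                raise ValueError("unknown error enumeration %d" % code)
            out["error"] = ERRORS[code]
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out


def is_valid_response(data):
    """True if data decodes as a well-formed PasswordPolicyResponseValue."""
    try:
        decode_response(data)
        return True
    except (ValueError, IndexError):
        return False
```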
1110 <t>Typically, only either a warning or an error will be encoded, though
1111 there may be exceptions. For example, if the user is required to
1112 change a password after the password administrator set it, and the
1113 password will expire in a short amount of time, the control may
1114 include the timeBeforeExpiration warning and the changeAfterReset
1120 <section title="Policy Decision Points">
1122 <t>Following are a number of procedures used to make policy decisions.
1123 These procedures are typically performed by the server while
1124 processing an operation.</t>
1126 <t>The following sections contain detailed instructions that refer to
1127 attributes of the pwdPolicy object class. When doing so, the
1128 attribute of the pwdPolicy object that governs the entry being
1129 discussed is implied.</t>
1131 <section anchor="lockcheck" title="Locked Account Check">
1133 <t>A status of true is returned to indicate that the account is locked
1134 if any of these conditions are met:
1136 <list style="symbols">
1137 <t>The value of the pwdAccountLockedTime attribute is 000001010000Z.</t>
1139 <t>The current time is less than the value of the pwdStartTime
1142 <t>The current time is greater than or equal to the value of the
1143 pwdEndTime attribute.</t>
1145 <t>The current time is greater than or equal to the value of the
1146 pwdLastSuccess attribute added to the value of the pwdMaxIdle
1149 <t>The current time is less than the value of the
1150 pwdAccountLockedTime attribute added to the value of the
1151 pwdLockoutDuration.</t>
1154 <t>Otherwise a status of false is returned.</t>
1158 <section anchor="changenow" title="Password Must be Changed Now Check">
1160 <t>A status of true is returned to indicate that the password must be
1161 changed if all of these conditions are met:
1163 <list style="symbols">
1164 <t>The pwdMustChange attribute is set to TRUE.</t>
1166 <t>The pwdReset attribute is set to TRUE.</t>
1169 <t>Otherwise a status of false is returned.</t>
1172 <section anchor="expcheck" title="Password Expiration Check">
1174 <t>A status of true is returned indicating that the password has expired
1175 if the current time minus the value of pwdChangedTime is greater than
1176 the value of the pwdMaxAge.</t>
1178 <t>Otherwise, a status of false is returned.</t>
1182 <section anchor="gracecheck" title="Remaining Grace AuthN Check">
1184 <t>If the pwdGraceUseTime attribute is present, the number of values in
1185 that attribute subtracted from the value of pwdGraceAuthNLimit is
1186 returned. Otherwise zero is returned. A positive result specifies
1187 the number of remaining grace authentications.</t>
1191 <section anchor="expwarn" title="Time Before Expiration Check">
1193 <t>If the pwdExpireWarning attribute is not present a zero status is
1194 returned. Otherwise the following steps are followed:</t>
1196 <t>Subtract the time stored in pwdChangedTime from the current time to
1197 arrive at the password's age. If the password's age is greater than
1198 the value of the pwdMaxAge attribute, a zero status is returned.
1199 Subtract the value of the pwdExpireWarning attribute from the value
1200 of the pwdMaxAge attribute to arrive at the warning age. If the
1201 password's age is equal to or greater than the warning age, the value
1202 of pwdMaxAge minus the password's age is returned.</t>
1205 <section anchor="intruderlock" title="Intruder Lockout Check">
1207 <t>A status of true indicating that an intruder has been detected is
1208 returned if the following conditions are met:
1210 <list style="symbols">
1211 <t>The pwdLockout attribute is TRUE.</t>
1213 <t>The number of values in the pwdFailureTime attribute that are
1214 younger than pwdFailureCountInterval is greater than or equal to the
1215 pwdMaxFailure attribute.</t>
1218 <t>Otherwise a status of false is returned.</t>
1220 <t>While performing this check, values of pwdFailureTime that are old by
1221 more than pwdFailureCountInterval are purged and not counted.</t>
1225 <section anchor="delaycheck" title="Intruder Delay Check">
1227 <t>If the pwdMinDelay attribute is 0 or not set, zero is returned.</t>
1229 <t>Otherwise, a delay time is computed based on the number of values
1230 in the pwdFailureTime attribute. If the computed value is greater
1231 than the pwdMaxDelay attribute, the pwdMaxDelay value is returned.</t>
1233 <t>While performing this check, values of pwdFailureTime that are old by
1234 more than pwdFailureCountInterval are purged and not counted.</t>
1237 <section anchor="tooyoung" title="Password Too Young Check">
1239 <t>If the <xref target="changenow"/> check returned true then this
1240 check will return false, to allow the password to be changed.</t>
1242 <t>A status of true indicating that not enough time has passed since the
1243 password was last updated is returned if:
1245 <list style="symbols">
1246 <t>The value of pwdMinAge is non-zero and pwdChangedTime is present.</t>
1248 <t>The value of pwdMinAge is greater than the current time minus the
1249 value of pwdChangedTime.</t>
1252 <t>Otherwise a false status is returned.</t>
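The decision procedures of this section as an added Python example (not the draft's own code). Entry state and policy are plain dicts keyed by the draft's attribute names, with GeneralizedTime strings for timestamps and integer seconds for durations; the sample policy is constructed. Where the draft leaves a point open the code labels its choice: a duration of 0 is read as "feature off", pwdMaxFailure of 0 as "no lockout", and the intruder delay doubles per failure.

```python
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # pwdAccountLockedTime value: locked until reset

# Constructed sample pwdPolicy attributes; durations are seconds as in the draft
SAMPLE_POLICY = {
    "pwdMaxAge": 2592000, "pwdExpireWarning": 604800, "pwdMinAge": 3600,
    "pwdGraceAuthNLimit": 2, "pwdMustChange": True, "pwdLockout": True,
    "pwdMaxFailure": 3, "pwdFailureCountInterval": 300,
    "pwdLockoutDuration": 900, "pwdMinDelay": 1, "pwdMaxDelay": 8,
}

def parse_gt(value):
    """Parse an LDAP GeneralizedTime in its UTC form YYYYMMDDHHMM[SS][.fff]Z."""
    core = value.rstrip("Z").split(".")[0]
    fmt = "%Y%m%d%H%M%S" if len(core) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(core, fmt).replace(tzinfo=timezone.utc)

def _secs(policy, name):
    return int(policy.get(name, 0))  # absent duration -> 0 -> feature off

def account_locked(entry, policy, now):
    """Locked Account Check: true if any of the draft's conditions holds."""
    locked_at = entry.get("pwdAccountLockedTime")
    idle, lockout = _secs(policy, "pwdMaxIdle"), _secs(policy, "pwdLockoutDuration")
    return bool(
        locked_at == PERMANENT_LOCK
        or ("pwdStartTime" in entry and now < parse_gt(entry["pwdStartTime"]))
        or ("pwdEndTime" in entry and now >= parse_gt(entry["pwdEndTime"]))
        or (idle and "pwdLastSuccess" in entry
            and now >= parse_gt(entry["pwdLastSuccess"]) + timedelta(seconds=idle))
        or (locked_at and lockout
            and now < parse_gt(locked_at) + timedelta(seconds=lockout)))

def must_change_now(entry, policy):
    """Password Must be Changed Now Check: pwdMustChange and pwdReset both TRUE."""
    return bool(policy.get("pwdMustChange")) and bool(entry.get("pwdReset"))

def password_expired(entry, policy, now):
    """Password Expiration Check: age greater than pwdMaxAge (0 = never expires)."""
    max_age = _secs(policy, "pwdMaxAge")
    if not max_age or "pwdChangedTime" not in entry:
        return False
    return now - parse_gt(entry["pwdChangedTime"]) > timedelta(seconds=max_age)

def grace_remaining(entry, policy):
    """Remaining Grace AuthN Check, as the text reads: absent attribute -> 0."""
    if "pwdGraceUseTime" not in entry:
        return 0
    return _secs(policy, "pwdGraceAuthNLimit") - len(entry["pwdGraceUseTime"])

def time_before_expiration(entry, policy, now):
    """Time Before Expiration Check: seconds left once inside the warning window."""
    warn, max_age = _secs(policy, "pwdExpireWarning"), _secs(policy, "pwdMaxAge")
    if not warn or "pwdChangedTime" not in entry:
        return 0
    age = (now - parse_gt(entry["pwdChangedTime"])).total_seconds()
    if age > max_age or age < max_age - warn:
        return 0
    return int(max_age - age)

def _recent_failures(entry, policy, now):
    """pwdFailureTime values younger than pwdFailureCountInterval; older ones purged."""
    interval = _secs(policy, "pwdFailureCountInterval")
    times = entry.get("pwdFailureTime", [])
    if interval:  # an interval of 0 disables purging (assumed convention)
        times = [t for t in times if now - parse_gt(t) <= timedelta(seconds=interval)]
        if times:
            entry["pwdFailureTime"] = times
        else:
            entry.pop("pwdFailureTime", None)
    return times

def intruder_detected(entry, policy, now):
    """Intruder Lockout Check (pwdMaxFailure of 0 assumed to mean no lockout)."""
    max_failure = _secs(policy, "pwdMaxFailure")
    if not policy.get("pwdLockout") or not max_failure:
        return False
    return len(_recent_failures(entry, policy, now)) >= max_failure

def intruder_delay(entry, policy, now):
    """Intruder Delay Check; doubling per failure is our choice, capped at pwdMaxDelay."""
    min_delay = _secs(policy, "pwdMinDelay")
    failures = len(_recent_failures(entry, policy, now)) if min_delay else 0
    if not failures:
        return 0
    delay = min_delay * 2 ** (failures - 1)
    max_delay = _secs(policy, "pwdMaxDelay")
    return min(delay, max_delay) if max_delay else delay

def too_young(entry, policy, now):
    """Password Too Young Check; false when a change is required now."""
    min_age = _secs(policy, "pwdMinAge")
    if must_change_now(entry, policy) or not min_age or "pwdChangedTime" not in entry:
        return False
    return timedelta(seconds=min_age) > now - parse_gt(entry["pwdChangedTime"])
```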
1256 <section anchor="server_enforce" title="Server Policy Enforcement Points">
1258 <t>The server SHOULD enforce that the password attribute subject to a
1259 password policy as defined in this document, contains one and only
1260 one password value.</t>
1262 <t>Note: The case where a single password value is stored in multiple
1263 formats simultaneously is still considered to be only one
1266 <t>The scenarios in the following operations assume that the client has
1267 attached a passwordPolicyRequest control to the request message of
1268 the operation. In the event that the passwordPolicyRequest control
1269 was not sent, no passwordPolicyResponse control is returned. All
1270 other instructions remain the same.</t>
1272 <t>For successfully completed operations, unless otherwise stated, no
1273 passwordPolicyResponse control is returned.</t>
1275 <section title="Password-based Authentication">
1277 <t>This section contains the policy enforcement rules and policy data
1278 updates used while validating a password. Operations that validate
1279 passwords include, but are not limited to, the Bind operation where
1280 the simple choice specifies a password, and the Compare operation
1281 where the attribute being compared holds a password. Note that while
1282 the Compare operation does not authenticate a user to the LDAP
1283 server, it may be used by an external application for purposes of
1286 <section title="Fail if the account is locked">
1288 <t>If the account is locked as specified in <xref target="lockcheck"/>, the server
1289 fails the operation with an appropriate resultCode (i.e.
1290 invalidCredentials (49) in the case of a bind operation, compareFalse
1291 (5) in the case of a compare operation, etc.). The server MAY set
1292 the error: accountLocked (1) in the passwordPolicyResponse in the
1293 controls field of the message.</t>
1297 <section title="Validated Password Procedures">
1299 <t>If the validation operation indicates that the password validated,
1300 these procedures are followed in order:</t>
1302 <section title="Policy state updates">
1304 <t>Delete the pwdFailureTime and pwdAccountLockedTime attributes.</t>
1306 <t>Set the value of the pwdLastSuccess attribute to the current time.</t>
1308 <t>Note: setting pwdLastSuccess is optional, but it is required if
1309 the policy has pwdMaxIdle defined.</t>
1312 <section title="Password must be changed now">
1314 <t>If the decision in <xref target="changenow"/> returns true, the server sends to the
1315 client a response with an appropriate successful resultCode (i.e.
1316 success (0), compareTrue (6), etc.), and includes the
1317 passwordPolicyResponse in the controls field of the bindResponse
1318 message with the error: changeAfterReset specified.</t>
1320 <t>For bind, the server MUST then disallow all operations issued by this
1321 user except modify password, bind, unbind, abandon and StartTLS
1322 extended operation.</t>
1325 <section title="Expired password">
1327 <t>If the password has expired as per <xref target="expcheck"/>, the server either
1328 returns a success or failure based on the state of grace
1329 authentications.</t>
1331 <section title="Remaining Grace Authentications">
1333 <t>If there are remaining grace authentications as per <xref target="gracecheck"/>, the
1334 server adds a new value with the current time in pwdGraceUseTime.
1335 Then it sends to the client a response with an appropriate successful
1336 resultCode (i.e. success (0), compareTrue (6), etc.), and includes
1337 the passwordPolicyResponse in the controls field of the response
1338 message with the warning: graceAuthNsRemaining choice set to the
1339 number of grace authentications left.</t>
1341 <t>Implementor's note: The system time of the host machine may be more
1342 granular than is needed to ensure unique values of this attribute.
1343 It is recommended that a mechanism is used to ensure unique
1344 generalized time values. The fractional seconds field may be used
1345 for this purpose.</t>
1349 <section title="No Remaining Grace Authentications">
1351 <t>If there are no remaining grace authentications, the server fails the
1352 operation with an appropriate resultCode (invalidCredentials (49),
1353 compareFalse (5), etc.), and includes the passwordPolicyResponse in
1354 the controls field of the bindResponse message with the error:
1355 passwordExpired (0) set.</t>
1359 <section title="Expiration Warning">
1361 <t>If the result of <xref target="expwarn"/> is a positive number, the server sends
1362 to the client a response with an appropriate successful resultCode
1363 (i.e. success (0), compareTrue (6), etc.), and includes the
1364 passwordPolicyResponse in the controls field of the bindResponse
1365 message with the warning: timeBeforeExpiration set to the value as
1366 described above. Otherwise, the server sends a successful response,
1367 and omits the passwordPolicyResponse.</t>
1371 <section title="AuthN Failed Procedures">
1373 <t>If the authentication process indicates that the password failed
1374 validation due to invalid credentials, these procedures are followed:</t>
1376 <section title="Policy state update">
1378 <t>Add the current time as a value of the pwdFailureTime attribute.</t>
1380 <t>Implementor's note: The system time of the host machine may be more
1381 granular than is needed to ensure unique values of this attribute.
1382 It is recommended that a mechanism is used to ensure unique
1383 generalized time values. The fractional seconds field may be used
1384 for this purpose.</t>
1388 <section title="Handle Intruder Detection">
1390 <t>If the check in <xref target="intruderlock"/> returns a true state, the server locks
1391 the account by setting the value of the pwdAccountLockedTime
1392 attribute to the current time. After locking the account, the server
1393 fails the operation with an appropriate resultCode
1394 (invalidCredentials (49), compareFalse (5), etc.), and includes the
1395 passwordPolicyResponse in the controls field of the message with the
1396 error: accountLocked (1).</t>
1398 <t>If the check in <xref target="delaycheck"/> returns a non-zero value,
1399 the server waits that number of seconds before sending the authentication
1400 response back to the client.</t>
1405 <section title="Password Update Operations">
1407 <t>Because the password is stored in an attribute, various operations
1408 (like add and modify) may be used to create or update a password.
1409 But some alternate mechanisms have been defined or may be defined,
1410 such as the LDAP Password Modify Extended Operation <xref target="RFC3062"/>.</t>
1412 <t>While processing a password update, the server performs the following
1415 <section title="Safe Modification">
1417 <t>If pwdSafeModify is set to TRUE and if there is an existing password
1418 value, the server ensures that the password update operation includes
1419 the user's existing password.</t>
1421 <t>When the LDAP modify operation is used to modify a password, this is
1422 done by specifying both a delete action and an add or replace action,
1423 where the delete action specifies the existing password, and the add
1424 or replace action specifies the new password. Other password update
1425 operations SHOULD employ a similar mechanism. Otherwise this policy
1428 <t>If the existing password is not specified, the server does not
1429 process the operation and sends the appropriate response message to
1430 the client with the resultCode: insufficientAccessRights (50), and
1431 includes the passwordPolicyResponse in the controls field of the
1432 response message with the error: mustSupplyOldPassword (4).</t>
1435 <section title="Change After Reset">
1437 <t>If the decision in <xref target="changenow"/> returns true, the server ensures that
1438 the password update operation contains no modifications other than
1439 the modification of the password attribute. If other modifications
1440 exist, the server sends a response message to the client with the
1441 resultCode: insufficientAccessRights (50), and includes the
1442 passwordPolicyResponse in the controls field of the response message
1443 with the error: changeAfterReset (2).</t>
1446 <section title="Rights Check">
1448 <t>Check to see whether the bound identity has sufficient rights to
1449 update the password. If the bound identity is a user changing its
1450 own password, this MAY be done by checking the pwdAllowUserChange
1451 attribute or using an access control mechanism. The determination of
1452 this is implementation specific. If the user is not allowed to
1453 update her password, the server sends a response message to the
1454 client with the resultCode: insufficientAccessRights (50), and
1455 includes the passwordPolicyResponse in the controls field of the
1456 response message with the error: passwordModNotAllowed (3).</t>
1459 <section title="Too Early to Update">
1461 <t>If the check in <xref target="tooyoung"/> results in a true status, the server sends
1462 a response message to the client with the resultCode:
1463 constraintViolation (19), and includes the passwordPolicyResponse in
1464 the controls field of the response message with the error:
1465 passwordTooYoung (7).</t>
1468 <section title="Password Quality">
1470 <t>Check the value of the pwdCheckQuality attribute. If the value is
1471 non-zero, the server:
1473 <list style="symbols">
1474 <t>Ensures that the password meets the quality criteria enforced by
1475 the server. This enforcement is implementation specific.
1476 If the server is unable to check the quality (due to a hashed
1477 password or otherwise), the value of pwdCheckQuality is evaluated.
1478 If the value is 1, operation continues. If the value is 2, the
1479 server sends a response message to the client with the resultCode:
1480 constraintViolation (19), and includes the passwordPolicyResponse
1481 in the controls field of the response message with the error:
1482 insufficientPasswordQuality (5).
1483 If the server is able to check the password quality, and the check
1484 fails, the server sends a response message to the client with the
1485 resultCode: constraintViolation (19), and includes the
1486 passwordPolicyResponse in the controls field of the response
1487 message with the error: insufficientPasswordQuality (5).</t>
1489 <t>Checks the value of the pwdMinLength attribute. If the value is
1490 non-zero, it ensures that the new password is of at least the
1492 If the server is unable to check the length (due to a hashed
1493 password or otherwise), the value of pwdCheckQuality is evaluated.
1494 If the value is 1, operation continues. If the value is 2, the
1495 server sends a response message to the client with the resultCode:
1496 constraintViolation (19), and includes the passwordPolicyResponse
1497 in the controls field of the response message with the error:
1498 passwordTooShort (6).
1499 If the server is able to check the password length, and the check
1500 fails, the server sends a response message to the client with the
1501 resultCode: constraintViolation (19), and includes the
1502 passwordPolicyResponse in the controls field of the response
1503 message with the error: passwordTooShort (6).</t>
1508 <section title="Invalid Reuse">
1510 <t>If pwdInHistory is present and its value is non-zero, the server
1511 checks whether this password exists in the entry's pwdHistory
1512 attribute or in the current password attribute. If the password does
1513 exist in the pwdHistory attribute or in the current password
1514 attribute, the server sends a response message to the client with the
1515 resultCode: constraintViolation (19), and includes the
1516 passwordPolicyResponse in the controls field of the response message
1517 with the error: passwordInHistory (8).</t>
1520 <section title="Policy State Updates">
1522 <t>If the steps have completed without causing an error condition, the
1523 server performs the following steps in order to update the necessary
1524 password policy state attributes:</t>
1526 <t>If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
1527 updates the pwdChangedTime attribute on the entry to the current
1530 <t>If the value of pwdInHistory is non-zero, the server adds the
1531 previous password (if one existed) to the pwdHistory attribute. If
1532 the number of values held in the pwdHistory attribute exceeds the
1533 value of pwdInHistory, the server removes the oldest excess
1536 <t>If the value of pwdMustChange is TRUE and the modification is
1537 performed by a password administrator, then the pwdReset attribute is
1538 set to TRUE. Otherwise, the pwdReset is removed from the user's
1539 entry if it exists.</t>
1541 <t>The pwdFailureTime and pwdGraceUseTime attributes are removed from the
1542 user's entry if they exist.</t>
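The server-side steps of Password Update Operations, run in the order given above over one modify request, as an added Python example (not the draft's own code). The policy, entry state, sample data and the `update` dict are constructed; `quality_ok` stands in for the implementation-specific quality rule, the rights check is reduced to pwdAllowUserChange, and pwdHistory is compared in plaintext for illustration.

```python
from datetime import datetime, timedelta, timezone

SUCCESS, CONSTRAINT_VIOLATION, INSUFFICIENT_ACCESS = 0, 19, 50

# Constructed sample pwdPolicy attributes; pwdCheckQuality 2 = check MUST succeed
SAMPLE_POLICY = {
    "pwdSafeModify": True, "pwdMustChange": True, "pwdMinAge": 3600,
    "pwdMaxAge": 2592000, "pwdCheckQuality": 2, "pwdMinLength": 8,
    "pwdInHistory": 3,
}

def sample_entry():
    """Constructed entry state: password set by an administrator an hour ago."""
    return {"userPassword": "oldpass1", "pwdChangedTime": "20240301110000Z",
            "pwdReset": True, "pwdHistory": ["older42"],
            "pwdFailureTime": ["20240301105900Z"]}

def parse_gt(value):
    """Parse a GeneralizedTime of the form YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def quality_ok(password):
    """Stand-in for the implementation-specific quality rule (our assumption):
    at least one letter and one digit."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)

def update_password(policy, entry, update, now):
    """Run the draft's password update steps in order.

    update keys: new_password, old_password (None if not supplied), other_mods
    (True if the request also touches other attributes), by_admin, hashed (True
    if the client pre-hashed the value so the server cannot inspect it).
    Returns (resultCode, passwordPolicyResponse error name or None); on success
    the Policy State Updates are applied to `entry` in place."""
    new, current = update["new_password"], entry.get("userPassword")
    # Safe Modification: the existing password must accompany the change
    if policy.get("pwdSafeModify") and current is not None and update.get("old_password") is None:
        return INSUFFICIENT_ACCESS, "mustSupplyOldPassword"
    # Change After Reset: nothing but the password attribute may be modified
    must_change = bool(policy.get("pwdMustChange") and entry.get("pwdReset"))
    if must_change and update.get("other_mods"):
        return INSUFFICIENT_ACCESS, "changeAfterReset"
    # Rights Check: pwdAllowUserChange decides for a user changing her own password
    if not update.get("by_admin") and not policy.get("pwdAllowUserChange", True):
        return INSUFFICIENT_ACCESS, "passwordModNotAllowed"
    # Too Early to Update (skipped when the password must be changed now)
    min_age = int(policy.get("pwdMinAge", 0))
    if not must_change and min_age and "pwdChangedTime" in entry and \
            now - parse_gt(entry["pwdChangedTime"]) < timedelta(seconds=min_age):
        return CONSTRAINT_VIOLATION, "passwordTooYoung"
    # Password Quality: pwdCheckQuality 1 lets an uncheckable (hashed) value
    # through, 2 rejects it; a checkable value must pass the rule and pwdMinLength
    check, hashed = int(policy.get("pwdCheckQuality", 0)), update.get("hashed", False)
    if check == 2 and hashed:
        return CONSTRAINT_VIOLATION, "insufficientPasswordQuality"
    if check and not hashed:
        if not quality_ok(new):
            return CONSTRAINT_VIOLATION, "insufficientPasswordQuality"
        if len(new) < int(policy.get("pwdMinLength", 0)):
            return CONSTRAINT_VIOLATION, "passwordTooShort"
    # Invalid Reuse: compare against the current value and pwdHistory
    in_history = int(policy.get("pwdInHistory", 0))
    history = list(entry.get("pwdHistory", []))
    if in_history and (new == current or new in history):
        return CONSTRAINT_VIOLATION, "passwordInHistory"
    # Policy State Updates
    if int(policy.get("pwdMaxAge", 0)) or min_age:
        entry["pwdChangedTime"] = now.strftime("%Y%m%d%H%M%SZ")
    if in_history and current is not None:
        history.append(current)
        entry["pwdHistory"] = history[-in_history:]  # drop the oldest excess values
    if policy.get("pwdMustChange") and update.get("by_admin"):
        entry["pwdReset"] = True
    else:
        entry.pop("pwdReset", None)
    entry.pop("pwdFailureTime", None)
    entry.pop("pwdGraceUseTime", None)
    entry["userPassword"] = new
    return SUCCESS, None
```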
1546 <section title="Other Operations">
1548 <t>For operations other than bind, password update, unbind, abandon or
1549 StartTLS, if the decision in <xref target="changenow"/> returns true, the server
1550 sends a response message to the client with the resultCode:
1551 insufficientAccessRights (50), and includes the
1552 passwordPolicyResponse in the controls field of the response message
1553 with the error: changeAfterReset (2).</t>
1557 <section anchor="client_enforce" title="Client Policy Enforcement Points">
1559 <t>These sections illustrate possible scenarios for each LDAP operation
1560 and define the types of responses that identify those scenarios.</t>
1562 <t>The scenarios in the following operations assume that the client
1563 attached a passwordPolicyRequest control to the request message of
1564 the operation, and thus may receive a passwordPolicyResponse control
1565 in the response message. In the event that the passwordPolicyRequest
1566 control was not sent, no passwordPolicyResponse control is returned.
1567 All other instructions remain the same.</t>
1569 <section title="Bind Operation">
1571 <t>For every bind response received, the client checks the resultCode of
1572 the bindResponse and checks for a passwordPolicyResponse control to
1573 determine if any of the following conditions are true and MAY prompt
1574 the user accordingly.
1576 <list style="symbols">
1577 <t>bindResponse.resultCode = insufficientAccessRights (50),
1578 passwordPolicyResponse.error = accountLocked (1): The password
1579 failure limit has been reached and the account is locked. The
1580 user needs to retry later or contact the password administrator to
1581 reset the password.</t>
1583 <t>bindResponse.resultCode = success (0),
1584 passwordPolicyResponse.error = changeAfterReset (2): The user is
1585 binding for the first time after the password administrator set
1586 the password. In this scenario, the client SHOULD prompt the user
1587 to change his password immediately.</t>
1589 <t>bindResponse.resultCode = success (0),
1590 passwordPolicyResponse.warning = graceAuthNsRemaining: The
1591 password has expired but there are remaining grace
1592 authentications. The user needs to change it.</t>
1594 <t>bindResponse.resultCode = invalidCredentials (49),
1595 passwordPolicyResponse.error = passwordExpired (0): The password
1596 has expired and there are no more grace authentications. The user
1597 contacts the password administrator in order to have its password
1600 <t>bindResponse.resultCode = success (0),
1601 passwordPolicyResponse.warning = timeBeforeExpiration: The user's
1602 password will expire in n number of seconds.</t>
1606 <section title="Modify Operations">
1608 <section title="Modify Request">
1610 <t>If the application or client encrypts the password prior to sending
1611 it in a password modification operation (whether done through
1612 modifyRequest or another password modification mechanism), it SHOULD
1613 check the values of the pwdMinLength, and pwdCheckQuality attributes
1614 and SHOULD enforce these policies.</t>
1617 <section title="Modify Response">
1619 <t>If the modifyRequest operation was used to change the password, or if
1620 another mechanism is used, such as an extendedRequest, the
1621 modifyResponse or other appropriate response MAY contain information
1622 pertinent to password policy. The client checks the resultCode of
1623 the response and checks for a passwordPolicyResponse control to
1624 determine if any of the following conditions are true and optionally
1625 notifies the user of the condition.
1627 <list style="symbols">
1628 <t>pwdModResponse.resultCode = insufficientAccessRights (50),
1629 passwordPolicyResponse.error = mustSupplyOldPassword (4): The user
1630 attempted to change her password without specifying the old
1631 password but the password policy requires this.</t>
1633 <t>pwdModResponse.resultCode = insufficientAccessRights (50),
1634 passwordPolicyResponse.error = changeAfterReset (2): The user must
1635 change her password before submitting any other LDAP requests.</t>
1637 <t>pwdModResponse.resultCode = insufficientAccessRights (50),
1638 passwordPolicyResponse.error = passwordModNotAllowed (3): The user
1639 doesn't have sufficient rights to change his password.</t>
1641 <t>pwdModResponse.resultCode = constraintViolation (19),
1642 passwordPolicyResponse.error = passwordTooYoung (7): It is too
1643 soon after the last password modification to change the password.</t>
1645 <t>pwdModResponse.resultCode = constraintViolation (19),
1646 passwordPolicyResponse.error = insufficientPasswordQuality (5):
1647 The password failed quality checking.</t>
1649 <t>pwdModResponse.resultCode = constraintViolation (19),
1650 passwordPolicyResponse.error = passwordTooShort (6): The length of
1651 the password is too short.</t>
1653 <t>pwdModResponse.resultCode = constraintViolation (19),
1654 passwordPolicyResponse.error = passwordInHistory (8): The password
1655 has already been used; the user must choose a different one.</t>
1660 <section title="Add Operation">
1662 <t>If a password is specified in an addRequest, the client checks the
1663 resultCode of the addResponse and checks for a passwordPolicyResponse
1664 control to determine if any of the following conditions are true and
1665 may prompt the user accordingly.
1667 <list style="symbols">
1668 <t>addResponse.resultCode = insufficientAccessRights (50),
1669 passwordPolicyResponse.error = passwordModNotAllowed (3): The user
1670 doesn't have sufficient rights to add this password.</t>
1672 <t>addResponse.resultCode = constraintViolation (19),
1673 passwordPolicyResponse.error = insufficientPasswordQuality (5):
1674 The password failed quality checking.</t>
1676 <t>addResponse.resultCode = constraintViolation (19),
1677 passwordPolicyResponse.error = passwordTooShort (6): The length of
1678 the password is too short.</t>
1683 <section title="Compare Operation">
1685 <t>When a compare operation is used to compare a password, the client
1686 checks the resultCode of the compareResponse and checks for a
1687 passwordPolicyResponse to determine if any of the following
1688 conditions are true and MAY prompt the user accordingly. These
1689 conditions assume that the result of the comparison was true.
1691 <list style="symbols">
1692 <t>compareResponse.resultCode = compareFalse (5),
1693 passwordPolicyResponse.error = accountLocked (1): The password
1694 failure limit has been reached and the account is locked. The
1695 user needs to retry later or contact the password administrator to
1696 reset the password.</t>
1698 <t>compareResponse.resultCode = compareTrue (6),
1699 passwordPolicyResponse.warning = graceAuthNsRemaining: The
1700 password has expired but there are remaining grace
1701 authentications. The user needs to change it.</t>
1703 <t>compareResponse.resultCode = compareFalse (5),
1704 passwordPolicyResponse.error = passwordExpired (0): The password
1705 has expired and there are no more grace authentications. The user
1706 must contact the password administrator to reset the password.</t>
1708 <t>compareResponse.resultCode = compareTrue (6),
1709 passwordPolicyResponse.warning = timeBeforeExpiration: The user's
1710 password will expire in n number of seconds.</t>
1715 <section title="Other Operations">
1717 <t>For operations other than bind, unbind, abandon or StartTLS, the
1718 client checks the result code and control to determine if
1719 any other actions are needed.
1721 <list style="symbols">
1722 <t>&lt;Response&gt;.resultCode = insufficientAccessRights (50),
1723 passwordPolicyResponse.error = accountLocked (1): The password
1724 failure limit has been reached and the account is locked. The
1725 user needs to retry later or contact the password administrator
1726 to reset the password.</t>
1728 <t>&lt;Response&gt;.resultCode = insufficientAccessRights (50),
1729 passwordPolicyResponse.error = changeAfterReset (2): The user
1730 needs to change the password immediately.</t>
1735 <section anchor="admin" title="Administration of the Password Policy">
1737 <t>{TODO: Need to define an administrativeRole (need OID). Need to
1738 describe whether pwdPolicy admin areas can overlap}</t>
1740 <t>A password policy is defined for a particular subtree of the DIT by
1741 adding to an LDAP subentry whose immediate superior is the root of
1742 the subtree, the pwdPolicy auxiliary object class. The scope of the
1743 password policy is defined by the SubtreeSpecification attribute of
1744 the LDAP subentry as specified in <xref target="RFC3672"/>.</t>
1746 <t>It is possible to define password policies for different password
1747 attributes within the same pwdPolicy entry, by specifying multiple
1748 values of the pwdAttribute. But password policies could also be in
1749 separate subentries as long as they are contained under the same
1752 <t>Only one policy may be in effect for a given password attribute
1753 in any entry. If multiple policies exist which overlap in the range
1754 of entries affected, the resulting behavior is undefined.</t>
1756 <t>Modifying the password policy MUST NOT result in any change in users'
1757 entries to which the policy applies.</t>
1759 <t>It SHOULD be possible to overwrite the password policy for one user
1760 by defining a new policy in a subentry of the user entry.</t>
1762 <t>Each object that is controlled by password policy advertises the
1763 subentry that is being used to control its policy in its
1764 pwdPolicySubentry attribute. Clients wishing to examine or manage
1765 password policy for an object may interrogate the pwdPolicySubentry
1766 for that object in order to arrive at the proper pwdPolicy subentry.</t>
1769 <section title="Password Policy and Replication">
1771 <t>{TODO: This section needs to be changed to highlight the pitfalls of
1772 replication, suggest some implementation choices to overcome those
1773 pitfalls, but remove prescriptive language relating to the update of
1774 state information}</t>
1776 <t>The pwdPolicy object defines the password policy for a portion of the
1777 DIT and MUST be replicated on all the replicas of this subtree, as
1778 any subentry would be, in order to have a consistent policy among all
1779 replicated servers.</t>
1781 <t>The elements of the password policy that are related to the users are
1782 stored in the entries themselves as operational attributes. As these
1783 attributes are subject to modifications even on a read-only replica,
1784 replicating them must be carefully considered.</t>
1786 <t>The pwdChangedTime attribute MUST be replicated on all replicas, to
1787 allow expiration of the password.</t>
1789 <t>The pwdReset attribute MUST be replicated on all replicas, to deny
1790 access to operations other than bind and modify password.</t>
1792 <t>The pwdHistory attribute MUST be replicated to writable replicas. It
1793 doesn't have to be replicated to a read-only replica, since the
1794 password will never be directly modified on this server.</t>
1796 <t>The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
1797 attributes SHOULD be replicated to writable replicas, making the
1798 password policy global for all servers. When the user entry is
1799 replicated to a read-only replica, these attributes SHOULD NOT be
1800 replicated. This means that failures and grace authentications are
1801 counted, and locking takes place, independently on each replicated
1802 server. For example, the effective number of failed attempts on a
1803 user password will be N x M (where N is the number of servers and M
1804 the value of the pwdMaxFailure attribute). Replicating these attributes
1805 to a read-only replica MAY reduce the number of tries globally but
1806 MAY also introduce some inconsistencies in the way the password policy
1809 <t>Note: there are some situations where global replication of these
1810 state attributes may not be desired. For example, if two clusters of
1811 replicas are geographically remote and joined by a slow network link,
1812 and their users only login from one of the two locations, it may be
1813 unnecessary to propagate all of the state changes from one cluster
1814 to the other. Servers SHOULD allow administrators to control which
1815 attributes are replicated on a case-by-case basis.</t>
1817 <t>Servers participating in a loosely consistent multi-master
1818 replication agreement SHOULD employ a mechanism which ensures
1819 uniqueness of values when populating the attributes pwdFailureTime
1820 and pwdGraceUseTime. The method of achieving this is a local matter
1821 and may consist of using a single authoritative source for the
1822 generation of unique time values, or may consist of the use of the
1823 fractional seconds part to hold a replica identifier.</t>
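<t>The uniqueness requirement above matters because pwdFailureTime is multi-valued and a multi-valued attribute cannot hold two equal values: failures timestamped identically (same second, whether on one master or on two) collapse into a single value when replication merges the entries, silently raising the effective pwdMaxFailure. The following is an added illustration, not part of this draft or of any server, of the second option the text names (a replica identifier in the fractional seconds); the digit widths and the datetime value are assumed.</t>

```python
from datetime import datetime, timezone

# Added illustration (assumed names and layout, not any LDAP server's code).
# Two loosely consistent masters record failed binds for the same user in
# the same second; pwdFailureTime values merge as a set on replication.


def generalized_time(ts, fraction=""):
    """Encode a UTC datetime as LDAP GeneralizedTime, optionally with a fraction."""
    base = ts.strftime("%Y%m%d%H%M%S")
    return f"{base}.{fraction}Z" if fraction else f"{base}Z"


def naive_failure_time(ts):
    """Whole-second timestamp: two failures in one second produce one value."""
    return generalized_time(ts)


def unique_failure_time(ts, replica_id, seq):
    """Fractional seconds carry the replica id and a per-second sequence number.

    Assumed layout: three digits of replica id followed by three digits of
    sequence, so values from different masters (or the same master) never
    collide within one second.
    """
    return generalized_time(ts, f"{replica_id:03d}{seq:03d}")


def merged_failure_count(values_per_replica):
    """Values of one multi-valued attribute merge as a set when replicas converge."""
    merged = set()
    for values in values_per_replica:
        merged.update(values)
    return len(merged)


def demo():
    """Three real failures in one second: two on master 1, one on master 2."""
    t = datetime(2024, 5, 6, 12, 0, 0, tzinfo=timezone.utc)  # constructed instant
    naive = [[naive_failure_time(t)] * 2, [naive_failure_time(t)]]
    unique = [[unique_failure_time(t, 1, 0), unique_failure_time(t, 1, 1)],
              [unique_failure_time(t, 2, 0)]]
    # naive encoding counts 1 failure after merge, unique encoding counts 3
    return merged_failure_count(naive), merged_failure_count(unique)
```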
1826 <section title="Security Considerations">
1828 <t>This document defines a set of rules to implement in an LDAP server,
1829 in order to mitigate some of the security risks associated with the
1830 use of passwords and to make it difficult for password cracking
1831 programs to break into directories.</t>
1833 <t>Authentication with a password MUST follow the recommendations made
1834 in <xref target="RFC4513"/>.</t>
1836 <t>Modifications of passwords SHOULD only occur when the connection is
1837 protected with confidentiality and secure authentication.</t>
1839 <t>Access controls SHOULD be used to restrict access to the password
1840 policy attributes. The attributes defined to maintain the password
1841 policy state information SHOULD only be modifiable by the password
1842 administrator or higher authority. The pwdHistory attribute MUST be
1843 subject to the same level of access control as the attribute holding
1846 <t>As it is possible to define a password policy for one specific user
1847 by adding a subentry immediately under the user's entry, Access
1848 Controls SHOULD be used to restrict the use of the pwdPolicy object
1849 class or the LDAP subentry object class.</t>
1851 <t>When the intruder detection password policy is enforced, the LDAP
1852 directory is subject to a denial of service attack. A malicious user
1853 could deliberately lock out one specific user's account (or all of
1854 them) by sending bind requests with wrong passwords. There is no way
1855 to protect against this kind of attack. The LDAP directory server
1856 SHOULD log as much information as it can (such as client IP address)
1857 whenever an account is locked, in order to be able to identify the
1858 origin of the attack. Denying anonymous access to the LDAP directory
1859 is also a way to restrict this kind of attack. Using the login
1860 delay instead of the lockout mechanism will also help avoid this
1861 denial of service.</t>
1863 <t>Returning certain status codes (such as passwordPolicyResponse.error
1864 = accountLocked) allows a denial of service attacker to know that it
1865 has successfully denied service to an account. Servers SHOULD
1866 implement additional checks which return the same status when it is
1867 sensed that some number of failed authentication requests has occurred
1868 on a single connection, or from a client address. Server
1869 implementors are encouraged to invent other checks similar to this in
1870 order to thwart this type of DoS attack.</t>
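<t>An added model of the two measures recommended above, written for this section and not taken from any server: the client address is recorded whenever an account is locked, and once a client address has itself produced the failures, further binds from it receive the same status as a wrong password instead of accountLocked, so the attacker cannot confirm from the response that the lockout took effect. Names, thresholds, addresses and credentials are constructed.</t>

```python
import logging
from collections import defaultdict
from datetime import datetime, timezone

# Added model (assumed names, not any LDAP server's code) of the checks the
# Security Considerations recommend against lockout-based denial of service.

PWD_MAX_FAILURE = 3        # pwdMaxFailure from the policy subentry (constructed)
CLIENT_FAILURE_LIMIT = 3   # per-address budget (assumed); at most pwdMaxFailure,
                           # so the address that caused a lock never sees it
INVALID_CREDENTIALS = "invalidCredentials"

log = logging.getLogger("pwdpolicy")


class BindHandler:
    def __init__(self, passwords):
        self.passwords = passwords                  # dn -> password (constructed store)
        self.pwd_failure_time = defaultdict(list)   # dn -> failure timestamps
        self.pwd_account_locked_time = {}           # dn -> lock timestamp
        self.client_failures = defaultdict(int)     # client address -> failures
        self.lock_events = []                       # (dn, client address, time)

    def bind(self, dn, password, client_addr):
        """Return (LDAP resultCode, passwordPolicyResponse.error or None)."""
        now = datetime.now(timezone.utc)
        if self.client_failures[client_addr] >= CLIENT_FAILURE_LIMIT:
            # Address exhausted its budget: answer uniformly and leave account
            # state untouched, so the response carries no lockout signal.
            self.client_failures[client_addr] += 1
            return INVALID_CREDENTIALS, None
        if dn in self.pwd_account_locked_time:
            self.client_failures[client_addr] += 1
            return INVALID_CREDENTIALS, "accountLocked"
        if self.passwords.get(dn) == password:
            self.pwd_failure_time[dn].clear()
            return "success", None
        self.client_failures[client_addr] += 1
        self.pwd_failure_time[dn].append(now)
        if len(self.pwd_failure_time[dn]) >= PWD_MAX_FAILURE:
            # Lock, and record the origin so the attack source can be identified.
            self.pwd_account_locked_time[dn] = now
            self.lock_events.append((dn, client_addr, now))
            log.warning("account %s locked; last failure from %s", dn, client_addr)
        return INVALID_CREDENTIALS, None
```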
1873 <section title="IANA Considerations">
1875 <t>&lt;&lt;&lt;TBD&gt;&gt;&gt;</t>
1877 <section title="Acknowledgement">
1879 <t>This document is based in part on prior work done by Valerie Chu from
1880 Netscape Communications Corp, published as
1881 draft-vchu-ldap-pwd-policy-00.txt (December 1998). Prasanta Behera
1882 participated in early revisions of this document.</t>
1886 <references title="Normative References">
1899 <reference anchor="X.680">
1901 <title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
1903 <organization abbrev="ITU-T">
1904 International Telecommunications Union</organization>
1906 <date month="July" year="2002" />
1908 <seriesInfo name="ITU-T Recommendation" value="X.680" />
1911 <reference anchor="X.690">
1913 <title>Information Technology - ASN.1 encoding rules: Specification of Basic
1914 Encoding Rules (BER), Canonical Encoding Rules (CER) and
1915 Distinguished Encoding Rules (DER)</title>
1917 <organization abbrev="ITU-T">
1918 International Telecommunications Union</organization>
1920 <date month="July" year="2002" />
1922 <seriesInfo name="ITU-T Recommendation" value="X.690" />