INTERNET-DRAFT                                          Kurt D. Zeilenga
Intended Category: Standard Track                    OpenLDAP Foundation
Expires: 13 December 2000                                   13 June 2000

                 LDAP Password Modify Extended Operation
               <draft-zeilenga-ldap-passwd-exop-03.txt>
1. Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

This document is intended to be, after appropriate review and
revision, submitted to the RFC Editor as a Standard Track document.
Distribution of this memo is unlimited. Technical discussion of this
document will take place on the IETF LDAP Extension Working Group
mailing list <ietf-ldapext@netscape.com>. Please send editorial
comments directly to the author <Kurt@OpenLDAP.org>.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft
Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright 2000, The Internet Society. All Rights Reserved.

Please see the Copyright section near the end of this document for
The integration of LDAP [RFC2251] and external authentication services
has introduced non-DN authentication identities and allowed for
non-directory storage of passwords. As such, mechanisms which update
the directory, such as the Modify operation, cannot be used to change a
user's password. This document describes an LDAP extended operation
to allow modification of user passwords which is not dependent
upon the form of the authentication identity nor the password storage
INTERNET-DRAFT        draft-zeilenga-ldap-passwd-exop-03        13 June 2000

The key words ``MUST'', ``MUST NOT'', ``REQUIRED'', ``SHALL'', ``SHALL
NOT'', ``SHOULD'', ``SHOULD NOT'', ``RECOMMENDED'', and ``MAY'' in
this document are to be interpreted as described in RFC 2119
3. Background and Intent of Use

Lightweight Directory Access Protocol (LDAP) [RFC2251] is designed to
support a number of authentication mechanisms including simple user
name/password pairs. Traditionally LDAP users were identified by the
Distinguished Name [RFC2253] of a directory entry and this entry
contained a userPassword [RFC2256] attribute containing one or more
The protocol does not mandate that passwords associated with a user be
stored in the directory server. The server may use any attribute
suitable for password storage, such as userPassword or authPassword
[AuthPasswd], or use non-directory storage.

The integration of application neutral SASL [RFC2222] services which
support simple username/password mechanisms (such as DIGEST-MD5) has
introduced non-LDAP DN authentication identity forms and made storage
of passwords the responsibility of the SASL service provider.
LDAP update operations are designed to act upon attributes of an entry
within the directory. LDAP update operations cannot be used to modify
a user's password when the user is not represented by a DN, does not
have an entry, or when the password used by the server is not stored
as an attribute of an entry. An alternative mechanism is needed.

This document describes an LDAP Extended Operation intended to
allow directory clients to update user passwords. The user may or may
not be associated with a directory entry. The user may or may not
be represented as an LDAP DN. The user's password may or may not be
stored in the directory.

The operation SHOULD NOT be used without adequate security protection
as the operation affords no privacy or integrity protection itself. This
operation SHOULD NOT be used by "anonymous" clients.
4. Password Modify Request and Response

The Password Modify operation is an LDAPv3 Extended Operation
[RFC2251, Section 4.12] and is identified by the OBJECT IDENTIFIER
passwdModifyOID. This section details the syntax of the protocol
request and response.

    passwdModifyOID OBJECT IDENTIFIER ::= 1.3.6.1.4.1.4203.666.6.1

[Editor's Note: this OID is temporary. A permanent OID
will be assigned to this object before this document is
progressed as an RFC.]
    PasswdModifyRequestValue ::= SEQUENCE {
        userIdentity    [0]  OCTET STRING OPTIONAL
        oldPasswd       [1]  OCTET STRING OPTIONAL
        newPasswd       [2]  OCTET STRING OPTIONAL }

    PasswdModifyResponseValue ::= SEQUENCE {
        genPasswd       [0]  OCTET STRING OPTIONAL }
4.1. Password Modify Request

A Password Modify request is an ExtendedRequest with the requestName
field containing the passwdModifyOID OID and optionally provides a
requestValue field. If the requestValue field is provided, it SHALL
contain a PasswdModifyRequestValue with one or more fields present.

The userIdentity field, if present, SHALL contain an octet string
representation of the user associated with the request. This string
may or may not be an LDAPDN [RFC2253]. If no userIdentity field is
present, the request acts upon the password of the user currently
associated with the LDAP session.

The oldPasswd field, if present, SHALL contain the user's current

The newPasswd field, if present, SHALL contain the desired password
4.2. Password Modify Response

A Password Modify response is an ExtendedResponse where the
responseName field is absent and the response field is optional. The
response field, if present, SHALL contain a PasswdModifyResponseValue
with the genPasswd field present.

The genPasswd field, if present, SHALL contain a generated password
If a resultCode other than success (0) is indicated in the response,
the response field MUST be absent.
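The following is an added example, not part of the draft and not code from OpenLDAP or any other LDAP implementation: a small BER encoder and decoder for the PasswdModifyRequestValue and PasswdModifyResponseValue defined in section 4. It assumes that the context-specific tags [0], [1] and [2] are IMPLICIT, as in the LDAP ASN.1 module of RFC 2251, so that each field is a primitive element tagged 0x80, 0x81 or 0x82 carrying the raw octets inside a universal SEQUENCE (0x30). It also enforces the two rules from sections 4.1 and 4.2: a request value carries at least one field, and a response value carries genPasswd.

```python
# Added example (not from the draft or any LDAP implementation): BER
# encoding/decoding of PasswdModifyRequestValue and PasswdModifyResponseValue.
# Assumption: IMPLICIT context tags, as in the RFC 2251 LDAP module, so the
# fields are primitive elements tagged 0x80/0x81/0x82 inside SEQUENCE (0x30).

REQUEST_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
RESPONSE_TAGS = {0x80: "genPasswd"}


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_request(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """Build a PasswdModifyRequestValue; every field is OPTIONAL (section 4.1)."""
    fields = b""
    if user_identity is not None:
        fields += _tlv(0x80, user_identity.encode("utf-8"))
    if old_passwd is not None:
        fields += _tlv(0x81, old_passwd.encode("utf-8"))
    if new_passwd is not None:
        fields += _tlv(0x82, new_passwd.encode("utf-8"))
    if not fields:
        # A value with no fields is not allowed; omit the requestValue instead.
        raise ValueError("at least one field must be present (section 4.1)")
    return _tlv(0x30, fields)


def encode_response(gen_passwd: str) -> bytes:
    """Build a PasswdModifyResponseValue carrying the generated password."""
    return _tlv(0x30, _tlv(0x80, gen_passwd.encode("utf-8")))


def _read_tlv(buf: bytes, pos: int):
    """Read the element at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element value runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_sequence(buf: bytes, allowed: dict) -> dict:
    """Decode a SEQUENCE of optional, implicitly tagged OCTET STRING fields."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        t, value, pos = _read_tlv(body, pos)
        name = allowed.get(t)
        if name is None:
            # Section 5: a field the server does not recognise means no change.
            raise ValueError(f"unrecognised field tag 0x{t:02x}")
        if name in fields:
            raise ValueError(f"duplicate field {name}")
        fields[name] = value  # kept as bytes: userIdentity need not be text
    return fields


def decode_request(buf: bytes) -> dict:
    """Parse a PasswdModifyRequestValue into a dict of bytes values."""
    fields = _decode_sequence(buf, REQUEST_TAGS)
    if not fields:
        raise ValueError("requestValue present but carries no field (section 4.1)")
    return fields


def decode_response(buf: bytes) -> dict:
    """Parse a PasswdModifyResponseValue; genPasswd is required when present."""
    fields = _decode_sequence(buf, RESPONSE_TAGS)
    if "genPasswd" not in fields:
        raise ValueError("response value must carry genPasswd (section 4.2)")
    return fields
```

A request that only sets a new password for the bound user encodes as `30 05 82 03 6e 65 77` for the value `new`; a decoder that rejects unknown or duplicate tags gives the server a clean place to apply the section 5 rule that unrecognised fields must leave the password untouched.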
5. Operation Requirements

Clients SHOULD NOT submit a Password Modification request without
ensuring adequate security safeguards are in place. Servers SHOULD
return a non-success resultCode if sufficient security protections are

Servers SHOULD indicate their support for this extended operation by
providing passwdModifyOID as a value of the supportedExtension
attribute type in their root DSE. Clients SHOULD verify the server
implements this extended operation prior to attempting the operation
by asserting the supportedExtension attribute contains a value of

The server SHALL only return success upon successfully changing the
user's password. The server SHALL leave the password unmodified and
return a non-success resultCode otherwise.

If the server does not recognize provided fields or does not support
the combination of fields provided, it SHALL NOT change the user

If the provided oldPasswd value cannot be verified or is incorrect,
the server SHALL NOT change the user password.

The server SHALL NOT generate a password on behalf of the client if
the client has provided a newPasswd. In the absence of a client
provided newPasswd, the server SHALL either generate a password on
behalf of the client or return a non-success result code. The server
MUST provide the generated password upon success as the value of the

The server MAY return adminLimitExceeded, busy,
confidentialityRequired, operationsError, unavailable,
unwillingToPerform, or other non-success resultCode as appropriate to
indicate that it was unable to successfully complete the operation.

Servers MAY implement administrative policies which restrict this
6. Other requirements

A server which supports this operation SHOULD provide a
supportedExtension attribute in the Root DSE which contains as one of
its values the passwdModifyOID OID. A server MAY advertise the
extension only when the client is authorized and/or has established
the necessary security protections to use this operation. Clients
SHOULD verify the server has advertised the extension before
attempting the operation.
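As an added example, not taken from the draft and not the code of any LDAP server, the following sketches how a server could apply the rules of section 5 to a decoded request, together with the section 6 client-side check of the Root DSE. The resultCode numbers are those defined in RFC 2251; which code is returned in each case, the rule that a user changing their own password must supply oldPasswd, the `is_admin` flag standing in for an administrative policy, and the in-memory password store are all assumptions made for this example.

```python
# Added example (not from the draft or any LDAP server): server-side
# processing of a Password Modify request per section 5, and the client
# check of supportedExtension per section 6. Result-code numbers are from
# RFC 2251; the policy choices and the password store are assumptions.
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.666.6.1"  # temporary OID from section 4

# LDAP resultCode values (RFC 2251)
SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


@dataclass
class Session:
    bound_identity: Optional[str]  # None means the client is anonymous
    confidential: bool             # True once e.g. TLS protects the session
    is_admin: bool = False         # stands in for an administrative policy


@dataclass
class PasswordStore:
    """Constructed in-memory store; a real server would keep password hashes."""
    passwords: dict = field(default_factory=dict)

    def known(self, ident: str) -> bool:
        return ident in self.passwords

    def verify(self, ident: str, passwd: str) -> bool:
        stored = self.passwords.get(ident)
        return stored is not None and hmac.compare_digest(stored.encode(), passwd.encode())

    def set(self, ident: str, passwd: str) -> None:
        self.passwords[ident] = passwd


def generate_password(length: int = 16) -> str:
    """Server-generated password, used only when the client supplied none."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def handle_passwd_modify(session: Session, store: PasswordStore, req: dict):
    """req holds optional 'userIdentity', 'oldPasswd' and 'newPasswd' strings.
    Returns (resultCode, genPasswd). The stored password changes only when
    SUCCESS is returned; genPasswd is non-None only if the server generated it."""
    if not session.confidential:                         # section 5: no protection, refuse
        return CONFIDENTIALITY_REQUIRED, None
    if session.bound_identity is None:                   # section 3: no anonymous use
        return UNWILLING_TO_PERFORM, None
    if set(req) - {"userIdentity", "oldPasswd", "newPasswd"}:
        return UNWILLING_TO_PERFORM, None                # unrecognised field: no change
    target = req.get("userIdentity", session.bound_identity)
    if target != session.bound_identity and not session.is_admin:
        return UNWILLING_TO_PERFORM, None                # administrative policy
    if not store.known(target):
        return UNWILLING_TO_PERFORM, None
    if not session.is_admin and "oldPasswd" not in req:
        return UNWILLING_TO_PERFORM, None                # self-change must prove the old one
    if "oldPasswd" in req and not store.verify(target, req["oldPasswd"]):
        return INVALID_CREDENTIALS, None                 # password left unmodified
    if "newPasswd" in req:
        new_passwd, gen_passwd = req["newPasswd"], None  # never generate when one was supplied
    else:
        new_passwd = gen_passwd = generate_password()    # generate, and return it on success
    store.set(target, new_passwd)
    return SUCCESS, gen_passwd


def server_supports_passwd_modify(root_dse: dict) -> bool:
    """Section 6: the client checks the Root DSE before attempting the operation."""
    return PASSWD_MODIFY_OID in root_dse.get("supportedExtension", [])
```

The order of the checks matters: protection and authorization are tested before the old password is examined, and every early return leaves the store untouched, which is the invariant section 5 requires.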
7. Security Considerations

This operation is used to modify user passwords. The operation itself
does not provide any security protection to ensure integrity and/or
confidentiality of the information. Use of this operation is strongly
discouraged when privacy protections are not in place to guarantee
confidentiality and may result in the disclosure of the password to
unauthorized parties.
Copyright 2000, The Internet Society. All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be followed,
or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
[RFC2119]    S. Bradner, "Key words for use in RFCs to Indicate
             Requirement Levels", RFC 2119, March 1997.

[RFC2222]    J. Myers, "Simple Authentication and Security
             Layer (SASL)", RFC 2222, October 1997.

[RFC2251]    M. Wahl, T. Howes, S. Kille, "Lightweight
             Directory Access Protocol (v3)", RFC 2251,

[RFC2252]    M. Wahl, A. Coulbeck, T. Howes, S. Kille,
             "Lightweight Directory Access Protocol (v3):
             Attribute Syntax Definitions", RFC 2252,

[RFC2253]    M. Wahl, S. Kille, T. Howes, "Lightweight
             Directory Access Protocol (v3): UTF-8 String
             Representation of Distinguished Names", RFC 2253,

[RFC2256]    M. Wahl, "A Summary of the X.500(96) User Schema
             for use with LDAPv3", RFC 2256, December 1997.

[AuthPasswd] K. Zeilenga, "LDAP Authentication Password
             Attribute", draft-zeilenga-ldap-authpasswd-xx.txt,
This document borrows from a number of IETF documents and is based
upon input from the IETF LDAPext working group.