2 .\" Copyright 2004-2005 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
4 .TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
6 slapo-ppolicy \- Password Policy overlay
14 is an implementation of the most recent IETF Password
15 Policy proposal for LDAP. When instantiated, it intercepts,
16 decodes and applies specific password policy controls to overall
17 use of a backend database, changes to user password fields, etc.
19 The overlay provides a variety of password control mechanisms. They
20 include password aging--both minimum and maximum ages, password
21 reuse and duplication control, account time-outs, mandatory password
22 resets, acceptable password content, and even grace logins.
23 Different groups of users may be associated with different password
24 policies, and there is no limit to the number of password policies
30 configuration options apply to the ppolicy overlay. They should appear
35 .B ppolicy_default <policyDN>
36 Specify the DN of the pwdPolicy object to use when no specific policy is
37 set on a given user's entry. If there is no specific policy for an entry
38 and no default is given, then no policies will be enforced.
40 .B ppolicy_hash_cleartext
41 Specify that cleartext passwords present in Add and Modify requests should
42 be hashed before being stored in the database. This violates the X.500/LDAP
43 information model, but may be needed to compensate for LDAP clients that
44 don't use the Password Modify extended operation to manage passwords. It
45 is recommended that when this option is used that compare, search, and
46 read access be denied to all directory users.
48 .B ppolicy_use_lockout
49 A client will always receive an LDAP
52 Binding to a locked account. By default, when a Password Policy control
53 was provided on the Bind request, a Password Policy response will be
54 included with no special error code set. This option changes the
55 Password Policy response to include the
60 error code provides useful information
61 to an attacker; sites that are sensitive to security issues should not
67 overlay depends on the
69 object class. The definition of that class is as follows:
72 ( 1.3.6.1.4.1.42.2.27.8.2.1
78 pwdMinAge $ pwdMaxAge $ pwdInHistory $
79 pwdCheckSyntax $ pwdMinLength $
80 pwdExpireWarning $ pwdGraceAuthnLimit $
81 pwdLockout $ pwdLockoutDuration $
82 pwdMaxFailure $ pwdFailureCountInterval $
83 pwdMustChange $ pwdAllowUserChange $
87 This implementation also provides an additional
89 objectclass, used for password quality checking (see below).
92 ( 1.3.6.1.4.1.4754.2.99.1
93 NAME 'pwdPolicyChecker'
96 MAY ( pwdCheckModule ) )
99 Every account that should be subject to password policy control should
103 attribute containing the DN of a valid
105 entry, or they can simply use the configured default.
106 In this way different users may be managed according to
109 .SH OBJECT CLASS ATTRIBUTES
111 Each one of the sections below details the meaning and use of a particular
119 This attribute contains the name of the attribute to which the password
120 policy is applied. For example, the password policy may be applied
125 Note: in this implementation, the only
129 .RI " userPassword ".
132 ( 1.3.6.1.4.1.42.2.27.8.1.1
134 EQUALITY objectIdentifierMatch
135 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
140 This attribute contains the number of seconds that must elapse
141 between modifications allowed to the password. If this attribute
142 is not present, zero seconds is assumed (i.e. the password may be
143 modified whenever and however often is desired).
146 ( 1.3.6.1.4.1.42.2.27.8.1.2
148 EQUALITY integerMatch
149 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
155 This attribute contains the number of seconds after which a modified
156 password will expire. If this attribute is not present, or if its
157 value is zero (0), then passwords will not expire.
160 ( 1.3.6.1.4.1.42.2.27.8.1.3
162 EQUALITY integerMatch
163 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
169 This attribute is used to specify the maximum number of used
170 passwords that will be stored in the
174 attribute is not present, or if its value is
175 zero (0), used passwords will not be stored in
177 and thus any previously-used password may be reused.
180 ( 1.3.6.1.4.1.42.2.27.8.1.4
182 EQUALITY integerMatch
183 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
189 This attribute indicates if and how password syntax will be checked
190 while a password is being modified or added. If this attribute is
191 not present, or its value is zero (0), no syntax checking will be
192 done. If its value is one (1), the server will check the syntax,
193 and if the server is unable to check the syntax,
194 whether due to a client-side hashed password or some other reason,
196 accepted. If its value is two (2), the server will check the syntax,
197 and if the server is unable to check the syntax it will return an
198 error refusing the password.
201 ( 1.3.6.1.4.1.42.2.27.8.1.5
202 NAME 'pwdCheckQuality'
203 EQUALITY integerMatch
204 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
210 When syntax checking is enabled
213 attribute), this attribute contains the minimum
214 number of characters that will be accepted in a password. If this
215 attribute is not present, minimum password length is not
216 enforced. If the server is unable to check the length of the password,
217 whether due to a client-side hashed password or some other reason,
218 the server will, depending on the
221 either accept the password
222 without checking it (if
224 is zero (0) or one (1)) or refuse it (if
229 ( 1.3.6.1.4.1.42.2.27.8.1.6
231 EQUALITY integerMatch
232 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
238 This attribute contains the maximum number of seconds before a
239 password is due to expire that expiration warning messages will be
240 returned to a user who is authenticating to the directory.
241 If this attribute is not
242 present, or if the value is zero (0), no warnings will be sent.
245 ( 1.3.6.1.4.1.42.2.27.8.1.7
246 NAME 'pwdExpireWarning'
247 EQUALITY integerMatch
248 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
252 .B pwdGraceAuthnLimit
254 This attribute contains the number of times that an expired password
255 may be used to authenticate a user to the directory. If this
256 attribute is not present or if its value is zero (0), users with
257 expired passwords will not be allowed to authenticate to the
261 ( 1.3.6.1.4.1.42.2.27.8.1.8
262 NAME 'pwdGraceAuthnLimit'
263 EQUALITY integerMatch
264 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
270 This attribute specifies the action that should be taken
271 by the directory when a user has made a number of failed attempts
272 to authenticate to the directory. If
274 is set (its value is "TRUE"), the user will not be allowed to
275 attempt to authenticate to the directory after there have been a
276 specified number of consecutive failed bind attempts. The maximum
277 number of consecutive failed bind attempts allowed is specified by
282 is not present, or if its value is "FALSE", the password may be
283 used to authenticate no matter how many consecutive failed bind
284 attempts have been made.
287 ( 1.3.6.1.4.1.42.2.27.8.1.9
289 EQUALITY booleanMatch
290 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
294 .B pwdLockoutDuration
296 This attribute contains the number of seconds during
297 which the password cannot be used to authenticate the
298 user to the directory due to too many consecutive failed
305 .B pwdLockoutDuration
306 is not present, or if its value is zero (0), the password
307 cannot be used to authenticate the user to the directory
308 again until it is reset by an administrator.
311 ( 1.3.6.1.4.1.42.2.27.8.1.10
312 NAME 'pwdLockoutDuration'
313 EQUALITY integerMatch
314 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
320 This attribute contains the number of consecutive failed bind
321 attempts after which the password may not be used to authenticate
322 a user to the directory.
325 is not present, or its value is zero (0), then a user will
326 be allowed to continue to attempt to authenticate to
327 the directory, no matter how many consecutive failed
328 bind attempts have occurred with that user's DN.
332 .BR pwdLockoutDuration .)
335 ( 1.3.6.1.4.1.42.2.27.8.1.11
337 EQUALITY integerMatch
338 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
342 .B pwdFailureCountInterval
344 This attribute contains the number of seconds after which old
345 consecutive failed bind attempts are purged from the failure counter,
346 even though no successful authentication has occurred.
348 .B pwdFailureCountInterval
349 is not present, or its value is zero (0), the failure
350 counter will only be reset by a successful authentication.
353 ( 1.3.6.1.4.1.42.2.27.8.1.12
354 NAME 'pwdFailureCountInterval'
355 EQUALITY integerMatch
356 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
362 This attribute specifies whether users must change their passwords
363 when they first bind to the directory after a password is set or
364 reset by the administrator, or not. If
366 has a value of "TRUE", users must change their passwords when they
367 first bind to the directory after a password is set or reset by
368 the administrator. If
370 is not present, or its value is "FALSE",
371 users are not required to change their password upon binding after
372 the administrator sets or resets the password.
375 ( 1.3.6.1.4.1.42.2.27.8.1.13
377 EQUALITY booleanMatch
378 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
382 .B pwdAllowUserChange
384 This attribute specifies whether users are allowed to change their own
386 .B pwdAllowUserChange
387 is set to "TRUE", or if the attribute is not present, users will be
388 allowed to change their own passwords. If its value is "FALSE",
389 users will not be allowed to change their own passwords.
392 ( 1.3.6.1.4.1.42.2.27.8.1.14
393 NAME 'pwdAllowUserChange'
394 EQUALITY booleanMatch
395 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
401 This attribute denotes whether the user's existing password must be sent
402 along with their new password when changing a password. If
404 is set to "TRUE", the existing password must be sent
405 along with the new password. If the attribute is not present, or
406 its value is "FALSE", the existing password need not be sent
407 along with the new password.
410 ( 1.3.6.1.4.1.42.2.27.8.1.15
412 EQUALITY booleanMatch
413 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
419 This attribute names a user-defined loadable module that must
420 instantiate the check_password() function. This function
421 will be called to further check a new password if
423 is set to one (1) or two (2),
424 after all of the built-in password compliance checks have
425 been passed. This function will be called according to this
430 (char *pPasswd, char **ppErrStr, Entry *pEntry);
434 parameter contains the clear-text user password, the
436 parameter contains a double pointer that allows the function
437 to return human-readable details about any error it encounters.
440 parameter, if non-NULL, carries a pointer to the
441 entry whose password is being checked.
446 must NOT attempt to use it/them.
447 A return value of LDAP_SUCCESS from the called
448 function indicates that the password is ok, any other value
449 indicates that the password is unacceptable. If the password is
450 unacceptable, the server will return an error to the client, and
452 may be used to return a human-readable textual explanation of the
453 error. The error string must be dynamically allocated as it will
454 be free()'d by slapd.
457 ( 1.3.6.1.4.1.4754.1.99.1
458 NAME 'pwdCheckModule'
459 EQUALITY caseExactIA5Match
460 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
465 The user-defined loadable module named by
469 standard executable search PATH.
473 is a non-standard extension to the LDAP password
476 .SH OPERATIONAL ATTRIBUTES
478 The operational attributes used by the
480 module are stored in the user's entry. Most of these attributes
481 are not intended to be changed directly by users; they are there
482 to track user activity. They have been detailed here so that
483 administrators and users can both understand the workings of
492 attribute is not strictly part of the
494 module. It is, however, the attribute that is tracked and controlled
495 by the module. Please refer to the standard OpenLDAP schema for
500 This attribute refers directly to the
502 subentry that is to be used for this particular directory user.
505 exists, it must contain the DN of a valid
507 object. If it does not exist, the
509 module will enforce the default password policy rules on the
510 user associated with this authenticating DN. If there is no
511 default, or the referenced subentry does not exist, then no
512 policy rules will be enforced.
515 ( 1.3.6.1.4.1.42.2.27.8.1.23
516 NAME 'pwdPolicySubentry'
517 DESC 'The pwdPolicy subentry in effect for
519 EQUALITY distinguishedNameMatch
520 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
523 USAGE directoryOperation)
528 This attribute denotes the last time that the entry's password was
529 changed. This value is used by the password expiration policy to
530 determine whether the password is too old to be allowed to be used
531 for user authentication. If
533 does not exist, the user's password will not expire.
536 ( 1.3.6.1.4.1.42.2.27.8.1.16
537 NAME 'pwdChangedTime'
538 DESC 'The time the password was last changed'
539 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
540 EQUALITY generalizedTimeMatch
541 ORDERING generalizedTimeOrderingMatch
544 USAGE directoryOperation)
547 .B pwdAccountLockedTime
549 This attribute contains the time that the user's account was locked.
550 If the account has been locked, the password may no longer be used to
551 authenticate the user to the directory. If
552 .B pwdAccountLockedTime
553 is set to zero (0), the user's account has been permanently locked
554 and may only be unlocked by an administrator.
557 ( 1.3.6.1.4.1.42.2.27.8.1.17
558 NAME 'pwdAccountLockedTime'
559 DESC 'The time an user account was locked'
560 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
561 EQUALITY generalizedTimeMatch
562 ORDERING generalizedTimeOrderingMatch
565 USAGE directoryOperation)
570 This attribute contains the timestamps of each of the consecutive
571 authentication failures made upon attempted authentication to this
572 DN (i.e. account). If too many timestamps accumulate here (refer to
575 password policy attribute for details),
578 password policy attribute is set to "TRUE", the
579 account may be locked.
580 (Please also refer to the
582 password policy attribute.)
583 Excess timestamps beyond those allowed by
585 may also be purged. If a successful authentication is made to this
586 DN (i.e. to this user account), then
588 will be cleansed of entries.
591 ( 1.3.6.1.4.1.42.2.27.8.1.19
592 NAME 'pwdFailureTime'
593 DESC 'The timestamps of the last consecutive
594 authentication failures'
595 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
596 EQUALITY generalizedTimeMatch
597 ORDERING generalizedTimeOrderingMatch
599 USAGE directoryOperation )
604 This attribute contains the history of previously used passwords
605 for this DN (i.e. for this user account).
606 The values of this attribute are stored in string format as follows:
612 time "#" syntaxOID "#" length "#" data
617 generalizedTimeString as specified in section 6.14 of [RFC2252]
621 syntaxOID = numericoid
623 This is the string representation of the dotted-decimal OID that
624 defines the syntax used to store the password. numericoid is
625 described in section 4.1 of [RFC2252].
628 length = numericstring
630 The number of octets in the data. numericstring is described in
631 section 4.1 of [RFC2252].
636 Octets representing the password in the format specified by syntaxOID.
641 This format allows the server to store and transmit a history of
642 passwords that have been used. In order for equality matching
643 on the values in this attribute to function properly, the time
644 field is in GMT format.
647 ( 1.3.6.1.4.1.42.2.27.8.1.20
649 DESC 'The history of user passwords'
650 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
651 EQUALITY octetStringMatch
653 USAGE directoryOperation)
657 This attribute contains the list of timestamps of logins made after
658 the user password in the DN has expired. These post-expiration
660 .RI " "grace logins" ."
663 have been used (please refer to the
664 .B pwdGraceLoginLimit
665 password policy attribute), then the DN will no longer be allowed
666 to be used to authenticate the user to the directory until the
667 administrator changes the DN's
672 ( 1.3.6.1.4.1.42.2.27.8.1.21
673 NAME 'pwdGraceUseTime'
674 DESC 'The timestamps of the grace login once the password has expired'
675 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
676 EQUALITY generalizedTimeMatch
678 USAGE directoryOperation)
683 This attribute indicates whether the user's password has been reset
684 by the administrator and thus must be changed upon first use of this
685 DN for authentication to the directory. If
687 is set to "TRUE", then the password was reset and the user must change
688 it upon first authentication. If the attribute does not exist, or
689 is set to "FALSE", the user need not change their password due to
690 administrative reset.
693 ( 1.3.6.1.4.1.42.2.27.8.1.22
695 DESC 'The indication that the password has
697 EQUALITY booleanMatch
698 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
700 USAGE directoryOperation)
708 suffix dc=example,dc=com
711 ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
719 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
721 IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
722 Sermersheim: documented in IETF document
723 "draft-behera-ldap-password-policy-09.txt".
726 The LDAP Password Policy specification is not yet an approved standard,
727 and it is still evolving. This code will continue to be in flux until the
728 specification is finalized.
732 This module was written in 2004 by Howard Chu of Symas Corporation
733 with significant input from Neil Dunbar and Kartik Subbarao of Hewlett-Packard.
735 This manual page borrows heavily and shamelessly from the specification
736 upon which the password policy module it describes is based. This
738 IETF LDAP password policy proposal by P. Behera, L.
739 Poitou and J. Sermersheim.
740 The proposal is fully documented in
742 IETF document named draft-behera-ldap-password-policy-09.txt,
743 written in July of 2005.
746 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
748 is derived from University of Michigan LDAP 3.3 Release.