## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
##
## Portions Copyright (C) The Internet Society (2004). All Rights Reserved.
## Please see full copyright statement below.
# Definitions from Draft behera-ldap-password-policy-07
# Password Policy for LDAP Directories
#
# With extensions from Hewlett-Packard:
#
# Internet-Draft                                            P. Behera
# draft behera-ldap-password-policy-07.txt                   L. Poitou
# Intended Category: Proposed Standard                  Sun Microsystems
# Expires: August 2004                                    J. Sermersheim
#
#                  Password Policy for LDAP Directories
#
# Status of this Memo
#
# This document is an Internet-Draft and is in full conformance with
# all provisions of Section 10 of RFC 2026.
#
# Internet-Drafts are working documents of the Internet Engineering
# Task Force (IETF), its areas, and its working groups. Note that
# other groups may also distribute working documents as Internet-
#
# Internet-Drafts are draft documents valid for a maximum of six
# months and may be updated, replaced, or obsoleted by other documents
# at any time. It is inappropriate to use Internet-Drafts as
# reference material or to cite them other than as "work in progress."
#
# The list of current Internet-Drafts can be accessed at
# http://www.ietf.org/ietf/1id-abstracts.txt
#
# The list of Internet-Draft Shadow Directories can be accessed at
# http://www.ietf.org/shadow.html.
#
# Technical discussions of this draft are held on the LDAPEXT Working
# Group mailing list at ietf-ldapext@netscape.com. Editorial comments
# may be sent to the authors listed in Section 13.
#
# Copyright (C) The Internet Society (2004). All Rights Reserved.
#
# Please see the Copyright Section near the end of this document for
# Password policy as described in this document is a set of rules that
# controls how passwords are used and administered in LDAP
# directories. In order to improve the security of LDAP directories
# and make it difficult for password cracking programs to break into
# directories, it is desirable to enforce a set of rules on password
# usage. These rules are made to ensure that users change their
# passwords periodically, passwords meet construction requirements,
# the re-use of old passwords is restricted, and users are locked out
# after a certain number of failed attempts.
# 4.2. Attribute Types used in the pwdPolicy ObjectClass
#
# Following are the attribute types used by the pwdPolicy object
#
# 4.2.1. pwdAttribute
#
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
	NAME 'pwdAttribute'
	EQUALITY objectIdentifierMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
# 4.2.2. pwdMinAge
#
# This attribute holds the number of seconds that must elapse between
# modifications to the password. If this attribute is not present, 0
# seconds is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
	NAME 'pwdMinAge'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.3. pwdMaxAge
#
# This attribute holds the number of seconds after which a modified
# password will expire.
#
# If this attribute is not present, or if the value is 0, the password
# does not expire. If not 0, the value must be greater than or equal
# to the value of pwdMinAge.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
	NAME 'pwdMaxAge'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.4. pwdInHistory
#
# This attribute specifies the maximum number of used passwords stored
# in the pwdHistory attribute.
#
# If this attribute is not present, or if the value is 0, used
# passwords are not stored in the pwdHistory attribute and thus may be

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
	NAME 'pwdInHistory'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.5. pwdCheckQuality
#
# This attribute indicates how the password quality will be verified
# while being modified or added. If this attribute is not present, or
# if the value is '0', quality checking will not be enforced. A value
# of '1' indicates that the server will check the quality, and if the
# server is unable to check it (due to a hashed password or other
# reasons) it will be accepted. A value of '2' indicates that the
# server will check the quality, and if the server is unable to verify
# it, it will return an error refusing the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
	NAME 'pwdCheckQuality'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.6. pwdMinLength
#
# When quality checking is enabled, this attribute holds the minimum
# number of characters that must be used in a password. If this
# attribute is not present, no minimum password length will be
# enforced. If the server is unable to check the length (due to a
# hashed password or otherwise), the server will, depending on the
# value of the pwdCheckQuality attribute, either accept the password
# without checking it ('0' or '1') or refuse it ('2').

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
	NAME 'pwdMinLength'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.7. pwdExpireWarning
#
# This attribute specifies the maximum number of seconds before a
# password is due to expire that expiration warning messages will be
# returned to an authenticating user. If this attribute is not
# present, or if the value is 0, no warnings will be sent. If not 0,
# the value must be smaller than the value of the pwdMaxAge attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
	NAME 'pwdExpireWarning'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.8. pwdGraceLoginLimit
#
# This attribute specifies the number of times an expired password can
# be used to authenticate. If this attribute is not present or if the
# value is 0, authentication will fail.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
	NAME 'pwdGraceLoginLimit'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
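# The following is an added example, not part of ppolicy.schema or of slapd:
# it works through how pwdMaxAge, pwdExpireWarning and pwdGraceLoginLimit
# (sections 4.2.3, 4.2.7 and 4.2.8) combine with the per-user state
# attributes pwdChangedTime and pwdGraceUseTime at bind time. The dict
# layout and the function names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Added example (not ppolicy.schema or slapd code). Policy and user state
# are plain dicts keyed by the schema's attribute names; timestamps are
# the GMT GeneralizedTime strings the state attributes use.

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

def parse_gt(value):
    """Parse a GMT GeneralizedTime such as 20000103121520Z."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)

def evaluate_expiry(policy, state, now):
    """Return (bind_allowed, warn_seconds, grace_logins_left).

    warn_seconds is None unless the bind falls inside the pwdExpireWarning
    window; grace_logins_left is None unless the password has already
    expired and this bind consumes one of the grace logins."""
    max_age = policy.get("pwdMaxAge", 0)
    changed = state.get("pwdChangedTime")
    # pwdMaxAge 0/absent, or no pwdChangedTime: the password never expires.
    if not max_age or changed is None:
        return (True, None, None)
    expires_at = parse_gt(changed) + timedelta(seconds=max_age)
    remaining = int((expires_at - now).total_seconds())
    if remaining > 0:
        warn = policy.get("pwdExpireWarning", 0)
        # Warn only when pwdExpireWarning is set and its window has begun.
        return (True, remaining if warn and remaining <= warn else None, None)
    # Expired: each further bind consumes one of pwdGraceLoginLimit logins;
    # pwdGraceUseTime holds one value per grace login already used.
    limit = policy.get("pwdGraceLoginLimit", 0)
    used = len(state.get("pwdGraceUseTime", []))
    if used < limit:
        return (True, None, limit - used - 1)
    return (False, None, 0)   # 0/absent limit, or all grace logins spent

if __name__ == "__main__":
    # Constructed sample: 30-day maximum age, 3-day warning, 2 grace logins.
    policy = {"pwdMaxAge": 30 * 86400, "pwdExpireWarning": 3 * 86400,
              "pwdGraceLoginLimit": 2}
    state = {"pwdChangedTime": "20040501000000Z"}
    print(evaluate_expiry(policy, state, parse_gt("20040529120000Z")))
```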
# 4.2.9. pwdLockout
#
# This attribute indicates, when its value is "TRUE", that the
# password may not be used to authenticate after a specified number of
# consecutive failed bind attempts. The maximum number of consecutive
# failed bind attempts is specified in pwdMaxFailure.
#
# If this attribute is not present, or if the value is "FALSE", the
# password may be used to authenticate when the number of failed bind
# attempts has been reached.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
	NAME 'pwdLockout'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )
# 4.2.10. pwdLockoutDuration
#
# This attribute holds the number of seconds that the password cannot
# be used to authenticate due to too many failed bind attempts. If
# this attribute is not present, or if the value is 0, the password
# cannot be used to authenticate until reset by an administrator.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
	NAME 'pwdLockoutDuration'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.11. pwdMaxFailure
#
# This attribute specifies the number of consecutive failed bind
# attempts after which the password may not be used to authenticate.
# If this attribute is not present, or if the value is 0, this policy
# is not checked, and the value of pwdLockout will be ignored.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
	NAME 'pwdMaxFailure'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
# 4.2.12. pwdFailureCountInterval
#
# This attribute holds the number of seconds after which the password
# failures are purged from the failure counter, even though no
# successful authentication occurred.
#
# If this attribute is not present, or if its value is 0, the failure
# counter is only reset by a successful authentication.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
	NAME 'pwdFailureCountInterval'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )
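# The following is an added example, not part of ppolicy.schema or of slapd:
# it works through the lockout rules of pwdLockout, pwdLockoutDuration,
# pwdMaxFailure and pwdFailureCountInterval (sections 4.2.9 to 4.2.12)
# against the per-user state attributes pwdFailureTime and
# pwdAccountLockedTime. The dict layout, the function names and the
# treatment of an elapsed lock are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Added example (not ppolicy.schema or slapd code). Policy and user state
# are plain dicts keyed by the schema's attribute names; timestamps are
# GMT GeneralizedTime strings as used by the state attributes.

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

def parse_gt(value):
    """Parse a GMT GeneralizedTime such as 20000103121520Z."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)

def counted_failures(policy, state, now):
    """pwdFailureTime values that still count: those newer than
    pwdFailureCountInterval seconds ago (0/absent: nothing is purged)."""
    failures = [parse_gt(t) for t in state.get("pwdFailureTime", [])]
    interval = policy.get("pwdFailureCountInterval", 0)
    if interval:
        cutoff = now - timedelta(seconds=interval)
        failures = [t for t in failures if t > cutoff]
    return failures

def is_locked_out(policy, state, now):
    """Return (locked, reason) for a bind attempt at `now`."""
    max_failure = policy.get("pwdMaxFailure", 0)
    # pwdMaxFailure 0/absent: this policy is not checked and pwdLockout is
    # ignored; pwdLockout FALSE/absent: failures never block the password.
    if not max_failure or not policy.get("pwdLockout", False):
        return (False, "lockout policy not in effect")
    locked_at = state.get("pwdAccountLockedTime")
    if locked_at is not None:
        duration = policy.get("pwdLockoutDuration", 0)
        # A 0 lock time, or a 0/absent pwdLockoutDuration, means the lock
        # holds until an administrator resets it.
        if locked_at == "0" or not duration:
            return (True, "locked until reset by an administrator")
        if now < parse_gt(locked_at) + timedelta(seconds=duration):
            return (True, "pwdLockoutDuration has not elapsed")
        # Assumption of this example: an elapsed lock also discards the
        # failures that caused it, so they are not counted a second time.
        return (False, "lockout expired")
    if len(counted_failures(policy, state, now)) >= max_failure:
        return (True, "pwdMaxFailure consecutive failures reached")
    return (False, "ok")

if __name__ == "__main__":
    # Constructed sample: lock after 3 failures within 10 min, for 15 min.
    policy = {"pwdLockout": True, "pwdMaxFailure": 3,
              "pwdFailureCountInterval": 600, "pwdLockoutDuration": 900}
    state = {"pwdFailureTime": ["20040601115100Z", "20040601115500Z",
                                "20040601115900Z"]}
    print(is_locked_out(policy, state, parse_gt("20040601120000Z")))
```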
# 4.2.13. pwdMustChange
#
# This attribute specifies with a value of "TRUE" that users must
# change their passwords when they first bind to the directory after a
# password is set or reset by the administrator. If this attribute is
# not present, or if the value is "FALSE", users are not required to
# change their password upon binding after the administrator sets or
# resets the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
	NAME 'pwdMustChange'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )
# 4.2.14. pwdAllowUserChange
#
# This attribute indicates whether users can change their own
# passwords, although the change operation is still subject to access
# control. If this attribute is not present, a value of "TRUE" is

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
	NAME 'pwdAllowUserChange'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )
# 4.2.15. pwdSafeModify
#
# This attribute specifies whether or not the existing password must
# be sent when changing a password. If this attribute is not present,
# a "FALSE" value is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
	NAME 'pwdSafeModify'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )
# This attribute names a user-defined loadable module that provides
# a check_password() function. If pwdCheckQuality is set to '1' or '2'
# this function will be called after all of the internal password
# quality checks have been passed. The function has this prototype:
#
# int check_password( char *password, char **errormessage, void *arg )
#
# The function should return LDAP_SUCCESS for a valid password.

attributetype ( 1.3.6.1.4.1.4754.1.99.1
	NAME 'pwdCheckModule'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	DESC 'Loadable module that instantiates the check_password() function'
	SINGLE-VALUE )
# 4.1. The pwdPolicy Object Class
#
# This object class contains the attributes defining a password policy
# in effect for a set of users. Section 8 describes the administration
# of this object, and the relationship between it and particular

objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
	NAME 'pwdPolicy'
	SUP top
	AUXILIARY
	MUST ( pwdAttribute )
	MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
	pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout
	$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
	pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
	NAME 'pwdPolicyChecker'
	SUP top
	AUXILIARY
	MAY ( pwdCheckModule ) )
# 4.3. Attribute Types for Password Policy State Information
#
# Password policy state information must be maintained for each user.
# The information is located in each user entry as a set of
# operational attributes. These operational attributes are:
# pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned,
# pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset,
#
# 4.3.1. Password Policy State Attribute Option
#
# Since the password policy could apply to several attributes used to
# store passwords, each of the above operational attributes must have
# an option to specify which pwdAttribute it applies to.
# The password policy option is defined as the following:
#
#	pwd-<passwordAttribute>
#
# where passwordAttribute is a string following the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
# (short name) MUST be used.
#
# For example, if the pwdPolicy object has for pwdAttribute
# "userPassword" then the pwdChangedTime operational attribute, in a
# user entry, will be:
#
#	pwdChangedTime;pwd-userPassword: 20000103121520Z
#
# This attribute option follows sub-typing semantics. If a client
# requests a password policy state attribute to be returned in a
# search operation, and does not specify an option, all subtypes of
# that policy state attribute are returned.
# 4.3.2. pwdChangedTime
#
# This attribute specifies the last time the entry's password was
# changed. This is used by the password expiration policy. If this
# attribute does not exist, the password will never expire.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.16
#	NAME 'pwdChangedTime'
#	DESC 'The time the password was last changed'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation )
#
# 4.3.3. pwdAccountLockedTime
#
# This attribute holds the time that the user's account was locked. A
# locked account means that the password may no longer be used to
# authenticate. A 0 value means that the account has been locked
# permanently, and that only an administrator can unlock the account.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.17
#	NAME 'pwdAccountLockedTime'
#	DESC 'The time a user account was locked'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation )
#
# 4.3.4. pwdExpirationWarned
#
# This attribute contains the time when the password expiration
# warning was first sent to the client. The password will expire in
# the pwdExpireWarning time.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.18
#	NAME 'pwdExpirationWarned'
#	DESC 'The time the user was first warned about the coming
#		expiration of the password'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation )
#
# 4.3.5. pwdFailureTime
#
# This attribute holds the timestamps of the consecutive
# authentication failures.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.19
#	NAME 'pwdFailureTime'
#	DESC 'The timestamps of the last consecutive authentication
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation )
# 4.3.6. pwdHistory
#
# This attribute holds a history of previously used passwords.
#
# Values of this attribute are transmitted in string format as given
# by the following ABNF:
#
# pwdHistory = time "#" syntaxOID "#" length "#" data
#
# time       = <generalizedTimeString as specified in 6.14 of
#
# syntaxOID  = numericoid    ; the string representation of the
#                            ; dotted-decimal OID that defines the
#                            ; syntax used to store the password.
#                            ; numericoid is described in 4.1 of
#
# length     = numericstring ; the number of octets in data.
#                            ; numericstring is described in 4.1 of
#
# data       = <octets representing the password in the format
#               specified by syntaxOID>.
#
# This format allows the server to store and transmit a history of
# passwords that have been used. In order for equality matching to
# function properly, the time field needs to adhere to a consistent
# format. For this purpose, the time field MUST be in GMT format.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.20
#	NAME 'pwdHistory'
#	DESC 'The history of user's passwords'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#	EQUALITY octetStringMatch
#	USAGE directoryOperation )
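# The following is an added example, not part of ppolicy.schema or of slapd:
# a parser and formatter for one pwdHistory value in the ABNF above
# (time "#" syntaxOID "#" length "#" data), enforcing the GMT time rule and
# the declared length. The function and exception names are this example's
# own; the sample value is constructed.

```python
import re
from datetime import datetime, timezone

# Added example (not ppolicy.schema or slapd code).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"
NUMERICOID = re.compile(r"^[0-9]+(\.[0-9]+)+$")
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"   # syntax of userPassword

class PwdHistoryError(ValueError):
    pass

def parse_pwd_history(value):
    """Return (changed_time, syntax_oid, data) from one pwdHistory value.

    `value` is bytes: data is an arbitrary octet string (typically a hashed
    password) that may itself contain '#', so only the first three '#' are
    separators and the declared length must equal the remaining octets."""
    parts = value.split(b"#", 3)
    if len(parts) != 4:
        raise PwdHistoryError("expected time#syntaxOID#length#data")
    time_s, oid_s, length_s, data = parts
    # The time field MUST be GMT (trailing 'Z') so equality matching works.
    try:
        changed = datetime.strptime(time_s.decode("ascii"), GENERALIZED_TIME)
    except (UnicodeDecodeError, ValueError):
        raise PwdHistoryError("time must be a GMT generalizedTime")
    oid = oid_s.decode("ascii", "replace")
    if not NUMERICOID.match(oid):
        raise PwdHistoryError("syntaxOID must be a dotted-decimal numericoid")
    if not length_s.isdigit() or int(length_s) != len(data):
        raise PwdHistoryError("length must be a numericstring equal to len(data)")
    return changed.replace(tzinfo=timezone.utc), oid, data

def format_pwd_history(changed, syntax_oid, data):
    """Inverse of parse_pwd_history: build the string form for transmission."""
    offset = changed.utcoffset()
    if offset is not None and offset.total_seconds() != 0:
        raise PwdHistoryError("time must be GMT")
    stamp = changed.strftime(GENERALIZED_TIME).encode("ascii")
    return b"#".join([stamp, syntax_oid.encode("ascii"),
                      str(len(data)).encode("ascii"), data])

if __name__ == "__main__":
    # Constructed sample whose data contains a '#', showing the 3-way split.
    sample = b"20000103121520Z#" + OCTET_STRING_SYNTAX.encode() + b"#5#ab#cd"
    print(parse_pwd_history(sample))
```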
# 4.3.7. pwdGraceUseTime
#
# This attribute holds the timestamps of grace login once a password
#
# ( 1.3.6.1.4.1.42.2.27.8.1.21
#	NAME 'pwdGraceUseTime'
#	DESC 'The timestamps of the grace login once the password has
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	USAGE directoryOperation )
#
# 4.3.8. pwdReset
#
# This attribute holds a flag to indicate (when TRUE) that the
# password has been reset and therefore must be changed by the user on
# first authentication.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.22
#	NAME 'pwdReset'
#	DESC 'The indication that the password has been reset'
#	EQUALITY booleanMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
#	USAGE directoryOperation )
#
# 4.3.9. pwdPolicySubentry
#
# This attribute points to the pwdPolicy subentry in effect for this
#
# ( 1.3.6.1.4.1.42.2.27.8.1.23
#	NAME 'pwdPolicySubentry'
#	DESC 'The pwdPolicy subentry in effect for this object'
#	EQUALITY distinguishedNameMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
#	USAGE directoryOperation )
# 14. Copyright Notice
#
# Copyright (C) The Internet Society (2004). All Rights
#
# This document and translations of it may be copied and furnished to
# others, and derivative works that comment on or otherwise explain it
# or assist in its implementation may be prepared, copied, published
# and distributed, in whole or in part, without restriction of any
# kind, provided that the above copyright notice and this paragraph
# are included on all such copies and derivative works. However, this
# document itself may not be modified in any way, such as by removing
# the copyright notice or references to the Internet Society or other
# Internet organizations, except as needed for the purpose of
# developing Internet standards in which case the procedures for
# copyrights defined in the Internet Standards process must be
# followed, or as required to translate it into languages other than
#
# The limited permissions granted above are perpetual and will not be
# revoked by the Internet Society or its successors or assigns.
#
# This document and the information contained herein is provided on an
# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."