## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2005 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
##
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.
#
# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
#	Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
#
# Contents of this file are subject to change (including deletion)
#
# Not recommended for production use!
# Use with extreme caution!
#
# Internet-Draft                                              P. Behera
# draft behera-ldap-password-policy-07.txt                    L. Poitou
# Intended Category: Proposed Standard                 Sun Microsystems
# Expires: August 2004                                    J. Sermersheim
#
#                  Password Policy for LDAP Directories
#
# This document is an Internet-Draft and is in full conformance with
# all provisions of Section 10 of RFC 2026.
#
# Internet-Drafts are working documents of the Internet Engineering
# Task Force (IETF), its areas, and its working groups. Note that
# other groups may also distribute working documents as Internet-
#
# Internet-Drafts are draft documents valid for a maximum of six
# months and may be updated, replaced, or obsoleted by other documents
# at any time. It is inappropriate to use Internet-Drafts as
# reference material or to cite them other than as "work in progress."
#
# The list of current Internet-Drafts can be accessed at
# http://www.ietf.org/ietf/1id-abstracts.txt
#
# The list of Internet-Draft Shadow Directories can be accessed at
# http://www.ietf.org/shadow.html.
#
# Technical discussions of this draft are held on the LDAPEXT Working
# Group mailing list at ietf-ldapext@netscape.com. Editorial comments
# may be sent to the authors listed in Section 13.
#
# Copyright (C) The Internet Society (2004). All rights Reserved.
#
# Please see the Copyright Section near the end of this document for
#
# Password policy as described in this document is a set of rules that
# controls how passwords are used and administered in LDAP
# directories. In order to improve the security of LDAP directories
# and make it difficult for password cracking programs to break into
# directories, it is desirable to enforce a set of rules on password
# usage. These rules are made to ensure that users change their
# passwords periodically, passwords meet construction requirements,
# the re-use of old passwords is restricted, and users are locked out
# after a certain number of failed attempts.
# 4.2. Attribute Types used in the pwdPolicy ObjectClass
#
# Following are the attribute types used by the pwdPolicy object
#
# 4.2.1. pwdAttribute
#
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
	NAME 'pwdAttribute'
	EQUALITY objectIdentifierMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

# 4.2.2. pwdMinAge
#
# This attribute holds the number of seconds that must elapse between
# modifications to the password. If this attribute is not present, 0
# seconds is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
	NAME 'pwdMinAge'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.3. pwdMaxAge
#
# This attribute holds the number of seconds after which a modified
# password will expire.
#
# If this attribute is not present, or if the value is 0, the password
# does not expire. If not 0, the value must be greater than or equal
# to the value of pwdMinAge.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
	NAME 'pwdMaxAge'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.4. pwdInHistory
#
# This attribute specifies the maximum number of used passwords stored
# in the pwdHistory attribute.
#
# If this attribute is not present, or if the value is 0, used
# passwords are not stored in the pwdHistory attribute and thus may be

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
	NAME 'pwdInHistory'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.5. pwdCheckQuality
#
# This attribute indicates how the password quality will be verified
# while being modified or added. If this attribute is not present, or
# if the value is '0', quality checking will not be enforced. A value
# of '1' indicates that the server will check the quality, and if the
# server is unable to check it (due to a hashed password or other
# reasons) it will be accepted. A value of '2' indicates that the
# server will check the quality, and if the server is unable to verify
# it, it will return an error refusing the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
	NAME 'pwdCheckQuality'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.6. pwdMinLength
#
# When quality checking is enabled, this attribute holds the minimum
# number of characters that must be used in a password. If this
# attribute is not present, no minimum password length will be
# enforced. If the server is unable to check the length (due to a
# hashed password or otherwise), the server will, depending on the
# value of the pwdCheckQuality attribute, either accept the password
# without checking it ('0' or '1') or refuse it ('2').

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
	NAME 'pwdMinLength'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.7. pwdExpireWarning
#
# This attribute specifies the maximum number of seconds before a
# password is due to expire that expiration warning messages will be
# returned to an authenticating user. If this attribute is not
# present, or if the value is 0, no warnings will be sent. If not 0,
# the value must be smaller than the value of the pwdMaxAge attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
	NAME 'pwdExpireWarning'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.8. pwdGraceLoginLimit
#
# This attribute specifies the number of times an expired password can
# be used to authenticate. If this attribute is not present or if the
# value is 0, authentication will fail.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
	NAME 'pwdGraceLoginLimit'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.9. pwdLockout
#
# This attribute indicates, when its value is "TRUE", that the
# password may not be used to authenticate after a specified number of
# consecutive failed bind attempts. The maximum number of consecutive
# failed bind attempts is specified in pwdMaxFailure.
#
# If this attribute is not present, or if the value is "FALSE", the
# password may be used to authenticate when the number of failed bind
# attempts has been reached.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
	NAME 'pwdLockout'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

# 4.2.10. pwdLockoutDuration
#
# This attribute holds the number of seconds that the password cannot
# be used to authenticate due to too many failed bind attempts. If
# this attribute is not present, or if the value is 0, the password
# cannot be used to authenticate until reset by an administrator.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
	NAME 'pwdLockoutDuration'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.11. pwdMaxFailure
#
# This attribute specifies the number of consecutive failed bind
# attempts after which the password may not be used to authenticate.
# If this attribute is not present, or if the value is 0, this policy
# is not checked, and the value of pwdLockout will be ignored.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
	NAME 'pwdMaxFailure'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.12. pwdFailureCountInterval
#
# This attribute holds the number of seconds after which the password
# failures are purged from the failure counter, even though no
# successful authentication occurred.
#
# If this attribute is not present, or if its value is 0, the failure
# counter is only reset by a successful authentication.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
	NAME 'pwdFailureCountInterval'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# 4.2.13. pwdMustChange
#
# This attribute specifies with a value of "TRUE" that users must
# change their passwords when they first bind to the directory after a
# password is set or reset by the administrator. If this attribute is
# not present, or if the value is "FALSE", users are not required to
# change their password upon binding after the administrator sets or
# resets the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
	NAME 'pwdMustChange'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

# 4.2.14. pwdAllowUserChange
#
# This attribute indicates whether users can change their own
# passwords, although the change operation is still subject to access
# control. If this attribute is not present, a value of "TRUE" is

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
	NAME 'pwdAllowUserChange'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

# 4.2.15. pwdSafeModify
#
# This attribute specifies whether or not the existing password must
# be sent when changing a password. If this attribute is not present,
# a "FALSE" value is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
	NAME 'pwdSafeModify'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

# This attribute names a user-defined loadable module that provides
# a check_password() function. If pwdCheckQuality is set to '1' or '2'
# this function will be called after all of the internal password
# quality checks have been passed. The function has this prototype:
#
#	int check_password( char *password, char **errormessage, void *arg )
#
# The function should return LDAP_SUCCESS for a valid password.

attributetype ( 1.3.6.1.4.1.4754.1.99.1
	NAME 'pwdCheckModule'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	DESC 'Loadable module that instantiates the "check_password()" function'
	SINGLE-VALUE )

# 4.1. The pwdPolicy Object Class
#
# This object class contains the attributes defining a password policy
# in effect for a set of users. Section 8 describes the administration
# of this object, and the relationship between it and particular

objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
	NAME 'pwdPolicy'
	SUP top
	AUXILIARY
	MUST ( pwdAttribute )
	MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
	pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout
	$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
	pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
	NAME 'pwdPolicyChecker'
	SUP top
	AUXILIARY
	MAY ( pwdCheckModule ) )
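# The following is an added Python example, not part of this schema file or of
# OpenLDAP: a pwdPolicy subentry written as LDIF, plus a checker for the
# cross-attribute rules the descriptions above state (pwdMaxAge against
# pwdMinAge, pwdExpireWarning against pwdMaxAge, pwdLockout against
# pwdMaxFailure, pwdMinLength against pwdCheckQuality). The DN, the use of the
# 'device' structural class to carry the auxiliary pwdPolicy class, and every
# value in the sample are constructed assumptions; the schema's OIDs and
# attribute names are the only things taken from the page.

```python
"""Parse a pwdPolicy subentry from LDIF and check the constraints stated in
the pwdPolicy attribute descriptions. Added example, not OpenLDAP code."""
from typing import Dict, List

# Constructed sample: a pwdPolicy subentry as one might load with ldapadd.
# DN, structural class and all values are assumptions for this example.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdExpireWarning: 604800
pwdGraceLoginLimit: 3
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for a single entry: 'attr: value' lines, with
    continuation lines (leading space) folded back onto the previous line.
    Keys are lower-cased because LDAP attribute names are case-insensitive."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def _int(entry: Dict[str, List[str]], attr: str, default: int = 0) -> int:
    vals = entry.get(attr.lower())
    return int(vals[0]) if vals else default


def _bool(entry: Dict[str, List[str]], attr: str, default: bool = False) -> bool:
    vals = entry.get(attr.lower())
    return vals[0].upper() == "TRUE" if vals else default


def check_policy(entry: Dict[str, List[str]]) -> List[str]:
    """Return the problems found; an empty list means the policy is consistent."""
    problems: List[str] = []
    if "pwdattribute" not in entry:
        problems.append("pwdAttribute is MUST in pwdPolicy")
    min_age = _int(entry, "pwdMinAge")
    max_age = _int(entry, "pwdMaxAge")
    warn = _int(entry, "pwdExpireWarning")
    quality = _int(entry, "pwdCheckQuality")
    # pwdMaxAge, when non-zero, must be >= pwdMinAge (4.2.3).
    if max_age and max_age < min_age:
        problems.append("pwdMaxAge must be >= pwdMinAge")
    # pwdExpireWarning, when non-zero, must be smaller than pwdMaxAge (4.2.7).
    if warn and not (0 < warn < max_age):
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if quality not in (0, 1, 2):
        problems.append("pwdCheckQuality must be 0, 1 or 2")
    # pwdMinLength is only enforced while quality checking is on (4.2.6).
    if quality == 0 and _int(entry, "pwdMinLength"):
        problems.append("pwdMinLength is ignored while pwdCheckQuality is 0")
    # pwdLockout has no effect unless pwdMaxFailure is non-zero (4.2.11).
    if _bool(entry, "pwdLockout") and not _int(entry, "pwdMaxFailure"):
        problems.append("pwdLockout is ignored while pwdMaxFailure is 0")
    return problems


if __name__ == "__main__":
    for line in check_policy(parse_ldif_entry(SAMPLE_LDIF)) or ["policy is consistent"]:
        print(line)
```

# A policy that passes check_policy() is merely internally consistent; the
# server still only enforces pwdMinLength and pwdCheckQuality on values it
# can read, so hashed userPassword values bypass them unless pwdCheckQuality
# is 2.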
# 4.3. Attribute Types for Password Policy State Information
#
# Password policy state information must be maintained for each user.
# The information is located in each user entry as a set of
# operational attributes. These operational attributes are:
# pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned,
# pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset,
#
# 4.3.1. Password Policy State Attribute Option
#
# Since the password policy could apply to several attributes used to
# store passwords, each of the above operational attributes must have
# an option to specify which pwdAttribute it applies to.
# The password policy option is defined as the following:
#
#	pwd-<passwordAttribute>
#
# where passwordAttribute is a string following the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
# (short name) MUST be used.
#
# For example, if the pwdPolicy object has for pwdAttribute
# "userPassword" then the pwdChangedTime operational attribute, in a
# user entry, will be:
#
#	pwdChangedTime;pwd-userPassword: 20000103121520Z
#
# This attribute option follows sub-typing semantics. If a client
# requests a password policy state attribute to be returned in a
# search operation, and does not specify an option, all subtypes of
# that policy state attribute are returned.
#
# 4.3.2. pwdChangedTime
#
# This attribute specifies the last time the entry's password was
# changed. This is used by the password expiration policy. If this
# attribute does not exist, the password will never expire.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.16
#	NAME 'pwdChangedTime'
#	DESC 'The time the password was last changed'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation)
#
# 4.3.3. pwdAccountLockedTime
#
# This attribute holds the time that the user's account was locked. A
# locked account means that the password may no longer be used to
# authenticate. A 0 value means that the account has been locked
# permanently, and that only an administrator can unlock the account.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.17
#	NAME 'pwdAccountLockedTime'
#	DESC 'The time a user account was locked'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation)
#
# 4.3.4. pwdExpirationWarned
#
# This attribute contains the time when the password expiration
# warning was first sent to the client. The password will expire in
# the pwdExpireWarning time.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.18
#	NAME 'pwdExpirationWarned'
#	DESC 'The time the user was first warned about the coming
#		expiration of the password'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation )
#
# 4.3.5. pwdFailureTime
#
# This attribute holds the timestamps of the consecutive
# authentication failures.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.19
#	NAME 'pwdFailureTime'
#	DESC 'The timestamps of the last consecutive authentication
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	ORDERING generalizedTimeOrderingMatch
#	USAGE directoryOperation )
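# The lockout rules of 4.2.9 to 4.2.12 evaluated against the pwdFailureTime
# and pwdAccountLockedTime state described above, as an added Python example
# (not OpenLDAP's own implementation). The clock, the failure timestamps and
# the representation of the page's "0 value" permanent lock as the literal
# string "0" are assumptions made for the sample.

```python
"""Evaluate the lockout rules (pwdLockout, pwdMaxFailure, pwdLockoutDuration,
pwdFailureCountInterval) against the pwdFailureTime / pwdAccountLockedTime
state of a user entry. Added example; not OpenLDAP's implementation."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def parse_gentime(value: str) -> datetime:
    """GeneralizedTime in the GMT form the state attributes use,
    e.g. 20000103121520Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def counted_failures(pwd_failure_time: List[str], now: datetime,
                     pwd_failure_count_interval: int) -> int:
    """Failures that still count: all of them when pwdFailureCountInterval
    is 0 (the counter is then reset only by a successful bind), otherwise
    only those younger than the interval; older ones are purged."""
    if pwd_failure_count_interval == 0:
        return len(pwd_failure_time)
    cutoff = now - timedelta(seconds=pwd_failure_count_interval)
    return sum(1 for t in pwd_failure_time if parse_gentime(t) > cutoff)


def is_locked(now: datetime, pwd_lockout: bool, pwd_max_failure: int,
              pwd_lockout_duration: int, pwd_failure_count_interval: int,
              pwd_failure_time: List[str],
              pwd_account_locked_time: Optional[str]) -> bool:
    """True when the password may not be used to authenticate right now."""
    # pwdMaxFailure 0: the policy is not checked and pwdLockout is ignored.
    if pwd_max_failure == 0 or not pwd_lockout:
        return False
    if pwd_account_locked_time is not None:
        # Assumption for this sample: the "0 value" of pwdAccountLockedTime
        # (permanent lock, administrator must unlock) is the string "0".
        # pwdLockoutDuration 0 likewise means locked until an admin reset.
        if pwd_account_locked_time == "0" or pwd_lockout_duration == 0:
            return True
        locked_at = parse_gentime(pwd_account_locked_time)
        # The lock lifts on its own once pwdLockoutDuration has elapsed.
        return now < locked_at + timedelta(seconds=pwd_lockout_duration)
    # No lock recorded yet: lock when the counted failures reach the limit.
    return counted_failures(pwd_failure_time, now,
                            pwd_failure_count_interval) >= pwd_max_failure


# Constructed sample state: four failed binds, one of them two hours old.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
FAILURES = ["20240501100000Z", "20240501115000Z",
            "20240501115500Z", "20240501115800Z"]

if __name__ == "__main__":
    # pwdMaxFailure 3 inside a 30-minute window: the three recent failures lock it.
    print(is_locked(NOW, True, 3, 900, 1800, FAILURES, None))
    # The same entry under a policy with no failure window and a limit of 5.
    print(is_locked(NOW, True, 5, 900, 0, FAILURES, None))
```

# When reviewing a policy, note the interaction the rules above imply: a
# long pwdFailureCountInterval with a small pwdMaxFailure lets a slow guessing
# pattern lock out legitimate users, while pwdLockoutDuration 0 turns every
# lockout into a help-desk ticket.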
# 4.3.6. pwdHistory
#
# This attribute holds a history of previously used passwords.
#
# Values of this attribute are transmitted in string format as given
# by the following ABNF:
#
# pwdHistory = time "#" syntaxOID "#" length "#" data
#
# time       = <generalizedTimeString as specified in 6.14 of
#
# syntaxOID  = numericoid   ; the string representation of the
#                           ; dotted-decimal OID that defines the
#                           ; syntax used to store the password.
#                           ; numericoid is described in 4.1 of
#
# length     = numericstring ; the number of octets in data.
#                            ; numericstring is described in 4.1 of
#
# data       = <octets representing the password in the format
#              specified by syntaxOID>.
#
# This format allows the server to store, and transmit a history of
# passwords that have been used. In order for equality matching to
# function properly, the time field needs to adhere to a consistent
# format. For this purpose, the time field MUST be in GMT format.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.20
#	NAME 'pwdHistory'
#	DESC 'The history of user's passwords'
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#	EQUALITY octetStringMatch
#	USAGE directoryOperation)
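# An added Python example (not OpenLDAP code) that builds and parses
# pwdHistory values in the ABNF above and checks a candidate password against
# the stored history. The sample history values are constructed; they use the
# Octet String syntax OID as syntaxOID and cleartext data so that the length
# field's purpose (a '#' inside the password) is visible. The pwdInHistory
# trimming helper is also an assumption about how a server would apply 4.2.4.

```python
"""Parse and build pwdHistory values of the form
    time "#" syntaxOID "#" length "#" data
and check a candidate password against the stored history.
Added example; not OpenLDAP's implementation."""
import operator
from typing import Callable, List, NamedTuple

# Octet String syntax OID, used as syntaxOID in the constructed samples below.
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"


class HistoryEntry(NamedTuple):
    time: str
    syntax_oid: str
    data: bytes


def parse_pwd_history(value: bytes) -> HistoryEntry:
    """Split one value. Only the first three '#' are separators: 'length'
    says how many octets of data follow, so data may itself contain '#'."""
    try:
        time, syntax_oid, length, data = value.split(b"#", 3)
    except ValueError:
        raise ValueError("pwdHistory value needs time#syntaxOID#length#data") from None
    if len(data) != int(length):
        raise ValueError(f"length field says {int(length)} octets, got {len(data)}")
    if not time.endswith(b"Z"):
        raise ValueError("time field MUST be in GMT (trailing 'Z')")
    return HistoryEntry(time.decode("ascii"), syntax_oid.decode("ascii"), data)


def format_pwd_history(time: str, syntax_oid: str, data: bytes) -> bytes:
    """Build a value; the explicit length is what makes '#' in data safe."""
    return b"#".join([time.encode("ascii"), syntax_oid.encode("ascii"),
                      str(len(data)).encode("ascii"), data])


def is_reused(candidate: bytes, history: List[bytes],
              matches: Callable[[bytes, bytes], bool] = operator.eq) -> bool:
    """True when the candidate matches any stored password. When the stored
    data is a hashed userPassword value, pass a verifier for that hash
    scheme as 'matches' instead of plain equality."""
    return any(matches(candidate, parse_pwd_history(v).data) for v in history)


def trim_history(history: List[bytes], pwd_in_history: int) -> List[bytes]:
    """Keep only the newest pwdInHistory values (0 means keep none, 4.2.4).
    GMT GeneralizedTime strings sort chronologically as plain strings."""
    if pwd_in_history == 0:
        return []
    ordered = sorted(history, key=lambda v: parse_pwd_history(v).time)
    return ordered[-pwd_in_history:]


# Constructed sample history; the older password contains a '#'.
HISTORY = [
    format_pwd_history("20231201090000Z", OCTET_STRING_SYNTAX, b"Winter#2023!"),
    format_pwd_history("20240301090000Z", OCTET_STRING_SYNTAX, b"Spring2024"),
]

if __name__ == "__main__":
    for v in HISTORY:
        print(v, parse_pwd_history(v))
    print(is_reused(b"Winter#2023!", HISTORY), is_reused(b"Summer2024", HISTORY))
```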
# 4.3.7. pwdGraceUseTime
#
# This attribute holds the timestamps of grace login once a password
#
# ( 1.3.6.1.4.1.42.2.27.8.1.21
#	NAME 'pwdGraceUseTime'
#	DESC 'The timestamps of the grace login once the password has
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#	EQUALITY generalizedTimeMatch
#	USAGE directoryOperation)
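# Password expiry at bind time, combining pwdMaxAge, pwdExpireWarning and
# pwdGraceLoginLimit with the pwdChangedTime and pwdGraceUseTime state, as an
# added Python example (not OpenLDAP's implementation). The clock and the
# timestamps are constructed; the ExpiryDecision shape and the rule that a
# permitted grace bind consumes one grace login are assumptions of the
# example.

```python
"""Evaluate password expiry at bind time from pwdMaxAge, pwdExpireWarning
and pwdGraceLoginLimit together with the entry's pwdChangedTime and
pwdGraceUseTime state. Added example; not OpenLDAP's implementation."""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional


class ExpiryDecision(NamedTuple):
    allow: bool                   # may this bind proceed?
    warn_seconds: Optional[int]   # seconds until expiry, when a warning is due
    grace_left: Optional[int]     # grace logins left after this bind, if expired


def parse_gentime(value: str) -> datetime:
    """GeneralizedTime in GMT form, e.g. 20000103121520Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_expiry(now: datetime, pwd_max_age: int, pwd_expire_warning: int,
                    pwd_grace_login_limit: int, pwd_changed_time: Optional[str],
                    pwd_grace_use_time: List[str]) -> ExpiryDecision:
    # pwdMaxAge 0 or no pwdChangedTime: the password never expires (4.2.3, 4.3.2).
    if pwd_max_age == 0 or pwd_changed_time is None:
        return ExpiryDecision(True, None, None)
    expires_at = parse_gentime(pwd_changed_time) + timedelta(seconds=pwd_max_age)
    remaining = int((expires_at - now).total_seconds())
    if remaining > 0:
        # Warn only inside the pwdExpireWarning window; 0 means never warn (4.2.7).
        warn = pwd_expire_warning != 0 and remaining <= pwd_expire_warning
        return ExpiryDecision(True, remaining if warn else None, None)
    # Expired: each pwdGraceUseTime value is one grace login already spent;
    # with pwdGraceLoginLimit 0, or none left, the bind fails (4.2.8).
    left = pwd_grace_login_limit - len(pwd_grace_use_time)
    if left <= 0:
        return ExpiryDecision(False, None, 0)
    return ExpiryDecision(True, None, left - 1)   # this bind consumes one


# Constructed sample policy: 90-day maximum age, 7-day warning, 3 grace logins.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
MAX_AGE, WARNING, GRACE = 7776000, 604800, 3

if __name__ == "__main__":
    # Changed 1 March: 29 days left, outside the 7-day warning window.
    print(evaluate_expiry(NOW, MAX_AGE, WARNING, GRACE, "20240301120000Z", []))
    # Changed 1 January: expired on 31 March, one grace login already used.
    print(evaluate_expiry(NOW, MAX_AGE, WARNING, GRACE, "20240101120000Z",
                          ["20240415100000Z"]))
```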
# 4.3.8. pwdReset
#
# This attribute holds a flag to indicate (when TRUE) that the
# password has been reset and therefore must be changed by the user on
# first authentication.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.22
#	NAME 'pwdReset'
#	DESC 'The indication that the password has been reset'
#	EQUALITY booleanMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
#	USAGE directoryOperation)
#
# 4.3.9. pwdPolicySubentry
#
# This attribute points to the pwdPolicy subentry in effect for this
#
# ( 1.3.6.1.4.1.42.2.27.8.1.23
#	NAME 'pwdPolicySubentry'
#	DESC 'The pwdPolicy subentry in effect for this object'
#	EQUALITY distinguishedNameMatch
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
#	USAGE directoryOperation)
# 14. Copyright Notice
#
# Copyright (C) The Internet Society (2004). All Rights
#
# This document and translations of it may be copied and furnished to
# others, and derivative works that comment on or otherwise explain it
# or assist in its implementation may be prepared, copied, published
# and distributed, in whole or in part, without restriction of any
# kind, provided that the above copyright notice and this paragraph
# are included on all such copies and derivative works. However, this
# document itself may not be modified in any way, such as by removing
# the copyright notice or references to the Internet Society or other
# Internet organizations, except as needed for the purpose of
# developing Internet standards in which case the procedures for
# copyrights defined in the Internet Standards process must be
# followed, or as required to translate it into languages other than
#
# The limited permissions granted above are perpetual and will not be
# revoked by the Internet Society or its successors or assigns.
#
# This document and the information contained herein is provided on an
# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."