Password policy schema from draft 7

[openldap] / servers / slapd / schema / ppolicy.schema

# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).  All Rights Reserved.
## Please see full copyright statement below.

# Definitions from Draft behera-ldap-password-policy-07
#       Password Policy for LDAP Directories

# With extensions from Hewlett-Packard:
#       pwdCheckModule etc.

# 
# Internet-Draft                                                P. Behera
# draft behera-ldap-password-policy-07.txt                      L. Poitou
# Intended Category: Proposed Standard                   Sun Microsystems
# Expires: August 2004                                     J. Sermersheim
#                                                                  Novell
# 
#                                                           February 2004
#  
#  
#                   Password Policy for LDAP Directories 
#  
#  
# Status of this Memo 
#  
#    This document is an Internet-Draft and is in full conformance with 
#    all provisions of Section 10 of RFC 2026.  
#     
#    Internet-Drafts are working documents of the Internet Engineering 
#    Task Force (IETF), its areas, and its working groups. Note that 
#    other groups may also distribute working documents as Internet-
#    Drafts. 
#     
#    Internet-Drafts are draft documents valid for a maximum of six 
#    months and may be updated, replaced, or obsoleted by other documents 
#    at any time. It is inappropriate to use Internet- Drafts as 
#    reference material or to cite them other than as "work in progress." 
#      
#    The list of current Internet-Drafts can be accessed at 
#    http://www.ietf.org/ietf/1id-abstracts.txt  
#     
#    The list of Internet-Draft Shadow Directories can be accessed at 
#    http://www.ietf.org/shadow.html. 
#     
#    Technical discussions of this draft are held on the LDAPEXT Working 
#    Group mailing list at ietf-ldapext@netscape.com. Editorial comments 
#    may be sent to the authors listed in Section 13. 
#     
#    Copyright (C) The Internet Society (2004). All rights Reserved. 
#     
#    Please see the Copyright Section near the end of this document for 
#    more information. 
#     
#     
# 1. Abstract 
#     
#    Password policy as described in this document is a set of rules that 
#    controls how passwords are used and administered in LDAP 
#    directories. In order to improve the security of LDAP directories 
#    and make it difficult for password cracking programs to break into 
#    directories, it is desirable to enforce a set of rules on password 
#    usage.  These rules are made to ensure that users change their 
#    passwords periodically, passwords meet construction requirements, 
#    the re-use of old password is restricted, and users are locked out 
#    after a certain number of failed attempts. 
#     
# [trimmed]
# 
#     
# 4.2. Attribute Types used in the pwdPolicy ObjectClass 
#     
#    Following are the attribute types used by the pwdPolicy object 
#    class. 
#     
# 4.2.1. pwdAttribute 
#     
#    This holds the name of the attribute to which the password policy is 
#    applied. For example, the password policy may be applied to the 
#    userPassword attribute. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.1 
      NAME 'pwdAttribute' 
      EQUALITY objectIdentifierMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) 
    
# 4.2.2. pwdMinAge  
#     
#    This attribute holds the number of seconds that must elapse between 
#    modifications to the password. If this attribute is not present, 0 
#    seconds is assumed. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.2 
      NAME 'pwdMinAge' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.3. pwdMaxAge 
#     
#    This attribute holds the number of seconds after which a modified 
#    password will expire. 
#     
#    If this attribute is not present, or if the value is 0 the password 
#    does not expire. If not 0, the value must be greater than or equal 
#    to the value of the pwdMinAge. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.3 
      NAME 'pwdMaxAge' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
      SINGLE-VALUE ) 
    
# 4.2.4. pwdInHistory 
#     
#    This attribute specifies the maximum number of used passwords stored 
#    in the pwdHistory attribute. 
#     
#    If this attribute is not present, or if the value is 0, used 
#    passwords are not stored in the pwdHistory attribute and thus may be 
#    reused. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.4 
      NAME 'pwdInHistory' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
      SINGLE-VALUE ) 
    
# 4.2.5. pwdCheckQuality 
#     
#    This attribute indicates how the password quality will be verified 
#    while being modified or added. If this attribute is not present, or 
#    if the value is '0', quality checking will not be enforced. A value 
#    of '1' indicates that the server will check the quality, and if the 
#    server is unable to check it (due to a hashed password or other 
#    reasons) it will be accepted. A value of '2' indicates that the 
#    server will check the quality, and if the server is unable to verify 
#    it, it will return an error refusing the password. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.5 
      NAME 'pwdCheckQuality' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.6. pwdMinLength 
#     
#    When quality checking is enabled, this attribute holds the minimum 
#    number of characters that must be used in a password. If this 
#    attribute is not present, no minimum password length will be 
#    enforced. If the server is unable to check the length (due to a 
#    hashed password or otherwise), the server will, depending on the 
#    value of the pwdCheckQuality attribute, either accept the password 
#    without checking it ('0' or '1') or refuse it ('2'). 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.6 
      NAME 'pwdMinLength' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 
      SINGLE-VALUE ) 
    
# 4.2.7. pwdExpireWarning 
#     
#    This attribute specifies the maximum number of seconds before a 
#    password is due to expire that expiration warning messages will be 
#    returned to an authenticating user. If this attribute is not 
#    present, or if the value is 0 no warnings will be sent. If not 0, 
#    the value must be smaller than the value of the pwdMaxAge attribute. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.7 
      NAME 'pwdExpireWarning' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.8. pwdGraceLoginLimit 
#     
#    This attribute specifies the number of times an expired password can 
#    be used to authenticate. If this attribute is not present or if the 
#    value is 0, authentication will fail. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.8 
      NAME 'pwdGraceLoginLimit' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.9. pwdLockout 
#     
#    This attribute indicates, when its value is "TRUE", that the 
#    password may not be used to authenticate after a specified number of 
#    consecutive failed bind attempts. The maximum number of consecutive 
#    failed bind attempts is specified in pwdMaxFailure. 
#     
#    If this attribute is not present, or if the value is "FALSE", the 
#    password may be used to authenticate when the number of failed bind 
#    attempts has been reached. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.9 
      NAME 'pwdLockout' 
      EQUALITY booleanMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7  
      SINGLE-VALUE ) 

# 4.2.10. pwdLockoutDuration 
#     
#    This attribute holds the number of seconds that the password cannot 
#    be used to authenticate due to too many failed bind attempts. If 
#    this attribute is not present, or if the value is 0 the password 
#    cannot be used to authenticate until reset by an administrator. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.10 
      NAME 'pwdLockoutDuration' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.11. pwdMaxFailure 
#     
#    This attribute specifies the number of consecutive failed bind 
#    attempts after which the password may not be used to authenticate. 
#    If this attribute is not present, or if the value is 0, this policy 
#    is not checked, and the value of pwdLockout will be ignored. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.11 
      NAME 'pwdMaxFailure' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.12. pwdFailureCountInterval 
#     
#    This attribute holds the number of seconds after which the password 
#    failures are purged from the failure counter, even though no 
#    successful authentication occurred. 
#     
#    If this attribute is not present, or if its value is 0, the failure 
#    counter is only reset by a successful authentication. 
     
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.12 
      NAME 'pwdFailureCountInterval' 
      EQUALITY integerMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27  
      SINGLE-VALUE ) 
    
# 4.2.13. pwdMustChange 
#     
#    This attribute specifies with a value of "TRUE" that users must 
#    change their passwords when they first bind to the directory after a 
#    password is set or reset by the administrator. If this attribute is 
#    not present, or if the value is "FALSE", users are not required to 
#    change their password upon binding after the administrator sets or 
#    resets the password. 
 
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.13 
      NAME 'pwdMustChange' 
      EQUALITY booleanMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7  
      SINGLE-VALUE ) 
    
# 4.2.14. pwdAllowUserChange 
#     
#    This attribute indicates whether users can change their own 
#    passwords, although the change operation is still subject to access 
#    control. If this attribute is not present, a value of "TRUE" is 
#    assumed. 
    
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.14 
      NAME 'pwdAllowUserChange' 
      EQUALITY booleanMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7  
      SINGLE-VALUE ) 
    
# 4.2.15. pwdSafeModify 
#     
#    This attribute specifies whether or not the existing password must 
#    be sent when changing a password. If this attribute is not present, 
#    a "FALSE" value is assumed. 
#     
attributetype   (  1.3.6.1.4.1.42.2.27.8.1.15 
      NAME 'pwdSafeModify' 
      EQUALITY booleanMatch 
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7  
      SINGLE-VALUE ) 

# HP extensions
#
# pwdCheckModule
#
#    This attribute names a user-defined loadable module that provides
#    a check_password() function. If pwdCheckQuality is set to '1' or '2'
#    this function will be called after all of the internal password
#    quality checks have been passed. The function has this prototype:
#
#    int check_password( char *password, char **errormessage, void *arg )
#
#    The function should return LDAP_SUCCESS for a valid password.

attributetype  (  1.3.6.1.4.1.42.2.27.8.1.99
     NAME 'pwdCheckModule'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
     DESC 'Loadable module that instantiates "check_password() function'
     SINGLE-VALUE )

# 4.1. The pwdPolicy Object Class 
#     
#    This object class contains the attributes defining a password policy 
#    in effect for a set of users. Section 8 describes the administration 
#    of this object, and the relationship between it and particular 
#    objects. 
    
objectclass   (  1.3.6.1.4.1.42.2.27.8.2.1 
      NAME 'pwdPolicy'  
      SUP top 
      AUXILIARY  
      MUST ( pwdAttribute ) 
      MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ 
      pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout 
      $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ 
      pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdCheckModule ) ) 

# 4.3. Attribute Types for Password Policy State Information 
#     
#    Password policy state information must be maintained for each user. 
#    The information is located in each user entry as a set of 
#    operational attributes. These operational attributes are: 
#    pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned, 
#    pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset, 
#    pwdPolicySubEntry. 
#     
# 4.3.1. Password Policy State Attribute Option 
#     
#    Since the password policy could apply to several attributes used to 
#    store passwords, each of the above operational attributes must have 
#    an option to specify which pwdAttribute is applies to.  
#    The password policy option is defined as the following: 
#         pwd-<passwordAttribute> 
#     
#    where passwordAttribute a string following the OID syntax 
#    (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor 
#    (short name) MUST be used. 
#     
#    For example, if the pwdPolicy object has for pwdAttribute 
#    "userPassword" then the pwdChangedTime operational attribute, in a 
#    user entry, will be: 
#    pwdChangedTime;pwd-userPassword: 20000103121520Z 
#     
#    This attribute option follows sub-typing semantics. If a client 
#    requests a password policy state attribute to be returned in a 
#    search operation, and does not specify an option, all subtypes of 
#    that policy state attribute are returned. 
#          
# 4.3.2. pwdChangedTime 
#     
#    This attribute specifies the last time the entry's password was 
#    changed. This is used by the password expiration policy. If this 
#    attribute does not exist, the password will never expire. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.16 
#       NAME 'pwdChangedTime' 
#       DESC 'The time the password was last changed' 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
#       EQUALITY generalizedTimeMatch 
#       ORDERING generalizedTimeOrderingMatch 
#       SINGLE-VALUE 
#       USAGE directoryOperation) 
#     
# 4.3.3. pwdAccountLockedTime 
#     
#    This attribute holds the time that the user's account was locked. A 
#    locked account means that the password may no longer be used to 
#    authenticate. A 0 value means that the account has been locked 
#    permanently, and that only an administrator can unlock the account. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.17 
#       NAME 'pwdAccountLockedTime' 
#       DESC 'The time an user account was locked' 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
#       EQUALITY generalizedTimeMatch 
#       ORDERING generalizedTimeOrderingMatch 
#       SINGLE-VALUE 
#       USAGE directoryOperation) 
#      
# 4.3.4. pwdExpirationWarned 
#  
#    This attribute contains the time when the password expiration 
#    warning was first sent to the client. The password will expire in 
#    the pwdExpireWarning time. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.18 
#       NAME 'pwdExpirationWarned' 
#       DESC 'The time the user was first warned about the coming 
#               expiration of the password' 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
#       EQUALITY generalizedTimeMatch 
#       ORDERING generalizedTimeOrderingMatch 
#       SINGLE-VALUE 
#       USAGE directoryOperation ) 
#     
# 4.3.5. pwdFailureTime 
#     
#    This attribute holds the timestamps of the consecutive 
#    authentication failures. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.19 
#       NAME 'pwdFailureTime' 
#       DESC 'The timestamps of the last consecutive authentication 
#               failures' 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
#       EQUALITY generalizedTimeMatch 
#       ORDERING generalizedTimeOrderingMatch 
#       USAGE directoryOperation ) 
#     
# 4.3.6. pwdHistory 
#     
#    This attribute holds a history of previously used passwords. 
#     
#    Values of this attribute are transmitted in string format as given 
#    by the following ABNF: 
#     
#    pwdHistory = time "#" syntaxOID "#" length "#" data 
#     
#    time         = <generalizedTimeString as specified in 6.14 of 
#                   [RFC2252]> 
#     
#    syntaxOID    = numericoid     ; the string representation of the  
#                                  ; dotted-decimal OID that defines the 
#                                  ; syntax used to store the password. 
#                                  ; numericoid is described in 4.1 of 
#                                  ; [RFC2252]. 
#       
#    length       = numericstring  ; the number of octets in data. 
#                                  ; numericstring is described in 4.1 of 
#                                  ; [RFC2252]. 
#     
#    data         = <octets representing the password in the format      
#                 specified by syntaxOID>. 
#     
#    This format allows the server to store, and transmit a history of 
#    passwords that have been used. In order for equality matching to 
#    function properly, the time field needs to adhere to a consistent 
#    format. For this purpose, the time field MUST be in GMT format. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.20 
#       NAME 'pwdHistory' 
#       DESC 'The history of user s passwords' 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 
#       EQUALITY octetStringMatch 
#       USAGE directoryOperation) 
#     
# 4.3.7. pwdGraceUseTime 
#     
#    This attribute holds the timestamps of grace login once a password 
#    has expired. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.21 
#       NAME 'pwdGraceUseTime' 
#       DESC 'The timestamps of the grace login once the password has 
#       expired' 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
#       EQUALITY generalizedTimeMatch 
#        
#       USAGE directoryOperation) 
#     
# 4.3.8. pwdReset 
#     
#    This attribute holds a flag to indicate (when TRUE) that the 
#    password has been reset and therefore must be changed by the user on 
#    first authentication. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.22 
#       NAME 'pwdReset' 
#       DESC 'The indication that the password has been reset' 
#       EQUALITY booleanMatch 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
#       SINGLE-VALUE 
#       USAGE directoryOperation) 
#     
# 4.3.9. pwdPolicySubentry 
#     
#    This attribute points to the pwdPolicy subentry in effect for this 
#    object. 
#     
#    (  1.3.6.1.4.1.42.2.27.8.1.23 
#       NAME 'pwdPolicySubentry' 
#       DESC 'The pwdPolicy subentry in effect for this object' 
#       EQUALITY distinguishedNameMatch 
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
#       SINGLE-VALUE 
#       USAGE directoryOperation) 
#     
# 14. Copyright Notice 
#     
#    Copyright (C) The Internet Society (2004). All Rights  
#    Reserved.   
#      
#    This document and translations of it may be copied and furnished to 
#    others, and derivative works that comment on or otherwise explain it 
#    or assist in its implementation may be prepared, copied, published 
#    and distributed, in whole or in part, without restriction of any 
#    kind, provided that the above copyright notice and this paragraph 
#    are included on all such copies and derivative works. However, this 
#    document itself may not be modified in any way, such as by removing 
#    the copyright notice or references to the Internet Society or other 
#    Internet organizations, except as needed for the purpose of 
#    developing Internet standards in which case the procedures for 
#    copyrights defined in the Internet Standards process must be 
#    followed, or as required to translate it into languages other than 
#    English.  
#      
#    The limited permissions granted above are perpetual and will not be 
#    revoked by the Internet Society or its successors or assigns.  
#      
#    This document and the information contained herein is provided on an 
#    "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
#    TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
#    BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
#    HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF  
#    MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."