# $OpenLDAP$ ## This work is part of OpenLDAP Software . ## ## Copyright 2004-2005 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . # ## Portions Copyright (C) The Internet Society (2004). ## Please see full copyright statement below. # Definitions from Draft behera-ldap-password-policy-07 (a work in progress) # Password Policy for LDAP Directories # With extensions from Hewlett-Packard: # pwdCheckModule etc. # Contents of this file are subject to change (including deletion) # without notice. # # Not recommended for production use! # Use with extreme caution! #Network Working Group J. Sermersheim #Internet-Draft Novell, Inc #Expires: April 24, 2005 L. Poitou # Sun Microsystems # October 24, 2004 # # # Password Policy for LDAP Directories # draft-behera-ldap-password-policy-08.txt # #Status of this Memo # # This document is an Internet-Draft and is subject to all provisions # of section 3 of RFC 3667. By submitting this Internet-Draft, each # author represents that any applicable patent or other IPR claims of # which he or she is aware have been or will be disclosed, and any of # which he or she become aware will be disclosed, in accordance with # RFC 3668. # # Internet-Drafts are working documents of the Internet Engineering # Task Force (IETF), its areas, and its working groups. Note that # other groups may also distribute working documents as # Internet-Drafts. # # Internet-Drafts are draft documents valid for a maximum of six months # and may be updated, replaced, or obsoleted by other documents at any # time. It is inappropriate to use Internet-Drafts as reference # material or to cite them other than as "work in progress." # # The list of current Internet-Drafts can be accessed at # http://www.ietf.org/ietf/1id-abstracts.txt. # # The list of Internet-Draft Shadow Directories can be accessed at # http://www.ietf.org/shadow.html. # # This Internet-Draft will expire on April 24, 2005. # #Copyright Notice # # Copyright (C) The Internet Society (2004). # #Abstract # # Password policy as described in this document is a set of rules that # controls how passwords are used and administered in Lightweight # Directory Access Protocol (LDAP) based directories. In order to # improve the security of LDAP directories and make it difficult for # password cracking programs to break into directories, it is desirable # to enforce a set of rules on password usage. These rules are made to # # [trimmed] # #5. Schema used for Password Policy # # The schema elements defined here fall into two general categories. A # password policy object class is defined which contains a set of # administrative password policy attributes, and a set of operational # attributes are defined that hold general password policy state # information for each user. # #5.2 Attribute Types used in the pwdPolicy ObjectClass # # Following are the attribute types used by the pwdPolicy object class. # #5.2.1 pwdAttribute # # This holds the name of the attribute to which the password policy is # applied. For example, the password policy may be applied to the # userPassword attribute. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) #5.2.2 pwdMinAge # # This attribute holds the number of seconds that must elapse between # modifications to the password. If this attribute is not present, 0 # seconds is assumed. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.3 pwdMaxAge # # This attribute holds the number of seconds after which a modified # password will expire. # # If this attribute is not present, or if the value is 0 the password # does not expire. If not 0, the value must be greater than or equal # to the value of the pwdMinAge. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.4 pwdInHistory # # This attribute specifies the maximum number of used passwords stored # in the pwdHistory attribute. # # If this attribute is not present, or if the value is 0, used # passwords are not stored in the pwdHistory attribute and thus may be # reused. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.5 pwdCheckQuality # # {TODO: Consider changing the syntax to OID. Each OID will list a # quality rule (like min len, # of special characters, etc). These # rules can be specified outsid ethis document.} # # {TODO: Note that even though this is meant to be a check that happens # during password modification, it may also be allowed to happen during # authN. This is useful for situations where the password is encrypted # when modified, but decrypted when used to authN.} # # This attribute indicates how the password quality will be verified # while being modified or added. If this attribute is not present, or # if the value is '0', quality checking will not be enforced. A value # of '1' indicates that the server will check the quality, and if the # server is unable to check it (due to a hashed password or other # reasons) it will be accepted. A value of '2' indicates that the # server will check the quality, and if the server is unable to verify # it, it will return an error refusing the password. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.6 pwdMinLength # # When quality checking is enabled, this attribute holds the minimum # number of characters that must be used in a password. If this # attribute is not present, no minimum password length will be # enforced. If the server is unable to check the length (due to a # hashed password or otherwise), the server will, depending on the # value of the pwdCheckQuality attribute, either accept the password # without checking it ('0' or '1') or refuse it ('2'). attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.7 pwdExpireWarning # # This attribute specifies the maximum number of seconds before a # password is due to expire that expiration warning messages will be # returned to an authenticating user. # # If this attribute is not present, or if the value is 0 no warnings # will be returned. If not 0, the value must be smaller than the value # of the pwdMaxAge attribute. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.8 pwdGraceAuthNLimit # # This attribute specifies the number of times an expired password can # be used to authenticate. If this attribute is not present or if the # value is 0, authentication will fail. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.9 pwdLockout # # This attribute indicates, when its value is "TRUE", that the password # may not be used to authenticate after a specified number of # consecutive failed bind attempts. The maximum number of consecutive # failed bind attempts is specified in pwdMaxFailure. # # If this attribute is not present, or if the value is "FALSE", the # password may be used to authenticate when the number of failed bind # attempts has been reached. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) #5.2.10 pwdLockoutDuration # # This attribute holds the number of seconds that the password cannot # be used to authenticate due to too many failed bind attempts. If # this attribute is not present, or if the value is 0 the password # cannot be used to authenticate until reset by a password # administrator. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.11 pwdMaxFailure # # This attribute specifies the number of consecutive failed bind # attempts after which the password may not be used to authenticate. # If this attribute is not present, or if the value is 0, this policy # is not checked, and the value of pwdLockout will be ignored. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.12 pwdFailureCountInterval # # This attribute holds the number of seconds after which the password # failures are purged from the failure counter, even though no # successful authentication occurred. # # If this attribute is not present, or if its value is 0, the failure # counter is only reset by a successful authentication. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #5.2.13 pwdMustChange # # This attribute specifies with a value of "TRUE" that users must # change their passwords when they first bind to the directory after a # password is set or reset by a password administrator. If this # attribute is not present, or if the value is "FALSE", users are not # required to change their password upon binding after the password # administrator sets or resets the password. This attribute is not set # due to any actions specified by this document, it is typically set by # a password administrator after resetting a user's password. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) #5.2.14 pwdAllowUserChange # # This attribute indicates whether users can change their own # passwords, although the change operation is still subject to access # control. If this attribute is not present, a value of "TRUE" is # assumed. This attribute is intended to be used in the absense of an # access control mechanism. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) #5.2.15 pwdSafeModify # # This attribute specifies whether or not the existing password must be # sent along with the new password when being changed. If this # attribute is not present, a "FALSE" value is assumed. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # HP extensions # # pwdCheckModule # # This attribute names a user-defined loadable module that provides # a check_password() function. If pwdCheckQuality is set to '1' or '2' # this function will be called after all of the internal password # quality checks have been passed. The function has this prototype: # # int check_password( char *password, char **errormessage, void *arg ) # # The function should return LDAP_SUCCESS for a valid password. attributetype ( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 DESC 'Loadable module that instantiates "check_password() function' SINGLE-VALUE ) objectclass ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY ( pwdCheckModule ) ) #5.1 The pwdPolicy Object Class # # This object class contains the attributes defining a password policy # in effect for a set of users. Section 10 describes the # administration of this object, and the relationship between it and # particular objects. # objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) #5.3 Attribute Types for Password Policy State Information # # Password policy state information must be maintained for each user. # The information is located in each user entry as a set of operational # attributes. These operational attributes are: pwdChangedTime, # pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime, # pwdReset, pwdPolicySubEntry. # #5.3.1 Password Policy State Attribute Option # # Since the password policy could apply to several attributes used to # store passwords, each of the above operational attributes must have # an option to specify which pwdAttribute it applies to. The password # policy option is defined as the following: # # pwd- # # where passwordAttribute a string following the OID syntax # (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor # (short name) MUST be used. # # For example, if the pwdPolicy object has for pwdAttribute # "userPassword" then the pwdChangedTime operational attribute, in a # user entry, will be: # # pwdChangedTime;pwd-userPassword: 20000103121520Z # # This attribute option follows sub-typing semantics. If a client # requests a password policy state attribute to be returned in a search # operation, and does not specify an option, all subtypes of that # policy state attribute are returned. # #5.3.2 pwdChangedTime # # This attribute specifies the last time the entry's password was # changed. This is used by the password expiration policy. If this # attribute does not exist, the password will never expire. # # ( 1.3.6.1.4.1.42.2.27.8.1.16 # NAME 'pwdChangedTime' # DESC 'The time the password was last changed' # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # SINGLE-VALUE # USAGE directoryOperation ) # #5.3.3 pwdAccountLockedTime # # This attribute holds the time that the user's account was locked. A # locked account means that the password may no longer be used to # authenticate. A 000001010000Z value means that the account has been # locked permanently, and that only a password administrator can unlock # the account. # # ( 1.3.6.1.4.1.42.2.27.8.1.17 # NAME 'pwdAccountLockedTime' # DESC 'The time an user account was locked' # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # SINGLE-VALUE # USAGE directoryOperation ) # #5.3.4 pwdFailureTime # # This attribute holds the timestamps of the consecutive authentication # failures. # # ( 1.3.6.1.4.1.42.2.27.8.1.19 # NAME 'pwdFailureTime' # DESC 'The timestamps of the last consecutive authentication # failures' # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # USAGE directoryOperation ) # #5.3.5 pwdHistory # # This attribute holds a history of previously used passwords. Values # of this attribute are transmitted in string format as given by the # following ABNF: # # pwdHistory = time "#" syntaxOID "#" length "#" data # # time = # # syntaxOID = numericoid ; the string representation of the # ; dotted-decimal OID that defines the # ; syntax used to store the password. # ; numericoid is described in 4.1 # ; of [RFC2252]. # # length = numericstring ; the number of octets in data. # ; numericstring is described in 4.1 # ; of [RFC2252]. # # data = . # # This format allows the server to store, and transmit a history of # passwords that have been used. In order for equality matching to # function properly, the time field needs to adhere to a consistent # format. For this purpose, the time field MUST be in GMT format. # # ( 1.3.6.1.4.1.42.2.27.8.1.20 # NAME 'pwdHistory' # DESC 'The history of user s passwords' # EQUALITY octetStringMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 # USAGE directoryOperation ) # #5.3.6 pwdGraceUseTime # # This attribute holds the timestamps of grace authentications after a # password has expired. # # ( 1.3.6.1.4.1.42.2.27.8.1.21 # NAME 'pwdGraceUseTime' # DESC 'The timestamps of the grace authentication after the # password has expired' # EQUALITY generalizedTimeMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # #5.3.7 pwdReset # # This attribute holds a flag to indicate (when TRUE) that the password # has been updated by the password administrator and must be changed by # the user on first authentication. # # ( 1.3.6.1.4.1.42.2.27.8.1.22 # NAME 'pwdReset' # DESC 'The indication that the password has been reset' # EQUALITY booleanMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 # SINGLE-VALUE # USAGE directoryOperation ) # #5.3.8 pwdPolicySubentry # # This attribute points to the pwdPolicy subentry in effect for this # object. # # ( 1.3.6.1.4.1.42.2.27.8.1.23 # NAME 'pwdPolicySubentry' # DESC 'The pwdPolicy subentry in effect for this object' # EQUALITY distinguishedNameMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 # SINGLE-VALUE # USAGE directoryOperation ) # # #Disclaimer of Validity # # This document and the information contained herein are provided on an # "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS # OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET # ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, # INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE # INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED # WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. # # #Copyright Statement # # Copyright (C) The Internet Society (2004). This document is subject # to the rights, licenses and restrictions contained in BCP 78, and # except as set forth therein, the authors retain all their rights.