# $OpenLDAP$ ## This work is part of OpenLDAP Software . ## ## Copyright 2004 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## . # ## Portions Copyright (C) The Internet Society (2004). All Rights Reserved. ## Please see full copyright statement below. # Definitions from Draft behera-ldap-password-policy-07 # Password Policy for LDAP Directories # With extensions from Hewlett-Packard: # pwdCheckModule etc. # # Internet-Draft P. Behera # draft behera-ldap-password-policy-07.txt L. Poitou # Intended Category: Proposed Standard Sun Microsystems # Expires: August 2004 J. Sermersheim # Novell # # February 2004 # # # Password Policy for LDAP Directories # # # Status of this Memo # # This document is an Internet-Draft and is in full conformance with # all provisions of Section 10 of RFC 2026. # # Internet-Drafts are working documents of the Internet Engineering # Task Force (IETF), its areas, and its working groups. Note that # other groups may also distribute working documents as Internet- # Drafts. # # Internet-Drafts are draft documents valid for a maximum of six # months and may be updated, replaced, or obsoleted by other documents # at any time. It is inappropriate to use Internet- Drafts as # reference material or to cite them other than as "work in progress." # # The list of current Internet-Drafts can be accessed at # http://www.ietf.org/ietf/1id-abstracts.txt # # The list of Internet-Draft Shadow Directories can be accessed at # http://www.ietf.org/shadow.html. # # Technical discussions of this draft are held on the LDAPEXT Working # Group mailing list at ietf-ldapext@netscape.com. Editorial comments # may be sent to the authors listed in Section 13. # # Copyright (C) The Internet Society (2004). All rights Reserved. # # Please see the Copyright Section near the end of this document for # more information. # # # 1. Abstract # # Password policy as described in this document is a set of rules that # controls how passwords are used and administered in LDAP # directories. In order to improve the security of LDAP directories # and make it difficult for password cracking programs to break into # directories, it is desirable to enforce a set of rules on password # usage. These rules are made to ensure that users change their # passwords periodically, passwords meet construction requirements, # the re-use of old password is restricted, and users are locked out # after a certain number of failed attempts. # # [trimmed] # # # 4.2. Attribute Types used in the pwdPolicy ObjectClass # # Following are the attribute types used by the pwdPolicy object # class. # # 4.2.1. pwdAttribute # # This holds the name of the attribute to which the password policy is # applied. For example, the password policy may be applied to the # userPassword attribute. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) # 4.2.2. pwdMinAge # # This attribute holds the number of seconds that must elapse between # modifications to the password. If this attribute is not present, 0 # seconds is assumed. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.3. pwdMaxAge # # This attribute holds the number of seconds after which a modified # password will expire. # # If this attribute is not present, or if the value is 0 the password # does not expire. If not 0, the value must be greater than or equal # to the value of the pwdMinAge. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.4. pwdInHistory # # This attribute specifies the maximum number of used passwords stored # in the pwdHistory attribute. # # If this attribute is not present, or if the value is 0, used # passwords are not stored in the pwdHistory attribute and thus may be # reused. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.5. pwdCheckQuality # # This attribute indicates how the password quality will be verified # while being modified or added. If this attribute is not present, or # if the value is '0', quality checking will not be enforced. A value # of '1' indicates that the server will check the quality, and if the # server is unable to check it (due to a hashed password or other # reasons) it will be accepted. A value of '2' indicates that the # server will check the quality, and if the server is unable to verify # it, it will return an error refusing the password. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.6. pwdMinLength # # When quality checking is enabled, this attribute holds the minimum # number of characters that must be used in a password. If this # attribute is not present, no minimum password length will be # enforced. If the server is unable to check the length (due to a # hashed password or otherwise), the server will, depending on the # value of the pwdCheckQuality attribute, either accept the password # without checking it ('0' or '1') or refuse it ('2'). attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.7. pwdExpireWarning # # This attribute specifies the maximum number of seconds before a # password is due to expire that expiration warning messages will be # returned to an authenticating user. If this attribute is not # present, or if the value is 0 no warnings will be sent. If not 0, # the value must be smaller than the value of the pwdMaxAge attribute. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.8. pwdGraceLoginLimit # # This attribute specifies the number of times an expired password can # be used to authenticate. If this attribute is not present or if the # value is 0, authentication will fail. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceLoginLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.9. pwdLockout # # This attribute indicates, when its value is "TRUE", that the # password may not be used to authenticate after a specified number of # consecutive failed bind attempts. The maximum number of consecutive # failed bind attempts is specified in pwdMaxFailure. # # If this attribute is not present, or if the value is "FALSE", the # password may be used to authenticate when the number of failed bind # attempts has been reached. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # 4.2.10. pwdLockoutDuration # # This attribute holds the number of seconds that the password cannot # be used to authenticate due to too many failed bind attempts. If # this attribute is not present, or if the value is 0 the password # cannot be used to authenticate until reset by an administrator. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.11. pwdMaxFailure # # This attribute specifies the number of consecutive failed bind # attempts after which the password may not be used to authenticate. # If this attribute is not present, or if the value is 0, this policy # is not checked, and the value of pwdLockout will be ignored. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.12. pwdFailureCountInterval # # This attribute holds the number of seconds after which the password # failures are purged from the failure counter, even though no # successful authentication occurred. # # If this attribute is not present, or if its value is 0, the failure # counter is only reset by a successful authentication. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) # 4.2.13. pwdMustChange # # This attribute specifies with a value of "TRUE" that users must # change their passwords when they first bind to the directory after a # password is set or reset by the administrator. If this attribute is # not present, or if the value is "FALSE", users are not required to # change their password upon binding after the administrator sets or # resets the password. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # 4.2.14. pwdAllowUserChange # # This attribute indicates whether users can change their own # passwords, although the change operation is still subject to access # control. If this attribute is not present, a value of "TRUE" is # assumed. attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # 4.2.15. pwdSafeModify # # This attribute specifies whether or not the existing password must # be sent when changing a password. If this attribute is not present, # a "FALSE" value is assumed. # attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # HP extensions # # pwdCheckModule # # This attribute names a user-defined loadable module that provides # a check_password() function. If pwdCheckQuality is set to '1' or '2' # this function will be called after all of the internal password # quality checks have been passed. The function has this prototype: # # int check_password( char *password, char **errormessage, void *arg ) # # The function should return LDAP_SUCCESS for a valid password. attributetype ( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 DESC 'Loadable module that instantiates "check_password() function' SINGLE-VALUE ) # 4.1. The pwdPolicy Object Class # # This object class contains the attributes defining a password policy # in effect for a set of users. Section 8 describes the administration # of this object, and the relationship between it and particular # objects. objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) objectclass ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY ( pwdCheckModule ) ) # 4.3. Attribute Types for Password Policy State Information # # Password policy state information must be maintained for each user. # The information is located in each user entry as a set of # operational attributes. These operational attributes are: # pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned, # pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset, # pwdPolicySubEntry. # # 4.3.1. Password Policy State Attribute Option # # Since the password policy could apply to several attributes used to # store passwords, each of the above operational attributes must have # an option to specify which pwdAttribute is applies to. # The password policy option is defined as the following: # pwd- # # where passwordAttribute a string following the OID syntax # (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor # (short name) MUST be used. # # For example, if the pwdPolicy object has for pwdAttribute # "userPassword" then the pwdChangedTime operational attribute, in a # user entry, will be: # pwdChangedTime;pwd-userPassword: 20000103121520Z # # This attribute option follows sub-typing semantics. If a client # requests a password policy state attribute to be returned in a # search operation, and does not specify an option, all subtypes of # that policy state attribute are returned. # # 4.3.2. pwdChangedTime # # This attribute specifies the last time the entry's password was # changed. This is used by the password expiration policy. If this # attribute does not exist, the password will never expire. # # ( 1.3.6.1.4.1.42.2.27.8.1.16 # NAME 'pwdChangedTime' # DESC 'The time the password was last changed' # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SINGLE-VALUE # USAGE directoryOperation) # # 4.3.3. pwdAccountLockedTime # # This attribute holds the time that the user's account was locked. A # locked account means that the password may no longer be used to # authenticate. A 0 value means that the account has been locked # permanently, and that only an administrator can unlock the account. # # ( 1.3.6.1.4.1.42.2.27.8.1.17 # NAME 'pwdAccountLockedTime' # DESC 'The time an user account was locked' # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SINGLE-VALUE # USAGE directoryOperation) # # 4.3.4. pwdExpirationWarned # # This attribute contains the time when the password expiration # warning was first sent to the client. The password will expire in # the pwdExpireWarning time. # # ( 1.3.6.1.4.1.42.2.27.8.1.18 # NAME 'pwdExpirationWarned' # DESC 'The time the user was first warned about the coming # expiration of the password' # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # SINGLE-VALUE # USAGE directoryOperation ) # # 4.3.5. pwdFailureTime # # This attribute holds the timestamps of the consecutive # authentication failures. # # ( 1.3.6.1.4.1.42.2.27.8.1.19 # NAME 'pwdFailureTime' # DESC 'The timestamps of the last consecutive authentication # failures' # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # EQUALITY generalizedTimeMatch # ORDERING generalizedTimeOrderingMatch # USAGE directoryOperation ) # # 4.3.6. pwdHistory # # This attribute holds a history of previously used passwords. # # Values of this attribute are transmitted in string format as given # by the following ABNF: # # pwdHistory = time "#" syntaxOID "#" length "#" data # # time = # # syntaxOID = numericoid ; the string representation of the # ; dotted-decimal OID that defines the # ; syntax used to store the password. # ; numericoid is described in 4.1 of # ; [RFC2252]. # # length = numericstring ; the number of octets in data. # ; numericstring is described in 4.1 of # ; [RFC2252]. # # data = . # # This format allows the server to store, and transmit a history of # passwords that have been used. In order for equality matching to # function properly, the time field needs to adhere to a consistent # format. For this purpose, the time field MUST be in GMT format. # # ( 1.3.6.1.4.1.42.2.27.8.1.20 # NAME 'pwdHistory' # DESC 'The history of user s passwords' # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 # EQUALITY octetStringMatch # USAGE directoryOperation) # # 4.3.7. pwdGraceUseTime # # This attribute holds the timestamps of grace login once a password # has expired. # # ( 1.3.6.1.4.1.42.2.27.8.1.21 # NAME 'pwdGraceUseTime' # DESC 'The timestamps of the grace login once the password has # expired' # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 # EQUALITY generalizedTimeMatch # # USAGE directoryOperation) # # 4.3.8. pwdReset # # This attribute holds a flag to indicate (when TRUE) that the # password has been reset and therefore must be changed by the user on # first authentication. # # ( 1.3.6.1.4.1.42.2.27.8.1.22 # NAME 'pwdReset' # DESC 'The indication that the password has been reset' # EQUALITY booleanMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 # SINGLE-VALUE # USAGE directoryOperation) # # 4.3.9. pwdPolicySubentry # # This attribute points to the pwdPolicy subentry in effect for this # object. # # ( 1.3.6.1.4.1.42.2.27.8.1.23 # NAME 'pwdPolicySubentry' # DESC 'The pwdPolicy subentry in effect for this object' # EQUALITY distinguishedNameMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 # SINGLE-VALUE # USAGE directoryOperation) # # 14. Copyright Notice # # Copyright (C) The Internet Society (2004). All Rights # Reserved. # # This document and translations of it may be copied and furnished to # others, and derivative works that comment on or otherwise explain it # or assist in its implementation may be prepared, copied, published # and distributed, in whole or in part, without restriction of any # kind, provided that the above copyright notice and this paragraph # are included on all such copies and derivative works. However, this # document itself may not be modified in any way, such as by removing # the copyright notice or references to the Internet Society or other # Internet organizations, except as needed for the purpose of # developing Internet standards in which case the procedures for # copyrights defined in the Internet Standards process must be # followed, or as required to translate it into languages other than # English. # # The limited permissions granted above are perpetual and will not be # revoked by the Internet Society or its successors or assigns. # # This document and the information contained herein is provided on an # "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING # TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING # BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION # HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF # MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."