- 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3. Application of password policy . . . . . . . . . . . . . . . . 6
- 4. Articles of password policy . . . . . . . . . . . . . . . . . 7
- 4.1 Password Usage Policy . . . . . . . . . . . . . . . . . . . . 7
- 4.2 Password Modification Policy . . . . . . . . . . . . . . . . . 7
- 4.3 Restriction of the Password Policy . . . . . . . . . . . . . . 10
- 5. Schema used for Password Policy . . . . . . . . . . . . . . . 11
- 5.1 The pwdPolicy Object Class . . . . . . . . . . . . . . . . . . 11
- 5.2 Attribute Types used in the pwdPolicy ObjectClass . . . . . . 11
- 5.3 Attribute Types for Password Policy State Information . . . . 16
- 6. Controls used for Password Policy . . . . . . . . . . . . . . 21
- 6.1 Request Control . . . . . . . . . . . . . . . . . . . . . . . 21
- 6.2 Response Control . . . . . . . . . . . . . . . . . . . . . . . 21
- 7. Policy Decision Points . . . . . . . . . . . . . . . . . . . . 23
- 7.1 Locked Account Check . . . . . . . . . . . . . . . . . . . . . 23
- 7.2 Password Must be Changed Now Check . . . . . . . . . . . . . . 23
- 7.3 Password Expiration Check . . . . . . . . . . . . . . . . . . 23
- 7.4 Remaining Grace AuthN Check . . . . . . . . . . . . . . . . . 23
- 7.5 Time Before Expiration Check . . . . . . . . . . . . . . . . . 24
- 7.6 Intruder Detection Check . . . . . . . . . . . . . . . . . . . 24
- 7.7 Password Too Young Check . . . . . . . . . . . . . . . . . . . 24
- 8. Server Policy Enforcement Points . . . . . . . . . . . . . . . 25
- 8.1 Password-based Authentication . . . . . . . . . . . . . . . . 25
- 8.2 Password Update Operations . . . . . . . . . . . . . . . . . . 27
- 8.3 Other Operations . . . . . . . . . . . . . . . . . . . . . . . 30
- 9. Client Policy Enforcement Points . . . . . . . . . . . . . . . 31
- 9.1 Bind Operation . . . . . . . . . . . . . . . . . . . . . . . . 31
- 9.2 Modify Operations . . . . . . . . . . . . . . . . . . . . . . 32
- 9.3 Add Operation . . . . . . . . . . . . . . . . . . . . . . . . 33
- 9.4 Compare Operation . . . . . . . . . . . . . . . . . . . . . . 33
- 9.5 Other Operations . . . . . . . . . . . . . . . . . . . . . . . 34
- 10. Administration of the Password Policy . . . . . . . . . . . . 35
- 11. Password Policy and Replication . . . . . . . . . . . . . . . 36
- 12. Security Considerations . . . . . . . . . . . . . . . . . . . 37
- 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
- 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 39
- 15. Normative References . . . . . . . . . . . . . . . . . . . . . 39
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 40
- Intellectual Property and Copyright Statements . . . . . . . . 41
-
-
-
-
-
-
-
-
-
-Sermersheim & Poitou Expires January 18, 2006 [Page 3]
+ 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3. Application of Password Policy . . . . . . . . . . . . . . . 6
+ 4. Articles of Password Policy . . . . . . . . . . . . . . . . 7
+ 4.1. Password Usage Policy . . . . . . . . . . . . . . . . . . . 7
+ 4.2. Password Modification Policy . . . . . . . . . . . . . . . . 8
+ 4.3. Restriction of the Password Policy . . . . . . . . . . . . . 10
+ 5. Schema used for Password Policy . . . . . . . . . . . . . . 12
+ 5.1. The pwdPolicy Object Class . . . . . . . . . . . . . . . . . 12
+ 5.2. Attribute Types used in the pwdPolicy ObjectClass . . . . . 12
+ 5.3. Attribute Types for Password Policy State Information . . . 18
+ 6. Controls used for Password Policy . . . . . . . . . . . . . 24
+ 6.1. Request Control . . . . . . . . . . . . . . . . . . . . . . 24
+ 6.2. Response Control . . . . . . . . . . . . . . . . . . . . . . 24
+ 7. Policy Decision Points . . . . . . . . . . . . . . . . . . . 26
+ 7.1. Locked Account Check . . . . . . . . . . . . . . . . . . . . 26
+ 7.2. Password Must be Changed Now Check . . . . . . . . . . . . . 26
+ 7.3. Password Expiration Check . . . . . . . . . . . . . . . . . 27
+ 7.4. Remaining Grace AuthN Check . . . . . . . . . . . . . . . . 27
+ 7.5. Time Before Expiration Check . . . . . . . . . . . . . . . . 27
+ 7.6. Intruder Lockout Check . . . . . . . . . . . . . . . . . . . 27
+ 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 27
+ 7.8. Password Too Young Check . . . . . . . . . . . . . . . . . . 28
+ 8. Server Policy Enforcement Points . . . . . . . . . . . . . . 29
+ 8.1. Password-based Authentication . . . . . . . . . . . . . . . 29
+ 8.2. Password Update Operations . . . . . . . . . . . . . . . . . 31
+ 8.3. Other Operations . . . . . . . . . . . . . . . . . . . . . . 34
+ 9. Client Policy Enforcement Points . . . . . . . . . . . . . . 35
+ 9.1. Bind Operation . . . . . . . . . . . . . . . . . . . . . . . 35
+ 9.2. Modify Operations . . . . . . . . . . . . . . . . . . . . . 36
+ 9.3. Add Operation . . . . . . . . . . . . . . . . . . . . . . . 37
+ 9.4. Compare Operation . . . . . . . . . . . . . . . . . . . . . 37
+ 9.5. Other Operations . . . . . . . . . . . . . . . . . . . . . . 38
+ 10. Administration of the Password Policy . . . . . . . . . . . 39
+ 11. Password Policy and Replication . . . . . . . . . . . . . . 40
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . 42
+ 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 43
+ 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 44
+ 15. Normative References . . . . . . . . . . . . . . . . . . . . 45
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 46
+
+
+
+
+
+
+
+
+
+Sermersheim, et al. Expires February 10, 2010 [Page 3]
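Review bot: In the section 7 entries, the old 7.6 "Intruder Detection Check" is replaced by 7.6 "Intruder Lockout Check" plus a new 7.7 "Intruder Delay Check", which moves "Password Too Young Check" from 7.7 to 7.8. Any reference elsewhere in the draft that cites 7.6 or 7.7 by number, or that still uses the "Intruder Detection" name, should be checked against the new numbering, since a stale pointer would send an implementer to the wrong decision point. The "Intellectual Property and Copyright Statements" entry is also dropped from the contents with no replacement; please confirm the section itself was removed from the body and not only from this list.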