-# Internet-Draft P. Behera
-# draft behera-ldap-password-policy-07.txt L. Poitou
-# Intended Category: Proposed Standard Sun Microsystems
-# Expires: August 2004 J. Sermersheim
-# Novell
-#
-# February 2004
-#
-#
-# Password Policy for LDAP Directories
-#
-#
-# Status of this Memo
-#
-# This document is an Internet-Draft and is in full conformance with
-# all provisions of Section 10 of RFC 2026.
-#
-# Internet-Drafts are working documents of the Internet Engineering
-# Task Force (IETF), its areas, and its working groups. Note that
-# other groups may also distribute working documents as Internet-
-# Drafts.
-#
-# Internet-Drafts are draft documents valid for a maximum of six
-# months and may be updated, replaced, or obsoleted by other documents
-# at any time. It is inappropriate to use Internet- Drafts as
-# reference material or to cite them other than as "work in progress."
-#
-# The list of current Internet-Drafts can be accessed at
-# http://www.ietf.org/ietf/1id-abstracts.txt
-#
-# The list of Internet-Draft Shadow Directories can be accessed at
-# http://www.ietf.org/shadow.html.
-#
-# Technical discussions of this draft are held on the LDAPEXT Working
-# Group mailing list at ietf-ldapext@netscape.com. Editorial comments
-# may be sent to the authors listed in Section 13.
-#
-# Copyright (C) The Internet Society (2004). All rights Reserved.
-#
-# Please see the Copyright Section near the end of this document for
-# more information.
-#
-#
-# 1. Abstract
-#
-# Password policy as described in this document is a set of rules that
-# controls how passwords are used and administered in LDAP
-# directories. In order to improve the security of LDAP directories
-# and make it difficult for password cracking programs to break into
-# directories, it is desirable to enforce a set of rules on password
-# usage. These rules are made to ensure that users change their
-# passwords periodically, passwords meet construction requirements,
-# the re-use of old password is restricted, and users are locked out
-# after a certain number of failed attempts.
-#
-# [trimmed]
-#
-#
-# 4.2. Attribute Types used in the pwdPolicy ObjectClass
-#
-# Following are the attribute types used by the pwdPolicy object
-# class.
-#
-# 4.2.1. pwdAttribute
-#
-# This holds the name of the attribute to which the password policy is
-# applied. For example, the password policy may be applied to the
-# userPassword attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
- NAME 'pwdAttribute'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-# 4.2.2. pwdMinAge
-#
-# This attribute holds the number of seconds that must elapse between
-# modifications to the password. If this attribute is not present, 0
-# seconds is assumed.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
- NAME 'pwdMinAge'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.3. pwdMaxAge
-#
-# This attribute holds the number of seconds after which a modified
-# password will expire.
-#
-# If this attribute is not present, or if the value is 0 the password
-# does not expire. If not 0, the value must be greater than or equal
-# to the value of the pwdMinAge.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
- NAME 'pwdMaxAge'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.4. pwdInHistory
-#
-# This attribute specifies the maximum number of used passwords stored
-# in the pwdHistory attribute.
-#
-# If this attribute is not present, or if the value is 0, used
-# passwords are not stored in the pwdHistory attribute and thus may be
-# reused.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
- NAME 'pwdInHistory'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.5. pwdCheckQuality
-#
-# This attribute indicates how the password quality will be verified
-# while being modified or added. If this attribute is not present, or
-# if the value is '0', quality checking will not be enforced. A value
-# of '1' indicates that the server will check the quality, and if the
-# server is unable to check it (due to a hashed password or other
-# reasons) it will be accepted. A value of '2' indicates that the
-# server will check the quality, and if the server is unable to verify
-# it, it will return an error refusing the password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
- NAME 'pwdCheckQuality'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.6. pwdMinLength
-#
-# When quality checking is enabled, this attribute holds the minimum
-# number of characters that must be used in a password. If this
-# attribute is not present, no minimum password length will be
-# enforced. If the server is unable to check the length (due to a
-# hashed password or otherwise), the server will, depending on the
-# value of the pwdCheckQuality attribute, either accept the password
-# without checking it ('0' or '1') or refuse it ('2').
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
- NAME 'pwdMinLength'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.7. pwdExpireWarning
-#
-# This attribute specifies the maximum number of seconds before a
-# password is due to expire that expiration warning messages will be
-# returned to an authenticating user. If this attribute is not
-# present, or if the value is 0 no warnings will be sent. If not 0,
-# the value must be smaller than the value of the pwdMaxAge attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
- NAME 'pwdExpireWarning'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.8. pwdGraceLoginLimit
-#
-# This attribute specifies the number of times an expired password can
-# be used to authenticate. If this attribute is not present or if the
-# value is 0, authentication will fail.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
- NAME 'pwdGraceLoginLimit'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.9. pwdLockout
-#
-# This attribute indicates, when its value is "TRUE", that the
-# password may not be used to authenticate after a specified number of
-# consecutive failed bind attempts. The maximum number of consecutive
-# failed bind attempts is specified in pwdMaxFailure.
-#
-# If this attribute is not present, or if the value is "FALSE", the
-# password may be used to authenticate when the number of failed bind
-# attempts has been reached.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
- NAME 'pwdLockout'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-# 4.2.10. pwdLockoutDuration
-#
-# This attribute holds the number of seconds that the password cannot
-# be used to authenticate due to too many failed bind attempts. If
-# this attribute is not present, or if the value is 0 the password
-# cannot be used to authenticate until reset by an administrator.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
- NAME 'pwdLockoutDuration'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.11. pwdMaxFailure
-#
-# This attribute specifies the number of consecutive failed bind
-# attempts after which the password may not be used to authenticate.
-# If this attribute is not present, or if the value is 0, this policy
-# is not checked, and the value of pwdLockout will be ignored.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
- NAME 'pwdMaxFailure'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.12. pwdFailureCountInterval
-#
-# This attribute holds the number of seconds after which the password
-# failures are purged from the failure counter, even though no
-# successful authentication occurred.
-#
-# If this attribute is not present, or if its value is 0, the failure
-# counter is only reset by a successful authentication.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
- NAME 'pwdFailureCountInterval'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.13. pwdMustChange
-#
-# This attribute specifies with a value of "TRUE" that users must
-# change their passwords when they first bind to the directory after a
-# password is set or reset by the administrator. If this attribute is
-# not present, or if the value is "FALSE", users are not required to
-# change their password upon binding after the administrator sets or
-# resets the password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
- NAME 'pwdMustChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-# 4.2.14. pwdAllowUserChange
-#
-# This attribute indicates whether users can change their own
-# passwords, although the change operation is still subject to access
-# control. If this attribute is not present, a value of "TRUE" is
-# assumed.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
- NAME 'pwdAllowUserChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-# 4.2.15. pwdSafeModify
-#
-# This attribute specifies whether or not the existing password must
-# be sent when changing a password. If this attribute is not present,
-# a "FALSE" value is assumed.
-#
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
- NAME 'pwdSafeModify'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+#Network Working Group J. Sermersheim
+#Internet-Draft Novell, Inc
+#Expires: April 24, 2005 L. Poitou
+# Sun Microsystems
+# October 24, 2004
+#
+#
+# Password Policy for LDAP Directories
+# draft-behera-ldap-password-policy-08.txt
+#
+#Status of this Memo
+#
+# This document is an Internet-Draft and is subject to all provisions
+# of section 3 of RFC 3667. By submitting this Internet-Draft, each
+# author represents that any applicable patent or other IPR claims of
+# which he or she is aware have been or will be disclosed, and any of
+# which he or she become aware will be disclosed, in accordance with
+# RFC 3668.
+#
+# Internet-Drafts are working documents of the Internet Engineering
+# Task Force (IETF), its areas, and its working groups. Note that
+# other groups may also distribute working documents as
+# Internet-Drafts.
+#
+# Internet-Drafts are draft documents valid for a maximum of six months
+# and may be updated, replaced, or obsoleted by other documents at any
+# time. It is inappropriate to use Internet-Drafts as reference
+# material or to cite them other than as "work in progress."
+#
+# The list of current Internet-Drafts can be accessed at
+# http://www.ietf.org/ietf/1id-abstracts.txt.
+#
+# The list of Internet-Draft Shadow Directories can be accessed at
+# http://www.ietf.org/shadow.html.
+#
+# This Internet-Draft will expire on April 24, 2005.
+#
+#Copyright Notice
+#
+# Copyright (C) The Internet Society (2004).
+#
+#Abstract
+#
+# Password policy as described in this document is a set of rules that
+# controls how passwords are used and administered in Lightweight
+# Directory Access Protocol (LDAP) based directories. In order to
+# improve the security of LDAP directories and make it difficult for
+# password cracking programs to break into directories, it is desirable
+# to enforce a set of rules on password usage. These rules are made to
+#
+# [trimmed]
+#
+#5. Schema used for Password Policy
+#
+# The schema elements defined here fall into two general categories. A
+# password policy object class is defined which contains a set of
+# administrative password policy attributes, and a set of operational
+# attributes are defined that hold general password policy state
+# information for each user.
+#
+#5.2 Attribute Types used in the pwdPolicy ObjectClass
+#
+# Following are the attribute types used by the pwdPolicy object class.
+#
+#5.2.1 pwdAttribute
+#
+# This holds the name of the attribute to which the password policy is
+# applied. For example, the password policy may be applied to the
+# userPassword attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
+ NAME 'pwdAttribute'
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+#5.2.2 pwdMinAge
+#
+# This attribute holds the number of seconds that must elapse between
+# modifications to the password. If this attribute is not present, 0
+# seconds is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
+ NAME 'pwdMinAge'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.3 pwdMaxAge
+#
+# This attribute holds the number of seconds after which a modified
+# password will expire.
+#
+# If this attribute is not present, or if the value is 0 the password
+# does not expire. If not 0, the value must be greater than or equal
+# to the value of the pwdMinAge.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
+ NAME 'pwdMaxAge'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.4 pwdInHistory
+#
+# This attribute specifies the maximum number of used passwords stored
+# in the pwdHistory attribute.
+#
+# If this attribute is not present, or if the value is 0, used
+# passwords are not stored in the pwdHistory attribute and thus may be
+# reused.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
+ NAME 'pwdInHistory'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.5 pwdCheckQuality
+#
+# {TODO: Consider changing the syntax to OID. Each OID will list a
+# quality rule (like min len, # of special characters, etc). These
+# rules can be specified outsid ethis document.}
+#
+# {TODO: Note that even though this is meant to be a check that happens
+# during password modification, it may also be allowed to happen during
+# authN. This is useful for situations where the password is encrypted
+# when modified, but decrypted when used to authN.}
+#
+# This attribute indicates how the password quality will be verified
+# while being modified or added. If this attribute is not present, or
+# if the value is '0', quality checking will not be enforced. A value
+# of '1' indicates that the server will check the quality, and if the
+# server is unable to check it (due to a hashed password or other
+# reasons) it will be accepted. A value of '2' indicates that the
+# server will check the quality, and if the server is unable to verify
+# it, it will return an error refusing the password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
+ NAME 'pwdCheckQuality'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.6 pwdMinLength
+#
+# When quality checking is enabled, this attribute holds the minimum
+# number of characters that must be used in a password. If this
+# attribute is not present, no minimum password length will be
+# enforced. If the server is unable to check the length (due to a
+# hashed password or otherwise), the server will, depending on the
+# value of the pwdCheckQuality attribute, either accept the password
+# without checking it ('0' or '1') or refuse it ('2').
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
+ NAME 'pwdMinLength'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.7 pwdExpireWarning
+#
+# This attribute specifies the maximum number of seconds before a
+# password is due to expire that expiration warning messages will be
+# returned to an authenticating user.
+#
+# If this attribute is not present, or if the value is 0 no warnings
+# will be returned. If not 0, the value must be smaller than the value
+# of the pwdMaxAge attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
+ NAME 'pwdExpireWarning'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.8 pwdGraceAuthNLimit
+#
+# This attribute specifies the number of times an expired password can
+# be used to authenticate. If this attribute is not present or if the
+# value is 0, authentication will fail.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
+ NAME 'pwdGraceAuthNLimit'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.9 pwdLockout
+#
+# This attribute indicates, when its value is "TRUE", that the password
+# may not be used to authenticate after a specified number of
+# consecutive failed bind attempts. The maximum number of consecutive
+# failed bind attempts is specified in pwdMaxFailure.
+#
+# If this attribute is not present, or if the value is "FALSE", the
+# password may be used to authenticate when the number of failed bind
+# attempts has been reached.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
+ NAME 'pwdLockout'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.10 pwdLockoutDuration
+#
+# This attribute holds the number of seconds that the password cannot
+# be used to authenticate due to too many failed bind attempts. If
+# this attribute is not present, or if the value is 0 the password
+# cannot be used to authenticate until reset by a password
+# administrator.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
+ NAME 'pwdLockoutDuration'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.11 pwdMaxFailure
+#
+# This attribute specifies the number of consecutive failed bind
+# attempts after which the password may not be used to authenticate.
+# If this attribute is not present, or if the value is 0, this policy
+# is not checked, and the value of pwdLockout will be ignored.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
+ NAME 'pwdMaxFailure'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.12 pwdFailureCountInterval
+#
+# This attribute holds the number of seconds after which the password
+# failures are purged from the failure counter, even though no
+# successful authentication occurred.
+#
+# If this attribute is not present, or if its value is 0, the failure
+# counter is only reset by a successful authentication.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
+ NAME 'pwdFailureCountInterval'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.13 pwdMustChange
+#
+# This attribute specifies with a value of "TRUE" that users must
+# change their passwords when they first bind to the directory after a
+# password is set or reset by a password administrator. If this
+# attribute is not present, or if the value is "FALSE", users are not
+# required to change their password upon binding after the password
+# administrator sets or resets the password. This attribute is not set
+# due to any actions specified by this document, it is typically set by
+# a password administrator after resetting a user's password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
+ NAME 'pwdMustChange'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.14 pwdAllowUserChange
+#
+# This attribute indicates whether users can change their own
+# passwords, although the change operation is still subject to access
+# control. If this attribute is not present, a value of "TRUE" is
+# assumed. This attribute is intended to be used in the absense of an
+# access control mechanism.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
+ NAME 'pwdAllowUserChange'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.15 pwdSafeModify
+#
+# This attribute specifies whether or not the existing password must be
+# sent along with the new password when being changed. If this
+# attribute is not present, a "FALSE" value is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
+ NAME 'pwdSafeModify'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
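Review bot: the rename of `pwdGraceLoginLimit` to `pwdGraceAuthNLimit` keeps the same OID (1.3.6.1.4.1.42.2.27.8.1.8) but drops the old NAME, so any existing pwdPolicy entries or slapd configs that reference `pwdGraceLoginLimit` will fail to load against this schema; consider listing both names so the rename is backward compatible, e.g. `NAME ( 'pwdGraceAuthNLimit' 'pwdGraceLoginLimit' )`, or at least call out the rename in the commit message and documentation. Two smaller points in the same hunk: the `{TODO: ...}` editorial notes under 5.2.5 were copied verbatim from the draft (including the typo "outsid ethis") and read oddly in a shipped schema file, so either drop them or mark them as draft text; and "absense" under 5.2.14 should be "absence".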