Network Working Group J. Sermersheim
Internet-Draft Novell, Inc
Intended status: Standards Track L. Poitou
-Expires: February 10, 2010 Sun Microsystems
+Expires: January 19, 2015 Sun Microsystems
H. Chu, Ed.
Symas Corp.
- August 9, 2009
+ July 18, 2014
Password Policy for LDAP Directories
- draft-behera-ldap-password-policy-10.txt
+ draft-behera-ldap-password-policy-11
+
+Abstract
+
+ Password policy as described in this document is a set of rules that
+ controls how passwords are used and administered in Lightweight
+ Directory Access Protocol (LDAP) based directories. In order to
+ improve the security of LDAP directories and make it difficult for
+ password cracking programs to break into directories, it is desirable
+ to enforce a set of rules on password usage. These rules are made to
+ ensure that users change their passwords periodically, passwords meet
+ construction requirements, the re-use of old password is restricted,
+ and to deter password guessing attacks.
Status of this Memo
- This Internet-Draft is submitted to IETF in full conformance with the
+ This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on February 10, 2010.
+ This Internet-Draft will expire on January 19, 2015.
Copyright Notice
- Copyright (c) 2009 IETF Trust and the persons identified as the
+ Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents in effect on the date of
- publication of this document (http://trustee.ietf.org/license-info).
- Please review these documents carefully, as they describe your rights
- and restrictions with respect to this document.
+ Provisions Relating to IETF Documents
+Sermersheim, et al. Expires January 19, 2015 [Page 1]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
-Sermersheim, et al. Expires February 10, 2010 [Page 1]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-Abstract
- Password policy as described in this document is a set of rules that
- controls how passwords are used and administered in Lightweight
- Directory Access Protocol (LDAP) based directories. In order to
- improve the security of LDAP directories and make it difficult for
- password cracking programs to break into directories, it is desirable
- to enforce a set of rules on password usage. These rules are made to
- ensure that users change their passwords periodically, passwords meet
- construction requirements, the re-use of old password is restricted,
- and to deter password guessing attacks.
-Sermersheim, et al. Expires February 10, 2010 [Page 2]
+Sermersheim, et al. Expires January 19, 2015 [Page 2]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
Table of Contents
5. Schema used for Password Policy . . . . . . . . . . . . . . 12
5.1. The pwdPolicy Object Class . . . . . . . . . . . . . . . . . 12
5.2. Attribute Types used in the pwdPolicy ObjectClass . . . . . 12
- 5.3. Attribute Types for Password Policy State Information . . . 18
+ 5.3. Attribute Types for Password Policy State Information . . . 19
6. Controls used for Password Policy . . . . . . . . . . . . . 24
6.1. Request Control . . . . . . . . . . . . . . . . . . . . . . 24
6.2. Response Control . . . . . . . . . . . . . . . . . . . . . . 24
7.4. Remaining Grace AuthN Check . . . . . . . . . . . . . . . . 27
7.5. Time Before Expiration Check . . . . . . . . . . . . . . . . 27
7.6. Intruder Lockout Check . . . . . . . . . . . . . . . . . . . 27
- 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 27
+ 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 28
7.8. Password Too Young Check . . . . . . . . . . . . . . . . . . 28
8. Server Policy Enforcement Points . . . . . . . . . . . . . . 29
8.1. Password-based Authentication . . . . . . . . . . . . . . . 29
11. Password Policy and Replication . . . . . . . . . . . . . . 40
12. Security Considerations . . . . . . . . . . . . . . . . . . 42
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 43
- 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 44
- 15. Normative References . . . . . . . . . . . . . . . . . . . . 45
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 46
-
-
-
-
+ 13.1. Object Identifiers . . . . . . . . . . . . . . . . . . . . . 43
+ 13.2. LDAP Protocol Mechanisms . . . . . . . . . . . . . . . . . . 43
+ 13.3. LDAP Descriptors . . . . . . . . . . . . . . . . . . . . . . 43
+ 13.4. LDAP AttributeDescription Options . . . . . . . . . . . . . 45
+ 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 46
+ 15. Normative References . . . . . . . . . . . . . . . . . . . . 47
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 48
-Sermersheim, et al. Expires February 10, 2010 [Page 3]
+Sermersheim, et al. Expires January 19, 2015 [Page 3]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
1. Overview
-Sermersheim, et al. Expires February 10, 2010 [Page 4]
+Sermersheim, et al. Expires January 19, 2015 [Page 4]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
2. Conventions
-Sermersheim, et al. Expires February 10, 2010 [Page 5]
+Sermersheim, et al. Expires January 19, 2015 [Page 5]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
3. Application of Password Policy
-Sermersheim, et al. Expires February 10, 2010 [Page 6]
+Sermersheim, et al. Expires January 19, 2015 [Page 6]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
4. Articles of Password Policy
-Sermersheim, et al. Expires February 10, 2010 [Page 7]
+Sermersheim, et al. Expires January 19, 2015 [Page 7]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
o An amount of time the account is locked (if it is to be locked).
-Sermersheim, et al. Expires February 10, 2010 [Page 8]
+Sermersheim, et al. Expires January 19, 2015 [Page 8]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
o The user may bind to the directory a preset number of times after
-Sermersheim, et al. Expires February 10, 2010 [Page 9]
+Sermersheim, et al. Expires January 19, 2015 [Page 9]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
o If the password to be added or updated is encrypted by the client
-Sermersheim, et al. Expires February 10, 2010 [Page 10]
+Sermersheim, et al. Expires January 19, 2015 [Page 10]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
contains one and only one password value.
-Sermersheim, et al. Expires February 10, 2010 [Page 11]
+Sermersheim, et al. Expires January 19, 2015 [Page 11]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
5. Schema used for Password Policy
-Sermersheim, et al. Expires February 10, 2010 [Page 12]
+Sermersheim, et al. Expires January 19, 2015 [Page 12]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
{TODO: Note that even though this is meant to be a check that happens
during password modification, it may also be allowed to happen during
authN. This is useful for situations where the password is encrypted
- when modified, but decrypted when used to authN.}
-
- This attribute indicates how the password quality will be verified
-Sermersheim, et al. Expires February 10, 2010 [Page 13]
+Sermersheim, et al. Expires January 19, 2015 [Page 13]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+ when modified, but decrypted when used to authN.}
+ This attribute indicates how the password quality will be verified
while being modified or added. If this attribute is not present, or
if the value is '0', quality checking will not be enforced. A value
of '1' indicates that the server will check the quality, and if the
( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
value of the pwdCheckQuality attribute, either accept the password
without checking it ('0' or '1') or refuse it ('2').
- ( 1.3.6.1.4.1.42.2.27.8.1.31
- NAME 'pwdMaxLength'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-Sermersheim, et al. Expires February 10, 2010 [Page 14]
+Sermersheim, et al. Expires January 19, 2015 [Page 14]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
+ ( 1.3.6.1.4.1.42.2.27.8.1.31
+ NAME 'pwdMaxLength'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
5.2.8. pwdExpireWarning
This attribute specifies the maximum number of seconds before a
( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpire'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 15]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
SINGLE-VALUE )
5.2.11. pwdLockout
failed bind attempts is specified in pwdMaxFailure.
If this attribute is not present, or if the value is "FALSE", the
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 15]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
password may be used to authenticate when the number of failed bind
attempts has been reached.
( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ ORDERING integerOrderingMatch
SINGLE-VALUE )
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 16]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
5.2.14. pwdFailureCountInterval
This attribute holds the number of seconds after which the password
If this attribute is not present, or if its value is 0, the failure
counter is only reset by a successful authentication.
-
-
-
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 16]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ ORDERING integerOrderingMatch
SINGLE-VALUE )
5.2.15. pwdMustChange
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
+
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 17]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
5.2.17. pwdSafeModify
This attribute specifies whether or not the existing password must be
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 17]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
5.2.18. pwdMinDelay
This attribute specifies the number of seconds to delay responding to
( 1.3.6.1.4.1.42.2.27.8.1.24
NAME 'pwdMinDelay'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
( 1.3.6.1.4.1.42.2.27.8.1.25
NAME 'pwdMaxDelay'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
unused before it becomes locked. If this attribute is not set or is
0, no check is performed.
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 18]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
( 1.3.6.1.4.1.42.2.27.8.1.26
NAME 'pwdMaxIdle'
EQUALITY integerMatch
+ ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdReset, pwdPolicySubEntry, pwdStartTime, pwdEndTime,
pwdLastSuccess.
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 18]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
5.3.1. Password Policy State Attribute Option
Since the password policy could apply to several attributes used to
pwd-<passwordAttribute>
- where passwordAttribute a string following the OID syntax
+ where passwordAttribute is a string following the OID syntax
(1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
(short name) MUST be used.
changed. This is used by the password expiration policy. If this
attribute does not exist, the password will never expire.
+
+
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 19]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
locked permanently, and that only a password administrator can unlock
the account.
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 19]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
of this attribute are transmitted in string format as given by the
following ABNF:
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 20]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
pwdHistory = time "#" syntaxOID "#" length "#" data
time = GeneralizedTime
number are specified in 1.4 of [RFC4512].
This format allows the server to store, and transmit a history of
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 20]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
passwords that have been used. In order for equality matching to
function properly, the time field needs to adhere to a consistent
format. For this purpose, the time field MUST be in GMT format.
has been updated by the password administrator and must be changed by
the user.
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 21]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
( 1.3.6.1.4.1.42.2.27.8.1.22
NAME 'pwdReset'
DESC 'The indication that the password has been reset'
This attribute points to the pwdPolicy subentry in effect for this
object.
-
-
-
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 21]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for this object'
time will fail, regardless of expiration or grace settings. If this
attribute does not exist, then this restriction does not apply.
+
+
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 22]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC 'The time the password becomes disabled'
Note that pwdStartTime may be set to a time greater than or equal to
pwdEndTime; this simply disables the account.
-
-
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 22]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
-
-
5.3.11. pwdLastSuccess
This attribute holds the timestamp of the last successful
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 23]
+Sermersheim, et al. Expires January 19, 2015 [Page 23]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
6. Controls used for Password Policy
-Sermersheim, et al. Expires February 10, 2010 [Page 24]
+Sermersheim, et al. Expires January 19, 2015 [Page 24]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
before a password will expire. The graceAuthNsRemaining warning
-Sermersheim, et al. Expires February 10, 2010 [Page 25]
+Sermersheim, et al. Expires January 19, 2015 [Page 25]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
7. Policy Decision Points
-Sermersheim, et al. Expires February 10, 2010 [Page 26]
+Sermersheim, et al. Expires January 19, 2015 [Page 26]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
7.3. Password Expiration Check
7.4. Remaining Grace AuthN Check
+ If the pwdGraceExpiry attribute is present, and the current time is
+ greater than the password expiration time plus the pwdGraceExpiry
+ value, zero is returned.
+
If the pwdGraceUseTime attribute is present, the number of values in
that attribute subtracted from the value of pwdGraceAuthNLimit is
returned. Otherwise zero is returned. A positive result specifies
While performing this check, values of pwdFailureTime that are old by
more than pwdFailureCountInterval are purged and not counted.
-7.7. Intruder Delay Check
- If the pwdMinDelay attribute is 0 or not set, zero is returned.
+Sermersheim, et al. Expires January 19, 2015 [Page 27]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
-Sermersheim, et al. Expires February 10, 2010 [Page 27]
-\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+7.7. Intruder Delay Check
+ If the pwdMinDelay attribute is 0 or not set, zero is returned.
Otherwise, a delay time is computed based on the number of values in
the pwdFailureTime attribute. If the computed value is greater than
-
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 28]
+Sermersheim, et al. Expires January 19, 2015 [Page 28]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
8. Server Policy Enforcement Points
-Sermersheim, et al. Expires February 10, 2010 [Page 29]
+Sermersheim, et al. Expires January 19, 2015 [Page 29]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
Set the value of the pwdLastSuccess attribute to the current time.
-Sermersheim, et al. Expires February 10, 2010 [Page 30]
+Sermersheim, et al. Expires January 19, 2015 [Page 30]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
8.1.2.4. Expiration Warning
-Sermersheim, et al. Expires February 10, 2010 [Page 31]
+Sermersheim, et al. Expires January 19, 2015 [Page 31]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
8.2.1. Safe Modification
-Sermersheim, et al. Expires February 10, 2010 [Page 32]
+Sermersheim, et al. Expires January 19, 2015 [Page 32]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
8.2.5. Password Quality
sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
- insufficientPasswordQuality (5). If the server is able to check
- the password quality, and the check fails, the server sends a
- response message to the client with the resultCode:
- constraintViolation (19), and includes the passwordPolicyResponse
- in the controls field of the response message with the error:
insufficientPasswordQuality (5).
+ If the server is able to check the password quality, and the check
+ fails, the server sends a response message to the client with the
+ resultCode: constraintViolation (19), and includes the
+ passwordPolicyResponse in the controls field of the response
+ message with the error: insufficientPasswordQuality (5).
+
o checks the value of the pwdMinLength attribute. If the value is
non-zero, it ensures that the new password is of at least the
- minimum length. If the server is unable to check the length (due
- to a hashed password or otherwise), the value of pwdCheckQuality
- is evaluated. If the value is 1, operation continues. If the
- value is 2, the server sends a response message to the client with
- the resultCode: constraintViolation (19), and includes the
- passwordPolicyResponse in the controls field of the response
- message with the error: passwordTooShort (6). If the server is
- able to check the password length, and the check fails, the server
- sends a response message to the client with the resultCode:
+ minimum length.
+
+ If the server is unable to check the length (due to a hashed
+ password or otherwise), the value of pwdCheckQuality is evaluated.
+ If the value is 1, operation continues. If the value is 2, the
+ server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
passwordTooShort (6).
+ If the server is able to check the password length, and the check
+ fails, the server sends a response message to the client with the
+ resultCode: constraintViolation (19), and includes the
+ passwordPolicyResponse in the controls field of the response
+ message with the error: passwordTooShort (6).
+
8.2.6. Invalid Reuse
If pwdInHistory is present and its value is non-zero, the server
attribute, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response message
- with the error: passwordInHistory (8).
-
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 33]
+Sermersheim, et al. Expires January 19, 2015 [Page 33]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
+ with the error: passwordInHistory (8).
+
8.2.7. Policy State Updates
If the steps have completed without causing an error condition, the
-
-
-Sermersheim, et al. Expires February 10, 2010 [Page 34]
+Sermersheim, et al. Expires January 19, 2015 [Page 34]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
9. Client Policy Enforcement Points
-Sermersheim, et al. Expires February 10, 2010 [Page 35]
+Sermersheim, et al. Expires January 19, 2015 [Page 35]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
9.2. Modify Operations
-Sermersheim, et al. Expires February 10, 2010 [Page 36]
+Sermersheim, et al. Expires January 19, 2015 [Page 36]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
9.3. Add Operation
-Sermersheim, et al. Expires February 10, 2010 [Page 37]
+Sermersheim, et al. Expires January 19, 2015 [Page 37]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
9.5. Other Operations
For operations other than bind, unbind, abandon or StartTLS, the
- client checks the result code and control to determine if any other
- actions are needed.
-
- o <Response>.resultCode = insufficientAccessRights (50),
- passwordPolicyResponse.error = accountLocked (1) : The password
- failure limit has been reached and the account is locked. The
- user needs to retry later or contact the password administrator to
- reset the password.
+ client checks the result code and control to determine if the user
+ needs to change the password immediately.
o <Response>.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = changeAfterReset (2) : The user
-Sermersheim, et al. Expires February 10, 2010 [Page 38]
+
+
+
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 38]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
10. Administration of the Password Policy
-Sermersheim, et al. Expires February 10, 2010 [Page 39]
+Sermersheim, et al. Expires January 19, 2015 [Page 39]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
11. Password Policy and Replication
-Sermersheim, et al. Expires February 10, 2010 [Page 40]
+Sermersheim, et al. Expires January 19, 2015 [Page 40]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
Servers participating in a loosely consistent multi-master
-Sermersheim, et al. Expires February 10, 2010 [Page 41]
+Sermersheim, et al. Expires January 19, 2015 [Page 41]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
12. Security Considerations
-Sermersheim, et al. Expires February 10, 2010 [Page 42]
+Sermersheim, et al. Expires January 19, 2015 [Page 42]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
13. IANA Considerations
- <<<TBD>>>
+ In accordance with [RFC4520] the following registrations are
+ requested.
+13.1. Object Identifiers
+ The OIDs used in this specification are derived from iso(1)
+ identified-organization(3) dod(6) internet(1) private(4)
+ enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These OIDs
+ have been in use since at least July 2001 when version 04 of this
+ draft was published. No additional OID assignment is being
+ requested.
+13.2. LDAP Protocol Mechanisms
+ Registration of the protocol mechanisms specified in this document is
+ requested.
+ Subject: Request for LDAP Protocol Mechanism Registration
+ Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
+ Description: Password Policy Request and Response Control
+ Person & email address to contact for further information:
+ Howard Chu <hyc@symas.com>
+ Usage: Control
+ Specification: (I-D) draft-behera-ldap-password-policy
+ Author/Change Controller: IESG
+ Comments:
+13.3. LDAP Descriptors
+ Registration of the descriptors specified in this document is
+ requested.
+ Subject: Request for LDAP Descriptor Registration
+ Descriptor (short name): see table
+ Object Identifier: see table
+Sermersheim, et al. Expires January 19, 2015 [Page 43]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+
+
+ Description: see table
+
+ Person & email address to contact for further information:
+
+ Howard Chu <hyc@symas.com>
+
+ Specification: (I-D) draft-behera-ldap-password-policy
+
+ Author/Change Controller: IESG
+
+ Comments:
+ Name Type OID
+ ----------------------- ---- ------------------------------
+ pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1
+ pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1
+ pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2
+ pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3
+ pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4
+ pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5
+ pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6
+ pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31
+ pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7
+ pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8
+ pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30
+ pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9
+ pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10
+ pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11
+ pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12
+ pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13
+ pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14
+ pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15
+ pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24
+ pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25
+ pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26
+ pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16
+ pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17
+ pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19
+ pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20
+ pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21
+ pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22
+ pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23
+ pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27
+ pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28
+ pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29
+
+
+
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 44]
+\f
+Internet-Draft Password Policy for LDAP Directories July 2014
+ Legend
+ --------------------
+ A => Attribute Type
+ O => Object Class
+13.4. LDAP AttributeDescription Options
+ Registration of the AttributeDescription option specified in this
+ document is requested.
+ Subject: Request for LDAP Attribute Description Option
+ Registration
+ Option Name: pwd-
+ Family of Options: YES
+ Person & email address to contact for further information:
+ Howard Chu <hyc@symas.com>
+ Specification: (I-D) draft-behera-ldap-password-policy
+ Author/Change Controller: IESG
+ Comments:
+ Used with policy state attributes to specify to which password
+ attribute the state belongs.
-Sermersheim, et al. Expires February 10, 2010 [Page 43]
+
+
+
+
+
+
+
+
+
+
+Sermersheim, et al. Expires January 19, 2015 [Page 45]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
14. Acknowledgement
-Sermersheim, et al. Expires February 10, 2010 [Page 44]
+Sermersheim, et al. Expires January 19, 2015 [Page 46]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
15. Normative References
[RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation",
RFC 3062, February 2001.
- [RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
- Considerations for the Lightweight Directory Access
- Protocol (LDAP)", RFC 3383, September 2002.
-
[RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
Access Protocol (LDAP)", RFC 3672, December 2003.
[RFC4517] Legg, S., "Lightweight Directory Access Protocol (LDAP):
Syntaxes and Matching Rules", RFC 4517, June 2006.
+ [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
+ Considerations for the Lightweight Directory Access
+ Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
+
[X.680] International Telecommunications Union, "Abstract Syntax
Notation One (ASN.1): Specification of basic notation",
ITU-T Recommendation X.680, July 2002.
-Sermersheim, et al. Expires February 10, 2010 [Page 45]
+Sermersheim, et al. Expires January 19, 2015 [Page 47]
\f
-Internet-Draft Password Policy for LDAP Directories August 2009
+Internet-Draft Password Policy for LDAP Directories July 2014
Authors' Addresses
-Sermersheim, et al. Expires February 10, 2010 [Page 46]
+Sermersheim, et al. Expires January 19, 2015 [Page 48]
\f
projects / openldap / blobdiff