.\" $OpenLDAP$
-.\" Copyright 2004 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.SH NAME
Different groups of users may be associated with different password
policies, and there is no limit to the number of password policies
that may be created.
+.P
+Note that some of the policies do not take effect when the operation
+is performed with the
+.B rootdn
+identity; all the operations, when performed with any other identity,
+may be subjected to constraints, like access control.
.SH CONFIGURATION
These
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
+.B ppolicy_hash_cleartext
+Specify that cleartext passwords present in Add and Modify requests should
+be hashed before being stored in the database. This violates the X.500/LDAP
+information model, but may be needed to compensate for LDAP clients that
+don't use the Password Modify extended operation to manage passwords. It
+is recommended that when this option is used that compare, search, and
+read access be denied to all directory users.
+.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
.B InvalidCredentials
MAY (
pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckSyntax $ pwdMinLength $
- pwdExpireWarning $ pwdGraceLoginLimit $
+ pwdExpireWarning $ pwdGraceAuthnLimit $
pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
value accepted for
.B pwdAttribute
is
-.RI " userPassword ".
+.IR " userPassword ".
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.1
zero (0), used passwords will not be stored in
.B pwdHistory
and thus any previously-used password may be reused.
+No history checking occurs if the password is being modified by the
+.BR rootdn ,
+although the password is saved in the history.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.4
SINGLE-VALUE )
.RE
-.B pwdGraceLoginLimit
+.B pwdGraceAuthnLimit
.P
This attribute contains the number of times that an expired password
may be used to authenticate a user to the directory. If this
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.8
- NAME 'pwdGraceLoginLimit'
+ NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
.RS 4
int
.I check_password
-(char *pPasswd, char **ppErrStr, void *pArg);
+(char *pPasswd, char **ppErrStr, Entry *pEntry);
.RE
The
.B pPasswd
.B ppErrStr
parameter contains a double pointer that allows the function
to return human-readable details about any error it encounters.
-The
-.B pArg
-parameter is currently unused.
+The optional
+.B pEntry
+parameter, if non-NULL, carries a pointer to the
+entry whose password is being checked.
If
.B ppErrStr
is NULL, then
unacceptable, the server will return an error to the client, and
.B ppErrStr
may be used to return a human-readable textual explanation of the
-error.
+error. The error string must be dynamically allocated as it will
+be free()'d by slapd.
.LP
.RS 4
( 1.3.6.1.4.1.4754.1.99.1
module will enforce the default password policy rules on the
user associated with this authenticating DN. If there is no
default, or the referenced subentry does not exist, then no
-policy rules wil be enforced.
+policy rules will be enforced.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.23
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
+ NO-USER-MODIFICATION
USAGE directoryOperation)
.RE
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
+ NO-USER-MODIFICATION
USAGE directoryOperation)
.RE
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
+ NO-USER-MODIFICATION
USAGE directoryOperation)
.RE
-.B pwdExpirationWarned
-.P
-This attribute denotes the time when the first password
-expiration warning was sent to the client regarding this account.
-The amount of time between when this warning is sent and when
-the password actually expires is the amount of time stored in
-the
-.B pwdExpireWarning
-password policy attribute.
-.LP
-.RS 4
-( 1.3.6.1.4.1.42.2.27.8.1.18
- NAME 'pwdExpirationWarned'
- DESC 'The time the user was first warned about the
- coming expiration of their password'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- USAGE directoryOperation )
-.RE
-
.B pwdFailureTime
.P
This attribute contains the timestamps of each of the consecutive
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
+ NO-USER-MODIFICATION
USAGE directoryOperation )
.RE
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
+ NO-USER-MODIFICATION
USAGE directoryOperation)
.RE
.B pwdGraceUseTime
This attribute contains the list of timestamps of logins made after
the user password in the DN has expired. These post-expiration
-logins are known as
-.RI " "grace logins" ."
+logins are known as "\fIgrace logins\fP".
If too many
.I grace logins
have been used (please refer to the
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
+ NO-USER-MODIFICATION
USAGE directoryOperation)
.RE
.LP
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document
-"draft-behera-ldap-password-policy-07.txt".
+"draft-behera-ldap-password-policy-09.txt".
.SH BUGS
The LDAP Password Policy specification is not yet an approved standard,
Poitou and J. Sermersheim.
The proposal is fully documented in
the
-IETF document named draft-behera-ldap-password-policy-07.txt,
-written in February of 2004.
+IETF document named draft-behera-ldap-password-policy-09.txt,
+written in July of 2005.
.P
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).