.\" $OpenLDAP$
-.\" Copyright 2004 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2005 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.TH SLAPD_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.SH NAME
slapo-ppolicy \- Password Policy overlay
.SH SYNOPSIS
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
+.B ppolicy_hash_cleartext
+Specify that cleartext passwords present in Add and Modify requests should
+be hashed before being stored in the database. This violates the X.500
+information model, but may be needed to compensate for LDAP clients that
+don't use the PasswordModify exop to manage passwords.
+.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
.B InvalidCredentials
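Review bot: the ppolicy_hash_cleartext text ("should be hashed before being stored in the database") does not say which hash scheme is applied or what happens to values that are already hashed. State that the scheme is the one selected by slapd's password-hash directive (that is how I read the option, but confirm it against the overlay) and whether a userPassword value that already carries a {SCHEME} prefix is passed through untouched rather than hashed a second time. Also spell out the consequence of leaving the option off: a userPassword written by an ordinary Add or Modify is stored exactly as the client sent it, so cleartext from a client that does not use the PasswordModify exop lands in the database and in every backup of it, which is the actual reason an administrator would accept the X.500 violation.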
MAY (
pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckSyntax $ pwdMinLength $
- pwdExpireWarning $ pwdGraceLoginLimit $
+ pwdExpireWarning $ pwdGraceAuthnLimit $
pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
SINGLE-VALUE )
.RE
-.B pwdGraceLoginLimit
+.B pwdGraceAuthnLimit
.P
This attribute contains the number of times that an expired password
may be used to authenticate a user to the directory. If this
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.8
- NAME 'pwdGraceLoginLimit'
+ NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
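Review bot: the rename from pwdGraceLoginLimit to pwdGraceAuthnLimit keeps OID 1.3.6.1.4.1.42.2.27.8.1.8 but drops the old NAME everywhere (the pwdPolicy MAY list, the attribute heading and this attributetype), so deployed pwdPolicy entries that still use pwdGraceLoginLimit will no longer be recognised under the new schema. Either keep the old descriptor as a second name, e.g. `NAME ( 'pwdGraceAuthnLimit' 'pwdGraceLoginLimit' )`, or add a migration remark to BUGS saying existing policy entries must be rewritten with the new name before upgrading; the page currently gives the reader no warning that a schema-visible rename happened.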
.RS 4
int
.I check_password
-(char *pPasswd, char **ppErrStr, void *pArg);
+(char *pPasswd, char **ppErrStr, Entry *pEntry);
.RE
The
.B pPasswd
.B ppErrStr
parameter contains a double pointer that allows the function
to return human-readable details about any error it encounters.
-The
-.B pArg
-parameter is currently unused.
+The optional
+.B pEntry
+parameter, if non-NULL, carries a pointer to the
+entry whose password is being checked.
If
.B ppErrStr
is NULL, then
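Review bot: replacing `void *pArg` with `Entry *pEntry` changes the check_password prototype, so every existing pwdCheckModule shared object built against the old signature must be recompiled; say so here, and name the header that declares Entry (slap.h, which is an assumption to confirm). The contract for the new parameter is also underspecified: "if non-NULL" tells a module writer it can be NULL but not when, and nothing says whether the module may modify the entry or keep the pointer after returning. Suggest: "pEntry is NULL when ... ; the module must treat the entry as read-only and must not retain the pointer, which is owned by the operation." A module that dereferences pEntry without the NULL check crashes slapd in the middle of a password change, so the conditions need to be written down rather than left for the module author to guess.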
unacceptable, the server will return an error to the client, and
.B ppErrStr
may be used to return a human-readable textual explanation of the
-error.
+error. The error string must be dynamically allocated as it will
+be free()'d by slapd.
.LP
.RS 4
( 1.3.6.1.4.1.4754.1.99.1
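Review bot: "dynamically allocated as it will be free()'d by slapd" should name the allocator and the ownership rule precisely. Since slapd calls free(3), the string must come from malloc(3) or strdup(3) (or whatever allocator the build pairs with that free), never from a string literal, static buffer or the stack; a module that mixes allocators corrupts the heap in a way that only shows up at runtime. Also state whether slapd frees a non-NULL *ppErrStr when check_password returns LDAP_SUCCESS, and that the module must leave *ppErrStr untouched (or set it to NULL) when it has no message, so slapd never frees an uninitialised pointer. One sentence along the lines of "set *ppErrStr only on error, to a malloc(3)'d string; slapd takes ownership and frees it" would close the gap.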
USAGE directoryOperation)
.RE
-.B pwdExpirationWarned
-.P
-This attribute denotes the time when the first password
-expiration warning was sent to the client regarding this account.
-The amount of time between when this warning is sent and when
-the password actually expires is the amount of time stored in
-the
-.B pwdExpireWarning
-password policy attribute.
-.LP
-.RS 4
-( 1.3.6.1.4.1.42.2.27.8.1.18
- NAME 'pwdExpirationWarned'
- DESC 'The time the user was first warned about the
- coming expiration of their password'
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- USAGE directoryOperation )
-.RE
-
.B pwdFailureTime
.P
This attribute contains the timestamps of each of the consecutive
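Review bot: deleting the pwdExpirationWarned section (OID 1.3.6.1.4.1.42.2.27.8.1.18) from the page is only correct if the overlay no longer defines or writes that attribute; if it still does, the page is now incomplete, and if it does not, directory entries that already hold a pwdExpirationWarned value will fail schema checking the next time they are modified. Add a line here or in BUGS saying which of the two applies and how existing values are treated (ignored, or must be removed by the administrator), and if the removal tracks the move to draft-08 referenced later in the patch, say so, since the reader otherwise has no way to connect the missing attribute to the spec revision.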
.LP
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document
-"draft-behera-ldap-password-policy-07.txt".
+"draft-behera-ldap-password-policy-08.txt".
.SH BUGS
The LDAP Password Policy specification is not yet an approved standard,
Poitou and J. Sermersheim.
The proposal is fully documented in
the
-IETF document named draft-behera-ldap-password-policy-07.txt,
-written in February of 2004.
+IETF document named draft-behera-ldap-password-policy-08.txt,
+written in October of 2004.
.P
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
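Review bot: the draft reference is bumped to draft-behera-ldap-password-policy-08.txt here and in SEE ALSO, but BUGS still only warns that the specification is not an approved standard; it should also say that attribute names changed between -07 and -08 (pwdGraceLoginLimit became pwdGraceAuthnLimit, and pwdExpirationWarned no longer appears in this page) and that policy entries written against the -07 names have to be updated. Without that sentence, an administrator reading BUGS after an upgrade sees a spec-version change but nothing that explains why their existing pwdPolicy entries stopped being accepted. The "written in October of 2004" date should be checked against the -08 document itself before this goes in.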