-.\" $OpenLDAP$
-.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
-.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
.SH NAME
-slapo-ppolicy \- Password Policy overlay
+slapo\-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms. They
-include password aging--both minimum and maximum ages, password
+include password aging -- both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
+.B ppolicy_forward_updates
+Specify that policy state changes that result from Bind operations (such
+as recording failures, lockout, etc.) on a consumer should be forwarded
+to a master instead of being written directly into the consumer's local
+database. This setting is only useful on a replication consumer, and
+also requires the
+.B updateref
+setting and
+.B chain
+overlay to be appropriately configured.
+.TP
.B ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should
be hashed before being stored in the database. This violates the X.500/LDAP
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMaxAge
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdInHistory
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdCheckQuality
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMinLength
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdExpireWarning
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdGraceAuthnLimit
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdLockout
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdLockoutDuration
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMaxFailure
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdFailureCountInterval
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdMustChange
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdAllowUserChange
allowed to change their own passwords. If its value is "FALSE",
users will not be allowed to change their own passwords.
.LP
+Note: this implies that when
+.B pwdAllowUserChange
+is set to "TRUE",
+users will still be able to change the password of another user,
+subjected to access control.
+This restriction only applies to modifications of ones's own password.
+It should also be noted that
+.B pwdAllowUserChange
+was defined in the specification to provide rough access control
+to the password attribute in implementations that do not allow fine-grain
+access control.
+Since OpenLDAP provides fine-grain access control, the use of this attribute
+is discouraged; ACLs should be used instead
+(see
+.BR slapd.access (5)
+for details).
+.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdSafeModify
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.B pwdCheckModule
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- SINGLE-VALUE )
+ SINGLE\-VALUE )
.RE
.P
Note:
.SH OPERATIONAL ATTRIBUTES
.P
The operational attributes used by the
-.B passwd_policy
+.B ppolicy
module are stored in the user's entry. Most of these attributes
are not intended to be changed directly by users; they are there
to track user activity. They have been detailed here so that
.B ppolicy
module.
+.P
+Note that the current IETF Password Policy proposal does not define
+how these operational attributes are expected to behave in a
+replication environment. In general, authentication attempts on
+a slave server only affect the copy of the operational attributes
+on that slave and will not affect any attributes for
+a user's entry on the master server. Operational attribute changes
+resulting from authentication attempts on a master server
+will usually replicate to the slaves (and also overwrite
+any changes that originated on the slave).
+These behaviors are not guaranteed and are subject to change
+when a formal specification emerges.
+
.B userPassword
.P
The
-.b userPassword
+.B userPassword
attribute is not strictly part of the
.B ppolicy
module. It is, however, the attribute that is tracked and controlled
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
authenticate the user to the directory. If
.B pwdAccountLockedTime
is set to 000001010000Z, the user's account has been permanently locked
-and may only be unlocked by an administrator.
+and may only be unlocked by an administrator. Note that account locking
+only takes effect when the
+.B pwdLockout
+password policy attribute is set to "TRUE".
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.17
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- SINGLE-VALUE
- NO-USER-MODIFICATION
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation )
.RE
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
- NO-USER-MODIFICATION
+ NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE
+ SINGLE\-VALUE
USAGE directoryOperation)
.RE
.nf
database bdb
suffix dc=example,dc=com
-\...
+\|...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi
.SH SEE ALSO
.BR ldap (3),
.BR slapd.conf (5),
+.BR slapd\-config (5),
+.BR slapo\-chain (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP
projects / openldap / blobdiff