X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=doc%2Fdrafts%2Fdraft-behera-ldap-password-policy-xx.txt;h=616a41837964d74a7a60777b7adc0aa12f116221;hb=fd0bdcb6c68c3eb28281f5ea4a5083be66822972;hp=ebf4893dda40a0a9a414aab1b5f7d91004c8ac27;hpb=52a0b4f83c34de4966870af62db829c913993fdf;p=openldap diff --git a/doc/drafts/draft-behera-ldap-password-policy-xx.txt b/doc/drafts/draft-behera-ldap-password-policy-xx.txt index ebf4893dda..616a418379 100644 --- a/doc/drafts/draft-behera-ldap-password-policy-xx.txt +++ b/doc/drafts/draft-behera-ldap-password-policy-xx.txt 
@@ -4,70 +4,70 @@ Network Working Group J. Sermersheim Internet-Draft Novell, Inc Intended status: Standards Track L. Poitou -Expires: February 10, 2010 Sun Microsystems +Expires: January 19, 2015 Sun Microsystems H. Chu, Ed. Symas Corp. - August 9, 2009 + July 18, 2014 Password Policy for LDAP Directories - draft-behera-ldap-password-policy-10.txt + draft-behera-ldap-password-policy-11 + +Abstract + + Password policy as described in this document is a set of rules that + controls how passwords are used and administered in Lightweight + Directory Access Protocol (LDAP) based directories. In order to + improve the security of LDAP directories and make it difficult for + password cracking programs to break into directories, it is desirable + to enforce a set of rules on password usage. These rules are made to + ensure that users change their passwords periodically, passwords meet + construction requirements, the re-use of old password is restricted, + and to deter password guessing attacks. Status of this Memo - This Internet-Draft is submitted to IETF in full conformance with the + This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. 
- - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on February 10, 2010. + This Internet-Draft will expire on January 19, 2015. Copyright Notice - Copyright (c) 2009 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents in effect on the date of - publication of this document (http://trustee.ietf.org/license-info). - Please review these documents carefully, as they describe your rights - and restrictions with respect to this document. + Provisions Relating to IETF Documents +Sermersheim, et al. Expires January 19, 2015 [Page 1] + +Internet-Draft Password Policy for LDAP Directories July 2014 + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. -Sermersheim, et al. Expires February 10, 2010 [Page 1] - -Internet-Draft Password Policy for LDAP Directories August 2009 -Abstract - Password policy as described in this document is a set of rules that - controls how passwords are used and administered in Lightweight - Directory Access Protocol (LDAP) based directories. In order to - improve the security of LDAP directories and make it difficult for - password cracking programs to break into directories, it is desirable - to enforce a set of rules on password usage. 
These rules are made to - ensure that users change their passwords periodically, passwords meet - construction requirements, the re-use of old password is restricted, - and to deter password guessing attacks. @@ -108,9 +108,9 @@ Abstract -Sermersheim, et al. Expires February 10, 2010 [Page 2] +Sermersheim, et al. Expires January 19, 2015 [Page 2] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Table of Contents @@ -125,7 +125,7 @@ Table of Contents 5. Schema used for Password Policy . . . . . . . . . . . . . . 12 5.1. The pwdPolicy Object Class . . . . . . . . . . . . . . . . . 12 5.2. Attribute Types used in the pwdPolicy ObjectClass . . . . . 12 - 5.3. Attribute Types for Password Policy State Information . . . 18 + 5.3. Attribute Types for Password Policy State Information . . . 19 6. Controls used for Password Policy . . . . . . . . . . . . . 24 6.1. Request Control . . . . . . . . . . . . . . . . . . . . . . 24 6.2. Response Control . . . . . . . . . . . . . . . . . . . . . . 24 @@ -136,7 +136,7 @@ Table of Contents 7.4. Remaining Grace AuthN Check . . . . . . . . . . . . . . . . 27 7.5. Time Before Expiration Check . . . . . . . . . . . . . . . . 27 7.6. Intruder Lockout Check . . . . . . . . . . . . . . . . . . . 27 - 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 27 + 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 28 7.8. Password Too Young Check . . . . . . . . . . . . . . . . . . 28 8. Server Policy Enforcement Points . . . . . . . . . . . . . . 29 8.1. Password-based Authentication . . . . . . . . . . . . . . . 29 
@@ -152,21 +152,21 @@ Table of Contents 11. Password Policy and Replication . . . . . . . . . . . . . . 40 12. Security Considerations . . . . . . . . . . . . . . . . . . 42 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 43 - 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 44 - 15. Normative References . . . . . . . . . . . . . . . . . . . . 45 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 46 - - - - + 13.1. Object Identifiers . . . . . . . . . . . . . . . . . . . . . 43 + 13.2. LDAP Protocol Mechanisms . . . . . . . . . . . . . . . . . . 43 + 13.3. LDAP Descriptors . . . . . . . . . . . . . . . . . . . . . . 43 + 13.4. LDAP AttributeDescription Options . . . . . . . . . . . . . 45 + 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 46 + 15. Normative References . . . . . . . . . . . . . . . . . . . . 47 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 48 -Sermersheim, et al. Expires February 10, 2010 [Page 3] +Sermersheim, et al. Expires January 19, 2015 [Page 3] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 1. Overview @@ -220,9 +220,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 4] +Sermersheim, et al. Expires January 19, 2015 [Page 4] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 2. Conventions @@ -276,9 +276,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 5] +Sermersheim, et al. Expires January 19, 2015 [Page 5] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 3. Application of Password Policy 
@@ -332,9 +332,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 6] +Sermersheim, et al. Expires January 19, 2015 [Page 6] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 4. Articles of Password Policy @@ -388,9 +388,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 7] +Sermersheim, et al. Expires January 19, 2015 [Page 7] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 o An amount of time the account is locked (if it is to be locked). @@ -444,9 +444,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 8] +Sermersheim, et al. Expires January 19, 2015 [Page 8] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 o The user may bind to the directory a preset number of times after @@ -500,9 +500,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 9] +Sermersheim, et al. Expires January 19, 2015 [Page 9] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 o If the password to be added or updated is encrypted by the client @@ -556,9 +556,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 10] +Sermersheim, et al. Expires January 19, 2015 [Page 10] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 contains one and only one password value. 
@@ -612,9 +612,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 11] +Sermersheim, et al. Expires January 19, 2015 [Page 11] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 5. Schema used for Password Policy @@ -668,14 +668,15 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 12] +Sermersheim, et al. Expires January 19, 2015 [Page 12] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -691,6 +692,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -706,6 +708,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -718,17 +721,17 @@ Internet-Draft Password Policy for LDAP Directories August 2009 {TODO: Note that even though this is meant to be a check that happens during password modification, it may also be allowed to happen during authN. This is useful for situations where the password is encrypted - when modified, but decrypted when used to authN.} - - This attribute indicates how the password quality will be verified -Sermersheim, et al. Expires February 10, 2010 [Page 13] +Sermersheim, et al. Expires January 19, 2015 [Page 13] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 + + when modified, but decrypted when used to authN.} + This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the @@ -740,6 +743,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -756,6 +760,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -769,22 +774,24 @@ Internet-Draft Password Policy for LDAP Directories August 2009 value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2'). - ( 1.3.6.1.4.1.42.2.27.8.1.31 - NAME 'pwdMaxLength' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) -Sermersheim, et al. Expires February 10, 2010 [Page 14] +Sermersheim, et al. Expires January 19, 2015 [Page 14] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 + ( 1.3.6.1.4.1.42.2.27.8.1.31 + NAME 'pwdMaxLength' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + 5.2.8. pwdExpireWarning This attribute specifies the maximum number of seconds before a @@ -798,6 +805,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -810,6 +818,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -822,7 +831,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdGraceExpire' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + + + +Sermersheim, et al. Expires January 19, 2015 [Page 15] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + SINGLE-VALUE ) 5.2.11. pwdLockout 
@@ -833,14 +851,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the - - - -Sermersheim, et al. Expires February 10, 2010 [Page 15] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - password may be used to authenticate when the number of failed bind attempts has been reached. @@ -861,6 +871,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -875,8 +886,17 @@ Internet-Draft Password Policy for LDAP Directories August 2009 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ORDERING integerOrderingMatch SINGLE-VALUE ) + + + +Sermersheim, et al. Expires January 19, 2015 [Page 16] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + 5.2.14. pwdFailureCountInterval This attribute holds the number of seconds after which the password @@ -886,21 +906,11 @@ Internet-Draft Password Policy for LDAP Directories August 2009 If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication. - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 16] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ORDERING integerOrderingMatch SINGLE-VALUE ) 5.2.15. pwdMustChange 
@@ -934,6 +944,15 @@ Internet-Draft Password Policy for LDAP Directories August 2009 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 17] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + 5.2.17. pwdSafeModify This attribute specifies whether or not the existing password must be @@ -946,13 +965,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - - -Sermersheim, et al. Expires February 10, 2010 [Page 17] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.2.18. pwdMinDelay This attribute specifies the number of seconds to delay responding to @@ -963,6 +975,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.24 NAME 'pwdMinDelay' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -978,6 +991,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.25 NAME 'pwdMaxDelay' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -987,9 +1001,18 @@ Internet-Draft Password Policy for LDAP Directories August 2009 unused before it becomes locked. If this attribute is not set or is 0, no check is performed. + + + +Sermersheim, et al. Expires January 19, 2015 [Page 18] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.26 NAME 'pwdMaxIdle' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -1002,13 +1025,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 pwdReset, pwdPolicySubEntry, pwdStartTime, pwdEndTime, pwdLastSuccess. - - -Sermersheim, et al. Expires February 10, 2010 [Page 18] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.3.1. Password Policy State Attribute Option Since the password policy could apply to several attributes used to @@ -1018,7 +1034,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 pwd- - where passwordAttribute a string following the OID syntax + where passwordAttribute is a string following the OID syntax (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor (short name) MUST be used. @@ -1039,6 +1055,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 changed. This is used by the password expiration policy. If this attribute does not exist, the password will never expire. + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 19] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' DESC 'The time the password was last changed' @@ -1057,14 +1083,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 locked permanently, and that only a password administrator can unlock the account. - - - -Sermersheim, et al. Expires February 10, 2010 [Page 19] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' @@ -1096,6 +1114,13 @@ Internet-Draft Password Policy for LDAP Directories August 2009 of this attribute are transmitted in string format as given by the following ABNF: + + +Sermersheim, et al. Expires January 19, 2015 [Page 20] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + pwdHistory = time "#" syntaxOID "#" length "#" data time = GeneralizedTime 
@@ -1113,14 +1138,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 number are specified in 1.4 of [RFC4512]. This format allows the server to store, and transmit a history of - - - -Sermersheim, et al. Expires February 10, 2010 [Page 20] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - passwords that have been used. In order for equality matching to function properly, the time field needs to adhere to a consistent format. For this purpose, the time field MUST be in GMT format. @@ -1153,6 +1170,13 @@ Internet-Draft Password Policy for LDAP Directories August 2009 has been updated by the password administrator and must be changed by the user. + + +Sermersheim, et al. Expires January 19, 2015 [Page 21] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.22 NAME 'pwdReset' DESC 'The indication that the password has been reset' @@ -1166,17 +1190,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 This attribute points to the pwdPolicy subentry in effect for this object. - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 21] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' @@ -1210,6 +1223,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 time will fail, regardless of expiration or grace settings. If this attribute does not exist, then this restriction does not apply. + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 22] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.28 NAME 'pwdEndTime' DESC 'The time the password becomes disabled' 
@@ -1223,16 +1246,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 Note that pwdStartTime may be set to a time greater than or equal to pwdEndTime; this simply disables the account. - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 22] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.3.11. pwdLastSuccess This attribute holds the timestamp of the last successful @@ -1271,22 +1284,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 - - - - - - - - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 23] +Sermersheim, et al. Expires January 19, 2015 [Page 23] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 6. Controls used for Password Policy @@ -1340,9 +1340,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 24] +Sermersheim, et al. Expires January 19, 2015 [Page 24] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 before a password will expire. The graceAuthNsRemaining warning @@ -1396,9 +1396,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 25] +Sermersheim, et al. Expires January 19, 2015 [Page 25] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 7. Policy Decision Points @@ -1452,9 +1452,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 26] +Sermersheim, et al. Expires January 19, 2015 [Page 26] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 7.3. Password Expiration Check 
@@ -1467,6 +1467,10 @@ Internet-Draft Password Policy for LDAP Directories August 2009 7.4. Remaining Grace AuthN Check + If the pwdGraceExpiry attribute is present, and the current time is + greater than the password expiration time plus the pwdGraceExpiry + value, zero is returned. + If the pwdGraceUseTime attribute is present, the number of values in that attribute subtracted from the value of pwdGraceAuthNLimit is returned. Otherwise zero is returned. A positive result specifies @@ -1501,17 +1505,17 @@ Internet-Draft Password Policy for LDAP Directories August 2009 While performing this check, values of pwdFailureTime that are old by more than pwdFailureCountInterval are purged and not counted. -7.7. Intruder Delay Check - If the pwdMinDelay attribute is 0 or not set, zero is returned. +Sermersheim, et al. Expires January 19, 2015 [Page 27] + +Internet-Draft Password Policy for LDAP Directories July 2014 -Sermersheim, et al. Expires February 10, 2010 [Page 27] - -Internet-Draft Password Policy for LDAP Directories August 2009 +7.7. Intruder Delay Check + If the pwdMinDelay attribute is 0 or not set, zero is returned. Otherwise, a delay time is computed based on the number of values in the pwdFailureTime attribute. If the computed value is greater than @@ -1560,13 +1564,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 28] +Sermersheim, et al. Expires January 19, 2015 [Page 28] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8. Server Policy Enforcement Points 
@@ -1620,9 +1620,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 29] +Sermersheim, et al. Expires January 19, 2015 [Page 29] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Set the value of the pwdLastSuccess attribute to the current time. @@ -1676,9 +1676,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 30] +Sermersheim, et al. Expires January 19, 2015 [Page 30] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8.1.2.4. Expiration Warning @@ -1732,9 +1732,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 31] +Sermersheim, et al. Expires January 19, 2015 [Page 31] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8.2.1. Safe Modification @@ -1788,9 +1788,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 32] +Sermersheim, et al. Expires January 19, 2015 [Page 32] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8.2.5. Password Quality 
@@ -1806,28 +1806,32 @@ Internet-Draft Password Policy for LDAP Directories August 2009 sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: - insufficientPasswordQuality (5). If the server is able to check - the password quality, and the check fails, the server sends a - response message to the client with the resultCode: - constraintViolation (19), and includes the passwordPolicyResponse - in the controls field of the response message with the error: insufficientPasswordQuality (5). + If the server is able to check the password quality, and the check + fails, the server sends a response message to the client with the + resultCode: constraintViolation (19), and includes the + passwordPolicyResponse in the controls field of the response + message with the error: insufficientPasswordQuality (5). + o checks the value of the pwdMinLength attribute. If the value is non-zero, it ensures that the new password is of at least the - minimum length. If the server is unable to check the length (due - to a hashed password or otherwise), the value of pwdCheckQuality - is evaluated. If the value is 1, operation continues. If the - value is 2, the server sends a response message to the client with - the resultCode: constraintViolation (19), and includes the - passwordPolicyResponse in the controls field of the response - message with the error: passwordTooShort (6). If the server is - able to check the password length, and the check fails, the server - sends a response message to the client with the resultCode: + minimum length. + + If the server is unable to check the length (due to a hashed + password or otherwise), the value of pwdCheckQuality is evaluated. + If the value is 1, operation continues. 
If the value is 2, the + server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooShort (6). + If the server is able to check the password length, and the check + fails, the server sends a response message to the client with the + resultCode: constraintViolation (19), and includes the + passwordPolicyResponse in the controls field of the response + message with the error: passwordTooShort (6). + 8.2.6. Invalid Reuse If pwdInHistory is present and its value is non-zero, the server @@ -1837,18 +1841,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 attribute, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message - with the error: passwordInHistory (8). - - - -Sermersheim, et al. Expires February 10, 2010 [Page 33] +Sermersheim, et al. Expires January 19, 2015 [Page 33] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 + with the error: passwordInHistory (8). + 8.2.7. Policy State Updates If the steps have completed without causing an error condition, the @@ -1898,11 +1900,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 - - -Sermersheim, et al. Expires February 10, 2010 [Page 34] +Sermersheim, et al. Expires January 19, 2015 [Page 34] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9. Client Policy Enforcement Points 
@@ -1956,9 +1956,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 35] +Sermersheim, et al. Expires January 19, 2015 [Page 35] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9.2. Modify Operations @@ -2012,9 +2012,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 36] +Sermersheim, et al. Expires January 19, 2015 [Page 36] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9.3. Add Operation @@ -2068,22 +2068,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 37] +Sermersheim, et al. Expires January 19, 2015 [Page 37] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9.5. Other Operations For operations other than bind, unbind, abandon or StartTLS, the - client checks the result code and control to determine if any other - actions are needed. - - o .resultCode = insufficientAccessRights (50), - passwordPolicyResponse.error = accountLocked (1) : The password - failure limit has been reached and the account is locked. The - user needs to retry later or contact the password administrator to - reset the password. + client checks the result code and control to determine if the user + needs to change the password immediately. o .resultCode = insufficientAccessRights (50), passwordPolicyResponse.error = changeAfterReset (2) : The user 
@@ -2124,9 +2118,15 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 38] + + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 38] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 10. Administration of the Password Policy @@ -2180,9 +2180,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 39] +Sermersheim, et al. Expires January 19, 2015 [Page 39] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 11. Password Policy and Replication @@ -2236,9 +2236,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 40] +Sermersheim, et al. Expires January 19, 2015 [Page 40] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Servers participating in a loosely consistent multi-master @@ -2292,9 +2292,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 41] +Sermersheim, et al. Expires January 19, 2015 [Page 41] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 12. Security Considerations 
@@ -2348,50 +2348,152 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 42] +Sermersheim, et al. Expires January 19, 2015 [Page 42] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 13. IANA Considerations - <<>> + In accordance with [RFC4520] the following registrations are + requested. +13.1. Object Identifiers + The OIDs used in this specification are derived from iso(1) + identified-organization(3) dod(6) internet(1) private(4) + enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These OIDs + have been in use since at least July 2001 when version 04 of this + draft was published. No additional OID assignment is being + requested. +13.2. LDAP Protocol Mechanisms + Registration of the protocol mechanisms specified in this document is + requested. + Subject: Request for LDAP Protocol Mechanism Registration + Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1 + Description: Password Policy Request and Response Control + Person & email address to contact for further information: + Howard Chu + Usage: Control + Specification: (I-D) draft-behera-ldap-password-policy + Author/Change Controller: IESG + Comments: +13.3. LDAP Descriptors + Registration of the descriptors specified in this document is + requested. + Subject: Request for LDAP Descriptor Registration + Descriptor (short name): see table + Object Identifier: see table +Sermersheim, et al. 
Expires January 19, 2015 [Page 43] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + + Description: see table + + Person & email address to contact for further information: + + Howard Chu + + Specification: (I-D) draft-behera-ldap-password-policy + + Author/Change Controller: IESG + + Comments: + Name Type OID + ----------------------- ---- ------------------------------ + pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1 + pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1 + pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2 + pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3 + pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4 + pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5 + pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6 + pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31 + pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7 + pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8 + pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30 + pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9 + pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10 + pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11 + pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12 + pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13 + pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14 + pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15 + pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24 + pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25 + pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26 + pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16 + pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17 + pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19 + pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20 + pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21 + pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22 + pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23 + pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27 + pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28 + pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29 + + + + + + +Sermersheim, et al. 
Expires January 19, 2015 [Page 44] + +Internet-Draft Password Policy for LDAP Directories July 2014 + Legend + -------------------- + A => Attribute Type + O => Object Class +13.4. LDAP AttributeDescription Options + Registration of the AttributeDescription option specified in this + document is requested. + Subject: Request for LDAP Attribute Description Option + Registration + Option Name: pwd- + Family of Options: YES + Person & email address to contact for further information: + Howard Chu + Specification: (I-D) draft-behera-ldap-password-policy + Author/Change Controller: IESG + Comments: + Used with policy state attributes to specify to which password + attribute the state belongs. @@ -2404,9 +2506,19 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 43] + + + + + + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 45] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 14. Acknowledgement @@ -2460,9 +2572,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 44] +Sermersheim, et al. Expires January 19, 2015 [Page 46] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 15. Normative References @@ -2480,10 +2592,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 [RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation", RFC 3062, February 2001. - [RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) - Considerations for the Lightweight Directory Access - Protocol (LDAP)", RFC 3383, September 2002. - [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory Access Protocol (LDAP)", RFC 3672, December 2003. 
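Review bot: the -2480 hunk deletes the [RFC3383] reference entry; check that no remaining section still cites [RFC3383], because this patch only switches the IANA text (section 13) to [RFC4520] and a dangling citation would fail idnits. The replacement itself is correct (RFC 4520, BCP 64, obsoletes RFC 3383), so the only follow-up is a grep for the old anchor.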
@@ -2504,6 +2612,10 @@ Internet-Draft Password Policy for LDAP Directories August 2009 [RFC4517] Legg, S., "Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006. + [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) + Considerations for the Lightweight Directory Access + Protocol (LDAP)", BCP 64, RFC 4520, June 2006. + [X.680] International Telecommunications Union, "Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, July 2002. @@ -2516,9 +2628,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 45] +Sermersheim, et al. Expires January 19, 2015 [Page 47] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Authors' Addresses @@ -2572,5 +2684,5 @@ Authors' Addresses -Sermersheim, et al. Expires February 10, 2010 [Page 46] +Sermersheim, et al. Expires January 19, 2015 [Page 48]
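Review bot: the new section 13 registration templates are missing the contact email: each of 13.2, 13.3 and 13.4 has a "Person & email address to contact for further information:" field that lists only "Howard Chu" with no address, and the RFC 4520 templates expect an address there. While filling those in, two checks on the descriptor table in 13.3: the registered short name must match the NAME in the attribute type definition exactly, so confirm that "pwdPolicySubEntry" is the spelling used in the schema section rather than a capitalisation drift, and the arc 1.3.6.1.4.1.42.2.27.8.1 jumps from .17 to .19 (no .18 appears in the table), so if .18 was once assigned and later dropped, a sentence in 13.1 saying it is not to be reused would save IANA a question. The "Comments:" fields in 13.2 and 13.3 can stay empty, but the one in 13.4 reads as a fragment ("Used with policy state attributes to specify to which password attribute the state belongs.") and would read better as "Used with the operational (state) attributes to indicate which password attribute the state belongs to."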