X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-ppolicy.5;h=2bb99e4af79211fd0138558a11bb0d53013594d5;hb=80526326891ed511e7842d46b8699e1037c5583e;hp=6f2813d4aec7f21bb3b6d92d2b1302e0d6db2d17;hpb=057a3853462a26b0980c60cdb23da15a10ac01ca;p=openldap diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 6f2813d4ae..2bb99e4af7 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -1,9 +1,9 @@ -.\" $OpenLDAP$ -.\" Copyright 2004 The OpenLDAP Foundation All Rights Reserved. +.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. -.TH SLAPD_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ .SH NAME -slapo-ppolicy \- Password Policy overlay +slapo\-ppolicy \- Password Policy overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION 
@@ -17,12 +17,24 @@ decodes and applies specific password policy controls to overall use of a backend database, changes to user password fields, etc. .P The overlay provides a variety of password control mechanisms. They -include password aging--both minimum and maximum ages, password +include password aging -- both minimum and maximum ages, password reuse and duplication control, account time-outs, mandatory password resets, acceptable password content, and even grace logins. Different groups of users may be associated with different password policies, and there is no limit to the number of password policies that may be created. +.P +Note that some of the policies do not take effect when the operation +is performed with the +.B rootdn +identity; all the operations, when performed with any other identity, +may be subjected to constraints, like access control. +.P +Note that the IETF Password Policy proposal for LDAP makes sense +when considering a single-valued password attribute, while +the userPassword attribute allows multiple values. This implementation +enforces a single value for the userPassword attribute, despite +its specification. .SH CONFIGURATION These 
@@ -37,6 +49,25 @@ Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced. .TP +.B ppolicy_forward_updates +Specify that policy state changes that result from Bind operations (such +as recording failures, lockout, etc.) on a consumer should be forwarded +to a master instead of being written directly into the consumer's local +database. This setting is only useful on a replication consumer, and +also requires the +.B updateref +setting and +.B chain +overlay to be appropriately configured. +.TP +.B ppolicy_hash_cleartext +Specify that cleartext passwords present in Add and Modify requests should +be hashed before being stored in the database. This violates the X.500/LDAP +information model, but may be needed to compensate for LDAP clients that +don't use the Password Modify extended operation to manage passwords. It +is recommended that when this option is used that compare, search, and +read access be denied to all directory users. +.TP .B ppolicy_use_lockout A client will always receive an LDAP .B InvalidCredentials @@ -68,8 +99,8 @@ object class. The definition of that class is as follows: MUST ( pwdAttribute ) MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ - pwdCheckSyntax $ pwdMinLength $ - pwdExpireWarning $ pwdGraceLoginLimit $ + pwdCheckQuality $ pwdMinLength $ + pwdExpireWarning $ pwdGraceAuthnLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ @@ -118,7 +149,7 @@ Note: in this implementation, the only value accepted for .B pwdAttribute is -.RI " userPassword ". +.IR " userPassword ". .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.1 @@ -139,7 +170,7 @@ modified whenever and however often is desired). NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMaxAge 
@@ -153,7 +184,7 @@ value is zero (0), then passwords will not expire. NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdInHistory @@ -167,13 +198,16 @@ attribute is not present, or if its value is zero (0), used passwords will not be stored in .B pwdHistory and thus any previously-used password may be reused. +No history checking occurs if the password is being modified by the +.BR rootdn , +although the password is saved in the history. .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdCheckQuality @@ -194,14 +228,14 @@ error refusing the password. NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMinLength .P When syntax checking is enabled (see also the -.B pwdCheckSyntax +.B pwdCheckQuality attribute), this attribute contains the minimum number of characters that will be accepted in a password. If this attribute is not present, minimum password length is not @@ -209,12 +243,12 @@ enforced. If the server is unable to check the length of the password, whether due to a client-side hashed password or some other reason, the server will, depending on the value of -.BR pwdCheckSyntax , +.BR pwdCheckQuality , either accept the password without checking it (if -.B pwdCheckSyntax +.B pwdCheckQuality is zero (0) or one (1)) or refuse it (if -.B pwdCheckSyntax +.B pwdCheckQuality is two (2)). .LP .RS 4 @@ -222,7 +256,7 @@ is two (2)). NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdExpireWarning 
@@ -238,10 +272,10 @@ present, or if the value is zero (0), no warnings will be sent. NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE -.B pwdGraceLoginLimit +.B pwdGraceAuthnLimit .P This attribute contains the number of times that an expired password may be used to authenticate a user to the directory. If this @@ -251,10 +285,10 @@ directory. .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.8 - NAME 'pwdGraceLoginLimit' + NAME 'pwdGraceAuthnLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdLockout @@ -280,7 +314,7 @@ attempts have been made. NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdLockoutDuration @@ -304,7 +338,7 @@ again until it is reset by an administrator. NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMaxFailure @@ -328,7 +362,7 @@ and NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdFailureCountInterval @@ -346,7 +380,7 @@ counter will only be reset by a successful authentication. NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMustChange @@ -368,7 +402,7 @@ the administrator sets or resets the password. NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdAllowUserChange @@ -385,7 +419,7 @@ users will not be allowed to change their own passwords. NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdSafeModify 
@@ -403,7 +437,7 @@ along with the new password. NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdCheckModule @@ -419,7 +453,7 @@ function prototype: .RS 4 int .I check_password -(char *pPasswd, char **ppErrStr, void *pArg); +(char *pPasswd, char **ppErrStr, Entry *pEntry); .RE The .B pPasswd @@ -427,9 +461,10 @@ parameter contains the clear-text user password, the .B ppErrStr parameter contains a double pointer that allows the function to return human-readable details about any error it encounters. -The -.B pArg -parameter is currently unused. +The optional +.B pEntry +parameter, if non-NULL, carries a pointer to the +entry whose password is being checked. If .B ppErrStr is NULL, then @@ -441,14 +476,15 @@ indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and .B ppErrStr may be used to return a human-readable textual explanation of the -error. +error. The error string must be dynamically allocated as it will +be free()'d by slapd. .LP .RS 4 ( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .P Note: @@ -466,7 +502,7 @@ policy proposal. .SH OPERATIONAL ATTRIBUTES .P The operational attributes used by the -.B passwd_policy +.B ppolicy module are stored in the user's entry. Most of these attributes are not intended to be changed directly by users; they are there to track user activity. They have been detailed here so that 
@@ -475,10 +511,23 @@ the .B ppolicy module. +.P +Note that the current IETF Password Policy proposal does not define +how these operational attributes are expected to behave in a +replication environment. In general, authentication attempts on +a slave server only affect the copy of the operational attributes +on that slave and will not affect any attributes for +a user's entry on the master server. Operational attribute changes +resulting from authentication attempts on a master server +will usually replicate to the slaves (and also overwrite +any changes that originated on the slave). +These behaviors are not guaranteed and are subject to change +when a formal specification emerges. + .B userPassword .P The -.b userPassword +.B userPassword attribute is not strictly part of the .B ppolicy module. It is, however, the attribute that is tracked and controlled @@ -499,7 +548,7 @@ object. If it does not exist, the module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no -policy rules wil be enforced. +policy rules will be enforced. .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.23 @@ -508,7 +557,8 @@ policy rules wil be enforced. this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -528,7 +578,8 @@ does not exist, the user's password will not expire. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE 
@@ -538,7 +589,7 @@ This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If .B pwdAccountLockedTime -is set to zero (0), the user's account has been permanently locked +is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. .LP .RS 4 @@ -548,32 +599,11 @@ and may only be unlocked by an administrator. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE -.B pwdExpirationWarned -.P -This attribute denotes the time when the first password -expiration warning was sent to the client regarding this account. -The amount of time between when this warning is sent and when -the password actually expires is the amount of time stored in -the -.B pwdExpireWarning -password policy attribute. -.LP -.RS 4 -( 1.3.6.1.4.1.42.2.27.8.1.18 - NAME 'pwdExpirationWarned' - DESC 'The time the user was first warned about the - coming expiration of their password' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE - USAGE directoryOperation ) -.RE - .B pwdFailureTime .P This attribute contains the timestamps of each of the consecutive @@ -604,6 +634,7 @@ will be cleansed of entries. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch + NO\-USER\-MODIFICATION USAGE directoryOperation ) .RE @@ -622,7 +653,7 @@ time "#" syntaxOID "#" length "#" data time= .RS 4 -generalizedTimeString as specified in section 6.14 of [RFC2252] +GeneralizedTime as specified in section 3.3.13 of [RFC4517] .RE .P 
@@ -630,13 +661,13 @@ syntaxOID = numericoid .RS 4 This is the string representation of the dotted-decimal OID that defines the syntax used to store the password. numericoid is -described in section 4.1 of [RFC2252]. +described in section 1.4 of [RFC4512]. .RE -length = numericstring +length = NumericString .RS 4 -The number of octets in the data. numericstring is described in -section 4.1 of [RFC2252]. +The number of octets in the data. NumericString is described in +section 3.3.23 of [RFC4517]. .RE data = @@ -657,14 +688,14 @@ field is in GMT format. DESC 'The history of user passwords' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 EQUALITY octetStringMatch + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE .B pwdGraceUseTime This attribute contains the list of timestamps of logins made after the user password in the DN has expired. These post-expiration -logins are known as -.RI " "grace logins" ." +logins are known as "\fIgrace logins\fP". If too many .I grace logins have been used (please refer to the @@ -681,6 +712,7 @@ attribute. DESC 'The timestamps of the grace login once the password has expired' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -702,7 +734,7 @@ administrative reset. been reset' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE + SINGLE\-VALUE USAGE directoryOperation) .RE @@ -712,7 +744,7 @@ administrative reset. .nf database bdb suffix dc=example,dc=com -\... +\|... overlay ppolicy ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" .fi 
@@ -721,12 +753,14 @@ ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" .SH SEE ALSO .BR ldap (3), .BR slapd.conf (5), +.BR slapd\-config (5), +.BR slapo\-chain (5). .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) .LP IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim: documented in IETF document -"draft-behera-ldap-password-policy-07.txt". +"draft-behera-ldap-password-policy-09.txt". .SH BUGS The LDAP Password Policy specification is not yet an approved standard, @@ -745,10 +779,7 @@ IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim. The proposal is fully documented in the -IETF document named draft-behera-ldap-password-policy-07.txt, -written in February of 2004. +IETF document named draft-behera-ldap-password-policy-09.txt, +written in July of 2005. .P -.B OpenLDAP -is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). -.B OpenLDAP -is derived from University of Michigan LDAP 3.3 Release. +.so ../Project
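Review bot: The new rootdn paragraph in hunk @@ -17,12 +17,24 @@ is too vague to act on: "some of the policies do not take effect" does not say which ones, and an administrator needs that list to know which checks the rootdn identity bypasses (the pwdInHistory hunk later in this patch documents one of them; collect the others here). The second clause, "all the operations, when performed with any other identity, may be subjected to constraints, like access control", also reads awkwardly; suggest "Operations performed with any other identity are subject to the policy constraints, in the same way that they are subject to access control." In the userPassword paragraph, "despite its specification" should say what is meant (the multi-valued schema definition of userPassword) so it is not read as a defect in the proposal.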
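Review bot: In hunk @@ -37,6 +49,25 @@, the ppolicy_hash_cleartext text does not say which hash scheme is applied to the stored value, and the recommendation that "compare, search, and read access be denied to all directory users" does not name the attribute it applies to; state that it is userPassword that must be protected and cross-reference the directive that selects the hash, so an administrator can tell what actually ends up in the database. For ppolicy_forward_updates, the text says updateref and the chain overlay are required but not what happens when they are missing or the forward fails (is the state change written locally, dropped, or does the Bind fail?); that failure mode decides whether lockout accounting on a consumer can be silently lost and should be spelled out.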
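Review bot: The text does not say that the new check_password prototype in hunks @@ -419,7 +453,7 @@ and @@ -427,9 +461,10 @@ (third parameter "void *pArg" replaced by "Entry *pEntry") is an interface change for every existing pwdCheckModule; add a sentence that modules written against the old prototype must be updated and rebuilt, and name the header that declares Entry. "The optional pEntry parameter, if non-NULL" also leaves open whether a module can ever be called with a NULL pEntry; if it can, say under which conditions, so module authors know to test it before dereferencing.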
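Review bot: "The error string must be dynamically allocated as it will be free()'d by slapd" in hunk @@ -441,14 +476,15 @@ should name the allocator, since a buffer obtained from anything other than the allocator slapd frees it with, or a string literal or static buffer (which modules written against the previous text may well return), will crash slapd or corrupt its heap on free. Suggest: "must be allocated with malloc(3), or an equivalent that can be released with free(3); slapd frees it after use, so a module must never return a string literal or a static buffer."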
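Review bot: The replication paragraph added in hunk @@ -475,10 +511,23 @@ states that authentication attempts on a slave "will not affect any attributes for a user's entry on the master server", which contradicts the ppolicy_forward_updates option introduced earlier in this same patch, whose purpose is exactly to forward those state changes to the master; reference that option here as the exception ("unless ppolicy_forward_updates is configured on the consumer"). This paragraph also uses "master/slave" while the ppolicy_forward_updates text uses "master/consumer"; pick one pair of terms.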
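Review bot: The permanent-lock description in hunk @@ -538,7 +589,7 @@ is not actionable: it still says the account "may only be unlocked by an administrator" without saying how, and the next hunk (@@ -548,32 +599,11 @@) adds NO\-USER\-MODIFICATION to pwdAccountLockedTime, so an ordinary Modify will no longer touch it. State how an administrator is expected to set the 000001010000Z sentinel and to clear it. The sentinel itself is the right fix, since the attribute's syntax is GeneralizedTime and the previous "zero (0)" was never a valid value.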
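Review bot: Nothing is said about deployments that already carry pwdExpirationWarned values in user entries or in their schema when hunk @@ -548,32 +599,11 @@ removes the attribute's description wholesale; add a line on whether existing values are ignored, removed or rejected. Since pwdExpireWarning remains documented and expiry warnings are still sent, also state what now records that a warning was issued, or that this is no longer tracked per entry.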
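Review bot: pwdReset (hunk @@ -702,7 +734,7 @@) is the only operational attribute in this patch that does not gain NO\-USER\-MODIFICATION; pwdPolicySubentry, pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory and pwdGraceUseTime all do. If that is deliberate, so that an administrator can set pwdReset to force a password change, say so in the pwdReset text; if it is an oversight, it leaves a flag that a user with write access to their own entry can clear, which defeats the forced reset.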