X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-ppolicy.5;h=c0bf32fe5942758819e7afd66f62599350901a59;hb=faf077bd5c4cc03010515c3d3aefb7da95c3e956;hp=053d9fcdb0e36b4b80dfbaee15cc0b625848ac4c;hpb=f2af052a67946cb9e0b9074969ae3b481a25a622;p=openldap diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 053d9fcdb0..8135dcce83 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -1,9 +1,9 @@ -.\" $OpenLDAP$ -.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved. -.\" Copying restrictions apply. See COPYRIGHT/LICENSE. .TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2004-2013 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ .SH NAME -slapo-ppolicy \- Password Policy overlay to slapd +slapo\-ppolicy \- Password Policy overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION @@ -17,7 +17,7 @@ decodes and applies specific password policy controls to overall use of a backend database, changes to user password fields, etc. .P The overlay provides a variety of password control mechanisms. They -include password aging--both minimum and maximum ages, password +include password aging -- both minimum and maximum ages, password reuse and duplication control, account time-outs, mandatory password resets, acceptable password content, and even grace logins. Different groups of users may be associated with different password 
@@ -49,6 +49,17 @@ Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced. .TP +.B ppolicy_forward_updates +Specify that policy state changes that result from Bind operations (such +as recording failures, lockout, etc.) on a consumer should be forwarded +to a master instead of being written directly into the consumer's local +database. This setting is only useful on a replication consumer, and +also requires the +.B updateref +setting and +.B chain +overlay to be appropriately configured. +.TP .B ppolicy_hash_cleartext Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500/LDAP @@ -159,7 +170,7 @@ modified whenever and however often is desired). NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMaxAge @@ -173,7 +184,7 @@ value is zero (0), then passwords will not expire. NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdInHistory @@ -196,7 +207,7 @@ although the password is saved in the history. NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdCheckQuality @@ -217,7 +228,7 @@ error refusing the password. NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMinLength @@ -245,7 +256,7 @@ is two (2)). NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdExpireWarning 
@@ -261,7 +272,7 @@ present, or if the value is zero (0), no warnings will be sent. NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdGraceAuthnLimit @@ -277,7 +288,7 @@ directory. NAME 'pwdGraceAuthnLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdLockout @@ -303,7 +314,7 @@ attempts have been made. NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdLockoutDuration @@ -327,7 +338,7 @@ again until it is reset by an administrator. NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMaxFailure @@ -351,7 +362,7 @@ and NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdFailureCountInterval @@ -369,7 +380,7 @@ counter will only be reset by a successful authentication. NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdMustChange @@ -391,7 +402,7 @@ the administrator sets or resets the password. NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdAllowUserChange 
@@ -403,12 +414,29 @@ is set to "TRUE", or if the attribute is not present, users will be allowed to change their own passwords. If its value is "FALSE", users will not be allowed to change their own passwords. .LP +Note: this implies that when +.B pwdAllowUserChange +is set to "TRUE", +users will still be able to change the password of another user, +subjected to access control. +This restriction only applies to modifications of ones's own password. +It should also be noted that +.B pwdAllowUserChange +was defined in the specification to provide rough access control +to the password attribute in implementations that do not allow fine-grain +access control. +Since OpenLDAP provides fine-grain access control, the use of this attribute +is discouraged; ACLs should be used instead +(see +.BR slapd.access (5) +for details). +.LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdSafeModify @@ -426,7 +454,7 @@ along with the new password. NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .B pwdCheckModule @@ -473,7 +501,7 @@ be free()'d by slapd. NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 - SINGLE-VALUE ) + SINGLE\-VALUE ) .RE .P Note: @@ -491,7 +519,7 @@ policy proposal. .SH OPERATIONAL ATTRIBUTES .P The operational attributes used by the -.B passwd_policy +.B ppolicy module are stored in the user's entry. Most of these attributes are not intended to be changed directly by users; they are there to track user activity. They have been detailed here so that 
@@ -500,6 +528,19 @@ the .B ppolicy module. +.P +Note that the current IETF Password Policy proposal does not define +how these operational attributes are expected to behave in a +replication environment. In general, authentication attempts on +a slave server only affect the copy of the operational attributes +on that slave and will not affect any attributes for +a user's entry on the master server. Operational attribute changes +resulting from authentication attempts on a master server +will usually replicate to the slaves (and also overwrite +any changes that originated on the slave). +These behaviors are not guaranteed and are subject to change +when a formal specification emerges. + .B userPassword .P The @@ -533,8 +574,8 @@ policy rules will be enforced. this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 - SINGLE-VALUE - NO-USER-MODIFICATION + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -554,8 +595,8 @@ does not exist, the user's password will not expire. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE - NO-USER-MODIFICATION + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -566,7 +607,10 @@ If the account has been locked, the password may no longer be used to authenticate the user to the directory. If .B pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked -and may only be unlocked by an administrator. +and may only be unlocked by an administrator. Note that account locking +only takes effect when the +.B pwdLockout +password policy attribute is set to "TRUE". .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.17 
@@ -575,8 +619,8 @@ and may only be unlocked by an administrator. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - SINGLE-VALUE - NO-USER-MODIFICATION + SINGLE\-VALUE + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -610,7 +654,7 @@ will be cleansed of entries. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch - NO-USER-MODIFICATION + NO\-USER\-MODIFICATION USAGE directoryOperation ) .RE @@ -664,7 +708,7 @@ field is in GMT format. DESC 'The history of user passwords' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 EQUALITY octetStringMatch - NO-USER-MODIFICATION + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -688,7 +732,7 @@ attribute. DESC 'The timestamps of the grace login once the password has expired' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch - NO-USER-MODIFICATION + NO\-USER\-MODIFICATION USAGE directoryOperation) .RE @@ -710,7 +754,7 @@ administrative reset. been reset' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 - SINGLE-VALUE + SINGLE\-VALUE USAGE directoryOperation) .RE @@ -720,7 +764,7 @@ administrative reset. .nf database bdb suffix dc=example,dc=com -\... +\|... overlay ppolicy ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" .fi @@ -729,6 +773,8 @@ ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" .SH SEE ALSO .BR ldap (3), .BR slapd.conf (5), +.BR slapd\-config (5), +.BR slapo\-chain (5). .LP "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) .LP
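Review bot: in the ppolicy_forward_updates hunk, the failure mode when the stated prerequisites are missing is not documented, and the requirement on the chain overlay is stated without a cross-reference to slapo-chain(5) in the text itself (it appears only in the SEE ALSO hunk at the end). "also requires the updateref setting and chain overlay to be appropriately configured" leaves the reader unable to tell whether a consumer without a working chain overlay writes the failure or lockout state locally (so a lockout is enforced only on that consumer) or rejects the Bind; one sentence naming the behaviour would let an operator verify that a lockout policy is actually enforced fleet-wide rather than per server.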
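Review bot: the new pwdAllowUserChange note (hunk @@ -403,12 +414,29 @@) has three wording errors: "ones's own password" should be "one's own password", "subjected to access control" should be "subject to access control", and "fine-grain access control" should be "fine-grained access control" (twice). The substance is a useful correction of a common misreading, namely that setting the attribute to "FALSE" only blocks a user's modification of their own password and does nothing to restrict modifications of other users' passwords, which remain governed solely by ACLs as described in slapd.access(5).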
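Review bot: the new replication paragraph (hunk @@ -500,6 +528,19 @@) describes the default behaviour, where authentication attempts on a consumer only update that consumer's copy of the operational attributes, but does not mention that ppolicy_forward_updates, added in this same patch, exists precisely to change that; add "unless ppolicy_forward_updates is configured" or an explicit pointer to the directive. The paragraph also switches to "master"/"slave" while the ppolicy_forward_updates text uses "consumer"/"master"; pick one pair. It would also help operators to state the consequence plainly: with the default behaviour, pwdMaxFailure and pwdLockout are enforced per consumer rather than against a single shared failure count.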
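Review bot: the SINGLE-VALUE to SINGLE\-VALUE change in the first schema hunk (@@ -159,7 +170,7 @@), repeated verbatim in every later schema hunk together with NO\-USER\-MODIFICATION, is the right fix for text that readers copy out of the rendered page into a schema or LDIF file, since an unescaped - may be rendered as a typographic hyphen that is not valid in schema syntax; the same escaping is correctly applied to slapo\-ppolicy in the NAME line. Hyphens in running prose ("time-outs", "fine-grain", the new "aging -- both") are left as plain -, which is cosmetic only, but the patch would read more consistently with a stated rule: escape inside .nf/.RS schema and example blocks, leave prose alone.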
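Review bot: the SEE ALSO hunk adds slapd\-config(5), but the SYNOPSIS in the first hunk still lists only ETCDIR/slapd.conf and every directive on the page, including the new ppolicy_forward_updates, is documented in slapd.conf form only; if the overlay is configurable through cn=config, the page should name the corresponding attributes next to each directive, otherwise the cross-reference points at something the page does not document. The trailing period on slapo\-chain (5). correctly terminates the list, which previously ended with a dangling comma after slapd.conf (5),.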