int pwdMinLength; /* minimum number of chars in password */
int pwdExpireWarning; /* number of seconds that warning controls are
sent before a password expires */
- int pwdGraceLoginLimit; /* number of times you can log in with an
+ int pwdGraceAuthNLimit; /* number of times you can log in with an
expired password */
int pwdLockout; /* 0 = do not lockout passwords, 1 = lock them out */
int pwdLockoutDuration; /* time in seconds a password is locked out for */
/* Operational attributes */
static AttributeDescription *ad_pwdChangedTime, *ad_pwdAccountLockedTime,
- *ad_pwdExpirationWarned, *ad_pwdFailureTime, *ad_pwdHistory,
- *ad_pwdGraceUseTime, *ad_pwdReset, *ad_pwdPolicySubentry;
+ *ad_pwdFailureTime, *ad_pwdHistory, *ad_pwdGraceUseTime, *ad_pwdReset,
+ *ad_pwdPolicySubentry;
static struct schema_info {
char *def;
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE USAGE directoryOperation )",
&ad_pwdAccountLockedTime },
- { "( 1.3.6.1.4.1.42.2.27.8.1.18 "
- "NAME ( 'pwdExpirationWarned' ) "
- "DESC 'The time the user was first warned about the coming expiration of the password' "
- "EQUALITY generalizedTimeMatch "
- "ORDERING generalizedTimeOrderingMatch "
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
- "SINGLE-VALUE USAGE directoryOperation NO-USER-MODIFICATION )",
- &ad_pwdExpirationWarned },
{ "( 1.3.6.1.4.1.42.2.27.8.1.19 "
"NAME ( 'pwdFailureTime' ) "
"DESC 'The timestamps of the last consecutive authentication failures' "
/* User attributes */
static AttributeDescription *ad_pwdMinAge, *ad_pwdMaxAge, *ad_pwdInHistory,
*ad_pwdCheckQuality, *ad_pwdMinLength, *ad_pwdMaxFailure,
- *ad_pwdGraceLoginLimit, *ad_pwdExpireWarning, *ad_pwdLockoutDuration,
+ *ad_pwdGraceAuthNLimit, *ad_pwdExpireWarning, *ad_pwdLockoutDuration,
*ad_pwdFailureCountInterval, *ad_pwdCheckModule, *ad_pwdLockout,
*ad_pwdMustChange, *ad_pwdAllowUserChange, *ad_pwdSafeModify,
*ad_pwdAttribute;
TAB(pwdCheckQuality),
TAB(pwdMinLength),
TAB(pwdMaxFailure),
- TAB(pwdGraceLoginLimit),
+ TAB(pwdGraceAuthNLimit),
TAB(pwdExpireWarning),
TAB(pwdLockout),
TAB(pwdLockoutDuration),
pp->pwdMinLength = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdMaxFailure )))
pp->pwdMaxFailure = atoi(a->a_vals[0].bv_val );
- if ((a = attr_find( pe->e_attrs, ad_pwdGraceLoginLimit )))
- pp->pwdGraceLoginLimit = atoi(a->a_vals[0].bv_val );
+ if ((a = attr_find( pe->e_attrs, ad_pwdGraceAuthNLimit )))
+ pp->pwdGraceAuthNLimit = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdExpireWarning )))
pp->pwdExpireWarning = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdFailureCountInterval )))
if (!pwExpired) goto check_expiring_password;
if ((a = attr_find( e->e_attrs, ad_pwdGraceUseTime )) == NULL)
- ngut = ppb->pp.pwdGraceLoginLimit;
+ ngut = ppb->pp.pwdGraceAuthNLimit;
else {
for(ngut=0; a->a_nvals[ngut].bv_val; ngut++);
- ngut = ppb->pp.pwdGraceLoginLimit - ngut;
+ ngut = ppb->pp.pwdGraceAuthNLimit - ngut;
}
/*
*/
if (ppb->pp.pwdMaxAge - age < ppb->pp.pwdExpireWarning ) {
/*
- * Set the warning value, add expiration warned timestamp to the entry.
+ * Set the warning value.
*/
- if ((a = attr_find( e->e_attrs, ad_pwdExpirationWarned )) == NULL) {
- m = ch_calloc( sizeof(Modifications), 1 );
- m->sml_op = LDAP_MOD_ADD;
- m->sml_type = ad_pwdExpirationWarned->ad_cname;
- m->sml_desc = ad_pwdExpirationWarned;
- m->sml_values = ch_calloc( sizeof(struct berval), 2 );
- ber_str2bv( nowstr, 0, 1, &m->sml_values[0] );
- m->sml_next = mod;
- mod = m;
- }
-
warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */
if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */
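Review bot: The warning condition on the context line `if (ppb->pp.pwdMaxAge - age < ppb->pp.pwdExpireWarning ) {` still fires when either policy value is 0, which the schema text updated in this same commit defines as "does not expire" (pwdMaxAge) and "no warnings will be returned" (pwdExpireWarning): with pwdMaxAge == 0 the left side is negative for any positive age, so every bind on this path would carry an expiring-password control with warn clamped to 0 by the line below. With the pwdExpirationWarned bookkeeping removed, nothing left in the hunk suppresses this; unless a guard earlier in the function (outside the hunk) already excludes these policies, the check should read `if (ppb->pp.pwdMaxAge > 0 && ppb->pp.pwdExpireWarning > 0 && ppb->pp.pwdMaxAge - age < ppb->pp.pwdExpireWarning ) {`. That also makes the "something weird" case behind `if (warn < 0) warn = 0;` unreachable from this path for a no-expiry policy. The enclosing function starts and ends outside the hunk.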
rs->sr_ctrls = ctrls;
}
op->o_bd->bd_info = (BackendInfo *)on->on_info;
- send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
+ send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS,
"Operations are restricted to bind/unbind/abandon/StartTLS/modify password" );
return rs->sr_err;
}
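Review bot: The result-code change at `send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS,` is one of five sites in this commit that re-map a failure away from LDAP_UNWILLING_TO_PERFORM (the others are the `rs->sr_err = LDAP_INSUFFICIENT_ACCESS;` assignments paired with PP_changeAfterReset, PP_mustSupplyOldPassword and PP_passwordModNotAllowed, and the LDAP_CONSTRAINT_VIOLATION paired with PP_passwordTooYoung), and none of them says why, so a reader seeing an access-rights error returned for a connection that is merely restricted to password changes will take it for a mistake. Presumably the new codes follow the per-error result-code mapping of draft-behera-ldap-password-policy-08, which the schema file in this commit now cites; a one-line comment at each site, e.g. `/* draft-behera-ldap-password-policy-08: changeAfterReset -> insufficientAccessRights */`, would tie each LDAP result to its ppolicy error code so the pairing is not drifted apart by later edits. The enclosing function starts and ends outside the hunk.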
if (pwcons[op->o_conn->c_conn_idx].restrict && !mod_pw_only) {
Debug( LDAP_DEBUG_TRACE,
"connection restricted to password changing only\n", 0, 0, 0 );
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
pErr = PP_changeAfterReset;
goto return_results;
Debug( LDAP_DEBUG_TRACE,
"change password must use DELETE followed by ADD/REPLACE\n",
0, 0, 0 );
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "Must supply old password to be changed as well as new one";
pErr = PP_mustSupplyOldPassword;
goto return_results;
}
if (!pp.pwdAllowUserChange) {
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "User alteration of password is not allowed";
pErr = PP_passwordModNotAllowed;
goto return_results;
now = slap_get_time();
age = (int)(now - pwtime);
if ((pwtime != (time_t)-1) && (age < pp.pwdMinAge)) {
- rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
rs->sr_text = "Password is too young to change";
pErr = PP_passwordTooYoung;
goto return_results;
modtail = mods;
}
- if (attr_find(e->e_attrs, ad_pwdExpirationWarned )) {
- mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
- mods->sml_op = LDAP_MOD_DELETE;
- mods->sml_type.bv_val = NULL;
- mods->sml_desc = ad_pwdExpirationWarned;
- mods->sml_values = NULL;
- mods->sml_nvalues = NULL;
- mods->sml_next = NULL;
- modtail->sml_next = mods;
- modtail = mods;
- }
-
/* Delete the pwdReset attribute, since it's being reset */
if ((zapReset) && (attr_find(e->e_attrs, ad_pwdReset ))) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
# Not recommended for production use!
# Use with extreme caution!
-# Internet-Draft P. Behera
-# draft behera-ldap-password-policy-07.txt L. Poitou
-# Intended Category: Proposed Standard Sun Microsystems
-# Expires: August 2004 J. Sermersheim
-# Novell
-#
-# February 2004
-#
-#
-# Password Policy for LDAP Directories
-#
-#
-# Status of this Memo
-#
-# This document is an Internet-Draft and is in full conformance with
-# all provisions of Section 10 of RFC 2026.
-#
-# Internet-Drafts are working documents of the Internet Engineering
-# Task Force (IETF), its areas, and its working groups. Note that
-# other groups may also distribute working documents as Internet-
-# Drafts.
-#
-# Internet-Drafts are draft documents valid for a maximum of six
-# months and may be updated, replaced, or obsoleted by other documents
-# at any time. It is inappropriate to use Internet- Drafts as
-# reference material or to cite them other than as "work in progress."
-#
-# The list of current Internet-Drafts can be accessed at
-# http://www.ietf.org/ietf/1id-abstracts.txt
-#
-# The list of Internet-Draft Shadow Directories can be accessed at
-# http://www.ietf.org/shadow.html.
-#
-# Technical discussions of this draft are held on the LDAPEXT Working
-# Group mailing list at ietf-ldapext@netscape.com. Editorial comments
-# may be sent to the authors listed in Section 13.
-#
-# Copyright (C) The Internet Society (2004). All rights Reserved.
-#
-# Please see the Copyright Section near the end of this document for
-# more information.
-#
-#
-# 1. Abstract
-#
-# Password policy as described in this document is a set of rules that
-# controls how passwords are used and administered in LDAP
-# directories. In order to improve the security of LDAP directories
-# and make it difficult for password cracking programs to break into
-# directories, it is desirable to enforce a set of rules on password
-# usage. These rules are made to ensure that users change their
-# passwords periodically, passwords meet construction requirements,
-# the re-use of old password is restricted, and users are locked out
-# after a certain number of failed attempts.
-#
-# [trimmed]
-#
-#
-# 4.2. Attribute Types used in the pwdPolicy ObjectClass
-#
-# Following are the attribute types used by the pwdPolicy object
-# class.
-#
-# 4.2.1. pwdAttribute
-#
-# This holds the name of the attribute to which the password policy is
-# applied. For example, the password policy may be applied to the
-# userPassword attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
- NAME 'pwdAttribute'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-# 4.2.2. pwdMinAge
-#
-# This attribute holds the number of seconds that must elapse between
-# modifications to the password. If this attribute is not present, 0
-# seconds is assumed.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
- NAME 'pwdMinAge'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.3. pwdMaxAge
-#
-# This attribute holds the number of seconds after which a modified
-# password will expire.
-#
-# If this attribute is not present, or if the value is 0 the password
-# does not expire. If not 0, the value must be greater than or equal
-# to the value of the pwdMinAge.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
- NAME 'pwdMaxAge'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.4. pwdInHistory
-#
-# This attribute specifies the maximum number of used passwords stored
-# in the pwdHistory attribute.
-#
-# If this attribute is not present, or if the value is 0, used
-# passwords are not stored in the pwdHistory attribute and thus may be
-# reused.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
- NAME 'pwdInHistory'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.5. pwdCheckQuality
-#
-# This attribute indicates how the password quality will be verified
-# while being modified or added. If this attribute is not present, or
-# if the value is '0', quality checking will not be enforced. A value
-# of '1' indicates that the server will check the quality, and if the
-# server is unable to check it (due to a hashed password or other
-# reasons) it will be accepted. A value of '2' indicates that the
-# server will check the quality, and if the server is unable to verify
-# it, it will return an error refusing the password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
- NAME 'pwdCheckQuality'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.6. pwdMinLength
-#
-# When quality checking is enabled, this attribute holds the minimum
-# number of characters that must be used in a password. If this
-# attribute is not present, no minimum password length will be
-# enforced. If the server is unable to check the length (due to a
-# hashed password or otherwise), the server will, depending on the
-# value of the pwdCheckQuality attribute, either accept the password
-# without checking it ('0' or '1') or refuse it ('2').
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
- NAME 'pwdMinLength'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.7. pwdExpireWarning
-#
-# This attribute specifies the maximum number of seconds before a
-# password is due to expire that expiration warning messages will be
-# returned to an authenticating user. If this attribute is not
-# present, or if the value is 0 no warnings will be sent. If not 0,
-# the value must be smaller than the value of the pwdMaxAge attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
- NAME 'pwdExpireWarning'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.8. pwdGraceLoginLimit
-#
-# This attribute specifies the number of times an expired password can
-# be used to authenticate. If this attribute is not present or if the
-# value is 0, authentication will fail.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
- NAME 'pwdGraceLoginLimit'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.9. pwdLockout
-#
-# This attribute indicates, when its value is "TRUE", that the
-# password may not be used to authenticate after a specified number of
-# consecutive failed bind attempts. The maximum number of consecutive
-# failed bind attempts is specified in pwdMaxFailure.
-#
-# If this attribute is not present, or if the value is "FALSE", the
-# password may be used to authenticate when the number of failed bind
-# attempts has been reached.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
- NAME 'pwdLockout'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-# 4.2.10. pwdLockoutDuration
-#
-# This attribute holds the number of seconds that the password cannot
-# be used to authenticate due to too many failed bind attempts. If
-# this attribute is not present, or if the value is 0 the password
-# cannot be used to authenticate until reset by an administrator.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
- NAME 'pwdLockoutDuration'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.11. pwdMaxFailure
-#
-# This attribute specifies the number of consecutive failed bind
-# attempts after which the password may not be used to authenticate.
-# If this attribute is not present, or if the value is 0, this policy
-# is not checked, and the value of pwdLockout will be ignored.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
- NAME 'pwdMaxFailure'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.12. pwdFailureCountInterval
-#
-# This attribute holds the number of seconds after which the password
-# failures are purged from the failure counter, even though no
-# successful authentication occurred.
-#
-# If this attribute is not present, or if its value is 0, the failure
-# counter is only reset by a successful authentication.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
- NAME 'pwdFailureCountInterval'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# 4.2.13. pwdMustChange
-#
-# This attribute specifies with a value of "TRUE" that users must
-# change their passwords when they first bind to the directory after a
-# password is set or reset by the administrator. If this attribute is
-# not present, or if the value is "FALSE", users are not required to
-# change their password upon binding after the administrator sets or
-# resets the password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
- NAME 'pwdMustChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-# 4.2.14. pwdAllowUserChange
-#
-# This attribute indicates whether users can change their own
-# passwords, although the change operation is still subject to access
-# control. If this attribute is not present, a value of "TRUE" is
-# assumed.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
- NAME 'pwdAllowUserChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-# 4.2.15. pwdSafeModify
-#
-# This attribute specifies whether or not the existing password must
-# be sent when changing a password. If this attribute is not present,
-# a "FALSE" value is assumed.
-#
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
- NAME 'pwdSafeModify'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
+#Network Working Group J. Sermersheim
+#Internet-Draft Novell, Inc
+#Expires: April 24, 2005 L. Poitou
+# Sun Microsystems
+# October 24, 2004
+#
+#
+# Password Policy for LDAP Directories
+# draft-behera-ldap-password-policy-08.txt
+#
+#Status of this Memo
+#
+# This document is an Internet-Draft and is subject to all provisions
+# of section 3 of RFC 3667. By submitting this Internet-Draft, each
+# author represents that any applicable patent or other IPR claims of
+# which he or she is aware have been or will be disclosed, and any of
+# which he or she become aware will be disclosed, in accordance with
+# RFC 3668.
+#
+# Internet-Drafts are working documents of the Internet Engineering
+# Task Force (IETF), its areas, and its working groups. Note that
+# other groups may also distribute working documents as
+# Internet-Drafts.
+#
+# Internet-Drafts are draft documents valid for a maximum of six months
+# and may be updated, replaced, or obsoleted by other documents at any
+# time. It is inappropriate to use Internet-Drafts as reference
+# material or to cite them other than as "work in progress."
+#
+# The list of current Internet-Drafts can be accessed at
+# http://www.ietf.org/ietf/1id-abstracts.txt.
+#
+# The list of Internet-Draft Shadow Directories can be accessed at
+# http://www.ietf.org/shadow.html.
+#
+# This Internet-Draft will expire on April 24, 2005.
+#
+#Copyright Notice
+#
+# Copyright (C) The Internet Society (2004).
+#
+#Abstract
+#
+# Password policy as described in this document is a set of rules that
+# controls how passwords are used and administered in Lightweight
+# Directory Access Protocol (LDAP) based directories. In order to
+# improve the security of LDAP directories and make it difficult for
+# password cracking programs to break into directories, it is desirable
+# to enforce a set of rules on password usage. These rules are made to
+#
+# [trimmed]
+#
+#5. Schema used for Password Policy
+#
+# The schema elements defined here fall into two general categories. A
+# password policy object class is defined which contains a set of
+# administrative password policy attributes, and a set of operational
+# attributes are defined that hold general password policy state
+# information for each user.
+#
+#5.2 Attribute Types used in the pwdPolicy ObjectClass
+#
+# Following are the attribute types used by the pwdPolicy object class.
+#
+#5.2.1 pwdAttribute
+#
+# This holds the name of the attribute to which the password policy is
+# applied. For example, the password policy may be applied to the
+# userPassword attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
+ NAME 'pwdAttribute'
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+
+#5.2.2 pwdMinAge
+#
+# This attribute holds the number of seconds that must elapse between
+# modifications to the password. If this attribute is not present, 0
+# seconds is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
+ NAME 'pwdMinAge'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.3 pwdMaxAge
+#
+# This attribute holds the number of seconds after which a modified
+# password will expire.
+#
+# If this attribute is not present, or if the value is 0 the password
+# does not expire. If not 0, the value must be greater than or equal
+# to the value of the pwdMinAge.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
+ NAME 'pwdMaxAge'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.4 pwdInHistory
+#
+# This attribute specifies the maximum number of used passwords stored
+# in the pwdHistory attribute.
+#
+# If this attribute is not present, or if the value is 0, used
+# passwords are not stored in the pwdHistory attribute and thus may be
+# reused.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
+ NAME 'pwdInHistory'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.5 pwdCheckQuality
+#
+# {TODO: Consider changing the syntax to OID. Each OID will list a
+# quality rule (like min len, # of special characters, etc). These
+# rules can be specified outsid ethis document.}
+#
+# {TODO: Note that even though this is meant to be a check that happens
+# during password modification, it may also be allowed to happen during
+# authN. This is useful for situations where the password is encrypted
+# when modified, but decrypted when used to authN.}
+#
+# This attribute indicates how the password quality will be verified
+# while being modified or added. If this attribute is not present, or
+# if the value is '0', quality checking will not be enforced. A value
+# of '1' indicates that the server will check the quality, and if the
+# server is unable to check it (due to a hashed password or other
+# reasons) it will be accepted. A value of '2' indicates that the
+# server will check the quality, and if the server is unable to verify
+# it, it will return an error refusing the password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
+ NAME 'pwdCheckQuality'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.6 pwdMinLength
+#
+# When quality checking is enabled, this attribute holds the minimum
+# number of characters that must be used in a password. If this
+# attribute is not present, no minimum password length will be
+# enforced. If the server is unable to check the length (due to a
+# hashed password or otherwise), the server will, depending on the
+# value of the pwdCheckQuality attribute, either accept the password
+# without checking it ('0' or '1') or refuse it ('2').
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
+ NAME 'pwdMinLength'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.7 pwdExpireWarning
+#
+# This attribute specifies the maximum number of seconds before a
+# password is due to expire that expiration warning messages will be
+# returned to an authenticating user.
+#
+# If this attribute is not present, or if the value is 0 no warnings
+# will be returned. If not 0, the value must be smaller than the value
+# of the pwdMaxAge attribute.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
+ NAME 'pwdExpireWarning'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.8 pwdGraceAuthNLimit
+#
+# This attribute specifies the number of times an expired password can
+# be used to authenticate. If this attribute is not present or if the
+# value is 0, authentication will fail.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
+ NAME 'pwdGraceAuthNLimit'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.9 pwdLockout
+#
+# This attribute indicates, when its value is "TRUE", that the password
+# may not be used to authenticate after a specified number of
+# consecutive failed bind attempts. The maximum number of consecutive
+# failed bind attempts is specified in pwdMaxFailure.
+#
+# If this attribute is not present, or if the value is "FALSE", the
+# password may be used to authenticate when the number of failed bind
+# attempts has been reached.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
+ NAME 'pwdLockout'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.10 pwdLockoutDuration
+#
+# This attribute holds the number of seconds that the password cannot
+# be used to authenticate due to too many failed bind attempts. If
+# this attribute is not present, or if the value is 0 the password
+# cannot be used to authenticate until reset by a password
+# administrator.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
+ NAME 'pwdLockoutDuration'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.11 pwdMaxFailure
+#
+# This attribute specifies the number of consecutive failed bind
+# attempts after which the password may not be used to authenticate.
+# If this attribute is not present, or if the value is 0, this policy
+# is not checked, and the value of pwdLockout will be ignored.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
+ NAME 'pwdMaxFailure'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.12 pwdFailureCountInterval
+#
+# This attribute holds the number of seconds after which the password
+# failures are purged from the failure counter, even though no
+# successful authentication occurred.
+#
+# If this attribute is not present, or if its value is 0, the failure
+# counter is only reset by a successful authentication.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
+ NAME 'pwdFailureCountInterval'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
+#5.2.13 pwdMustChange
+#
+# This attribute specifies with a value of "TRUE" that users must
+# change their passwords when they first bind to the directory after a
+# password is set or reset by a password administrator. If this
+# attribute is not present, or if the value is "FALSE", users are not
+# required to change their password upon binding after the password
+# administrator sets or resets the password. This attribute is not set
+# due to any actions specified by this document, it is typically set by
+# a password administrator after resetting a user's password.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
+ NAME 'pwdMustChange'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.14 pwdAllowUserChange
+#
+# This attribute indicates whether users can change their own
+# passwords, although the change operation is still subject to access
+# control. If this attribute is not present, a value of "TRUE" is
+# assumed. This attribute is intended to be used in the absense of an
+# access control mechanism.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
+ NAME 'pwdAllowUserChange'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
+
+#5.2.15 pwdSafeModify
+#
+# This attribute specifies whether or not the existing password must be
+# sent along with the new password when being changed. If this
+# attribute is not present, a "FALSE" value is assumed.
+
+attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
+ NAME 'pwdSafeModify'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+ SINGLE-VALUE )
# HP extensions
#
#
# The function should return LDAP_SUCCESS for a valid password.
-attributetype ( 1.3.6.1.4.1.4754.1.99.1
+attributetype ( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
DESC 'Loadable module that instantiates "check_password() function'
SINGLE-VALUE )
-# 4.1. The pwdPolicy Object Class
-#
-# This object class contains the attributes defining a password policy
-# in effect for a set of users. Section 8 describes the administration
-# of this object, and the relationship between it and particular
-# objects.
-
-objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
- NAME 'pwdPolicy'
- SUP top
- AUXILIARY
- MUST ( pwdAttribute )
- MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
- pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout
- $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
- pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
-
-objectclass ( 1.3.6.1.4.1.4754.2.99.1
+objectclass ( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
SUP top
AUXILIARY
MAY ( pwdCheckModule ) )
-# 4.3. Attribute Types for Password Policy State Information
-#
-# Password policy state information must be maintained for each user.
-# The information is located in each user entry as a set of
-# operational attributes. These operational attributes are:
-# pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned,
-# pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset,
-# pwdPolicySubEntry.
-#
-# 4.3.1. Password Policy State Attribute Option
-#
-# Since the password policy could apply to several attributes used to
-# store passwords, each of the above operational attributes must have
-# an option to specify which pwdAttribute is applies to.
-# The password policy option is defined as the following:
-# pwd-<passwordAttribute>
-#
-# where passwordAttribute a string following the OID syntax
-# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
-# (short name) MUST be used.
-#
-# For example, if the pwdPolicy object has for pwdAttribute
-# "userPassword" then the pwdChangedTime operational attribute, in a
-# user entry, will be:
-# pwdChangedTime;pwd-userPassword: 20000103121520Z
-#
-# This attribute option follows sub-typing semantics. If a client
-# requests a password policy state attribute to be returned in a
-# search operation, and does not specify an option, all subtypes of
-# that policy state attribute are returned.
-#
-# 4.3.2. pwdChangedTime
-#
-# This attribute specifies the last time the entry's password was
-# changed. This is used by the password expiration policy. If this
-# attribute does not exist, the password will never expire.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.16
-# NAME 'pwdChangedTime'
-# DESC 'The time the password was last changed'
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SINGLE-VALUE
-# USAGE directoryOperation)
-#
-# 4.3.3. pwdAccountLockedTime
-#
-# This attribute holds the time that the user's account was locked. A
-# locked account means that the password may no longer be used to
-# authenticate. A 0 value means that the account has been locked
-# permanently, and that only an administrator can unlock the account.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.17
-# NAME 'pwdAccountLockedTime'
-# DESC 'The time an user account was locked'
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SINGLE-VALUE
-# USAGE directoryOperation)
-#
-# 4.3.4. pwdExpirationWarned
-#
-# This attribute contains the time when the password expiration
-# warning was first sent to the client. The password will expire in
-# the pwdExpireWarning time.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.18
-# NAME 'pwdExpirationWarned'
-# DESC 'The time the user was first warned about the coming
-# expiration of the password'
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-# 4.3.5. pwdFailureTime
-#
-# This attribute holds the timestamps of the consecutive
-# authentication failures.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.19
-# NAME 'pwdFailureTime'
-# DESC 'The timestamps of the last consecutive authentication
-# failures'
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# USAGE directoryOperation )
-#
-# 4.3.6. pwdHistory
-#
-# This attribute holds a history of previously used passwords.
-#
-# Values of this attribute are transmitted in string format as given
-# by the following ABNF:
-#
-# pwdHistory = time "#" syntaxOID "#" length "#" data
-#
-# time = <generalizedTimeString as specified in 6.14 of
-# [RFC2252]>
-#
-# syntaxOID = numericoid ; the string representation of the
-# ; dotted-decimal OID that defines the
-# ; syntax used to store the password.
-# ; numericoid is described in 4.1 of
-# ; [RFC2252].
-#
-# length = numericstring ; the number of octets in data.
-# ; numericstring is described in 4.1 of
-# ; [RFC2252].
-#
-# data = <octets representing the password in the format
-# specified by syntaxOID>.
-#
-# This format allows the server to store, and transmit a history of
-# passwords that have been used. In order for equality matching to
-# function properly, the time field needs to adhere to a consistent
-# format. For this purpose, the time field MUST be in GMT format.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.20
-# NAME 'pwdHistory'
-# DESC 'The history of user s passwords'
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
-# EQUALITY octetStringMatch
-# USAGE directoryOperation)
-#
-# 4.3.7. pwdGraceUseTime
-#
-# This attribute holds the timestamps of grace login once a password
-# has expired.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.21
-# NAME 'pwdGraceUseTime'
-# DESC 'The timestamps of the grace login once the password has
-# expired'
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# EQUALITY generalizedTimeMatch
-#
-# USAGE directoryOperation)
-#
-# 4.3.8. pwdReset
-#
-# This attribute holds a flag to indicate (when TRUE) that the
-# password has been reset and therefore must be changed by the user on
-# first authentication.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.22
-# NAME 'pwdReset'
-# DESC 'The indication that the password has been reset'
-# EQUALITY booleanMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
-# SINGLE-VALUE
-# USAGE directoryOperation)
-#
-# 4.3.9. pwdPolicySubentry
-#
-# This attribute points to the pwdPolicy subentry in effect for this
-# object.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.23
-# NAME 'pwdPolicySubentry'
-# DESC 'The pwdPolicy subentry in effect for this object'
-# EQUALITY distinguishedNameMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
-# SINGLE-VALUE
-# USAGE directoryOperation)
-#
-# 14. Copyright Notice
-#
-# Copyright (C) The Internet Society (2004). All Rights
-# Reserved.
-#
-# This document and translations of it may be copied and furnished to
-# others, and derivative works that comment on or otherwise explain it
-# or assist in its implementation may be prepared, copied, published
-# and distributed, in whole or in part, without restriction of any
-# kind, provided that the above copyright notice and this paragraph
-# are included on all such copies and derivative works. However, this
-# document itself may not be modified in any way, such as by removing
-# the copyright notice or references to the Internet Society or other
-# Internet organizations, except as needed for the purpose of
-# developing Internet standards in which case the procedures for
-# copyrights defined in the Internet Standards process must be
-# followed, or as required to translate it into languages other than
-# English.
-#
-# The limited permissions granted above are perpetual and will not be
-# revoked by the Internet Society or its successors or assigns.
-#
-# This document and the information contained herein is provided on an
-# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+#5.1 The pwdPolicy Object Class
+#
+# This object class contains the attributes defining a password policy
+# in effect for a set of users. Section 10 describes the
+# administration of this object, and the relationship between it and
+# particular objects.
+#
+objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
+ NAME 'pwdPolicy'
+ SUP top
+ AUXILIARY
+ MUST ( pwdAttribute )
+ MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
+ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
+ $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
+ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
+
+#5.3 Attribute Types for Password Policy State Information
+#
+# Password policy state information must be maintained for each user.
+# The information is located in each user entry as a set of operational
+# attributes. These operational attributes are: pwdChangedTime,
+# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
+# pwdReset, pwdPolicySubEntry.
+#
+#5.3.1 Password Policy State Attribute Option
+#
+# Since the password policy could apply to several attributes used to
+# store passwords, each of the above operational attributes must have
+# an option to specify which pwdAttribute it applies to. The password
+# policy option is defined as the following:
+#
+# pwd-<passwordAttribute>
+#
+# where passwordAttribute a string following the OID syntax
+# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
+# (short name) MUST be used.
+#
+# For example, if the pwdPolicy object has for pwdAttribute
+# "userPassword" then the pwdChangedTime operational attribute, in a
+# user entry, will be:
+#
+# pwdChangedTime;pwd-userPassword: 20000103121520Z
+#
+# This attribute option follows sub-typing semantics. If a client
+# requests a password policy state attribute to be returned in a search
+# operation, and does not specify an option, all subtypes of that
+# policy state attribute are returned.
+#
+#5.3.2 pwdChangedTime
+#
+# This attribute specifies the last time the entry's password was
+# changed. This is used by the password expiration policy. If this
+# attribute does not exist, the password will never expire.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.16
+# NAME 'pwdChangedTime'
+# DESC 'The time the password was last changed'
+# EQUALITY generalizedTimeMatch
+# ORDERING generalizedTimeOrderingMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#5.3.3 pwdAccountLockedTime
+#
+# This attribute holds the time that the user's account was locked. A
+# locked account means that the password may no longer be used to
+# authenticate. A 000001010000Z value means that the account has been
+# locked permanently, and that only a password administrator can unlock
+# the account.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.17
+# NAME 'pwdAccountLockedTime'
+# DESC 'The time an user account was locked'
+# EQUALITY generalizedTimeMatch
+# ORDERING generalizedTimeOrderingMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#5.3.4 pwdFailureTime
+#
+# This attribute holds the timestamps of the consecutive authentication
+# failures.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.19
+# NAME 'pwdFailureTime'
+# DESC 'The timestamps of the last consecutive authentication
+# failures'
+# EQUALITY generalizedTimeMatch
+# ORDERING generalizedTimeOrderingMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+# USAGE directoryOperation )
+#
+#5.3.5 pwdHistory
+#
+# This attribute holds a history of previously used passwords. Values
+# of this attribute are transmitted in string format as given by the
+# following ABNF:
+#
+# pwdHistory = time "#" syntaxOID "#" length "#" data
+#
+# time = <generalizedTimeString as specified in 6.14
+# of [RFC2252]>
+#
+# syntaxOID = numericoid ; the string representation of the
+# ; dotted-decimal OID that defines the
+# ; syntax used to store the password.
+# ; numericoid is described in 4.1
+# ; of [RFC2252].
+#
+# length = numericstring ; the number of octets in data.
+# ; numericstring is described in 4.1
+# ; of [RFC2252].
+#
+# data = <octets representing the password in the format
+# specified by syntaxOID>.
+#
+# This format allows the server to store, and transmit a history of
+# passwords that have been used. In order for equality matching to
+# function properly, the time field needs to adhere to a consistent
+# format. For this purpose, the time field MUST be in GMT format.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.20
+# NAME 'pwdHistory'
+# DESC 'The history of user s passwords'
+# EQUALITY octetStringMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+# USAGE directoryOperation )
+#
+#5.3.6 pwdGraceUseTime
+#
+# This attribute holds the timestamps of grace authentications after a
+# password has expired.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.21
+# NAME 'pwdGraceUseTime'
+# DESC 'The timestamps of the grace authentication after the
+# password has expired'
+# EQUALITY generalizedTimeMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+#
+#5.3.7 pwdReset
+#
+# This attribute holds a flag to indicate (when TRUE) that the password
+# has been updated by the password administrator and must be changed by
+# the user on first authentication.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.22
+# NAME 'pwdReset'
+# DESC 'The indication that the password has been reset'
+# EQUALITY booleanMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#5.3.8 pwdPolicySubentry
+#
+# This attribute points to the pwdPolicy subentry in effect for this
+# object.
+#
+# ( 1.3.6.1.4.1.42.2.27.8.1.23
+# NAME 'pwdPolicySubentry'
+# DESC 'The pwdPolicy subentry in effect for this object'
+# EQUALITY distinguishedNameMatch
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+# SINGLE-VALUE
+# USAGE directoryOperation )
+#
+#
+#Disclaimer of Validity
+#
+# This document and the information contained herein are provided on an
+# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+#
+#
+#Copyright Statement
+#
+# Copyright (C) The Internet Society (2004). This document is subject
+# to the rights, licenses and restrictions contained in BCP 78, and
+# except as set forth therein, the authors retain all their rights.
+