From: Howard Chu Date: Tue, 16 Mar 2004 10:34:24 +0000 (+0000) Subject: Password policy schema from draft 7 X-Git-Tag: OPENLDAP_REL_ENG_2_2_BP~276 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=23a98937263f091a95cd621d37aa1f074dea6c33;p=openldap Password policy schema from draft 7 --- diff --git a/servers/slapd/schema/ppolicy.schema b/servers/slapd/schema/ppolicy.schema new file mode 100644 index 0000000000..785313eee2 --- /dev/null +++ b/servers/slapd/schema/ppolicy.schema @@ -0,0 +1,532 @@ +# $OpenLDAP$ +## This work is part of OpenLDAP Software . +## +## Copyright 2004 The OpenLDAP Foundation. +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted only as authorized by the OpenLDAP +## Public License. +## +## A copy of this license is available in the file LICENSE in the +## top-level directory of the distribution or, alternatively, at +## . +# +## Portions Copyright (C) The Internet Society (2004). All Rights Reserved. +## Please see full copyright statement below. + +# Definitions from Draft behera-ldap-password-policy-07 +# Password Policy for LDAP Directories + +# With extensions from Hewlett-Packard: +# pwdCheckModule etc. + +# +# Internet-Draft P. Behera +# draft behera-ldap-password-policy-07.txt L. Poitou +# Intended Category: Proposed Standard Sun Microsystems +# Expires: August 2004 J. Sermersheim +# Novell +# +# February 2004 +# +# +# Password Policy for LDAP Directories +# +# +# Status of this Memo +# +# This document is an Internet-Draft and is in full conformance with +# all provisions of Section 10 of RFC 2026. +# +# Internet-Drafts are working documents of the Internet Engineering +# Task Force (IETF), its areas, and its working groups. Note that +# other groups may also distribute working documents as Internet- +# Drafts. +# +# Internet-Drafts are draft documents valid for a maximum of six +# months and may be updated, replaced, or obsoleted by other documents +# at any time. It is inappropriate to use Internet- Drafts as +# reference material or to cite them other than as "work in progress." +# +# The list of current Internet-Drafts can be accessed at +# http://www.ietf.org/ietf/1id-abstracts.txt +# +# The list of Internet-Draft Shadow Directories can be accessed at +# http://www.ietf.org/shadow.html. +# +# Technical discussions of this draft are held on the LDAPEXT Working +# Group mailing list at ietf-ldapext@netscape.com. Editorial comments +# may be sent to the authors listed in Section 13. +# +# Copyright (C) The Internet Society (2004). All rights Reserved. +# +# Please see the Copyright Section near the end of this document for +# more information. +# +# +# 1. Abstract +# +# Password policy as described in this document is a set of rules that +# controls how passwords are used and administered in LDAP +# directories. In order to improve the security of LDAP directories +# and make it difficult for password cracking programs to break into +# directories, it is desirable to enforce a set of rules on password +# usage. These rules are made to ensure that users change their +# passwords periodically, passwords meet construction requirements, +# the re-use of old password is restricted, and users are locked out +# after a certain number of failed attempts. +# +# [trimmed] +# +# +# 4.2. Attribute Types used in the pwdPolicy ObjectClass +# +# Following are the attribute types used by the pwdPolicy object +# class. +# +# 4.2.1. pwdAttribute +# +# This holds the name of the attribute to which the password policy is +# applied. For example, the password policy may be applied to the +# userPassword attribute. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 + NAME 'pwdAttribute' + EQUALITY objectIdentifierMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) + +# 4.2.2. pwdMinAge +# +# This attribute holds the number of seconds that must elapse between +# modifications to the password. If this attribute is not present, 0 +# seconds is assumed. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 + NAME 'pwdMinAge' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.3. pwdMaxAge +# +# This attribute holds the number of seconds after which a modified +# password will expire. +# +# If this attribute is not present, or if the value is 0 the password +# does not expire. If not 0, the value must be greater than or equal +# to the value of the pwdMinAge. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 + NAME 'pwdMaxAge' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.4. pwdInHistory +# +# This attribute specifies the maximum number of used passwords stored +# in the pwdHistory attribute. +# +# If this attribute is not present, or if the value is 0, used +# passwords are not stored in the pwdHistory attribute and thus may be +# reused. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 + NAME 'pwdInHistory' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.5. pwdCheckQuality +# +# This attribute indicates how the password quality will be verified +# while being modified or added. If this attribute is not present, or +# if the value is '0', quality checking will not be enforced. A value +# of '1' indicates that the server will check the quality, and if the +# server is unable to check it (due to a hashed password or other +# reasons) it will be accepted. A value of '2' indicates that the +# server will check the quality, and if the server is unable to verify +# it, it will return an error refusing the password. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 + NAME 'pwdCheckQuality' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.6. pwdMinLength +# +# When quality checking is enabled, this attribute holds the minimum +# number of characters that must be used in a password. If this +# attribute is not present, no minimum password length will be +# enforced. If the server is unable to check the length (due to a +# hashed password or otherwise), the server will, depending on the +# value of the pwdCheckQuality attribute, either accept the password +# without checking it ('0' or '1') or refuse it ('2'). + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 + NAME 'pwdMinLength' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.7. pwdExpireWarning +# +# This attribute specifies the maximum number of seconds before a +# password is due to expire that expiration warning messages will be +# returned to an authenticating user. If this attribute is not +# present, or if the value is 0 no warnings will be sent. If not 0, +# the value must be smaller than the value of the pwdMaxAge attribute. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 + NAME 'pwdExpireWarning' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.8. pwdGraceLoginLimit +# +# This attribute specifies the number of times an expired password can +# be used to authenticate. If this attribute is not present or if the +# value is 0, authentication will fail. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 + NAME 'pwdGraceLoginLimit' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.9. pwdLockout +# +# This attribute indicates, when its value is "TRUE", that the +# password may not be used to authenticate after a specified number of +# consecutive failed bind attempts. The maximum number of consecutive +# failed bind attempts is specified in pwdMaxFailure. +# +# If this attribute is not present, or if the value is "FALSE", the +# password may be used to authenticate when the number of failed bind +# attempts has been reached. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 + NAME 'pwdLockout' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +# 4.2.10. pwdLockoutDuration +# +# This attribute holds the number of seconds that the password cannot +# be used to authenticate due to too many failed bind attempts. If +# this attribute is not present, or if the value is 0 the password +# cannot be used to authenticate until reset by an administrator. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 + NAME 'pwdLockoutDuration' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.11. pwdMaxFailure +# +# This attribute specifies the number of consecutive failed bind +# attempts after which the password may not be used to authenticate. +# If this attribute is not present, or if the value is 0, this policy +# is not checked, and the value of pwdLockout will be ignored. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 + NAME 'pwdMaxFailure' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.12. pwdFailureCountInterval +# +# This attribute holds the number of seconds after which the password +# failures are purged from the failure counter, even though no +# successful authentication occurred. +# +# If this attribute is not present, or if its value is 0, the failure +# counter is only reset by a successful authentication. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 + NAME 'pwdFailureCountInterval' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +# 4.2.13. pwdMustChange +# +# This attribute specifies with a value of "TRUE" that users must +# change their passwords when they first bind to the directory after a +# password is set or reset by the administrator. If this attribute is +# not present, or if the value is "FALSE", users are not required to +# change their password upon binding after the administrator sets or +# resets the password. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13 + NAME 'pwdMustChange' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +# 4.2.14. pwdAllowUserChange +# +# This attribute indicates whether users can change their own +# passwords, although the change operation is still subject to access +# control. If this attribute is not present, a value of "TRUE" is +# assumed. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14 + NAME 'pwdAllowUserChange' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +# 4.2.15. pwdSafeModify +# +# This attribute specifies whether or not the existing password must +# be sent when changing a password. If this attribute is not present, +# a "FALSE" value is assumed. +# +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15 + NAME 'pwdSafeModify' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) + +# HP extensions +# +# pwdCheckModule +# +# This attribute names a user-defined loadable module that provides +# a check_password() function. If pwdCheckQuality is set to '1' or '2' +# this function will be called after all of the internal password +# quality checks have been passed. The function has this prototype: +# +# int check_password( char *password, char **errormessage, void *arg ) +# +# The function should return LDAP_SUCCESS for a valid password. + +attributetype ( 1.3.6.1.4.1.42.2.27.8.1.99 + NAME 'pwdCheckModule' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + DESC 'Loadable module that instantiates "check_password() function' + SINGLE-VALUE ) + +# 4.1. The pwdPolicy Object Class +# +# This object class contains the attributes defining a password policy +# in effect for a set of users. Section 8 describes the administration +# of this object, and the relationship between it and particular +# objects. + +objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 + NAME 'pwdPolicy' + SUP top + AUXILIARY + MUST ( pwdAttribute ) + MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ + pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout + $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ + pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdCheckModule ) ) + +# 4.3. Attribute Types for Password Policy State Information +# +# Password policy state information must be maintained for each user. +# The information is located in each user entry as a set of +# operational attributes. These operational attributes are: +# pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned, +# pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset, +# pwdPolicySubEntry. +# +# 4.3.1. Password Policy State Attribute Option +# +# Since the password policy could apply to several attributes used to +# store passwords, each of the above operational attributes must have +# an option to specify which pwdAttribute is applies to. +# The password policy option is defined as the following: +# pwd- +# +# where passwordAttribute a string following the OID syntax +# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor +# (short name) MUST be used. +# +# For example, if the pwdPolicy object has for pwdAttribute +# "userPassword" then the pwdChangedTime operational attribute, in a +# user entry, will be: +# pwdChangedTime;pwd-userPassword: 20000103121520Z +# +# This attribute option follows sub-typing semantics. If a client +# requests a password policy state attribute to be returned in a +# search operation, and does not specify an option, all subtypes of +# that policy state attribute are returned. +# +# 4.3.2. pwdChangedTime +# +# This attribute specifies the last time the entry's password was +# changed. This is used by the password expiration policy. If this +# attribute does not exist, the password will never expire. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.16 +# NAME 'pwdChangedTime' +# DESC 'The time the password was last changed' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 +# EQUALITY generalizedTimeMatch +# ORDERING generalizedTimeOrderingMatch +# SINGLE-VALUE +# USAGE directoryOperation) +# +# 4.3.3. pwdAccountLockedTime +# +# This attribute holds the time that the user's account was locked. A +# locked account means that the password may no longer be used to +# authenticate. A 0 value means that the account has been locked +# permanently, and that only an administrator can unlock the account. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.17 +# NAME 'pwdAccountLockedTime' +# DESC 'The time an user account was locked' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 +# EQUALITY generalizedTimeMatch +# ORDERING generalizedTimeOrderingMatch +# SINGLE-VALUE +# USAGE directoryOperation) +# +# 4.3.4. pwdExpirationWarned +# +# This attribute contains the time when the password expiration +# warning was first sent to the client. The password will expire in +# the pwdExpireWarning time. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.18 +# NAME 'pwdExpirationWarned' +# DESC 'The time the user was first warned about the coming +# expiration of the password' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 +# EQUALITY generalizedTimeMatch +# ORDERING generalizedTimeOrderingMatch +# SINGLE-VALUE +# USAGE directoryOperation ) +# +# 4.3.5. pwdFailureTime +# +# This attribute holds the timestamps of the consecutive +# authentication failures. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.19 +# NAME 'pwdFailureTime' +# DESC 'The timestamps of the last consecutive authentication +# failures' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 +# EQUALITY generalizedTimeMatch +# ORDERING generalizedTimeOrderingMatch +# USAGE directoryOperation ) +# +# 4.3.6. pwdHistory +# +# This attribute holds a history of previously used passwords. +# +# Values of this attribute are transmitted in string format as given +# by the following ABNF: +# +# pwdHistory = time "#" syntaxOID "#" length "#" data +# +# time = +# +# syntaxOID = numericoid ; the string representation of the +# ; dotted-decimal OID that defines the +# ; syntax used to store the password. +# ; numericoid is described in 4.1 of +# ; [RFC2252]. +# +# length = numericstring ; the number of octets in data. +# ; numericstring is described in 4.1 of +# ; [RFC2252]. +# +# data = . +# +# This format allows the server to store, and transmit a history of +# passwords that have been used. In order for equality matching to +# function properly, the time field needs to adhere to a consistent +# format. For this purpose, the time field MUST be in GMT format. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.20 +# NAME 'pwdHistory' +# DESC 'The history of user s passwords' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 +# EQUALITY octetStringMatch +# USAGE directoryOperation) +# +# 4.3.7. pwdGraceUseTime +# +# This attribute holds the timestamps of grace login once a password +# has expired. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.21 +# NAME 'pwdGraceUseTime' +# DESC 'The timestamps of the grace login once the password has +# expired' +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 +# EQUALITY generalizedTimeMatch +# +# USAGE directoryOperation) +# +# 4.3.8. pwdReset +# +# This attribute holds a flag to indicate (when TRUE) that the +# password has been reset and therefore must be changed by the user on +# first authentication. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.22 +# NAME 'pwdReset' +# DESC 'The indication that the password has been reset' +# EQUALITY booleanMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 +# SINGLE-VALUE +# USAGE directoryOperation) +# +# 4.3.9. pwdPolicySubentry +# +# This attribute points to the pwdPolicy subentry in effect for this +# object. +# +# ( 1.3.6.1.4.1.42.2.27.8.1.23 +# NAME 'pwdPolicySubentry' +# DESC 'The pwdPolicy subentry in effect for this object' +# EQUALITY distinguishedNameMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 +# SINGLE-VALUE +# USAGE directoryOperation) +# +# 14. Copyright Notice +# +# Copyright (C) The Internet Society (2004). All Rights +# Reserved. +# +# This document and translations of it may be copied and furnished to +# others, and derivative works that comment on or otherwise explain it +# or assist in its implementation may be prepared, copied, published +# and distributed, in whole or in part, without restriction of any +# kind, provided that the above copyright notice and this paragraph +# are included on all such copies and derivative works. However, this +# document itself may not be modified in any way, such as by removing +# the copyright notice or references to the Internet Society or other +# Internet organizations, except as needed for the purpose of +# developing Internet standards in which case the procedures for +# copyrights defined in the Internet Standards process must be +# followed, or as required to translate it into languages other than +# English. +# +# The limited permissions granted above are perpetual and will not be +# revoked by the Internet Society or its successors or assigns. +# +# This document and the information contained herein is provided on an +# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING +# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION +# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."