From a28b3461738bc652159b9a6a8f5adbcc8a0ea386 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Wed, 12 Aug 2009 02:43:19 +0000 Subject: [PATCH] Add pwGraceExpiry to gracecheck minor cleanup revert Other Operations change from 09 filled in IANA considerations (no longer TBD) Reference RFC4520, not 3383 (obsolete) --- .../draft-behera-ldap-password-policy-xx.xml | 138 ++++++++++++++++-- 1 file changed, 123 insertions(+), 15 deletions(-) diff --git a/doc/drafts/draft-behera-ldap-password-policy-xx.xml b/doc/drafts/draft-behera-ldap-password-policy-xx.xml index 07b11a983f..8a0f057b70 100644 --- a/doc/drafts/draft-behera-ldap-password-policy-xx.xml +++ b/doc/drafts/draft-behera-ldap-password-policy-xx.xml @@ -1,6 +1,6 @@ + @@ -9,7 +9,7 @@ - + ]> @@ -807,7 +807,7 @@ pwd-<passwordAttribute> - where passwordAttribute a string following the OID syntax + where passwordAttribute is a string following the OID syntax (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor (short name) MUST be used. @@ -1181,6 +1181,10 @@
+ If the pwdGraceExpiry attribute is present, and the current time is + greater than the password expiration time plus the pwdGraceExpiry + value, zero is returned. + If the pwdGraceUseTime attribute is present, the number of values in that attribute subtracted from the value of pwdGraceAuthNLimit is returned. Otherwise zero is returned. A positive result specifies @@ -1479,7 +1483,7 @@ server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: - insufficientPasswordQuality (5). + insufficientPasswordQuality (5). If the server is able to check the password quality, and the check fails, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the @@ -1488,14 +1492,14 @@ checks the value of the pwdMinLength attribute. If the value is non-zero, it ensures that the new password is of at least the - minimum length. + minimum length. If the server is unable to check the length (due to a hashed password or otherwise), the value of pwdCheckQuality is evaluated. If the value is 1, operation continues. If the value is 2, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: - passwordTooShort (6). + passwordTooShort (6). If the server is able to check the password length, and the check fails, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the 
@@ -1716,15 +1720,9 @@ For operations other than bind, unbind, abandon or StartTLS, the client checks the result code and control to determine if - any other actions are needed. + the user needs to change the password immediately. - <Response>.resultCode = insufficientAccessRights (50), - passwordPolicyResponse.error = accountLocked (1) : The password - failure limit has been reached and the account is locked. The - user needs to retry later or contact the password administrator - to reset the password. - <Response>.resultCode = insufficientAccessRights (50), passwordPolicyResponse.error = changeAfterReset (2) : The user needs to change the password immediately. @@ -1872,7 +1870,117 @@
- <<<TBD>>> + In accordance with the following + registrations are requested. +
+ The OIDs used in this specification are derived from + iso(1) identified-organization(3) dod(6) internet(1) private(4) + enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These + OIDs have been in use since at least July 2001 when version 04 + of this draft was published. No additional OID assignment + is being requested. +
+
+ Registration of the protocol mechanisms specified in this + document is requested. + + + Subject: Request for LDAP Protocol Mechanism Registration + Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1 + Description: Password Policy Request and Response Control + Person & email address to contact for further information: + + Howard Chu <hyc@symas.com> + + Usage: Control + Specification: (I-D) draft-behera-ldap-password-policy + Author/Change Controller: IESG + Comments: + +
+
+ Registration of the descriptors specified in this + document is requested. + + + Subject: Request for LDAP Descriptor Registration + Descriptor (short name): see table + Object Identifier: see table + Description: see table + Person & email address to contact for further information: + + Howard Chu <hyc@symas.com> + + Specification: (I-D) draft-behera-ldap-password-policy + Author/Change Controller: IESG + Comments: +
+ Name Type OID + ----------------------- ---- ------------------------------ + pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1 + pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1 + pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2 + pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3 + pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4 + pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5 + pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6 + pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31 + pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7 + pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8 + pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30 + pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9 + pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10 + pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11 + pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12 + pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13 + pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14 + pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15 + pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24 + pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25 + pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26 + pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16 + pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17 + pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19 + pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20 + pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21 + pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22 + pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23 + pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27 + pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28 + pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29 +
+
+ Legend + -------------------- + A => Attribute Type + O => Object Class +
+
+
+ +
+
+ + Registration of the AttributeDescription option specified + in this document is requested. + + + Subject: Request for LDAP Attribute Description Option Registration + Option Name: pwd- + Family of Options: YES + Person & email address to contact for further information: + + Howard Chu <hyc@symas.com> + + Specification: (I-D) draft-behera-ldap-password-policy + Author/Change Controller: IESG + Comments: + + Used with policy state attributes to specify to which password attribute + the state belongs. + + +
@@ -1893,7 +2001,7 @@ &rfc4517; &rfc2831; &rfc3062; - &rfc3383; + &rfc4520; &rfc3672; -- 2.39.2
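Review bot: in the @@ -1181 hunk the new pwdGraceExpiry paragraph is inserted ahead of the existing pwdGraceUseTime paragraph, so the procedure now has two separate "zero is returned" exits while the closing "Otherwise zero is returned" still reads as if it qualifies only the pwdGraceUseTime test; fold the new condition into that sentence, e.g. "If pwdGraceExpiry is present and the current time exceeds the password expiration time plus pwdGraceExpiry, zero is returned; otherwise, if pwdGraceUseTime is present, the number of values in that attribute subtracted from pwdGraceAuthNLimit is returned." The added text also relies on "the password expiration time" without saying how it is derived at this point in the check; a short pointer to where that time is computed would make the grace check self-contained. Minor: the commit message calls the attribute pwGraceExpiry.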
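Review bot: in the @@ -1716 hunk, deleting the accountLocked (1) case leaves the "operations other than bind" section describing only changeAfterReset (2), yet a server that enforces lockout still has to respond to a non-bind operation from a locked account. The commit message says this reverts the -09 change, so if the removal is intentional, add one sentence stating where accountLocked is returned (or that it is only returned on bind) so clients are not left to guess on insufficientAccessRights (50). The rewritten intro "to determine if the user needs to change the password immediately" is accurate only while changeAfterReset is the sole case listed; it will need rewording if any further error codes are reintroduced here.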
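Review bot: in the @@ -1872 hunk the descriptor table asks IANA to register pwdMaxLength (1.3.6.1.4.1.42.2.27.8.1.31) and pwdGraceExpiry (1.3.6.1.4.1.42.2.27.8.1.30), but nothing in this patch adds an attribute type definition for either or lists them in the pwdPolicy object class, and the commit message does not mention them as new schema; confirm both are defined in the schema section before the registration goes out, otherwise the draft would be registering descriptors it does not specify. The two registration templates leave "Comments:" empty, which is fine, but the contact line duplicates the author address across all three templates; if the document's own author block is meant to be the source of truth, consider a single reference to it instead.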