<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
- <!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
+ <!ENTITY rfc2119 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2195 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2195.xml'>
<!ENTITY rfc4422 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4422.xml'>
<!ENTITY rfc4511 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4517 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<!ENTITY rfc2831 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2831.xml'>
<!ENTITY rfc3062 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3062.xml'>
- <!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
+ <!ENTITY rfc4520 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4520.xml'>
<!ENTITY rfc3672 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3672.xml'>
]>
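Review bot: the quoting change on the rfc2119 entity (single quotes to double quotes) leaves the other entity declarations in the internal subset single-quoted; both forms are legal in a DOCTYPE, so either drop that pair of lines or apply the same quoting to every entity so the subset is consistent. The substantive change in this region is rfc3383 to rfc4520: RFC 4520 obsoletes RFC 3383 as the LDAP IANA considerations document, and the new entity name has to match the `<xref target="RFC4520"/>` and `&rfc4520;` uses later in the file, so check that no `&rfc3383;` or `target="RFC3383"` survives anywhere else, since either would now fail the xml2rfc build.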
<t>
pwd-<passwordAttribute></t>
- <t>where passwordAttribute a string following the OID syntax
+ <t>where passwordAttribute is a string following the OID syntax
(1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
(short name) MUST be used.</t>
<section anchor="gracecheck" title="Remaining Grace AuthN Check">
+ <t>If the pwdGraceExpiry attribute is present, and the current time is
+ greater than the password expiration time plus the pwdGraceExpiry
+ value, zero is returned.</t>
+
<t>If the pwdGraceUseTime attribute is present, the number of values in
that attribute subtracted from the value of pwdGraceAuthNLimit is
returned. Otherwise zero is returned. A positive result specifies
server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
- insufficientPasswordQuality (5).
+ insufficientPasswordQuality (5).<vspace blankLines="1"/>
If the server is able to check the password quality, and the check
fails, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
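Review bot: the new pwdGraceExpiry paragraph refers to "the password expiration time" without saying how that instant is derived (pwdChangedTime plus pwdMaxAge, or whatever the expiration check uses); name it or cite the expiration check so an implementer computes the same value in both places, otherwise the grace check and the expiration check can disagree on whether the grace window has lapsed. A second point on the same procedure: with the new paragraph in front, the existing text still says "Otherwise zero is returned." when pwdGraceUseTime is absent, so a user inside the grace window who has never used a grace authentication is reported as having zero remaining rather than pwdGraceAuthNLimit; confirm that is the intended reading or add the "absent means none used yet" case explicitly.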
<t>checks the value of the pwdMinLength attribute. If the value is
non-zero, it ensures that the new password is of at least the
- minimum length.
+ minimum length.<vspace blankLines="1"/>
If the server is unable to check the length (due to a hashed
password or otherwise), the value of pwdCheckQuality is evaluated.
If the value is 1, operation continues. If the value is 2, the
server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
- passwordTooShort (6).
+ passwordTooShort (6).<vspace blankLines="1"/>
If the server is able to check the password length, and the check
fails, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
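Review bot: the `<vspace>` insertions are presentation only, but the length-check text they separate leaves pwdCheckQuality = 0 undefined: "If the value is 1, operation continues. If the value is 2, the server sends a response message ..." covers only 1 and 2, and the gate for this step is pwdMinLength being non-zero rather than pwdCheckQuality being non-zero, so a server that cannot see the cleartext length (hashed password) with pwdCheckQuality = 0 has no specified behaviour. Suggest "If the value is 0 or 1, operation continues", or a sentence saying 0 skips the length check, whichever matches the treatment of 0 in the quality check above.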
<t>For operations other than bind, unbind, abandon or StartTLS, the
client checks the result code and control to determine if
- any other actions are needed.
+ the user needs to change the password immediately.
<list style="symbols">
- <t><Response>.resultCode = insufficientAccessRights (50),
- passwordPolicyResponse.error = accountLocked (1) : The password
- failure limit has been reached and the account is locked. The
- user needs to retry later or contact the password administrator
- to reset the password.</t>
-
<t><Response>.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = changeAfterReset (2) : The user
needs to change the password immediately.</t>
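Review bot: deleting the accountLocked (1) bullet from the non-bind list leaves a client with no guidance if it receives insufficientAccessRights (50) with passwordPolicyResponse.error = accountLocked (1) on a search or modify after a successful bind, which can happen when pwdAccountLockedTime is set on the entry mid-session by an administrator; either keep the bullet here, or add a sentence stating that a locked account is only reported at bind time, so that the narrowed lead-in "the user needs to change the password immediately" is actually the only outcome a client must handle for these operations.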
<section title="IANA Considerations">
- <t><<<TBD>>></t>
+ <t>In accordance with <xref target="RFC4520"/> the following
+ registrations are requested.</t>
+ <section title="Object Identifiers">
+ <t>The OIDs used in this specification are derived from
+ iso(1) identified-organization(3) dod(6) internet(1) private(4)
+ enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These
+ OIDs have been in use since at least July 2001 when version 04
+ of this draft was published. No additional OID assignment
+ is being requested.</t>
+ </section>
+ <section title="LDAP Protocol Mechanisms">
+ <t>Registration of the protocol mechanisms specified in this
+ document is requested.
+
+ <list style="empty">
+ <t>Subject: Request for LDAP Protocol Mechanism Registration</t>
+ <t>Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1</t>
+ <t>Description: Password Policy Request and Response Control</t>
+ <t>Person & email address to contact for further information:
+ <list style="empty">
+ <t>Howard Chu <hyc@symas.com></t>
+ </list></t>
+ <t>Usage: Control</t>
+ <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
+ <t>Author/Change Controller: IESG</t>
+ <t>Comments:</t>
+ </list></t>
+ </section>
+ <section title="LDAP Descriptors">
+ <t>Registration of the descriptors specified in this
+ document is requested.
+
+ <list style="empty">
+ <t>Subject: Request for LDAP Descriptor Registration</t>
+ <t>Descriptor (short name): see table</t>
+ <t>Object Identifier: see table</t>
+ <t>Description: see table</t>
+ <t>Person & email address to contact for further information:
+ <list style="empty">
+ <t>Howard Chu <hyc@symas.com></t>
+ </list></t>
+ <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
+ <t>Author/Change Controller: IESG</t>
+ <t>Comments:
+ <figure><artwork>
+ Name Type OID
+ ----------------------- ---- ------------------------------
+ pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1
+ pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1
+ pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2
+ pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3
+ pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4
+ pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5
+ pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6
+ pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31
+ pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7
+ pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8
+ pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30
+ pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9
+ pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10
+ pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11
+ pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12
+ pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13
+ pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14
+ pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15
+ pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24
+ pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25
+ pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26
+ pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16
+ pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17
+ pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19
+ pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20
+ pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21
+ pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22
+ pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23
+ pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27
+ pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28
+ pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29
+ </artwork></figure>
+ <figure><artwork>
+ Legend
+ --------------------
+ A => Attribute Type
+ O => Object Class
+ </artwork></figure>
+ </t>
+ </list></t>
+
+ </section>
+ <section title="LDAP AttributeDescription Options">
+
+ <t>Registration of the AttributeDescription option specified
+ in this document is requested.
+
+ <list style="empty">
+ <t>Subject: Request for LDAP Attribute Description Option Registration</t>
+ <t>Option Name: pwd-</t>
+ <t>Family of Options: YES</t>
+ <t>Person & email address to contact for further information:
+ <list style="empty">
+ <t>Howard Chu <hyc@symas.com></t>
+ </list></t>
+ <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
+ <t>Author/Change Controller: IESG</t>
+ <t>Comments:
+ <list style="empty">
+ <t>Used with policy state attributes to specify to which password attribute
+ the state belongs.</t></list>
+ </t>
+ </list></t>
+ </section>
</section>
<section title="Acknowledgement">
&rfc4517;
&rfc2831;
&rfc3062;
- &rfc3383;
+ &rfc4520;
&rfc3672;
<reference anchor="X.680">