Subversion Repositories configs

Rev

Rev 4 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
9 - 1
# $OpenLDAP$
4 - 2
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
3
##
9 - 4
## Copyright 2004-2014 The OpenLDAP Foundation.
4 - 5
## All rights reserved.
6
##
7
## Redistribution and use in source and binary forms, with or without
8
## modification, are permitted only as authorized by the OpenLDAP
9
## Public License.
10
##
11
## A copy of this license is available in the file LICENSE in the
12
## top-level directory of the distribution or, alternatively, at
13
## <http://www.OpenLDAP.org/license.html>.
14
#
15
## Portions Copyright (C) The Internet Society (2004).
16
## Please see full copyright statement below.
17
 
18
# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
19
#	Password Policy for LDAP Directories
20
# With extensions from Hewlett-Packard:
21
#	pwdCheckModule etc.
22
 
23
# Contents of this file are subject to change (including deletion)
24
# without notice.
25
#
26
# Not recommended for production use!
27
# Use with extreme caution!
28
 
29
#Network Working Group                                     J. Sermersheim
30
#Internet-Draft                                               Novell, Inc
31
#Expires: April 24, 2005                                        L. Poitou
32
#                                                        Sun Microsystems
33
#                                                        October 24, 2004
34
#
35
#
36
#                  Password Policy for LDAP Directories
37
#                draft-behera-ldap-password-policy-08.txt
38
#
39
#Status of this Memo
40
#
41
#   This document is an Internet-Draft and is subject to all provisions
42
#   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
43
#   author represents that any applicable patent or other IPR claims of
44
#   which he or she is aware have been or will be disclosed, and any of
45
#   which he or she become aware will be disclosed, in accordance with
46
#   RFC 3668.
47
#
48
#   Internet-Drafts are working documents of the Internet Engineering
49
#   Task Force (IETF), its areas, and its working groups.  Note that
50
#   other groups may also distribute working documents as
51
#   Internet-Drafts.
52
#
53
#   Internet-Drafts are draft documents valid for a maximum of six months
54
#   and may be updated, replaced, or obsoleted by other documents at any
55
#   time.  It is inappropriate to use Internet-Drafts as reference
56
#   material or to cite them other than as "work in progress."
57
#
58
#   The list of current Internet-Drafts can be accessed at
59
#   http://www.ietf.org/ietf/1id-abstracts.txt.
60
#
61
#   The list of Internet-Draft Shadow Directories can be accessed at
62
#   http://www.ietf.org/shadow.html.
63
#
64
#   This Internet-Draft will expire on April 24, 2005.
65
#
66
#Copyright Notice
67
#
68
#   Copyright (C) The Internet Society (2004).
69
#
70
#Abstract
71
#
72
#   Password policy as described in this document is a set of rules that
73
#   controls how passwords are used and administered in Lightweight
74
#   Directory Access Protocol (LDAP) based directories.  In order to
75
#   improve the security of LDAP directories and make it difficult for
76
#   password cracking programs to break into directories, it is desirable
77
#   to enforce a set of rules on password usage.  These rules are made to
78
#
79
#  [trimmed]
80
#
81
#5.  Schema used for Password Policy
82
#
83
#   The schema elements defined here fall into two general categories.  A
84
#   password policy object class is defined which contains a set of
85
#   administrative password policy attributes, and a set of operational
86
#   attributes are defined that hold general password policy state
87
#   information for each user.
88
#
89
#5.2  Attribute Types used in the pwdPolicy ObjectClass
90
#
91
#   Following are the attribute types used by the pwdPolicy object class.
92
#
93
#5.2.1  pwdAttribute
94
#
95
#   This holds the name of the attribute to which the password policy is
96
#   applied.  For example, the password policy may be applied to the
97
#   userPassword attribute.
98
 
99
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
100
      NAME 'pwdAttribute'
101
      EQUALITY objectIdentifierMatch
102
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
103
 
104
#5.2.2  pwdMinAge
105
#
106
#   This attribute holds the number of seconds that must elapse between
107
#   modifications to the password.  If this attribute is not present, 0
108
#   seconds is assumed.
109
 
110
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
111
      NAME 'pwdMinAge'
112
      EQUALITY integerMatch
113
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
114
      SINGLE-VALUE )
115
 
116
#5.2.3  pwdMaxAge
117
#
118
#   This attribute holds the number of seconds after which a modified
119
#   password will expire.
120
#
121
#   If this attribute is not present, or if the value is 0 the password
122
#   does not expire.  If not 0, the value must be greater than or equal
123
#   to the value of the pwdMinAge.
124
 
125
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
126
      NAME 'pwdMaxAge'
127
      EQUALITY integerMatch
128
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
129
      SINGLE-VALUE )
130
 
131
#5.2.4  pwdInHistory
132
#
133
#   This attribute specifies the maximum number of used passwords stored
134
#   in the pwdHistory attribute.
135
#
136
#   If this attribute is not present, or if the value is 0, used
137
#   passwords are not stored in the pwdHistory attribute and thus may be
138
#   reused.
139
 
140
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
141
      NAME 'pwdInHistory'
142
      EQUALITY integerMatch
143
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
144
      SINGLE-VALUE )
145
 
146
#5.2.5  pwdCheckQuality
147
#
148
#   {TODO: Consider changing the syntax to OID.  Each OID will list a
149
#   quality rule (like min len, # of special characters, etc).  These
150
#   rules can be specified outsid ethis document.}
151
#
152
#   {TODO: Note that even though this is meant to be a check that happens
153
#   during password modification, it may also be allowed to happen during
154
#   authN.  This is useful for situations where the password is encrypted
155
#   when modified, but decrypted when used to authN.}
156
#
157
#   This attribute indicates how the password quality will be verified
158
#   while being modified or added.  If this attribute is not present, or
159
#   if the value is '0', quality checking will not be enforced.  A value
160
#   of '1' indicates that the server will check the quality, and if the
161
#   server is unable to check it (due to a hashed password or other
162
#   reasons) it will be accepted.  A value of '2' indicates that the
163
#   server will check the quality, and if the server is unable to verify
164
#   it, it will return an error refusing the password.
165
 
166
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
167
      NAME 'pwdCheckQuality'
168
      EQUALITY integerMatch
169
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
170
      SINGLE-VALUE )
171
 
172
#5.2.6  pwdMinLength
173
#
174
#   When quality checking is enabled, this attribute holds the minimum
175
#   number of characters that must be used in a password.  If this
176
#   attribute is not present, no minimum password length will be
177
#   enforced.  If the server is unable to check the length (due to a
178
#   hashed password or otherwise), the server will, depending on the
179
#   value of the pwdCheckQuality attribute, either accept the password
180
#   without checking it ('0' or '1') or refuse it ('2').
181
 
182
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
183
      NAME 'pwdMinLength'
184
      EQUALITY integerMatch
185
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
186
      SINGLE-VALUE )
187
 
188
#5.2.7  pwdExpireWarning
189
#
190
#   This attribute specifies the maximum number of seconds before a
191
#   password is due to expire that expiration warning messages will be
192
#   returned to an authenticating user.
193
#
194
#   If this attribute is not present, or if the value is 0 no warnings
195
#   will be returned.  If not 0, the value must be smaller than the value
196
#   of the pwdMaxAge attribute.
197
 
198
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
199
      NAME 'pwdExpireWarning'
200
      EQUALITY integerMatch
201
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
202
      SINGLE-VALUE )
203
 
204
#5.2.8  pwdGraceAuthNLimit
205
#
206
#   This attribute specifies the number of times an expired password can
207
#   be used to authenticate.  If this attribute is not present or if the
208
#   value is 0, authentication will fail.
209
 
210
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
211
      NAME 'pwdGraceAuthNLimit'
212
      EQUALITY integerMatch
213
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
214
      SINGLE-VALUE )
215
 
216
#5.2.9  pwdLockout
217
#
218
#   This attribute indicates, when its value is "TRUE", that the password
219
#   may not be used to authenticate after a specified number of
220
#   consecutive failed bind attempts.  The maximum number of consecutive
221
#   failed bind attempts is specified in pwdMaxFailure.
222
#
223
#   If this attribute is not present, or if the value is "FALSE", the
224
#   password may be used to authenticate when the number of failed bind
225
#   attempts has been reached.
226
 
227
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
228
      NAME 'pwdLockout'
229
      EQUALITY booleanMatch
230
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
231
      SINGLE-VALUE )
232
 
233
#5.2.10  pwdLockoutDuration
234
#
235
#   This attribute holds the number of seconds that the password cannot
236
#   be used to authenticate due to too many failed bind attempts.  If
237
#   this attribute is not present, or if the value is 0 the password
238
#   cannot be used to authenticate until reset by a password
239
#   administrator.
240
 
241
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
242
      NAME 'pwdLockoutDuration'
243
      EQUALITY integerMatch
244
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
245
      SINGLE-VALUE )
246
 
247
#5.2.11  pwdMaxFailure
248
#
249
#   This attribute specifies the number of consecutive failed bind
250
#   attempts after which the password may not be used to authenticate.
251
#   If this attribute is not present, or if the value is 0, this policy
252
#   is not checked, and the value of pwdLockout will be ignored.
253
 
254
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
255
      NAME 'pwdMaxFailure'
256
      EQUALITY integerMatch
257
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
258
      SINGLE-VALUE )
259
 
260
#5.2.12  pwdFailureCountInterval
261
#
262
#   This attribute holds the number of seconds after which the password
263
#   failures are purged from the failure counter, even though no
264
#   successful authentication occurred.
265
#
266
#   If this attribute is not present, or if its value is 0, the failure
267
#   counter is only reset by a successful authentication.
268
 
269
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
270
      NAME 'pwdFailureCountInterval'
271
      EQUALITY integerMatch
272
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
273
      SINGLE-VALUE )
274
 
275
#5.2.13  pwdMustChange
276
#
277
#   This attribute specifies with a value of "TRUE" that users must
278
#   change their passwords when they first bind to the directory after a
279
#   password is set or reset by a password administrator.  If this
280
#   attribute is not present, or if the value is "FALSE", users are not
281
#   required to change their password upon binding after the password
282
#   administrator sets or resets the password.  This attribute is not set
283
#   due to any actions specified by this document, it is typically set by
284
#   a password administrator after resetting a user's password.
285
 
286
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
287
      NAME 'pwdMustChange'
288
      EQUALITY booleanMatch
289
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
290
      SINGLE-VALUE )
291
 
292
#5.2.14  pwdAllowUserChange
293
#
294
#   This attribute indicates whether users can change their own
295
#   passwords, although the change operation is still subject to access
296
#   control.  If this attribute is not present, a value of "TRUE" is
297
#   assumed.  This attribute is intended to be used in the absense of an
298
#   access control mechanism.
299
 
300
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
301
      NAME 'pwdAllowUserChange'
302
      EQUALITY booleanMatch
303
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
304
      SINGLE-VALUE )
305
 
306
#5.2.15  pwdSafeModify
307
#
308
#   This attribute specifies whether or not the existing password must be
309
#   sent along with the new password when being changed.  If this
310
#   attribute is not present, a "FALSE" value is assumed.
311
 
312
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
313
      NAME 'pwdSafeModify'
314
      EQUALITY booleanMatch
315
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
316
      SINGLE-VALUE )
317
 
318
# HP extensions
319
#
320
# pwdCheckModule
321
#
322
#    This attribute names a user-defined loadable module that provides
323
#    a check_password() function. If pwdCheckQuality is set to '1' or '2'
324
#    this function will be called after all of the internal password
325
#    quality checks have been passed. The function has this prototype:
326
#
327
#    int check_password( char *password, char **errormessage, void *arg )
328
#
329
#    The function should return LDAP_SUCCESS for a valid password.
330
 
331
attributetype ( 1.3.6.1.4.1.4754.1.99.1
332
     NAME 'pwdCheckModule'
333
     EQUALITY caseExactIA5Match
334
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
335
     DESC 'Loadable module that instantiates "check_password() function'
336
     SINGLE-VALUE )
337
 
338
objectclass ( 1.3.6.1.4.1.4754.2.99.1
339
      NAME 'pwdPolicyChecker'
340
      SUP top
341
      AUXILIARY
342
      MAY ( pwdCheckModule ) )
343
 
344
#5.1  The pwdPolicy Object Class
345
#
346
#   This object class contains the attributes defining a password policy
347
#   in effect for a set of users.  Section 10 describes the
348
#   administration of this object, and the relationship between it and
349
#   particular objects.
350
#
351
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
352
      NAME 'pwdPolicy'
353
      SUP top
354
      AUXILIARY
355
      MUST ( pwdAttribute )
356
      MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
357
      pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
358
      $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
359
      pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
360
 
361
#5.3  Attribute Types for Password Policy State Information
362
#
363
#   Password policy state information must be maintained for each user.
364
#   The information is located in each user entry as a set of operational
365
#   attributes.  These operational attributes are: pwdChangedTime,
366
#   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
367
#   pwdReset, pwdPolicySubEntry.
368
#
369
#5.3.1  Password Policy State Attribute Option
370
#
371
#   Since the password policy could apply to several attributes used to
372
#   store passwords, each of the above operational attributes must have
373
#   an option to specify which pwdAttribute it applies to.  The password
374
#   policy option is defined as the following:
375
#
376
#   pwd-<passwordAttribute>
377
#
378
#   where passwordAttribute a string following the OID syntax
379
#   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
380
#   (short name) MUST be used.
381
#
382
#   For example, if the pwdPolicy object has for pwdAttribute
383
#   "userPassword" then the pwdChangedTime operational attribute, in a
384
#   user entry, will be:
385
#
386
#   pwdChangedTime;pwd-userPassword: 20000103121520Z
387
#
388
#   This attribute option follows sub-typing semantics.  If a client
389
#   requests a password policy state attribute to be returned in a search
390
#   operation, and does not specify an option, all subtypes of that
391
#   policy state attribute are returned.
392
#
393
#5.3.2  pwdChangedTime
394
#
395
#   This attribute specifies the last time the entry's password was
396
#   changed.  This is used by the password expiration policy.  If this
397
#   attribute does not exist, the password will never expire.
398
#
399
#      ( 1.3.6.1.4.1.42.2.27.8.1.16
400
#      NAME 'pwdChangedTime'
401
#      DESC 'The time the password was last changed'
402
#      EQUALITY generalizedTimeMatch
403
#      ORDERING generalizedTimeOrderingMatch
404
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
405
#      SINGLE-VALUE
406
#      USAGE directoryOperation )
407
#
408
#5.3.3  pwdAccountLockedTime
409
#
410
#   This attribute holds the time that the user's account was locked.  A
411
#   locked account means that the password may no longer be used to
412
#   authenticate.  A 000001010000Z value means that the account has been
413
#   locked permanently, and that only a password administrator can unlock
414
#   the account.
415
#
416
#      ( 1.3.6.1.4.1.42.2.27.8.1.17
417
#      NAME 'pwdAccountLockedTime'
418
#      DESC 'The time an user account was locked'
419
#      EQUALITY generalizedTimeMatch
420
#      ORDERING generalizedTimeOrderingMatch
421
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
422
#      SINGLE-VALUE
423
#      USAGE directoryOperation )
424
#
425
#5.3.4  pwdFailureTime
426
#
427
#   This attribute holds the timestamps of the consecutive authentication
428
#   failures.
429
#
430
#      ( 1.3.6.1.4.1.42.2.27.8.1.19
431
#      NAME 'pwdFailureTime'
432
#      DESC 'The timestamps of the last consecutive authentication
433
#      failures'
434
#      EQUALITY generalizedTimeMatch
435
#      ORDERING generalizedTimeOrderingMatch
436
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
437
#      USAGE directoryOperation )
438
#
439
#5.3.5  pwdHistory
440
#
441
#   This attribute holds a history of previously used passwords.  Values
442
#   of this attribute are transmitted in string format as given by the
443
#   following ABNF:
444
#
445
#   pwdHistory = time "#" syntaxOID "#" length "#" data
446
#
447
#   time       = <generalizedTimeString as specified in 6.14
448
#                 of [RFC2252]>
449
#
450
#   syntaxOID  = numericoid    ; the string representation of the
451
#                              ; dotted-decimal OID that defines the
452
#                              ; syntax used to store the password.
453
#                              ; numericoid is described in 4.1
454
#                              ; of [RFC2252].
455
#
456
#   length     = numericstring ; the number of octets in data.
457
#                              ; numericstring is described in 4.1
458
#                              ; of [RFC2252].
459
#
460
#   data       = <octets representing the password in the format
461
#                 specified by syntaxOID>.
462
#
463
#   This format allows the server to store, and transmit a history of
464
#   passwords that have been used.  In order for equality matching to
465
#   function properly, the time field needs to adhere to a consistent
466
#   format.  For this purpose, the time field MUST be in GMT format.
467
#
468
#      ( 1.3.6.1.4.1.42.2.27.8.1.20
469
#      NAME 'pwdHistory'
470
#      DESC 'The history of user s passwords'
471
#      EQUALITY octetStringMatch
472
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
473
#      USAGE directoryOperation )
474
#
475
#5.3.6  pwdGraceUseTime
476
#
477
#   This attribute holds the timestamps of grace authentications after a
478
#   password has expired.
479
#
480
#      ( 1.3.6.1.4.1.42.2.27.8.1.21
481
#      NAME 'pwdGraceUseTime'
482
#      DESC 'The timestamps of the grace authentication after the
483
#      password has expired'
484
#      EQUALITY generalizedTimeMatch
485
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
486
#
487
#5.3.7  pwdReset
488
#
489
#   This attribute holds a flag to indicate (when TRUE) that the password
490
#   has been updated by the password administrator and must be changed by
491
#   the user on first authentication.
492
#
493
#      ( 1.3.6.1.4.1.42.2.27.8.1.22
494
#      NAME 'pwdReset'
495
#      DESC 'The indication that the password has been reset'
496
#      EQUALITY booleanMatch
497
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
498
#      SINGLE-VALUE
499
#      USAGE directoryOperation )
500
#
501
#5.3.8  pwdPolicySubentry
502
#
503
#   This attribute points to the pwdPolicy subentry in effect for this
504
#   object.
505
#
506
#      ( 1.3.6.1.4.1.42.2.27.8.1.23
507
#      NAME 'pwdPolicySubentry'
508
#      DESC 'The pwdPolicy subentry in effect for this object'
509
#      EQUALITY distinguishedNameMatch
510
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
511
#      SINGLE-VALUE
512
#      USAGE directoryOperation )
513
#
514
#
515
#Disclaimer of Validity
516
#
517
#   This document and the information contained herein are provided on an
518
#   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
519
#   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
520
#   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
521
#   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
522
#   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
523
#   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
524
#
525
#
526
#Copyright Statement
527
#
528
#   Copyright (C) The Internet Society (2004).  This document is subject
529
#   to the rights, licenses and restrictions contained in BCP 78, and
530
#   except as set forth therein, the authors retain all their rights.
531