Rev 9 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# $OpenLDAP$## This work is part of OpenLDAP Software <http://www.openldap.org/>.#### Copyright 2004-2014 The OpenLDAP Foundation.## All rights reserved.#### Redistribution and use in source and binary forms, with or without## modification, are permitted only as authorized by the OpenLDAP## Public License.#### A copy of this license is available in the file LICENSE in the## top-level directory of the distribution or, alternatively, at## <http://www.OpenLDAP.org/license.html>.### Portions Copyright (C) The Internet Society (2004).## Please see full copyright statement below.# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)# Password Policy for LDAP Directories# With extensions from Hewlett-Packard:# pwdCheckModule etc.# Contents of this file are subject to change (including deletion)# without notice.## Not recommended for production use!# Use with extreme caution!#Network Working Group J. Sermersheim#Internet-Draft Novell, Inc#Expires: April 24, 2005 L. Poitou# Sun Microsystems# October 24, 2004### Password Policy for LDAP Directories# draft-behera-ldap-password-policy-08.txt##Status of this Memo## This document is an Internet-Draft and is subject to all provisions# of section 3 of RFC 3667. By submitting this Internet-Draft, each# author represents that any applicable patent or other IPR claims of# which he or she is aware have been or will be disclosed, and any of# which he or she become aware will be disclosed, in accordance with# RFC 3668.## Internet-Drafts are working documents of the Internet Engineering# Task Force (IETF), its areas, and its working groups. Note that# other groups may also distribute working documents as# Internet-Drafts.## Internet-Drafts are draft documents valid for a maximum of six months# and may be updated, replaced, or obsoleted by other documents at any# time. It is inappropriate to use Internet-Drafts as reference# material or to cite them other than as "work in progress."## The list of current Internet-Drafts can be accessed at# http://www.ietf.org/ietf/1id-abstracts.txt.## The list of Internet-Draft Shadow Directories can be accessed at# http://www.ietf.org/shadow.html.## This Internet-Draft will expire on April 24, 2005.##Copyright Notice## Copyright (C) The Internet Society (2004).##Abstract## Password policy as described in this document is a set of rules that# controls how passwords are used and administered in Lightweight# Directory Access Protocol (LDAP) based directories. In order to# improve the security of LDAP directories and make it difficult for# password cracking programs to break into directories, it is desirable# to enforce a set of rules on password usage. These rules are made to## [trimmed]##5. Schema used for Password Policy## The schema elements defined here fall into two general categories. A# password policy object class is defined which contains a set of# administrative password policy attributes, and a set of operational# attributes are defined that hold general password policy state# information for each user.##5.2 Attribute Types used in the pwdPolicy ObjectClass## Following are the attribute types used by the pwdPolicy object class.##5.2.1 pwdAttribute## This holds the name of the attribute to which the password policy is# applied. For example, the password policy may be applied to the# userPassword attribute.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1NAME 'pwdAttribute'EQUALITY objectIdentifierMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )#5.2.2 pwdMinAge## This attribute holds the number of seconds that must elapse between# modifications to the password. If this attribute is not present, 0# seconds is assumed.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2NAME 'pwdMinAge'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.3 pwdMaxAge## This attribute holds the number of seconds after which a modified# password will expire.## If this attribute is not present, or if the value is 0 the password# does not expire. If not 0, the value must be greater than or equal# to the value of the pwdMinAge.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3NAME 'pwdMaxAge'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.4 pwdInHistory## This attribute specifies the maximum number of used passwords stored# in the pwdHistory attribute.## If this attribute is not present, or if the value is 0, used# passwords are not stored in the pwdHistory attribute and thus may be# reused.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4NAME 'pwdInHistory'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.5 pwdCheckQuality## {TODO: Consider changing the syntax to OID. Each OID will list a# quality rule (like min len, # of special characters, etc). These# rules can be specified outsid ethis document.}## {TODO: Note that even though this is meant to be a check that happens# during password modification, it may also be allowed to happen during# authN. This is useful for situations where the password is encrypted# when modified, but decrypted when used to authN.}## This attribute indicates how the password quality will be verified# while being modified or added. If this attribute is not present, or# if the value is '0', quality checking will not be enforced. A value# of '1' indicates that the server will check the quality, and if the# server is unable to check it (due to a hashed password or other# reasons) it will be accepted. A value of '2' indicates that the# server will check the quality, and if the server is unable to verify# it, it will return an error refusing the password.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5NAME 'pwdCheckQuality'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.6 pwdMinLength## When quality checking is enabled, this attribute holds the minimum# number of characters that must be used in a password. If this# attribute is not present, no minimum password length will be# enforced. If the server is unable to check the length (due to a# hashed password or otherwise), the server will, depending on the# value of the pwdCheckQuality attribute, either accept the password# without checking it ('0' or '1') or refuse it ('2').attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6NAME 'pwdMinLength'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.7 pwdExpireWarning## This attribute specifies the maximum number of seconds before a# password is due to expire that expiration warning messages will be# returned to an authenticating user.## If this attribute is not present, or if the value is 0 no warnings# will be returned. If not 0, the value must be smaller than the value# of the pwdMaxAge attribute.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7NAME 'pwdExpireWarning'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.8 pwdGraceAuthNLimit## This attribute specifies the number of times an expired password can# be used to authenticate. If this attribute is not present or if the# value is 0, authentication will fail.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8NAME 'pwdGraceAuthNLimit'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.9 pwdLockout## This attribute indicates, when its value is "TRUE", that the password# may not be used to authenticate after a specified number of# consecutive failed bind attempts. The maximum number of consecutive# failed bind attempts is specified in pwdMaxFailure.## If this attribute is not present, or if the value is "FALSE", the# password may be used to authenticate when the number of failed bind# attempts has been reached.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9NAME 'pwdLockout'EQUALITY booleanMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.7SINGLE-VALUE )#5.2.10 pwdLockoutDuration## This attribute holds the number of seconds that the password cannot# be used to authenticate due to too many failed bind attempts. If# this attribute is not present, or if the value is 0 the password# cannot be used to authenticate until reset by a password# administrator.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10NAME 'pwdLockoutDuration'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.11 pwdMaxFailure## This attribute specifies the number of consecutive failed bind# attempts after which the password may not be used to authenticate.# If this attribute is not present, or if the value is 0, this policy# is not checked, and the value of pwdLockout will be ignored.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11NAME 'pwdMaxFailure'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.12 pwdFailureCountInterval## This attribute holds the number of seconds after which the password# failures are purged from the failure counter, even though no# successful authentication occurred.## If this attribute is not present, or if its value is 0, the failure# counter is only reset by a successful authentication.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12NAME 'pwdFailureCountInterval'EQUALITY integerMatchORDERING integerOrderingMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.27SINGLE-VALUE )#5.2.13 pwdMustChange## This attribute specifies with a value of "TRUE" that users must# change their passwords when they first bind to the directory after a# password is set or reset by a password administrator. If this# attribute is not present, or if the value is "FALSE", users are not# required to change their password upon binding after the password# administrator sets or resets the password. This attribute is not set# due to any actions specified by this document, it is typically set by# a password administrator after resetting a user's password.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13NAME 'pwdMustChange'EQUALITY booleanMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.7SINGLE-VALUE )#5.2.14 pwdAllowUserChange## This attribute indicates whether users can change their own# passwords, although the change operation is still subject to access# control. If this attribute is not present, a value of "TRUE" is# assumed. This attribute is intended to be used in the absense of an# access control mechanism.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14NAME 'pwdAllowUserChange'EQUALITY booleanMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.7SINGLE-VALUE )#5.2.15 pwdSafeModify## This attribute specifies whether or not the existing password must be# sent along with the new password when being changed. If this# attribute is not present, a "FALSE" value is assumed.attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15NAME 'pwdSafeModify'EQUALITY booleanMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.7SINGLE-VALUE )# HP extensions## pwdCheckModule## This attribute names a user-defined loadable module that provides# a check_password() function. If pwdCheckQuality is set to '1' or '2'# this function will be called after all of the internal password# quality checks have been passed. The function has this prototype:## int check_password( char *password, char **errormessage, void *arg )## The function should return LDAP_SUCCESS for a valid password.attributetype ( 1.3.6.1.4.1.4754.1.99.1NAME 'pwdCheckModule'EQUALITY caseExactIA5MatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.26DESC 'Loadable module that instantiates "check_password() function'SINGLE-VALUE )objectclass ( 1.3.6.1.4.1.4754.2.99.1NAME 'pwdPolicyChecker'SUP topAUXILIARYMAY ( pwdCheckModule ) )#5.1 The pwdPolicy Object Class## This object class contains the attributes defining a password policy# in effect for a set of users. Section 10 describes the# administration of this object, and the relationship between it and# particular objects.#objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1NAME 'pwdPolicy'SUP topAUXILIARYMUST ( pwdAttribute )MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )#5.3 Attribute Types for Password Policy State Information## Password policy state information must be maintained for each user.# The information is located in each user entry as a set of operational# attributes. These operational attributes are: pwdChangedTime,# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,# pwdReset, pwdPolicySubEntry.##5.3.1 Password Policy State Attribute Option## Since the password policy could apply to several attributes used to# store passwords, each of the above operational attributes must have# an option to specify which pwdAttribute it applies to. The password# policy option is defined as the following:## pwd-<passwordAttribute>## where passwordAttribute a string following the OID syntax# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor# (short name) MUST be used.## For example, if the pwdPolicy object has for pwdAttribute# "userPassword" then the pwdChangedTime operational attribute, in a# user entry, will be:## pwdChangedTime;pwd-userPassword: 20000103121520Z## This attribute option follows sub-typing semantics. If a client# requests a password policy state attribute to be returned in a search# operation, and does not specify an option, all subtypes of that# policy state attribute are returned.##5.3.2 pwdChangedTime## This attribute specifies the last time the entry's password was# changed. This is used by the password expiration policy. If this# attribute does not exist, the password will never expire.## ( 1.3.6.1.4.1.42.2.27.8.1.16# NAME 'pwdChangedTime'# DESC 'The time the password was last changed'# EQUALITY generalizedTimeMatch# ORDERING generalizedTimeOrderingMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24# SINGLE-VALUE# USAGE directoryOperation )##5.3.3 pwdAccountLockedTime## This attribute holds the time that the user's account was locked. A# locked account means that the password may no longer be used to# authenticate. A 000001010000Z value means that the account has been# locked permanently, and that only a password administrator can unlock# the account.## ( 1.3.6.1.4.1.42.2.27.8.1.17# NAME 'pwdAccountLockedTime'# DESC 'The time an user account was locked'# EQUALITY generalizedTimeMatch# ORDERING generalizedTimeOrderingMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24# SINGLE-VALUE# USAGE directoryOperation )##5.3.4 pwdFailureTime## This attribute holds the timestamps of the consecutive authentication# failures.## ( 1.3.6.1.4.1.42.2.27.8.1.19# NAME 'pwdFailureTime'# DESC 'The timestamps of the last consecutive authentication# failures'# EQUALITY generalizedTimeMatch# ORDERING generalizedTimeOrderingMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24# USAGE directoryOperation )##5.3.5 pwdHistory## This attribute holds a history of previously used passwords. Values# of this attribute are transmitted in string format as given by the# following ABNF:## pwdHistory = time "#" syntaxOID "#" length "#" data## time = <generalizedTimeString as specified in 6.14# of [RFC2252]>## syntaxOID = numericoid ; the string representation of the# ; dotted-decimal OID that defines the# ; syntax used to store the password.# ; numericoid is described in 4.1# ; of [RFC2252].## length = numericstring ; the number of octets in data.# ; numericstring is described in 4.1# ; of [RFC2252].## data = <octets representing the password in the format# specified by syntaxOID>.## This format allows the server to store, and transmit a history of# passwords that have been used. In order for equality matching to# function properly, the time field needs to adhere to a consistent# format. For this purpose, the time field MUST be in GMT format.## ( 1.3.6.1.4.1.42.2.27.8.1.20# NAME 'pwdHistory'# DESC 'The history of user s passwords'# EQUALITY octetStringMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40# USAGE directoryOperation )##5.3.6 pwdGraceUseTime## This attribute holds the timestamps of grace authentications after a# password has expired.## ( 1.3.6.1.4.1.42.2.27.8.1.21# NAME 'pwdGraceUseTime'# DESC 'The timestamps of the grace authentication after the# password has expired'# EQUALITY generalizedTimeMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24##5.3.7 pwdReset## This attribute holds a flag to indicate (when TRUE) that the password# has been updated by the password administrator and must be changed by# the user on first authentication.## ( 1.3.6.1.4.1.42.2.27.8.1.22# NAME 'pwdReset'# DESC 'The indication that the password has been reset'# EQUALITY booleanMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7# SINGLE-VALUE# USAGE directoryOperation )##5.3.8 pwdPolicySubentry## This attribute points to the pwdPolicy subentry in effect for this# object.## ( 1.3.6.1.4.1.42.2.27.8.1.23# NAME 'pwdPolicySubentry'# DESC 'The pwdPolicy subentry in effect for this object'# EQUALITY distinguishedNameMatch# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12# SINGLE-VALUE# USAGE directoryOperation )###Disclaimer of Validity## This document and the information contained herein are provided on an# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.###Copyright Statement## Copyright (C) The Internet Society (2004). This document is subject# to the rights, licenses and restrictions contained in BCP 78, and# except as set forth therein, the authors retain all their rights.