# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.

# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
#	Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
#	pwdCheckModule etc.

# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!

#Network Working Group                                     J. Sermersheim
#Internet-Draft                                               Novell, Inc
#Expires: April 24, 2005                                        L. Poitou
#                                                        Sun Microsystems
#                                                        October 24, 2004
#
#
#                  Password Policy for LDAP Directories
#                draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
#   This document is an Internet-Draft and is subject to all provisions
#   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
#   author represents that any applicable patent or other IPR claims of
#   which he or she is aware have been or will be disclosed, and any of
#   which he or she become aware will be disclosed, in accordance with
#   RFC 3668.
#
#   Internet-Drafts are working documents of the Internet Engineering
#   Task Force (IETF), its areas, and its working groups.  Note that
#   other groups may also distribute working documents as
#   Internet-Drafts.
#
#   Internet-Drafts are draft documents valid for a maximum of six months
#   and may be updated, replaced, or obsoleted by other documents at any
#   time.  It is inappropriate to use Internet-Drafts as reference
#   material or to cite them other than as "work in progress."
#
#   The list of current Internet-Drafts can be accessed at
#   http://www.ietf.org/ietf/1id-abstracts.txt.
#
#   The list of Internet-Draft Shadow Directories can be accessed at
#   http://www.ietf.org/shadow.html.
#
#   This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
#   Copyright (C) The Internet Society (2004).
#
#Abstract
#
#   Password policy as described in this document is a set of rules that
#   controls how passwords are used and administered in Lightweight
#   Directory Access Protocol (LDAP) based directories.  In order to
#   improve the security of LDAP directories and make it difficult for
#   password cracking programs to break into directories, it is desirable
#   to enforce a set of rules on password usage.  These rules are made to
#
#  [trimmed]
#
#5.  Schema used for Password Policy
#
#   The schema elements defined here fall into two general categories.  A
#   password policy object class is defined which contains a set of
#   administrative password policy attributes, and a set of operational
#   attributes are defined that hold general password policy state
#   information for each user.
#
#5.2  Attribute Types used in the pwdPolicy ObjectClass
#
#   Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1  pwdAttribute
#
#   This holds the name of the attribute to which the password policy is
#   applied.  For example, the password policy may be applied to the
#   userPassword attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
      NAME 'pwdAttribute'
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

#5.2.2  pwdMinAge
#
#   This attribute holds the number of seconds that must elapse between
#   modifications to the password.  If this attribute is not present, 0
#   seconds is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
      NAME 'pwdMinAge'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.3  pwdMaxAge
#
#   This attribute holds the number of seconds after which a modified
#   password will expire.
#
#   If this attribute is not present, or if the value is 0, the password
#   does not expire.  If not 0, the value must be greater than or equal
#   to the value of the pwdMinAge.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
      NAME 'pwdMaxAge'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.4  pwdInHistory
#
#   This attribute specifies the maximum number of used passwords stored
#   in the pwdHistory attribute.
#
#   If this attribute is not present, or if the value is 0, used
#   passwords are not stored in the pwdHistory attribute and thus may be
#   reused.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
      NAME 'pwdInHistory'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.5  pwdCheckQuality
#
#   {TODO: Consider changing the syntax to OID.  Each OID will list a
#   quality rule (like min len, # of special characters, etc).  These
#   rules can be specified outside this document.}
#
#   {TODO: Note that even though this is meant to be a check that happens
#   during password modification, it may also be allowed to happen during
#   authN.  This is useful for situations where the password is encrypted
#   when modified, but decrypted when used to authN.}
#
#   This attribute indicates how the password quality will be verified
#   while being modified or added.  If this attribute is not present, or
#   if the value is '0', quality checking will not be enforced.  A value
#   of '1' indicates that the server will check the quality, and if the
#   server is unable to check it (due to a hashed password or other
#   reasons) it will be accepted.  A value of '2' indicates that the
#   server will check the quality, and if the server is unable to verify
#   it, it will return an error refusing the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
      NAME 'pwdCheckQuality'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.6  pwdMinLength
#
#   When quality checking is enabled, this attribute holds the minimum
#   number of characters that must be used in a password.  If this
#   attribute is not present, no minimum password length will be
#   enforced.  If the server is unable to check the length (due to a
#   hashed password or otherwise), the server will, depending on the
#   value of the pwdCheckQuality attribute, either accept the password
#   without checking it ('0' or '1') or refuse it ('2').

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
      NAME 'pwdMinLength'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.7  pwdExpireWarning
#
#   This attribute specifies the maximum number of seconds before a
#   password is due to expire that expiration warning messages will be
#   returned to an authenticating user.
#
#   If this attribute is not present, or if the value is 0, no warnings
#   will be returned.  If not 0, the value must be smaller than the value
#   of the pwdMaxAge attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
      NAME 'pwdExpireWarning'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.8  pwdGraceAuthNLimit
#
#   This attribute specifies the number of times an expired password can
#   be used to authenticate.  If this attribute is not present or if the
#   value is 0, authentication will fail.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
      NAME 'pwdGraceAuthNLimit'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.9  pwdLockout
#
#   This attribute indicates, when its value is "TRUE", that the password
#   may not be used to authenticate after a specified number of
#   consecutive failed bind attempts.  The maximum number of consecutive
#   failed bind attempts is specified in pwdMaxFailure.
#
#   If this attribute is not present, or if the value is "FALSE", the
#   password may be used to authenticate when the number of failed bind
#   attempts has been reached.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
      NAME 'pwdLockout'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#5.2.10  pwdLockoutDuration
#
#   This attribute holds the number of seconds that the password cannot
#   be used to authenticate due to too many failed bind attempts.  If
#   this attribute is not present, or if the value is 0, the password
#   cannot be used to authenticate until reset by a password
#   administrator.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
      NAME 'pwdLockoutDuration'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.11  pwdMaxFailure
#
#   This attribute specifies the number of consecutive failed bind
#   attempts after which the password may not be used to authenticate.
#   If this attribute is not present, or if the value is 0, this policy
#   is not checked, and the value of pwdLockout will be ignored.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
      NAME 'pwdMaxFailure'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.12  pwdFailureCountInterval
#
#   This attribute holds the number of seconds after which the password
#   failures are purged from the failure counter, even though no
#   successful authentication occurred.
#
#   If this attribute is not present, or if its value is 0, the failure
#   counter is only reset by a successful authentication.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
      NAME 'pwdFailureCountInterval'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.13  pwdMustChange
#
#   This attribute specifies with a value of "TRUE" that users must
#   change their passwords when they first bind to the directory after a
#   password is set or reset by a password administrator.  If this
#   attribute is not present, or if the value is "FALSE", users are not
#   required to change their password upon binding after the password
#   administrator sets or resets the password.  This attribute is not set
#   due to any actions specified by this document; it is typically set by
#   a password administrator after resetting a user's password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
      NAME 'pwdMustChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#5.2.14  pwdAllowUserChange
#
#   This attribute indicates whether users can change their own
#   passwords, although the change operation is still subject to access
#   control.  If this attribute is not present, a value of "TRUE" is
#   assumed.  This attribute is intended to be used in the absence of an
#   access control mechanism.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
      NAME 'pwdAllowUserChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#5.2.15  pwdSafeModify
#
#   This attribute specifies whether or not the existing password must be
#   sent along with the new password when being changed.  If this
#   attribute is not present, a "FALSE" value is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
      NAME 'pwdSafeModify'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#ITS#8185  pwdMaxRecordedFailure
#
#   This attribute specifies the maximum number of consecutive failed bind
#   attempts to record.  If this attribute is not present, or if the value
#   is 0, it defaults to the value of pwdMaxFailure.  If that value is also
#   0, this value defaults to 5.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.30
      NAME 'pwdMaxRecordedFailure'
      EQUALITY integerMatch
      ORDERING integerOrderingMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

# HP extensions
#
# pwdCheckModule
#
#    This attribute names a user-defined loadable module that provides
#    a check_password() function. If pwdCheckQuality is set to '1' or '2'
#    this function will be called after all of the internal password
#    quality checks have been passed. The function has this prototype:
#
#    int check_password( char *password, char **errormessage, void *arg )
#
#    The function should return LDAP_SUCCESS for a valid password.

attributetype ( 1.3.6.1.4.1.4754.1.99.1
     NAME 'pwdCheckModule'
     EQUALITY caseExactIA5Match
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
     DESC 'Loadable module that instantiates check_password() function'
     SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
      NAME 'pwdPolicyChecker'
      SUP top
      AUXILIARY
      MAY ( pwdCheckModule ) )

#5.1  The pwdPolicy Object Class
#
#   This object class contains the attributes defining a password policy
#   in effect for a set of users.  Section 10 describes the
#   administration of this object, and the relationship between it and
#   particular objects.
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
      NAME 'pwdPolicy'
      SUP top
      AUXILIARY
      MUST ( pwdAttribute )
      MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
      pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
      $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
      pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
      pwdMaxRecordedFailure ) )

#5.3  Attribute Types for Password Policy State Information
#
#   Password policy state information must be maintained for each user.
#   The information is located in each user entry as a set of operational
#   attributes.  These operational attributes are: pwdChangedTime,
#   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
#   pwdReset, pwdPolicySubEntry.
#
#5.3.1  Password Policy State Attribute Option
#
#   Since the password policy could apply to several attributes used to
#   store passwords, each of the above operational attributes must have
#   an option to specify which pwdAttribute it applies to.  The password
#   policy option is defined as the following:
#
#   pwd-<passwordAttribute>
#
#   where passwordAttribute is a string following the OID syntax
#   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
#   (short name) MUST be used.
#
#   For example, if the pwdPolicy object has for pwdAttribute
#   "userPassword" then the pwdChangedTime operational attribute, in a
#   user entry, will be:
#
#   pwdChangedTime;pwd-userPassword: 20000103121520Z
#
#   This attribute option follows sub-typing semantics.  If a client
#   requests a password policy state attribute to be returned in a search
#   operation, and does not specify an option, all subtypes of that
#   policy state attribute are returned.
#
#5.3.2  pwdChangedTime
#
#   This attribute specifies the last time the entry's password was
#   changed.  This is used by the password expiration policy.  If this
#   attribute does not exist, the password will never expire.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.16
#      NAME 'pwdChangedTime'
#      DESC 'The time the password was last changed'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.3  pwdAccountLockedTime
#
#   This attribute holds the time that the user's account was locked.  A
#   locked account means that the password may no longer be used to
#   authenticate.  A 000001010000Z value means that the account has been
#   locked permanently, and that only a password administrator can unlock
#   the account.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.17
#      NAME 'pwdAccountLockedTime'
#      DESC 'The time a user account was locked'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.4  pwdFailureTime
#
#   This attribute holds the timestamps of the consecutive authentication
#   failures.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.19
#      NAME 'pwdFailureTime'
#      DESC 'The timestamps of the last consecutive authentication
#      failures'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.5  pwdHistory
#
#   This attribute holds a history of previously used passwords.  Values
#   of this attribute are transmitted in string format as given by the
#   following ABNF:
#
#   pwdHistory = time "#" syntaxOID "#" length "#" data
#
#   time       = <generalizedTimeString as specified in 6.14
#                 of [RFC2252]>
#
#   syntaxOID  = numericoid    ; the string representation of the
#                              ; dotted-decimal OID that defines the
#                              ; syntax used to store the password.
#                              ; numericoid is described in 4.1
#                              ; of [RFC2252].
#
#   length     = numericstring ; the number of octets in data.
#                              ; numericstring is described in 4.1
#                              ; of [RFC2252].
#
#   data       = <octets representing the password in the format
#                 specified by syntaxOID>.
#
#   This format allows the server to store, and transmit a history of
#   passwords that have been used.  In order for equality matching to
#   function properly, the time field needs to adhere to a consistent
#   format.  For this purpose, the time field MUST be in GMT format.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.20
#      NAME 'pwdHistory'
#      DESC 'The history of user s passwords'
#      EQUALITY octetStringMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#      USAGE directoryOperation )
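The pwdHistory ABNF above, as an added example that is not part of the schema file or of slapd's ppolicy overlay: a parser and formatter for one history value, plus a byte-wise comparison against a stored history. The sample values are constructed; the first one places a '#' inside the data field to show why the length field, not the last separator, delimits the data.

```python
"""Parse and produce pwdHistory values: time "#" syntaxOID "#" length "#" data.

Added example, not part of the OpenLDAP schema file; sample values are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"
_NUMERICOID = re.compile(r"^\d+(\.\d+)+$")


@dataclass(frozen=True)
class HistoryEntry:
    time: datetime
    syntax_oid: str
    data: bytes


def parse_pwd_history(value: bytes) -> HistoryEntry:
    """Parse one pwdHistory value.

    data may itself contain '#', so only the first three separators are
    significant; the length field must match the number of data octets.
    """
    parts = value.split(b"#", 3)
    if len(parts) != 4:
        raise ValueError("pwdHistory needs four '#'-separated fields")
    time_s, oid_s, length_s, data = parts
    if not time_s.endswith(b"Z"):            # the time field MUST be in GMT format
        raise ValueError("pwdHistory time must be GMT (end with 'Z')")
    when = datetime.strptime(time_s.decode("ascii"), "%Y%m%d%H%M%SZ")
    oid = oid_s.decode("ascii")
    if not _NUMERICOID.match(oid):
        raise ValueError(f"syntaxOID is not a numericoid: {oid!r}")
    if not length_s.isdigit() or int(length_s) != len(data):
        raise ValueError("length field does not match the data octets")
    return HistoryEntry(when.replace(tzinfo=timezone.utc), oid, data)


def format_pwd_history(when: datetime, syntax_oid: str, data: bytes) -> bytes:
    """Inverse of parse_pwd_history; `when` is normalised to UTC first."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return f"{stamp}#{syntax_oid}#{len(data)}#".encode("ascii") + data


def password_in_history(candidate: bytes, history) -> bool:
    """Octet-for-octet comparison against the stored history data.

    Servers normally store hashed values, so `candidate` must already be in
    the same stored form (same scheme and salt) for this to mean anything.
    """
    return any(parse_pwd_history(v).data == candidate for v in history)


# Constructed sample values (not real directory data); the first one has a
# '#' inside the data field, which the length field disambiguates.
SAMPLE_HISTORY = [
    b"20000103121520Z#1.3.6.1.4.1.1466.115.121.1.40#12#{CRYPT}ab#cd",
    format_pwd_history(datetime(2001, 5, 6, 7, 8, 9, tzinfo=timezone.utc),
                       OCTET_STRING_SYNTAX, b"{SSHA}YW5vdGhlcmZha2U="),
]
```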
#
#5.3.6  pwdGraceUseTime
#
#   This attribute holds the timestamps of grace authentications after a
#   password has expired.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.21
#      NAME 'pwdGraceUseTime'
#      DESC 'The timestamps of the grace authentication after the
#      password has expired'
#      EQUALITY generalizedTimeMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.7  pwdReset
#
#   This attribute holds a flag to indicate (when TRUE) that the password
#   has been updated by the password administrator and must be changed by
#   the user on first authentication.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.22
#      NAME 'pwdReset'
#      DESC 'The indication that the password has been reset'
#      EQUALITY booleanMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.8  pwdPolicySubentry
#
#   This attribute points to the pwdPolicy subentry in effect for this
#   object.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.23
#      NAME 'pwdPolicySubentry'
#      DESC 'The pwdPolicy subentry in effect for this object'
#      EQUALITY distinguishedNameMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
#      SINGLE-VALUE
#      USAGE directoryOperation )
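The policy attributes of section 5.2 and the per-user state attributes of section 5.3 combine into a bind decision; the following is an added example, not code from the schema file or from slapd's ppolicy overlay, that checks a pwdPolicy entry for the consistency rules stated above (pwdMaxAge vs pwdMinAge, pwdExpireWarning vs pwdMaxAge, pwdLockout without pwdMaxFailure) and then evaluates lockout, failure-count purging, expiry, grace authentications and expiry warnings for a user entry. Policy values are assumed to be ints/bools and state values GeneralizedTime strings, as an LDAP client would receive them; the sample policy and the fixed clock are constructed.

```python
"""Evaluate a bind against pwdPolicy attributes and a user's pwd* state attributes.
Added example, not part of the OpenLDAP schema file or the ppolicy overlay;
policy values are ints/bools, state values GeneralizedTime strings (constructed).
"""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"   # 5.3.3: only a password administrator can unlock

def gt(s):
    """GeneralizedTime in GMT ('YYYYMMDDHHMMSSZ') to an aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validate_policy(p):
    """Return the 5.2 consistency rules that a pwdPolicy entry violates."""
    problems = []
    max_age, min_age = p.get("pwdMaxAge", 0), p.get("pwdMinAge", 0)
    warn = p.get("pwdExpireWarning", 0)
    if max_age and max_age < min_age:
        problems.append("pwdMaxAge must be >= pwdMinAge when non-zero")
    if warn and not warn < max_age:
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if p.get("pwdLockout") and not p.get("pwdMaxFailure", 0):
        problems.append("pwdLockout is ignored while pwdMaxFailure is 0")
    return problems

def counted_failures(p, failure_times, now):
    """Failures still on the counter after pwdFailureCountInterval purging (5.2.12)."""
    interval = p.get("pwdFailureCountInterval", 0)
    if not interval:
        return len(failure_times)          # only a successful bind resets the counter
    cutoff = now - timedelta(seconds=interval)
    return sum(1 for t in failure_times if gt(t) > cutoff)

def bind_decision(p, entry, now):
    """'locked', 'expired', 'grace', 'warn:<seconds left>' or 'ok'.
    Only lockout and expiry are evaluated; the password itself is assumed verified.
    """
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at == PERMANENT_LOCK:
        return "locked"
    if locked_at:
        duration = p.get("pwdLockoutDuration", 0)
        if not duration or now < gt(locked_at) + timedelta(seconds=duration):
            return "locked"                # 0: locked until an administrator resets it
    elif p.get("pwdLockout") and p.get("pwdMaxFailure", 0):
        if counted_failures(p, entry.get("pwdFailureTime", []), now) >= p["pwdMaxFailure"]:
            return "locked"                # enough consecutive failures to trigger a lock
    max_age, changed = p.get("pwdMaxAge", 0), entry.get("pwdChangedTime")
    if not max_age or not changed:
        return "ok"                        # never expires (5.2.3, 5.3.2)
    expires = gt(changed) + timedelta(seconds=max_age)
    if now >= expires:
        used = len(entry.get("pwdGraceUseTime", []))
        return "grace" if used < p.get("pwdGraceAuthNLimit", 0) else "expired"
    remaining = int((expires - now).total_seconds())
    warn = p.get("pwdExpireWarning", 0)
    return f"warn:{remaining}" if warn and remaining <= warn else "ok"

# Constructed sample policy (90-day expiry, 14-day warning, 2 grace binds,
# lock after 5 failures within 5 minutes, 15-minute lockout) and a fixed clock.
SAMPLE_POLICY = {"pwdMinAge": 3600, "pwdMaxAge": 7776000, "pwdExpireWarning": 1209600,
                 "pwdGraceAuthNLimit": 2, "pwdLockout": True, "pwdMaxFailure": 5,
                 "pwdLockoutDuration": 900, "pwdFailureCountInterval": 300}
NOW = datetime(2004, 10, 24, 12, 0, 0, tzinfo=timezone.utc)
```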
#
#
#Disclaimer of Validity
#
#   This document and the information contained herein are provided on an
#   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
#   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
#   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
#   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
#   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
#   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
#   Copyright (C) The Internet Society (2004).  This document is subject
#   to the rights, licenses and restrictions contained in BCP 78, and
#   except as set forth therein, the authors retain all their rights.
