# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.

# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
# Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
# pwdCheckModule etc.

# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!

#Network Working Group                                    J. Sermersheim
#Internet-Draft                                             Novell, Inc
#Expires: April 24, 2005                                      L. Poitou
#                                                      Sun Microsystems
#                                                      October 24, 2004
#
#
#                  Password Policy for LDAP Directories
#                draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
#   This document is an Internet-Draft and is subject to all provisions
#   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
#   author represents that any applicable patent or other IPR claims of
#   which he or she is aware have been or will be disclosed, and any of
#   which he or she become aware will be disclosed, in accordance with
#   RFC 3668.
#
#   Internet-Drafts are working documents of the Internet Engineering
#   Task Force (IETF), its areas, and its working groups.  Note that
#   other groups may also distribute working documents as
#   Internet-Drafts.
#
#   Internet-Drafts are draft documents valid for a maximum of six months
#   and may be updated, replaced, or obsoleted by other documents at any
#   time.  It is inappropriate to use Internet-Drafts as reference
#   material or to cite them other than as "work in progress."
#
#   The list of current Internet-Drafts can be accessed at
#   http://www.ietf.org/ietf/1id-abstracts.txt.
#
#   The list of Internet-Draft Shadow Directories can be accessed at
#   http://www.ietf.org/shadow.html.
#
#   This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
#   Copyright (C) The Internet Society (2004).
#
#Abstract
#
#   Password policy as described in this document is a set of rules that
#   controls how passwords are used and administered in Lightweight
#   Directory Access Protocol (LDAP) based directories.  In order to
#   improve the security of LDAP directories and make it difficult for
#   password cracking programs to break into directories, it is desirable
#   to enforce a set of rules on password usage.  These rules are made to
#
# [trimmed]
#
#5.  Schema used for Password Policy
#
#   The schema elements defined here fall into two general categories.  A
#   password policy object class is defined which contains a set of
#   administrative password policy attributes, and a set of operational
#   attributes are defined that hold general password policy state
#   information for each user.
#
#5.2 Attribute Types used in the pwdPolicy ObjectClass
#
#   Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1 pwdAttribute
#
#   This holds the name of the attribute to which the password policy is
#   applied.  For example, the password policy may be applied to the
#   userPassword attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
	NAME 'pwdAttribute'
	EQUALITY objectIdentifierMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

#5.2.2 pwdMinAge
#
#   This attribute holds the number of seconds that must elapse between
#   modifications to the password.  If this attribute is not present, 0
#   seconds is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
	NAME 'pwdMinAge'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.3 pwdMaxAge
#
#   This attribute holds the number of seconds after which a modified
#   password will expire.
#
#   If this attribute is not present, or if the value is 0 the password
#   does not expire.  If not 0, the value must be greater than or equal
#   to the value of the pwdMinAge.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
	NAME 'pwdMaxAge'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.4 pwdInHistory
#
#   This attribute specifies the maximum number of used passwords stored
#   in the pwdHistory attribute.
#
#   If this attribute is not present, or if the value is 0, used
#   passwords are not stored in the pwdHistory attribute and thus may be
#   reused.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
	NAME 'pwdInHistory'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.5 pwdCheckQuality
#
#   {TODO: Consider changing the syntax to OID.  Each OID will list a
#   quality rule (like min len, # of special characters, etc).  These
#   rules can be specified outside this document.}
#
#   {TODO: Note that even though this is meant to be a check that happens
#   during password modification, it may also be allowed to happen during
#   authN.  This is useful for situations where the password is encrypted
#   when modified, but decrypted when used to authN.}
#
#   This attribute indicates how the password quality will be verified
#   while being modified or added.  If this attribute is not present, or
#   if the value is '0', quality checking will not be enforced.  A value
#   of '1' indicates that the server will check the quality, and if the
#   server is unable to check it (due to a hashed password or other
#   reasons) it will be accepted.  A value of '2' indicates that the
#   server will check the quality, and if the server is unable to verify
#   it, it will return an error refusing the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
	NAME 'pwdCheckQuality'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.6 pwdMinLength
#
#   When quality checking is enabled, this attribute holds the minimum
#   number of characters that must be used in a password.  If this
#   attribute is not present, no minimum password length will be
#   enforced.  If the server is unable to check the length (due to a
#   hashed password or otherwise), the server will, depending on the
#   value of the pwdCheckQuality attribute, either accept the password
#   without checking it ('0' or '1') or refuse it ('2').

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
	NAME 'pwdMinLength'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.7 pwdExpireWarning
#
#   This attribute specifies the maximum number of seconds before a
#   password is due to expire that expiration warning messages will be
#   returned to an authenticating user.
#
#   If this attribute is not present, or if the value is 0 no warnings
#   will be returned.  If not 0, the value must be smaller than the value
#   of the pwdMaxAge attribute.
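# The following block is an added example, not code from OpenLDAP or from the
# draft: it models the decision a server makes on a password modification
# under pwdMinAge (5.2.2), pwdCheckQuality (5.2.5) and pwdMinLength (5.2.6),
# including the "hashed password" case in which the server cannot inspect the
# cleartext and the outcome depends on whether pwdCheckQuality is 1 or 2.
# The policy values, the scheme-prefix heuristic for "hashed", and the use of
# pwdChangedTime (the state attribute of 5.3.2) as the last-change timestamp
# are assumptions of the example.

```python
"""Password-modify decision under pwdMinAge / pwdCheckQuality / pwdMinLength.

Added example; not OpenLDAP's own code.  Policy values are assumed."""
from datetime import datetime, timezone


def parse_gtime(value: str) -> datetime:
    """Parse the GeneralizedTime form used on this page, e.g. 20000103121520Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_hashed(value: str) -> bool:
    """Assumption: a scheme-prefixed value such as {SSHA}... arrives already hashed,
    so the server cannot check its quality (the 'hashed password' case above)."""
    return value.startswith("{") and "}" in value


def evaluate_modify(new_value: str, policy: dict, last_changed: str = None,
                    now: datetime = None):
    """Return (accepted, reason) for a proposed new password value.

    Checks are applied in the order a server would: minimum age first, then
    quality.  'policy' holds the pwdPolicy attribute values (ints or strings)."""
    min_age = int(policy.get("pwdMinAge", 0))          # 5.2.2: absent means 0
    if min_age and last_changed is not None:
        age = (now - parse_gtime(last_changed)).total_seconds()
        if age < min_age:
            return False, f"pwdMinAge: only {int(age)}s since last change, {min_age}s required"

    quality = int(policy.get("pwdCheckQuality", 0))    # 5.2.5: absent means 0
    if quality == 0:
        return True, "accepted: quality checking not enforced (pwdCheckQuality 0)"

    if is_hashed(new_value):
        # Server cannot verify a pre-hashed value: 1 accepts it, 2 refuses it.
        if quality == 1:
            return True, "accepted: hashed value cannot be checked, pwdCheckQuality 1 accepts it"
        return False, "refused: hashed value cannot be checked, pwdCheckQuality 2 refuses it"

    min_length = int(policy.get("pwdMinLength", 0))    # 5.2.6: absent means no minimum
    if min_length and len(new_value) < min_length:
        return False, f"refused: {len(new_value)} characters, pwdMinLength is {min_length}"
    return True, "accepted: quality checks passed"


# Constructed policy for the demonstration (assumed values).
SAMPLE_POLICY = {"pwdMinAge": 86400, "pwdCheckQuality": 2, "pwdMinLength": 8}

if __name__ == "__main__":
    now = parse_gtime("20240303100000Z")
    for candidate in ("{SSHA}c2FtcGxl", "abc", "Tr0ub4dor&3"):
        print(candidate, evaluate_modify(candidate, SAMPLE_POLICY, "20240301100000Z", now))
```

# Run against an LDIF export, the same function tells you whether a modify
# would be refused before the client sees the error; the hashed case is the
# one that surprises people who pre-hash passwords client-side under quality 2.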

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
	NAME 'pwdExpireWarning'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.8 pwdGraceAuthNLimit
#
#   This attribute specifies the number of times an expired password can
#   be used to authenticate.  If this attribute is not present or if the
#   value is 0, authentication will fail.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
	NAME 'pwdGraceAuthNLimit'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.9 pwdLockout
#
#   This attribute indicates, when its value is "TRUE", that the password
#   may not be used to authenticate after a specified number of
#   consecutive failed bind attempts.  The maximum number of consecutive
#   failed bind attempts is specified in pwdMaxFailure.
#
#   If this attribute is not present, or if the value is "FALSE", the
#   password may be used to authenticate when the number of failed bind
#   attempts has been reached.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
	NAME 'pwdLockout'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

#5.2.10 pwdLockoutDuration
#
#   This attribute holds the number of seconds that the password cannot
#   be used to authenticate due to too many failed bind attempts.  If
#   this attribute is not present, or if the value is 0 the password
#   cannot be used to authenticate until reset by a password
#   administrator.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
	NAME 'pwdLockoutDuration'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.11 pwdMaxFailure
#
#   This attribute specifies the number of consecutive failed bind
#   attempts after which the password may not be used to authenticate.
#   If this attribute is not present, or if the value is 0, this policy
#   is not checked, and the value of pwdLockout will be ignored.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
	NAME 'pwdMaxFailure'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.12 pwdFailureCountInterval
#
#   This attribute holds the number of seconds after which the password
#   failures are purged from the failure counter, even though no
#   successful authentication occurred.
#
#   If this attribute is not present, or if its value is 0, the failure
#   counter is only reset by a successful authentication.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
	NAME 'pwdFailureCountInterval'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

#5.2.13 pwdMustChange
#
#   This attribute specifies with a value of "TRUE" that users must
#   change their passwords when they first bind to the directory after a
#   password is set or reset by a password administrator.  If this
#   attribute is not present, or if the value is "FALSE", users are not
#   required to change their password upon binding after the password
#   administrator sets or resets the password.  This attribute is not set
#   due to any actions specified by this document, it is typically set by
#   a password administrator after resetting a user's password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
	NAME 'pwdMustChange'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

#5.2.14 pwdAllowUserChange
#
#   This attribute indicates whether users can change their own
#   passwords, although the change operation is still subject to access
#   control.  If this attribute is not present, a value of "TRUE" is
#   assumed.  This attribute is intended to be used in the absence of an
#   access control mechanism.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
	NAME 'pwdAllowUserChange'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

#5.2.15 pwdSafeModify
#
#   This attribute specifies whether or not the existing password must be
#   sent along with the new password when being changed.  If this
#   attribute is not present, a "FALSE" value is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
	NAME 'pwdSafeModify'
	EQUALITY booleanMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE )

#ITS#8185 pwdMaxRecordedFailure
#
#   This attribute specifies the maximum number of consecutive failed bind
#   attempts to record.  If this attribute is not present, or if the value
#   is 0, it defaults to the value of pwdMaxFailure.  If that value is also
#   0, this value defaults to 5.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.30
	NAME 'pwdMaxRecordedFailure'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
	SINGLE-VALUE )

# HP extensions
#
# pwdCheckModule
#
#   This attribute names a user-defined loadable module that provides
#   a check_password() function.  If pwdCheckQuality is set to '1' or '2'
#   this function will be called after all of the internal password
#   quality checks have been passed.  The function has this prototype:
#
#   int check_password( char *password, char **errormessage, void *arg )
#
#   The function should return LDAP_SUCCESS for a valid password.
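# The following block is an added example, not code from OpenLDAP or from the
# draft: it reads a pwdPolicy entry from LDIF and reports the settings that
# the descriptions in 5.2.3, 5.2.4, 5.2.5/5.2.6, 5.2.7, 5.2.11 and ITS#8185
# above make ineffective or inconsistent (for example pwdLockout TRUE with
# pwdMaxFailure 0, or pwdExpireWarning not smaller than pwdMaxAge), with a
# weak policy beside a corrected one.  The two LDIF entries are constructed
# for the demonstration, and the minimal LDIF reader (no base64 "::" values,
# no line folding) is a simplification of the example, not an OpenLDAP API.

```python
"""Audit a pwdPolicy entry against the constraints stated in section 5.2.

Added example; not OpenLDAP's own code.  LDIF samples are constructed."""


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader: 'attr: value' lines into {attr: [values]}.
    Simplification: no base64 ('::') values and no continuation lines."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def first_int(entry: dict, name: str, default: int = 0) -> int:
    values = entry.get(name)
    return int(values[0]) if values else default


def first_bool(entry: dict, name: str, default: bool = False) -> bool:
    values = entry.get(name)
    return values[0].upper() == "TRUE" if values else default


def effective_max_recorded_failure(entry: dict) -> int:
    """ITS#8185 defaulting: pwdMaxRecordedFailure, else pwdMaxFailure, else 5."""
    return first_int(entry, "pwdMaxRecordedFailure") or first_int(entry, "pwdMaxFailure") or 5


def audit_policy(entry: dict) -> list:
    """Return (attribute, finding) pairs for settings that are inconsistent or
    silently ineffective under the rules of section 5.2."""
    findings = []
    if "pwdAttribute" not in entry:
        findings.append(("pwdAttribute", "missing; the pwdPolicy object class lists it as MUST"))
    min_age = first_int(entry, "pwdMinAge")
    max_age = first_int(entry, "pwdMaxAge")
    warning = first_int(entry, "pwdExpireWarning")
    if max_age and max_age < min_age:                      # 5.2.3
        findings.append(("pwdMaxAge", f"{max_age} is below pwdMinAge {min_age}"))
    if warning and (max_age == 0 or warning >= max_age):   # 5.2.7
        findings.append(("pwdExpireWarning", f"{warning} must be smaller than a non-zero pwdMaxAge ({max_age})"))
    if first_bool(entry, "pwdLockout") and first_int(entry, "pwdMaxFailure") == 0:   # 5.2.11
        findings.append(("pwdLockout", "TRUE but pwdMaxFailure is 0 or absent, so lockout is never applied"))
    if first_int(entry, "pwdInHistory") == 0:              # 5.2.4
        findings.append(("pwdInHistory", "0 or absent: used passwords are not stored and may be reused"))
    if first_int(entry, "pwdCheckQuality") == 0 and first_int(entry, "pwdMinLength"):   # 5.2.5, 5.2.6
        findings.append(("pwdMinLength", "set, but pwdCheckQuality is 0 so no quality checking is enforced"))
    return findings


# Constructed LDIF: a policy whose settings contradict each other ...
WEAK_POLICY_LDIF = """
dn: cn=weak,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 3600
pwdExpireWarning: 7200
pwdLockout: TRUE
pwdMaxFailure: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdMinLength: 12
"""

# ... and the corrected counterpart.
HARDENED_POLICY_LDIF = """
dn: cn=hardened,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 3600
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 900
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdGraceAuthNLimit: 0
pwdSafeModify: TRUE
"""

if __name__ == "__main__":
    for text in (WEAK_POLICY_LDIF, HARDENED_POLICY_LDIF):
        entry = parse_ldif_entry(text)
        print(entry["dn"][0], audit_policy(entry), effective_max_recorded_failure(entry))
```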

attributetype ( 1.3.6.1.4.1.4754.1.99.1
	NAME 'pwdCheckModule'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	DESC 'Loadable module that instantiates check_password() function'
	SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
	NAME 'pwdPolicyChecker'
	SUP top
	AUXILIARY
	MAY ( pwdCheckModule ) )

#5.1 The pwdPolicy Object Class
#
#   This object class contains the attributes defining a password policy
#   in effect for a set of users.  Section 10 describes the
#   administration of this object, and the relationship between it and
#   particular objects.
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
	NAME 'pwdPolicy'
	SUP top
	AUXILIARY
	MUST ( pwdAttribute )
	MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
	pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
	$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
	pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
	pwdMaxRecordedFailure ) )

#5.3 Attribute Types for Password Policy State Information
#
#   Password policy state information must be maintained for each user.
#   The information is located in each user entry as a set of operational
#   attributes.  These operational attributes are: pwdChangedTime,
#   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
#   pwdReset, pwdPolicySubEntry.
#
#5.3.1 Password Policy State Attribute Option
#
#   Since the password policy could apply to several attributes used to
#   store passwords, each of the above operational attributes must have
#   an option to specify which pwdAttribute it applies to.  The password
#   policy option is defined as the following:
#
#   pwd-<passwordAttribute>
#
#   where passwordAttribute a string following the OID syntax
#   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
#   (short name) MUST be used.
#
#   For example, if the pwdPolicy object has for pwdAttribute
#   "userPassword" then the pwdChangedTime operational attribute, in a
#   user entry, will be:
#
#   pwdChangedTime;pwd-userPassword: 20000103121520Z
#
#   This attribute option follows sub-typing semantics.  If a client
#   requests a password policy state attribute to be returned in a search
#   operation, and does not specify an option, all subtypes of that
#   policy state attribute are returned.
#
#5.3.2 pwdChangedTime
#
#   This attribute specifies the last time the entry's password was
#   changed.  This is used by the password expiration policy.  If this
#   attribute does not exist, the password will never expire.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.16
#      NAME 'pwdChangedTime'
#      DESC 'The time the password was last changed'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.3 pwdAccountLockedTime
#
#   This attribute holds the time that the user's account was locked.  A
#   locked account means that the password may no longer be used to
#   authenticate.  A 000001010000Z value means that the account has been
#   locked permanently, and that only a password administrator can unlock
#   the account.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.17
#      NAME 'pwdAccountLockedTime'
#      DESC 'The time an user account was locked'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.4 pwdFailureTime
#
#   This attribute holds the timestamps of the consecutive authentication
#   failures.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.19
#      NAME 'pwdFailureTime'
#      DESC 'The timestamps of the last consecutive authentication
#      failures'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.5 pwdHistory
#
#   This attribute holds a history of previously used passwords.  Values
#   of this attribute are transmitted in string format as given by the
#   following ABNF:
#
#   pwdHistory = time "#" syntaxOID "#" length "#" data
#
#   time       = <generalizedTimeString as specified in 6.14
#                 of [RFC2252]>
#
#   syntaxOID  = numericoid   ; the string representation of the
#                             ; dotted-decimal OID that defines the
#                             ; syntax used to store the password.
#                             ; numericoid is described in 4.1
#                             ; of [RFC2252].
#
#   length     = numericstring ; the number of octets in data.
#                              ; numericstring is described in 4.1
#                              ; of [RFC2252].
#
#   data       = <octets representing the password in the format
#                 specified by syntaxOID>.
#
#   This format allows the server to store, and transmit a history of
#   passwords that have been used.  In order for equality matching to
#   function properly, the time field needs to adhere to a consistent
#   format.  For this purpose, the time field MUST be in GMT format.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.20
#      NAME 'pwdHistory'
#      DESC 'The history of user s passwords'
#      EQUALITY octetStringMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#      USAGE directoryOperation )
#
#5.3.6 pwdGraceUseTime
#
#   This attribute holds the timestamps of grace authentications after a
#   password has expired.
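# The following block is an added example, not code from OpenLDAP or from the
# draft: a parser for the pwdHistory value format given by the ABNF in 5.3.5
# (time "#" syntaxOID "#" length "#" data), and a reuse check that applies
# pwdInHistory from 5.2.4 to the newest entries.  The length field is what
# makes the format unambiguous when data itself contains '#', so the parser
# splits on at most three separators and rejects a length that does not match
# the octet count; the GMT requirement on the time field is enforced as a
# trailing 'Z'.  The {SSHA} encoding (base64 of SHA-1 digest followed by the
# salt) and the constructed history values are assumptions of the example;
# the syntax OID is the octet-string syntax listed for pwdHistory above.

```python
"""pwdHistory value parsing (5.3.5) and reuse checking against pwdInHistory (5.2.4).

Added example; not OpenLDAP's own code.  History values are constructed."""
import base64
import hashlib
import re

NUMERICOID = re.compile(r"^\d+(\.\d+)*$")
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"   # syntax OID listed for pwdHistory


def ssha(password: str, salt: bytes) -> str:
    """{SSHA} value: base64(sha1(password + salt) + salt).  Assumed encoding."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_stored(candidate: str, stored: str) -> bool:
    """Compare a cleartext candidate with one stored history value.
    Handles {SSHA} and cleartext storage; other schemes are not handled here."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    return candidate == stored


def parse_pwd_history(value: str) -> dict:
    """Parse one pwdHistory value per the 5.3.5 ABNF; raise ValueError if malformed."""
    parts = value.split("#", 3)            # data may contain '#', so split at most 3 times
    if len(parts) != 4:
        raise ValueError("expected time#syntaxOID#length#data")
    time, syntax_oid, length, data = parts
    if not (len(time) == 15 and time.endswith("Z") and time[:14].isdigit()):
        raise ValueError("time must be a GMT GeneralizedTime such as 20000103121520Z")
    if not NUMERICOID.match(syntax_oid):
        raise ValueError("syntaxOID must be a dotted-decimal numericoid")
    if not length.isdigit() or int(length) != len(data.encode()):
        raise ValueError("length must equal the number of octets in data")
    return {"time": time, "syntaxOID": syntax_oid, "length": int(length), "data": data}


def history_value_is_valid(value: str) -> bool:
    try:
        parse_pwd_history(value)
        return True
    except ValueError:
        return False


def password_in_history(candidate: str, history_values: list, in_history: int) -> bool:
    """5.2.4: with pwdInHistory 0 nothing is kept and reuse is allowed; otherwise
    only the newest pwdInHistory entries count.  Same-length GMT timestamps sort
    correctly as strings."""
    if in_history == 0:
        return False
    parsed = sorted((parse_pwd_history(v) for v in history_values),
                    key=lambda h: h["time"], reverse=True)
    return any(verify_stored(candidate, h["data"]) for h in parsed[:in_history])


def history_value(time: str, data: str) -> str:
    """Encode one pwdHistory value; length is the octet count of data."""
    return f"{time}#{OCTET_STRING_SYNTAX}#{len(data.encode())}#{data}"


# Constructed history: one {SSHA} entry and one cleartext entry containing '#'.
SAMPLE_HISTORY = [
    history_value("20231001120000Z", ssha("Winter2023!", b"saltsalt")),
    history_value("20230601120000Z", "pass#word"),
]

if __name__ == "__main__":
    for v in SAMPLE_HISTORY:
        print(parse_pwd_history(v))
    print(password_in_history("Winter2023!", SAMPLE_HISTORY, 5))
```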
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.21
#      NAME 'pwdGraceUseTime'
#      DESC 'The timestamps of the grace authentication after the
#      password has expired'
#      EQUALITY generalizedTimeMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.7 pwdReset
#
#   This attribute holds a flag to indicate (when TRUE) that the password
#   has been updated by the password administrator and must be changed by
#   the user on first authentication.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.22
#      NAME 'pwdReset'
#      DESC 'The indication that the password has been reset'
#      EQUALITY booleanMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.8 pwdPolicySubentry
#
#   This attribute points to the pwdPolicy subentry in effect for this
#   object.
#
#      ( 1.3.6.1.4.1.42.2.27.8.1.23
#      NAME 'pwdPolicySubentry'
#      DESC 'The pwdPolicy subentry in effect for this object'
#      EQUALITY distinguishedNameMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#
#Disclaimer of Validity
#
#   This document and the information contained herein are provided on an
#   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
#   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
#   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
#   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
#   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
#   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
#   Copyright (C) The Internet Society (2004).  This document is subject
#   to the rights, licenses and restrictions contained in BCP 78, and
#   except as set forth therein, the authors retain all their rights.
