ITS#9156 Document corner cases and omissions

This commit is contained in:
Ondřej Kuzník 2019-10-24 14:18:13 +01:00
parent 44191183be
commit 2b007d01db
2 changed files with 53 additions and 10 deletions

View File

@ -829,7 +829,7 @@ Internet-Draft Password Policy for LDAP Directories July 2014
the value is 0, there is no time limit on the grace authentications.
( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpire'
NAME 'pwdGraceExpiry'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

View File

@ -296,7 +296,7 @@
</section>
<section title="Password Quality and Minimum length">
<section title="Password Quality and length constraints">
<t>In order to prevent users from creating or updating passwords that
are easy to guess, a password quality policy may be employed. This
@ -800,6 +800,23 @@
SINGLE-VALUE )
</artwork></figure>
</section>
<section title="pwdMaxRecordedFailure">
<t>This attribute specifies the number of failures kept on record
for each user and should be equal to or higher than pwdMaxFailure.
If not set or is 0, it is deemed equal to pwdMaxFailure.</t>
<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.32
NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
</artwork></figure>
</section>
</section>
@ -1106,7 +1123,8 @@
insufficientPasswordQuality (5),
passwordTooShort (6),
passwordTooYoung (7),
passwordInHistory (8) } OPTIONAL }
passwordInHistory (8),
passwordTooLong (9) } OPTIONAL }
</artwork></figure>
<t>The timeBeforeExpiration warning specifies the number of seconds
@ -1159,7 +1177,8 @@
<t>The current time is greater than or equal to the value of the
pwdLastSuccess attribute added to the value of the pwdMaxIdle
attribute.</t>
attribute. If pwdLastSuccess attribute is not present, pwdChangedTime
value is used instead.</t>
<t>The current time is less than the value of the
pwdAccountLockedTime attribute added to the value of the
@ -1520,6 +1539,22 @@
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: passwordTooShort (6).</t>
<t>checks the value of the pwdMaxLength attribute. If the value is
non-zero, it ensures that the new password is of at most the
maximum length.<vspace blankLines="1"/>
If the server is unable to check the length (due to a hashed
password or otherwise), the value of pwdCheckQuality is evaluated.
If the value is 1, operation continues. If the value is 2, the
server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
passwordTooLong (9).<vspace blankLines="1"/>
If the server is able to check the password length, and the check
fails, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: passwordTooLong (9).</t>
</list></t>
</section>
@ -1557,8 +1592,8 @@
set to TRUE. Otherwise, the pwdReset is removed from the user's
entry if it exists.</t>
<t>The pwdFailureTime and pwdGraceUseTime attributes is removed from the
user's entry if they exist.</t>
<t>The pwdFailureTime, pwdGraceUseTime, pwdLastSuccess attributes are
removed from the user's entry if they exist.</t>
</section>
</section>
@ -1672,6 +1707,10 @@
<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordInHistory (8): The password
has already been used; the user must choose a different one.</t>
<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooLong (9): The length of
the password is too long.</t>
</list></t>
</section>
</section>
@ -1695,6 +1734,10 @@
<t>addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooShort (6): The length of
the password is too short.</t>
<t>addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooLong (9): The length of
the password is too long.</t>
</list></t>
</section>
@ -1806,10 +1849,10 @@
doesn't have to be replicated to a read-only replica, since the
password will never be directly modified on this server.</t>
<t>The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
attributes SHOULD be replicated to writable replicas, making the
password policy global for all servers. When the user entry is
replicated to a read-only replica, these attributes SHOULD NOT be
<t>The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
pwdLastSuccess attributes SHOULD be replicated to writable replicas,
making the password policy global for all servers. When the user entry
is replicated to a read-only replica, these attributes SHOULD NOT be
replicated. This means that the number of failures, of grace
authentications and the locking will take place on each replicated
server. For example, the effective number of failed attempts on a