ITS#9156 Document corner cases and omissions

2024-12-15 03:01:09 +08:00 · 2019-10-24 14:18:13 +01:00 · 2019-10-24 14:18:13 +01:00 · 2b007d01db
commit 2b007d01db
parent 44191183be
2 changed files with 53 additions and 10 deletions
--- a/doc/drafts/draft-behera-ldap-password-policy-xx.txt
+++ b/doc/drafts/draft-behera-ldap-password-policy-xx.txt
@ -829,7 +829,7 @@ Internet-Draft    Password Policy for LDAP Directories         July 2014
   the value is 0, there is no time limit on the grace authentications.

         ( 1.3.6.1.4.1.42.2.27.8.1.30
-         NAME 'pwdGraceExpire'
+         NAME 'pwdGraceExpiry'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
--- a/doc/drafts/draft-behera-ldap-password-policy-xx.xml
+++ b/doc/drafts/draft-behera-ldap-password-policy-xx.xml
@ -296,7 +296,7 @@
  </section>


-  <section title="Password Quality and Minimum length">
+  <section title="Password Quality and length constraints">

   <t>In order to prevent users from creating or updating passwords that
   are easy to guess, a password quality policy may be employed.  This
@ -800,6 +800,23 @@
      SINGLE-VALUE )
 	</artwork></figure>
  </section>
+
+
+  <section title="pwdMaxRecordedFailure">
+
+   <t>This attribute specifies the number of failures kept on record
+   for each user and should be equal to or higher than pwdMaxFailure.
+   If not set or is 0, it is deemed equal to pwdMaxFailure.</t>
+
+	<figure><artwork>
+      ( 1.3.6.1.4.1.42.2.27.8.1.32
+      NAME 'pwdMaxRecordedFailure'
+      EQUALITY integerMatch
+      ORDERING integerOrderingMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+	</artwork></figure>
+  </section>
 </section>


@ -1106,7 +1123,8 @@
         insufficientPasswordQuality (5),
         passwordTooShort            (6),
         passwordTooYoung            (7),
-         passwordInHistory           (8) } OPTIONAL }
+         passwordInHistory           (8),
+         passwordTooLong             (9) } OPTIONAL }
 	</artwork></figure>

   <t>The timeBeforeExpiration warning specifies the number of seconds
@ -1159,7 +1177,8 @@

   <t>The current time is greater than or equal to the value of the
   pwdLastSuccess attribute added to the value of the pwdMaxIdle
-   attribute.</t>
+   attribute. If pwdLastSuccess attribute is not present, pwdChangedTime
+   value is used instead.</t>

   <t>The current time is less than the value of the
      pwdAccountLockedTime attribute added to the value of the
@ -1520,6 +1539,22 @@
      resultCode: constraintViolation (19), and includes the
      passwordPolicyResponse in the controls field of the response
      message with the error: passwordTooShort (6).</t>
+
+   <t>checks the value of the pwdMaxLength attribute.  If the value is
+      non-zero, it ensures that the new password is of at most the
+      maximum length.<vspace blankLines="1"/>
+      If the server is unable to check the length (due to a hashed
+      password or otherwise), the value of pwdCheckQuality is evaluated.
+      If the value is 1, operation continues.  If the value is 2, the
+      server sends a response message to the client with the resultCode:
+      constraintViolation (19), and includes the passwordPolicyResponse
+      in the controls field of the response message with the error:
+      passwordTooLong (9).<vspace blankLines="1"/>
+      If the server is able to check the password length, and the check
+      fails, the server sends a response message to the client with the
+      resultCode: constraintViolation (19), and includes the
+      passwordPolicyResponse in the controls field of the response
+      message with the error: passwordTooLong (9).</t>
 	</list></t>
  </section>

@ -1557,8 +1592,8 @@
   set to TRUE.  Otherwise, the pwdReset is removed from the user's
   entry if it exists.</t>

-   <t>The pwdFailureTime and pwdGraceUseTime attributes is removed from the
-   user's entry if they exist.</t>
+   <t>The pwdFailureTime, pwdGraceUseTime, pwdLastSuccess attributes are
+   removed from the user's entry if they exist.</t>
  </section>
 </section>

@ -1672,6 +1707,10 @@
   <t>pwdModResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = passwordInHistory (8): The password
      has already been used; the user must choose a different one.</t>
+
+   <t>pwdModResponse.resultCode = constraintViolation (19),
+      passwordPolicyResponse.error = passwordTooLong (9): The length of
+      the password is too long.</t>
 	</list></t>
  </section>
 </section>
@ -1695,6 +1734,10 @@
   <t>addResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = passwordTooShort (6): The length of
      the password is too short.</t>
+
+   <t>addResponse.resultCode = constraintViolation (19),
+      passwordPolicyResponse.error = passwordTooLong (9): The length of
+      the password is too long.</t>
 	</list></t>
 </section>

@ -1806,10 +1849,10 @@
   doesn't have to be replicated to a read-only replica, since the
   password will never be directly modified on this server.</t>

-   <t>The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
-   attributes SHOULD be replicated to writable replicas, making the
-   password policy global for all servers.  When the user entry is
-   replicated to a read-only replica, these attributes SHOULD NOT be
+   <t>The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
+   pwdLastSuccess attributes SHOULD be replicated to writable replicas,
+   making the password policy global for all servers.  When the user entry
+   is replicated to a read-only replica, these attributes SHOULD NOT be
   replicated.  This means that the number of failures, of grace
   authentications and the locking will take place on each replicated
   server.  For example, the effective number of failed attempts on a