ITS#9156 Document ppolicy changes

2025-03-07 14:18:15 +08:00 · 2019-10-28 12:14:03 +00:00 · 2019-10-28 12:14:03 +00:00 · ba290f1c35
commit ba290f1c35
parent 373e497b0e
1 changed files with 204 additions and 12 deletions
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@ -100,12 +100,13 @@ object class.  The definition of that class is as follows:
    MUST ( pwdAttribute )
    MAY (
        pwdMinAge $ pwdMaxAge $ pwdInHistory $
-        pwdCheckQuality $ pwdMinLength $
+        pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
        pwdExpireWarning $ pwdGraceAuthnLimit $
-        pwdLockout $ pwdLockoutDuration $
+        pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
        pwdMaxFailure $ pwdFailureCountInterval $
        pwdMustChange $ pwdAllowUserChange $
-        pwdSafeModify $ pwdMaxRecordedFailure ) )
+        pwdSafeModify $ pwdMaxRecordedFailure $
        pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
 .RE
 This implementation also provides an additional
@ -117,7 +118,7 @@ objectclass, used for password quality checking (see below).
    NAME 'pwdPolicyChecker'
    AUXILIARY
    SUP top
-    MAY ( pwdCheckModule ) )
+    MAY ( pwdCheckModule $ pwdCheckModuleArg ) )
 .RE
 .P
 Every account that should be subject to password policy control should
@ -260,6 +261,34 @@ is two (2)).
   SINGLE\-VALUE )
 .RE
 .B pwdMaxLength
 .P
 When syntax checking is enabled
 (see also the
 .B pwdCheckQuality
 attribute), this attribute contains the maximum
 number of characters that will be accepted in a password. If this
 attribute is not present, maximum password length is not
 enforced. If the server is unable to check the length of the password,
 whether due to a client-side hashed password or some other reason,
 the server will, depending on the
 value of
 .BR pwdCheckQuality ,
 either accept the password
 without checking it (if
 .B pwdCheckQuality
 is zero (0) or one (1)) or refuse it (if
 .B pwdCheckQuality
 is two (2)).
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.31
   NAME 'pwdMaxLength'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE\-VALUE )
 .RE
 .B pwdExpireWarning
 .P
 This attribute contains the maximum number of seconds before a
@ -292,6 +321,22 @@ directory.
   SINGLE\-VALUE )
 .RE
 .B pwdGraceExpiry
 .P
 This attribute specifies the number of seconds the grace
 authentications are valid.  If this attribute is not present or if
 the value is zero (0), there is no time limit on the grace
 authentications.
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.30
   NAME 'pwdGraceExpiry'
   EQUALITY integerMatch
   ORDERING integerOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE\-VALUE )
 .RE
 .B pwdLockout
 .P
 This attribute specifies the action that should be taken
@ -378,7 +423,7 @@ to the value of
 If that value is also 0, the default is 5.
 .LP
 .RS 4
-(  1.3.6.1.4.1.42.2.27.8.1.16
+(  1.3.6.1.4.1.42.2.27.8.1.32
   NAME 'pwdMaxRecordedFailure'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
@ -477,7 +522,76 @@ along with the new password.
   SINGLE\-VALUE )
 .RE
-.B pwdCheckModule
+.B pwdMinDelay
 .P
 This attribute specifies the number of seconds to delay responding to
 the first failed authentication attempt.  If this attribute is not
 set or is zero (0), no delays will be used.
 .B pwdMaxDelay
 must also be specified if
 .B pwdMinDelay
 is set.
 Note that this implementation uses a variable lockout instead of
 delaying the bind response.
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.24
   NAME 'pwdMinDelay'
   EQUALITY integerMatch
   ORDERING integerOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE\-VALUE )
 .RE
 .B pwdMaxDelay
 .P
 This attribute specifies the maximum number of seconds to delay when
 responding to a failed authentication attempt.  The time specified in
 .B pwdMinDelay
 is used as the starting time and is then doubled on each failure until
 the delay time is greater than or equal to
 .B pwdMaxDelay
 (or a successful authentication occurs, which resets the failure
 counter).
 .B pwdMinDelay
 must also be specified if
 .B pwdMaxDelay
 is set.
 Note that this implementation uses a variable lockout instead of
 delaying the bind response.
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.25
   NAME 'pwdMaxDelay'
   EQUALITY integerMatch
   ORDERING integerOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE\-VALUE )
 .RE
 .B pwdMaxIdle
 .P
 This attribute specifies the number of seconds an account may remain
 unused before it becomes locked.  If this attribute is not set or is
 zero (0), no check is performed. For this to be enforced,
 .B lastbind
 functionality needs to be enabled on the database, that is
 .B olcLastBind
 is set to
 .BR TRUE .
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.26
   NAME 'pwdMaxIdle'
   EQUALITY integerMatch
   ORDERING integerOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE\-VALUE )
 .RE
 .BR pwdCheckModule / pwdCheckModuleArg
 .P
 This attribute names a user-defined loadable module that must
 instantiate the check_password() function.  This function
@ -490,7 +604,7 @@ function prototype:
 .RS 4
 int
 .I check_password
-(char *pPasswd, char **ppErrStr, Entry *pEntry);
+(char *pPasswd, char **ppErrStr, Entry *pEntry, struct berval *pArg);
 .RE
 The
 .B pPasswd
@ -498,10 +612,20 @@ parameter contains the clear-text user password, the
 .B ppErrStr
 parameter contains a double pointer that allows the function
 to return human-readable details about any error it encounters.
-The optional
+
 The
 .B pEntry
-parameter, if non-NULL, carries a pointer to the
+parameter is optional, if non-NULL, carries a pointer to the
 entry whose password is being checked.
 The optional
 .B pArg
 parameter points to a
 .B struct berval
 containing the value of
 .B pwdCheckModuleArg
 in the effective password policy, if set, otherwise NULL.
 If
 .B ppErrStr
 is NULL, then 
@ -522,6 +646,13 @@ be free()'d by slapd.
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE\-VALUE )
 ( 1.3.6.1.4.1.4754.1.99.2
   NAME 'pwdCheckModuleArg'
   EQUALITY octetStringMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   DESC 'Argument to pass to check_password() function'
   SINGLE\-VALUE )
 .RE
 .P
 Note: 
@ -735,6 +866,7 @@ field is in GMT format.
 .RE
 .B pwdGraceUseTime
 This attribute contains the list of timestamps of logins made after
 the user password in the DN has expired.  These post-expiration
 logins are known as "\fIgrace logins\fP".
@ -780,6 +912,66 @@ administrative reset.
   USAGE directoryOperation)
 .RE
 .B pwdStartTime
 This attribute specifies the time the entry's password becomes valid
 for authentication.  Authentication attempts made before this time
 will fail.  If this attribute does not exist, then no restriction
 applies.
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.27
   NAME 'pwdStartTime'
   DESC 'The time the password becomes enabled'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   SINGLE\-VALUE
   NO\-USER\-MODIFICATION
   USAGE directoryOperation )
 .RE
 .B pwdEndTime
 This attribute specifies the time the entry's password becomes
 invalid for authentication.  Authentication attempts made after this
 time will fail, regardless of expiration or grace settings.  If this
 attribute does not exist, then this restriction does not apply.
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.28
   NAME 'pwdEndTime'
   DESC 'The time the password becomes disabled'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   SINGLE\-VALUE
   NO\-USER\-MODIFICATION
   USAGE directoryOperation )
 .RE
 Note that pwdStartTime may be set to a time greater than or equal to
 pwdEndTime; this simply disables the account.
 .B pwdAccountTmpLockoutEnd
 .P
 This attribute that the user's password has been locked out temporarily
 according to the
 .B pwdMinDelay
 policy option and when the lockout ends.
 .LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.33
   NAME 'pwdAccountTmpLockoutEnd'
   DESC 'Temporary lockout end'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   SINGLE\-VALUE
   NO\-USER\-MODIFICATION
   USAGE directoryOperation )
 .RE
 .SH EXAMPLES
 .LP
 .RS
@ -802,7 +994,7 @@ ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
 .LP
 IETF LDAP password policy proposal by P. Behera, L.  Poitou and J.
 Sermersheim:  documented in IETF document
-"draft-behera-ldap-password-policy-09.txt".
+"draft-behera-ldap-password-policy-10.txt".
 .SH BUGS
 The LDAP Password Policy specification is not yet an approved standard,
@ -821,7 +1013,7 @@ IETF LDAP password policy proposal by P. Behera, L.
 Poitou and J. Sermersheim.
 The proposal is fully documented in
 the
-IETF document named draft-behera-ldap-password-policy-09.txt,
+IETF document named draft-behera-ldap-password-policy-10.txt,
-written in July of 2005.
+written in August of 2009.
 .P
 .so ../Project