mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC '' "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2195 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2195.xml'>
<!ENTITY rfc4422 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4422.xml'>
<!ENTITY rfc4511 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4511.xml'>
<!ENTITY rfc4512 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4512.xml'>
<!ENTITY rfc4513 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4513.xml'>
<!ENTITY rfc4517 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4517.xml'>
<!ENTITY rfc2831 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2831.xml'>
<!ENTITY rfc3062 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3062.xml'>
<!ENTITY rfc4520 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4520.xml'>
<!ENTITY rfc3672 PUBLIC '' 'http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3672.xml'>
]>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.ietf.org/authoring/rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocdepth="2" ?>
<?rfc tocindent="no" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<rfc category="std" ipr="trust200902" docName="draft-behera-ldap-password-policy-11">

<front>
<title>Password Policy for LDAP Directories</title>

<author initials="J." fullname="Jim Sermersheim" surname="Sermersheim">
<organization>Novell, Inc</organization>
<address>
<postal>
<street>1800 South Novell Place</street>
<city>Provo</city>
<region>Utah</region>
<code>84606</code>
<country>US</country>
</postal>
<phone>+1 801 861-3088</phone>
<email>jimse@novell.com</email>
</address>
</author>

<author initials="L." fullname="Ludovic Poitou" surname="Poitou">
<organization>Sun Microsystems</organization>
<address>
<postal>
<street>180, Avenue de l'Europe</street>
<city>Zirst de Montbonnot</city> <code>38334</code> <region>Saint Ismier cedex</region>
<country>FR</country>
</postal>
<phone>+33 476 188 212</phone>
<email>ludovic.poitou@sun.com</email>
</address>
</author>

<author initials="H." fullname="Howard Chu" surname="Chu" role="editor">
<organization>Symas Corp.</organization>
<address>
<postal>
<street>18740 Oxnard Street, Suite 313A</street>
<city>Tarzana</city>
<region>California</region>
<code>91356</code>
<country>US</country>
</postal>
<phone>+1 818 757-7087</phone>
<email>hyc@symas.com</email>
</address>
</author>

<date year="2014" month="July"/>

<abstract>
<t>
Password policy as described in this document is a set of rules that
controls how passwords are used and administered in Lightweight
Directory Access Protocol (LDAP) based directories. In order to
improve the security of LDAP directories and make it difficult for
password cracking programs to break into directories, it is desirable
to enforce a set of rules on password usage. These rules are made to
ensure that users change their passwords periodically, passwords meet
construction requirements, the re-use of old passwords is restricted,
and to deter password guessing attacks.
</t>
</abstract>
</front>

<middle>

<section title="Overview">

<t>LDAP-based directory services are currently accepted by many
organizations as the access protocol for directories. The ability to
ensure secure read and update access to directory information
throughout the network is essential to successful deployment.
Most LDAP implementations support many authentication schemes; the
most basic and widely used is simple authentication, i.e., user DN
and password. For this case, many LDAP servers have implemented some
kind of policy related to the password used to authenticate. Among
other things, this policy includes:
<list style="symbols">
<t>Whether and when passwords expire.</t>
<t>Whether failed bind attempts cause the account to be locked.</t>
<t>If and how users are able to change their passwords.</t>
</list>
</t>

<t>In order to achieve greater security protection and ensure
interoperability in a heterogeneous environment, LDAP needs to
standardize on a common password policy model. This is critical to
the successful deployment of LDAP directories.</t>

</section>

<section title="Conventions">

<t>Imperative keywords defined in <xref target="RFC2119"/> are used in this document,
and carry the meanings described there.</t>

<t>All ASN.1 <xref target="X.680"/> Basic Encoding Rules (BER) <xref target="X.690"/> encodings follow the
conventions found in Section 5.1 of <xref target="RFC4511"/>.</t>

<t>The term "password administrator" refers to a user that has
sufficient access control privileges to modify users' passwords. The
term "password policy administrator" refers to a user that has
sufficient access control privileges to modify the pwdPolicy object
defined in this document. The access control that is used to
determine whether an identity is a password administrator or password
policy administrator is beyond the scope of this document, but
typically implies that the password administrator has 'write'
privileges to the password attribute.</t>

</section>

<section title="Application of Password Policy">

<t>The password policy defined in this document can be applied to any
attribute holding a user's password used for an authenticated LDAP
bind operation. In this document, the term "user" represents any
LDAP client application that has an identity in the directory.</t>

<t>This policy is typically applied to the userPassword attribute in the
case of the LDAP simple authentication method <xref target="RFC4511"/> or the case
of password based SASL <xref target="RFC4422"/> authentication such as CRAM-MD5
<xref target="RFC2195"/> and DIGEST-MD5 <xref target="RFC2831"/>.</t>

<t>The policy described in this document assumes that the password
attribute holds a single value. No considerations are made for
directories or systems that allow a user to maintain multi-valued
password attributes.</t>

<t>Server implementations MAY institute internal policy whereby certain
identities (such as directory administrators) are not forced to
comply with any password policy. In this case, the password for a
directory administrator never expires, the account is never locked,
etc.</t>

</section>

<section title="Articles of Password Policy">

<t>The following sections explain in general terms each aspect of the
password policy defined in this document as well as the need for
each. These policies are subdivided into the general groups of
password usage and password modification. Implementation details are
presented in <xref target="server_enforce"/> and <xref target="client_enforce"/>.</t>

<section title="Password Usage Policy">

<t>This section describes policy enforced when a password is used to
authenticate. The general focus of this policy is to minimize the
threat of intruders once a password is in use.</t>

<section title="Password Validity Policy">

<t>These mechanisms allow account usage to be controlled independent
of any password expiration policies. The policy defines the absolute
period of time for which an account may be used. This
allows an administrator to define an absolute starting time after which
a password becomes valid, and an absolute ending time after which the
password is disabled.</t>

<t>A mechanism is also provided to define the period of time for which
an account may remain unused before being disabled.</t>

</section>

<section title="Password Guessing Limit">

<t>In order to prevent intruders from guessing a user's password, a
mechanism exists to track the number of consecutive failed
authentication attempts, and take action when a limit is reached.
This policy consists of several parts:
<list style="symbols">
<t>A counter to track the number of failed authentication attempts.</t>
<t>The amount of time to delay on the first authentication failure.</t>
<t>The maximum amount of time to delay on subsequent failures.</t>
<t>A timeframe in which the limit of consecutive failed
authentication attempts must happen before action is taken.</t>
<t>A configurable limit on failed authentication attempts.</t>
<t>The action to be taken when the limit is reached. The action will
either be nothing, or the account will be locked.</t>
<t>An amount of time the account is locked (if it is to be locked).
This can be indefinite.</t>
</list> </t>

<t>Note that using the account lock feature provides an easy
avenue for Denial-of-Service (DoS) attacks on user accounts. While
some sites' policies require accounts to be locked, this feature is
discouraged in favor of delaying each failed login attempt.</t>

<t>The delay time will be doubled on each subsequent failure, until it
reaches the maximum time configured.</t>

<t>[TBD: we could also provide a syntax for configuring a backoff
algorithm. E.g. "+&lt;int&gt;" for linearly incrementing delay,
"x&lt;int&gt;" for constant multiplier, "^&lt;int&gt;" for geometric.
But it's probably overkill to add a calculator
language to the server.]</t>

</section>

</section>

<section title="Password Modification Policy">

<t>This section describes policy enforced while users are modifying
passwords. The general focus of this policy is to ensure that when
users add or change their passwords, the security and effectiveness
of their passwords is maximized. In this document, the term "modify
password operation" refers to any operation that is used to add or
modify a password attribute. Often this is done by updating the
password attribute during an add or modify operation, but MAY be done
by other means such as an extended operation.</t>

<section title="Password Expiration, Expiration Warning, and Grace
Authentications">

<t>One of the key properties of a password is the fact that it is not
well known. If a password is frequently changed, the chances of that
user's account being broken into are minimized.</t>

<t>Password policy administrators may deploy a password policy that
causes passwords to expire after a given amount of time, thus
forcing users to change their passwords periodically.</t>

<t>As a side effect, there needs to be a way in which users are made
aware of this need to change their password before actually being
locked out of their accounts. One or both of the following methods
handle this:
<list style="symbols">
<t>A warning may be returned to the user sometime before his password
is due to expire. If the user fails to heed this warning before
the expiration time, his account will be locked.</t>
<t>The user may bind to the directory a preset number of times after
her password has expired. If she fails to change her password
during one of her 'grace' authentications, her account will be
locked.</t>
</list></t>

</section>

<section title="Password History">

<t>When the Password Expiration policy is used, an additional mechanism
may be employed to prevent users from simply re-using a previous
password (as this would effectively circumvent the expiration
policy).</t>

<t>To do this, a history of used passwords is kept. The
password policy administrator sets the number of passwords to be
stored at any given time. Passwords are stored in this history
whenever the password is changed. Users aren't allowed to specify
any passwords that are in the history list while changing passwords.</t>

</section>

<section title="Password Minimum Age">

<t>Users may circumvent the Password History mechanism by quickly
performing a series of password changes. If they change their
password enough times, their 'favorite' password will be pushed out
of the history list.</t>

<t>This process may be made less attractive to users by employing a
minimum age for passwords. If users are forced to wait 24 hours
between password changes, they may be less likely to cycle through a
history of 10 passwords.</t>

</section>

<section title="Password Quality and length constraints">

<t>In order to prevent users from creating or updating passwords that
are easy to guess, a password quality policy may be employed. This
policy consists of two general mechanisms: ensuring that passwords
conform to a defined quality criterion and ensuring that they are of
a minimum length.</t>

<t>Forcing a password to comply with the quality policy may imply a
variety of things including:
<list style="symbols">
<t>Disallowing trivial or well-known words from making up the password.</t>
<t>Forcing a certain number of digits to be used.</t>
<t>Disallowing anagrams of the user's name.</t></list></t>

<t>The implementation of this policy meets with the following problems:
<list style="symbols">
<t>If the password to be added or updated is encrypted by the client
before being sent, the server has no way of enforcing this policy.
Therefore, the onus of enforcing this policy falls upon client
implementations.</t>
<t>There are no specific definitions of what 'quality checking'
means. This can lead to unexpected behavior in a heterogeneous
environment.</t></list></t>

</section>

<section title="User Defined Passwords">

<t>In some cases, it is desirable to disallow users from adding and
updating their own passwords. This policy makes this functionality
possible.</t>

</section>

<section title="Password Change after Reset">

<t>This policy forces the user to update her password after it has been
set for the first time, or has been reset by a password
administrator.</t>

<t>This is needed in scenarios where a password administrator has set or
reset the password to a well-known value.</t>

</section>

<section title="Safe Modification">

<t>As directories become more commonly used, it will not be unusual for
clients to connect to a directory and leave the connection open for
an extended period. This opens up the possibility for an intruder to
make modifications to a user's password while that user's computer is
connected but unattended.</t>

<t>This policy forces the user to prove his identity by specifying the
old password during a password modify operation.</t>

<t>{TODO: This allows a dictionary attack unless we specify that this is
also subject to intruder detection. One solution is to require users
to authN prior to changing password. Another solution is to perform
intruder detection checks when the password for a non-authenticated
identity is being updated}</t>

</section>

</section>

<section title="Restriction of the Password Policy">

<t>The password policy defined in this document can apply to any
attribute containing a password. Password policy state information
is held in the user's entry, and applies to a password attribute, not
a particular password attribute value. Thus the server SHOULD
enforce that the password attribute subject to password policy
contains one and only one password value.</t>

</section>

</section>

<section title="Schema used for Password Policy">

<t>The schema elements defined here fall into two general categories. A
password policy object class is defined which contains a set of
administrative password policy attributes, and a set of operational
attributes are defined that hold general password policy state
information for each user.</t>

<section title="The pwdPolicy Object Class">

<t>This object class contains the attributes defining a password policy
in effect for a set of users. <xref target="admin"/> describes the
administration of this object, and the relationship between it and
particular objects.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.2.1
    NAME 'pwdPolicy'
    SUP top
    AUXILIARY
    MUST ( pwdAttribute )
    MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
        pwdMinLength $ pwdMaxLength $ pwdExpireWarning $
        pwdGraceAuthNLimit $ pwdGraceExpiry $ pwdLockout $
        pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
        pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
        pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
</artwork></figure>

</section>

<section title="Attribute Types used in the pwdPolicy ObjectClass">

<t>Following are the attribute types used by the pwdPolicy object class.</t>

<section title="pwdAttribute">

<t>This holds the name of the attribute to which the password policy is
applied. For example, the password policy may be applied to the
userPassword attribute.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.1
    NAME 'pwdAttribute'
    EQUALITY objectIdentifierMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
</artwork></figure>

</section>

<section title="pwdMinAge">

<t>This attribute holds the number of seconds that must elapse between
modifications to the password. If this attribute is not present, 0
seconds is assumed.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.2
    NAME 'pwdMinAge'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMaxAge">

<t>This attribute holds the number of seconds after which a modified
password will expire.</t>

<t>If this attribute is not present, or if the value is 0, the password
does not expire. If not 0, the value must be greater than or equal
to the value of the pwdMinAge.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.3
    NAME 'pwdMaxAge'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdInHistory">

<t>This attribute specifies the maximum number of used passwords stored
in the pwdHistory attribute.</t>

<t>If this attribute is not present, or if the value is 0, used
passwords are not stored in the pwdHistory attribute and thus may be
reused.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.4
    NAME 'pwdInHistory'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdCheckQuality">

<t>{TODO: Consider changing the syntax to OID. Each OID will list a
quality rule (like min len, # of special characters, etc). These
rules can be specified outside this document.}</t>

<t>{TODO: Note that even though this is meant to be a check that happens
during password modification, it may also be allowed to happen during
authN. This is useful for situations where the password is encrypted
when modified, but decrypted when used to authN.}</t>

<t>This attribute indicates how the password quality will be verified
while being modified or added. If this attribute is not present, or
if the value is '0', quality checking will not be enforced. A value
of '1' indicates that the server will check the quality, and if the
server is unable to check it (due to a hashed password or other
reasons) it will be accepted. A value of '2' indicates that the
server will check the quality, and if the server is unable to verify
it, it will return an error refusing the password.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.5
    NAME 'pwdCheckQuality'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMinLength">

<t>When quality checking is enabled, this attribute holds the minimum
number of characters that must be used in a password. If this
attribute is not present, no minimum password length will be
enforced. If the server is unable to check the length (due to a
hashed password or otherwise), the server will, depending on the
value of the pwdCheckQuality attribute, either accept the password
without checking it ('0' or '1') or refuse it ('2').</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.6
    NAME 'pwdMinLength'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMaxLength">

<t>When quality checking is enabled, this attribute holds the maximum
number of characters that may be used in a password. If this
attribute is not present, no maximum password length will be
enforced. If the server is unable to check the length (due to a
hashed password or otherwise), the server will, depending on the
value of the pwdCheckQuality attribute, either accept the password
without checking it ('0' or '1') or refuse it ('2').</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.31
    NAME 'pwdMaxLength'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdExpireWarning">

<t>This attribute specifies the maximum number of seconds before a
password is due to expire that expiration warning messages will be
returned to an authenticating user.</t>

<t>If this attribute is not present, or if the value is 0, no warnings
will be returned. If not 0, the value must be smaller than the value
of the pwdMaxAge attribute.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.7
    NAME 'pwdExpireWarning'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdGraceAuthNLimit">

<t>This attribute specifies the number of times an expired password can
be used to authenticate. If this attribute is not present or if the
value is 0, authentication will fail.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.8
    NAME 'pwdGraceAuthNLimit'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdGraceExpiry">

<t>This attribute specifies the number of seconds the grace
authentications are valid. If this attribute is not present
or if the value is 0, there is no time limit on the grace
authentications.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.30
    NAME 'pwdGraceExpiry'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>
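<t>The following is an added example, not code from the draft or from OpenLDAP, showing how a server would combine pwdMaxAge, pwdExpireWarning, pwdGraceAuthNLimit and pwdGraceExpiry with a user's pwdChangedTime at bind time, as described in the Password Expiration, Expiration Warning, and Grace Authentications section above. It also checks the two consistency rules stated above (pwdMaxAge at least pwdMinAge, pwdExpireWarning smaller than pwdMaxAge). Assumptions: the pwdGraceUseTime state attribute, which this part of the document only lists by name, is taken to hold one GeneralizedTime value per grace authentication already used; the sample policy values and timestamps are constructed.</t>

```python
"""Added example (not code from the draft or OpenLDAP): evaluating password
expiry, the expiry warning window and grace authentications at bind time."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# GeneralizedTime as written on this page, e.g. 20000103121520Z (UTC, second precision).
GT_FORMAT = "%Y%m%d%H%M%SZ"


def parse_gt(value: str) -> datetime:
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def days_after(value: str, days: int) -> datetime:
    """Helper for the examples: the instant `days` days after a GeneralizedTime value."""
    return parse_gt(value) + timedelta(days=days)


@dataclass
class ExpiryPolicy:
    """pwdPolicy attributes that govern expiry; 0 stands for 'not present', as the page defines."""
    pwdMinAge: int = 0
    pwdMaxAge: int = 0
    pwdExpireWarning: int = 0
    pwdGraceAuthNLimit: int = 0
    pwdGraceExpiry: int = 0


@dataclass
class ExpiryState:
    """Per-user operational state. Assumption: pwdGraceUseTime (listed but not defined on
    this page) holds one GeneralizedTime value per grace authentication already used."""
    pwdChangedTime: Optional[str] = None
    pwdGraceUseTime: List[str] = field(default_factory=list)


@dataclass
class ExpiryResult:
    status: str                # "ok", "warning", "grace" or "expired"
    seconds_until_expiry: int  # negative once the password has expired
    grace_remaining: int       # grace binds left after this one; 0 unless status is "grace"


def validate_expiry_policy(p: ExpiryPolicy) -> List[str]:
    """The consistency rules the page states for pwdMaxAge and pwdExpireWarning."""
    problems = []
    if p.pwdMaxAge != 0 and p.pwdMinAge > p.pwdMaxAge:
        problems.append("pwdMaxAge must be greater than or equal to pwdMinAge")
    if p.pwdExpireWarning != 0 and p.pwdExpireWarning >= p.pwdMaxAge:
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge")
    return problems


def evaluate_expiry(p: ExpiryPolicy, s: ExpiryState, now: datetime) -> ExpiryResult:
    """Outcome of a bind whose password was otherwise correct."""
    # No pwdMaxAge, or no pwdChangedTime recorded: the password never expires.
    if p.pwdMaxAge == 0 or s.pwdChangedTime is None:
        return ExpiryResult("ok", 0, 0)

    expires_at = parse_gt(s.pwdChangedTime) + timedelta(seconds=p.pwdMaxAge)
    remaining = int((expires_at - now).total_seconds())

    if remaining > 0:
        # Inside the warning window the bind succeeds but carries a warning; 0 disables it.
        if p.pwdExpireWarning != 0 and p.pwdExpireWarning >= remaining:
            return ExpiryResult("warning", remaining, 0)
        return ExpiryResult("ok", remaining, 0)

    # Expired. pwdGraceAuthNLimit of 0 means the bind simply fails.
    if p.pwdGraceAuthNLimit == 0:
        return ExpiryResult("expired", remaining, 0)
    # pwdGraceExpiry bounds how long after expiry grace binds stay usable; 0 means no bound.
    if p.pwdGraceExpiry != 0 and -remaining > p.pwdGraceExpiry:
        return ExpiryResult("expired", remaining, 0)
    used = len(s.pwdGraceUseTime)
    if used >= p.pwdGraceAuthNLimit:
        return ExpiryResult("expired", remaining, 0)
    # This bind consumes one grace authentication; the server would append now to pwdGraceUseTime.
    return ExpiryResult("grace", remaining, p.pwdGraceAuthNLimit - used - 1)


if __name__ == "__main__":
    # Constructed sample: 90-day maximum age, 7-day warning, 3 grace binds usable for 14 days.
    policy = ExpiryPolicy(pwdMaxAge=90 * 86400, pwdExpireWarning=7 * 86400,
                          pwdGraceAuthNLimit=3, pwdGraceExpiry=14 * 86400)
    state = ExpiryState(pwdChangedTime="20000103121520Z")
    for day in (10, 85, 95, 120):
        print(day, evaluate_expiry(policy, state, days_after("20000103121520Z", day)))
```

<t>The order of the checks matters: the grace limit is consulted only once the password has actually expired, and pwdGraceExpiry closes the grace window even if unused grace authentications remain, so a user who ignores every warning ends up locked out exactly as the section above describes.</t>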

<section title="pwdLockout">

<t>This attribute indicates, when its value is "TRUE", that the password
may not be used to authenticate after a specified number of
consecutive failed bind attempts. The maximum number of consecutive
failed bind attempts is specified in pwdMaxFailure.</t>

<t>If this attribute is not present, or if the value is "FALSE", the
password may still be used to authenticate after the number of failed
bind attempts has been reached.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.9
    NAME 'pwdLockout'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdLockoutDuration">

<t>This attribute holds the number of seconds that the password cannot
be used to authenticate due to too many failed bind attempts. If
this attribute is not present, or if the value is 0, the password
cannot be used to authenticate until reset by a password
administrator.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.10
    NAME 'pwdLockoutDuration'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMaxFailure">

<t>This attribute specifies the number of consecutive failed bind
attempts after which the password may not be used to authenticate.
If this attribute is not present, or if the value is 0, this policy
is not checked, and the value of pwdLockout will be ignored.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.11
    NAME 'pwdMaxFailure'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    ORDERING integerOrderingMatch
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdFailureCountInterval">

<t>This attribute holds the number of seconds after which the password
failures are purged from the failure counter, even though no
successful authentication occurred.</t>

<t>If this attribute is not present, or if its value is 0, the failure
counter is only reset by a successful authentication.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.12
    NAME 'pwdFailureCountInterval'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    ORDERING integerOrderingMatch
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMustChange">

<t>This attribute specifies with a value of "TRUE" that users must
change their passwords when they first bind to the directory after a
password is set or reset by a password administrator. If this
attribute is not present, or if the value is "FALSE", users are not
required to change their password upon binding after the password
administrator sets or resets the password. This attribute is not set
due to any actions specified by this document; it is typically set by
a password administrator after resetting a user's password.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.13
    NAME 'pwdMustChange'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdAllowUserChange">

<t>This attribute indicates whether users can change their own
passwords, although the change operation is still subject to access
control. If this attribute is not present, a value of "TRUE" is
assumed. This attribute is intended to be used in the absence of an
access control mechanism.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.14
    NAME 'pwdAllowUserChange'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdSafeModify">

<t>This attribute specifies whether or not the existing password must be
sent along with the new password when being changed. If this
attribute is not present, a "FALSE" value is assumed.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.15
    NAME 'pwdSafeModify'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
</artwork></figure>

</section>
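<t>The following is an added example, not code from the draft or from OpenLDAP, collecting the modify-password checks described in the Password History, Password Minimum Age, Password Quality and length constraints, User Defined Passwords and Safe Modification sections into one routine driven by pwdAllowUserChange, pwdSafeModify, pwdMinAge, pwdInHistory, pwdCheckQuality, pwdMinLength and pwdMaxLength as defined above. It includes the case the page calls "unable to check": a value the client hashed before sending, which pwdCheckQuality '1' accepts and '2' refuses. Assumptions (not stated on this page): stored and historical passwords are kept as SHA-256 digests for comparison, a client-hashed value is recognised by a "{scheme}" prefix, and pwdMinAge is applied to user-initiated changes; all sample passwords and timestamps are constructed.</t>

```python
"""Added example (not code from the draft or OpenLDAP): the checks a server could run on a
modify-password operation under pwdAllowUserChange, pwdSafeModify, pwdMinAge, pwdInHistory
and pwdCheckQuality with pwdMinLength / pwdMaxLength."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GT_FORMAT = "%Y%m%d%H%M%SZ"  # GeneralizedTime as written on this page, e.g. 20000103121520Z


def parse_gt(value: str) -> datetime:
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def to_gt(when: datetime) -> str:
    return when.strftime(GT_FORMAT)


def days_after(value: str, days: int) -> datetime:
    return parse_gt(value) + timedelta(days=days)


def digest(password: str) -> str:
    # Assumption for this example: the current password and pwdHistory entries are kept as
    # SHA-256 hex digests. The page does not define the stored form; a real server keeps
    # them in the storage scheme of the password attribute itself.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_prehashed(value: str) -> bool:
    # Assumption: a client that hashes before sending uses the "{scheme}..." prefix form,
    # so the server never sees clear text (the case the page calls "unable to check").
    return value.startswith("{")


@dataclass
class ModifyPolicy:
    """pwdPolicy attributes relevant to modification; defaults are the 'not present' values."""
    pwdAllowUserChange: bool = True
    pwdSafeModify: bool = False
    pwdMinAge: int = 0
    pwdInHistory: int = 0
    pwdCheckQuality: int = 0
    pwdMinLength: int = 0
    pwdMaxLength: int = 0


@dataclass
class ModifyState:
    """Per-user state: digest of the current password, pwdChangedTime, and history digests."""
    current: str
    pwdChangedTime: Optional[str] = None
    history: List[str] = field(default_factory=list)


def check_modify(p: ModifyPolicy, s: ModifyState, new: str, old: Optional[str],
                 by_user: bool, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change."""
    if by_user and not p.pwdAllowUserChange:
        return False, "pwdAllowUserChange is FALSE: users may not change their own password"
    if p.pwdSafeModify and (old is None or digest(old) != s.current):
        return False, "pwdSafeModify: the existing password must accompany the new one"
    # Assumption: pwdMinAge is applied to user-initiated changes, which is what the page's
    # rationale (stopping users from cycling through the history) targets.
    if by_user and p.pwdMinAge > 0 and s.pwdChangedTime is not None:
        age = (now - parse_gt(s.pwdChangedTime)).total_seconds()
        if p.pwdMinAge > age:
            return False, "pwdMinAge: password changed too recently"
    if p.pwdCheckQuality != 0:
        if is_prehashed(new):
            # Quality cannot be verified: '1' accepts the value anyway, '2' refuses it.
            if p.pwdCheckQuality == 2:
                return False, "pwdCheckQuality=2: cannot verify quality of a pre-hashed value"
        else:
            if p.pwdMinLength > 0 and p.pwdMinLength > len(new):
                return False, "pwdMinLength: password too short"
            if p.pwdMaxLength > 0 and len(new) > p.pwdMaxLength:
                return False, "pwdMaxLength: password too long"
    # History can only be compared when the server sees the clear text.
    if p.pwdInHistory > 0 and not is_prehashed(new):
        if digest(new) == s.current or digest(new) in s.history:
            return False, "pwdInHistory: password was used recently"
    return True, "accepted"


def record_change(p: ModifyPolicy, s: ModifyState, new: str, now: datetime) -> ModifyState:
    """Rotate the old password into the history (trimmed to pwdInHistory) and stamp
    pwdChangedTime. Clear-text values only; pre-hashed values are outside this example."""
    history = ([s.current] + s.history)[:p.pwdInHistory] if p.pwdInHistory > 0 else []
    return ModifyState(current=digest(new), pwdChangedTime=to_gt(now), history=history)


if __name__ == "__main__":
    policy = ModifyPolicy(pwdSafeModify=True, pwdMinAge=86400, pwdInHistory=3,
                          pwdCheckQuality=2, pwdMinLength=12)
    state = ModifyState(current=digest("correct horse battery"), pwdChangedTime="20000103121520Z")
    now = days_after("20000103121520Z", 2)
    print(check_modify(policy, state, "staple battery horse", "correct horse battery", True, now))
    print(check_modify(policy, state, "{SSHA}not-checkable", "correct horse battery", True, now))
```

<t>Note how the pwdSafeModify check runs before anything else and how the history comparison is simply skipped for a pre-hashed value: that is the gap the Password Quality section above attributes to client-side encryption, and it is why the page places the onus of those checks on the client in that case.</t>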

<section title="pwdMinDelay">

<t>This attribute specifies the number of seconds to delay responding
to the first failed authentication attempt. If this attribute is not
set or is 0, no delays will be used. pwdMaxDelay must also be specified
if pwdMinDelay is set.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.24
    NAME 'pwdMinDelay'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMaxDelay">

<t>This attribute specifies the maximum number of seconds to delay
when responding to a failed authentication attempt. The time specified
in pwdMinDelay is used as the starting time and is then doubled on
each failure until the delay time is greater than or equal to pwdMaxDelay
(or a successful authentication occurs, which resets the failure counter).
pwdMinDelay must be specified if pwdMaxDelay is set.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.25
    NAME 'pwdMaxDelay'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMaxIdle">

<t>This attribute specifies the number of seconds an account may
remain unused before it becomes locked. If this attribute is not
set or is 0, no check is performed.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.26
    NAME 'pwdMaxIdle'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>

<section title="pwdMaxRecordedFailure">

<t>This attribute specifies the number of failures kept on record
for each user and should be equal to or higher than pwdMaxFailure.
If it is not set, or is 0, it is deemed equal to pwdMaxFailure.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.32
    NAME 'pwdMaxRecordedFailure'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
</artwork></figure>

</section>
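<t>The following is an added example, not code from the draft or from OpenLDAP, implementing the Password Guessing Limit described earlier with the attributes defined in this section: the consecutive-failure record purged by pwdFailureCountInterval and trimmed to pwdMaxRecordedFailure, the lockout decision from pwdMaxFailure, pwdLockout and pwdLockoutDuration (including the permanent-lock marker 000001010000Z used by pwdAccountLockedTime), and the response delay that starts at pwdMinDelay and doubles until it reaches pwdMaxDelay. The pwdFailureTime and pwdAccountLockedTime state attributes are modelled as a list of GeneralizedTime strings and one optional string; the sample policy values and timestamps are constructed.</t>

```python
"""Added example (not code from the draft or OpenLDAP): tracking consecutive bind failures
and deriving the lockout decision and the response delay from pwdMaxFailure,
pwdFailureCountInterval, pwdLockout, pwdLockoutDuration, pwdMinDelay, pwdMaxDelay
and pwdMaxRecordedFailure."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GT_FORMAT = "%Y%m%d%H%M%SZ"       # GeneralizedTime as written on this page
PERMANENT_LOCK = "000001010000Z"  # the page's marker for an account locked until reset


def parse_gt(value: str) -> datetime:
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def to_gt(when: datetime) -> str:
    return when.strftime(GT_FORMAT)


def seconds_after(value: str, seconds: int) -> datetime:
    return parse_gt(value) + timedelta(seconds=seconds)


@dataclass
class LockoutPolicy:
    """Defaults are the page's 'not present' values."""
    pwdLockout: bool = False
    pwdMaxFailure: int = 0
    pwdFailureCountInterval: int = 0
    pwdLockoutDuration: int = 0
    pwdMinDelay: int = 0
    pwdMaxDelay: int = 0
    pwdMaxRecordedFailure: int = 0


@dataclass
class LockoutState:
    """Per-user state: one GeneralizedTime per consecutive failure, plus the lock time."""
    pwdFailureTime: List[str] = field(default_factory=list)
    pwdAccountLockedTime: Optional[str] = None


def validate_lockout_policy(p: LockoutPolicy) -> List[str]:
    problems = []
    if (p.pwdMinDelay != 0) != (p.pwdMaxDelay != 0):
        problems.append("pwdMinDelay and pwdMaxDelay must be set together")
    if p.pwdMaxRecordedFailure != 0 and p.pwdMaxFailure > p.pwdMaxRecordedFailure:
        problems.append("pwdMaxRecordedFailure should be equal to or higher than pwdMaxFailure")
    return problems


def live_failures(p: LockoutPolicy, s: LockoutState, now: datetime) -> List[str]:
    """Failures still counted: pwdFailureCountInterval purges old ones, 0 keeps them all."""
    if p.pwdFailureCountInterval == 0:
        return list(s.pwdFailureTime)
    cutoff = now - timedelta(seconds=p.pwdFailureCountInterval)
    return [t for t in s.pwdFailureTime if parse_gt(t) >= cutoff]


def delay_for(p: LockoutPolicy, failures: int) -> int:
    """Seconds to delay the response to the n-th consecutive failure: pwdMinDelay,
    doubled on each further failure, capped at pwdMaxDelay."""
    if p.pwdMinDelay == 0 or failures == 0:
        return 0
    return min(p.pwdMinDelay * 2 ** (failures - 1), p.pwdMaxDelay)


def is_locked(p: LockoutPolicy, s: LockoutState, now: datetime) -> bool:
    if s.pwdAccountLockedTime is None:
        return False
    if s.pwdAccountLockedTime == PERMANENT_LOCK or p.pwdLockoutDuration == 0:
        return True  # only a password administrator can clear this
    unlock_at = parse_gt(s.pwdAccountLockedTime) + timedelta(seconds=p.pwdLockoutDuration)
    return unlock_at > now


def record_failure(p: LockoutPolicy, s: LockoutState, now: datetime) -> Tuple[LockoutState, int]:
    """State after a failed bind at `now`, and the delay to apply before answering it."""
    failures = live_failures(p, s, now) + [to_gt(now)]
    keep = p.pwdMaxRecordedFailure if p.pwdMaxRecordedFailure != 0 else p.pwdMaxFailure
    if keep > 0:
        failures = failures[-keep:]
    locked = s.pwdAccountLockedTime
    # pwdMaxFailure of 0 disables the limit entirely and pwdLockout is ignored.
    if (p.pwdLockout and p.pwdMaxFailure > 0 and locked is None
            and len(failures) >= p.pwdMaxFailure):
        locked = to_gt(now)
    return LockoutState(failures, locked), delay_for(p, len(failures))


def record_success() -> LockoutState:
    """A successful bind (only possible once any lock has expired) resets the failure record."""
    return LockoutState([], None)


if __name__ == "__main__":
    policy = LockoutPolicy(pwdLockout=True, pwdMaxFailure=3, pwdFailureCountInterval=600,
                           pwdLockoutDuration=900, pwdMinDelay=1, pwdMaxDelay=8)
    state = LockoutState()
    for offset in (0, 10, 20):
        state, delay = record_failure(policy, state, seconds_after("20000103121520Z", offset))
        print(offset, delay, state)
```

<t>The delay is computed independently of the lockout decision, which is what lets a site follow the page's advice to prefer delays over locking: with pwdLockout FALSE the failure record and the doubling delay still apply, while no pwdAccountLockedTime is ever written, so there is no lock for a third party to trigger on purpose.</t>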
|
|
</section>
|
|
|
|
|
|
|
|
<section title="Attribute Types for Password Policy State Information">
|
|
|
|
<t>Password policy state information must be maintained for each user.
|
|
The information is located in each user entry as a set of operational
|
|
attributes. These operational attributes are: pwdChangedTime,
|
|
pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
|
|
pwdReset, pwdPolicySubEntry, pwdStartTime, pwdEndTime, pwdLastSuccess.</t>
|
|
|
|
<section title="Password Policy State Attribute Option">
|
|
|
|
<t>Since the password policy could apply to several attributes used to
|
|
store passwords, each of the above operational attributes must have
|
|
an option to specify which pwdAttribute it applies to. The password
|
|
policy option is defined as the following:</t>
|
|
|
|
<t>
|
|
pwd-<passwordAttribute></t>
|
|
|
|
<t>where passwordAttribute is a string following the OID syntax
|
|
(1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
|
|
(short name) MUST be used.</t>
|
|
|
|
<t>For example, if the pwdPolicy object has for pwdAttribute
|
|
"userPassword" then the pwdChangedTime operational attribute, in a
|
|
user entry, will be:</t>
|
|
|
|
<t>pwdChangedTime;pwd-userPassword: 20000103121520Z</t>
|
|
|
|
<t>This attribute option follows sub-typing semantics. If a client
|
|
requests a password policy state attribute to be returned in a search
|
|
operation, and does not specify an option, all subtypes of that
|
|
policy state attribute are returned.</t>
|
|
</section>
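<t>The sub-typing rule above, worked through in Python as an added example (it is not code from the draft or from OpenLDAP): state_attribute builds the option-qualified description, and select returns the attributes a search would return for a request with or without the pwd- option. The entry, the made-up second password attribute "otherPassword" and all function names are constructions of this example.</t>
<figure><artwork><![CDATA[
```python
"""Password policy state attribute options (added example, not the draft's
or OpenLDAP's code). Models the sub-typing rule of the section above:
a request for "pwdChangedTime" with no option matches every
"pwdChangedTime;pwd-<attr>" value, while a request naming the option
matches only that subtype. Attribute type and option names are
case-insensitive, as in RFC 4512 attribute descriptions.
"""


def state_attribute(base, password_attribute):
    """Option-qualified description, e.g. 'pwdChangedTime;pwd-userPassword'."""
    return f"{base};pwd-{password_attribute}"


def split_description(desc):
    """Split 'type;opt1;opt2' into (type, set of options), lower-cased."""
    parts = desc.split(";")
    return parts[0].lower(), {p.lower() for p in parts[1:] if p}


def matches(requested, stored):
    """True when the stored description is the requested one or a subtype
    of it: same type, and every requested option present on the stored one."""
    rtype, ropts = split_description(requested)
    stype, sopts = split_description(stored)
    return rtype == stype and ropts.issubset(sopts)


def select(entry, requested):
    """Attributes of `entry` (a dict of lists) that a search listing
    `requested` returns, following sub-typing semantics."""
    return {name: values for name, values in entry.items() if matches(requested, name)}


# Constructed user entry with policy state for two password attributes;
# "otherPassword" is a made-up second password attribute.
SAMPLE_ENTRY = {
    "cn": ["alice"],
    state_attribute("pwdChangedTime", "userPassword"): ["20000103121520Z"],
    state_attribute("pwdChangedTime", "otherPassword"): ["20010203040506Z"],
    state_attribute("pwdReset", "userPassword"): ["TRUE"],
}

if __name__ == "__main__":
    print(select(SAMPLE_ENTRY, "pwdChangedTime"))
    print(select(SAMPLE_ENTRY, "pwdChangedTime;pwd-userPassword"))
```
]]></artwork></figure>
<t>Requesting the bare type returns both subtypes; naming the option narrows the result to that one password attribute, and the comparison ignores case on both the type and the option.</t>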
<section title="pwdChangedTime">

<t>This attribute specifies the last time the entry's password was
changed. This is used by the password expiration policy. If this
attribute does not exist, the password will never expire.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.16
  NAME 'pwdChangedTime'
  DESC 'The time the password was last changed'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdAccountLockedTime">

<t>This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock
the account.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.17
  NAME 'pwdAccountLockedTime'
  DESC 'The time a user account was locked'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdFailureTime">

<t>This attribute holds the timestamps of the consecutive authentication
failures.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.19
  NAME 'pwdFailureTime'
  DESC 'The timestamps of the last consecutive authentication
    failures'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdHistory">

<t>This attribute holds a history of previously used passwords. Values
of this attribute are transmitted in string format as given by the
following ABNF:</t>

<figure><artwork>
pwdHistory = time "#" syntaxOID "#" length "#" data

time = GeneralizedTime

syntaxOID = numericoid ; the string representation of the
                       ; dotted-decimal OID that defines the
                       ; syntax used to store the password.

length = number ; the number of octets in data.

data = &lt;octets representing the password in the format
        specified by syntaxOID&gt;.
</artwork>
<postamble>GeneralizedTime is specified in 3.3.13 of <xref target="RFC4517"/>. numericoid and number are specified in 1.4 of <xref target="RFC4512"/>.</postamble>
</figure>

<t>This format allows the server to store and transmit a history of
passwords that have been used. In order for equality matching to
function properly, the time field needs to adhere to a consistent
format. For this purpose, the time field MUST be in GMT format.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.20
  NAME 'pwdHistory'
  DESC 'The history of user s passwords'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>
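<t>A parser and builder for the pwdHistory string format defined above, added here as an example (not the draft's or OpenLDAP's own code). It splits on at most three "#" separators so that data containing "#" survives, checks that the remainder is exactly length octets, validates the numericoid, and insists on the GMT time form the section requires. The sample value is constructed and the {SSHA} fragment in it is a placeholder, not a real hash.</t>
<figure><artwork><![CDATA[
```python
"""Parse and build pwdHistory values (added example, not the draft's code).

Format from the section above:  time "#" syntaxOID "#" length "#" data
The data octets may themselves contain "#", so the parser splits only
the first three fields and then uses the length field to validate what
remains. The time must be GeneralizedTime in GMT (trailing "Z").
"""
from datetime import datetime, timezone

OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"


def parse_generalized_time(value):
    """Accept 'YYYYMMDDHHMMSSZ' and the fractional 'YYYYMMDDHHMMSS.fffZ' form."""
    if not value.endswith("Z"):
        raise ValueError("pwdHistory time values MUST be in GMT (trailing 'Z')")
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def parse_pwd_history(value):
    """Return (time, syntax_oid, data) for one pwdHistory value given as bytes."""
    fields = value.split(b"#", 3)
    if len(fields) != 4:
        raise ValueError("pwdHistory value needs four '#'-separated fields")
    time_b, oid_b, length_b, data = fields
    if not length_b.isdigit():                  # 'number' is decimal digits only
        raise ValueError(f"bad length field {length_b!r}")
    if len(data) != int(length_b):
        raise ValueError(f"length field says {int(length_b)} octets, data has {len(data)}")
    oid = oid_b.decode("ascii")
    if not all(part.isdigit() for part in oid.split(".")):   # numericoid
        raise ValueError(f"syntaxOID is not a numericoid: {oid!r}")
    return parse_generalized_time(time_b.decode("ascii")), oid, data


def build_pwd_history(when, syntax_oid, data):
    """Inverse of parse_pwd_history; `when` is a timezone-aware datetime."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return f"{stamp}#{syntax_oid}#{len(data)}#".encode("ascii") + data


def is_valid_pwd_history(value):
    """True when parse_pwd_history accepts the value."""
    try:
        parse_pwd_history(value)
        return True
    except ValueError:
        return False


# Constructed sample: the stored form is an octet string here; "{SSHA}ab#cd"
# is a placeholder, not a real hash, chosen so the data contains a '#'.
SAMPLE = b"20000103121520Z#" + OCTET_STRING_SYNTAX.encode("ascii") + b"#11#{SSHA}ab#cd"

if __name__ == "__main__":
    print(parse_pwd_history(SAMPLE))
```
]]></artwork></figure>
<t>The length field is what makes the format unambiguous: without it a "#" inside the stored password could not be told apart from a separator, which is why the parser rejects a value whose trailing octets do not match the declared length.</t>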
<section title="pwdGraceUseTime">

<t>This attribute holds the timestamps of grace authentications after a
password has expired.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.21
  NAME 'pwdGraceUseTime'
  DESC 'The timestamps of the grace authentication after the
    password has expired'
  EQUALITY generalizedTimeMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdReset">

<t>This attribute holds a flag to indicate (when TRUE) that the password
has been updated by the password administrator and must be changed by
the user.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.22
  NAME 'pwdReset'
  DESC 'The indication that the password has been reset'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdPolicySubentry">

<t>This attribute points to the pwdPolicy subentry in effect for this
object.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.23
  NAME 'pwdPolicySubentry'
  DESC 'The pwdPolicy subentry in effect for this object'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdStartTime">

<t>This attribute specifies the time the entry's password becomes
valid for authentication. Authentication attempts made before this
time will fail. If this attribute does not exist, then no restriction
applies.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.27
  NAME 'pwdStartTime'
  DESC 'The time the password becomes enabled'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>

<section title="pwdEndTime">

<t>This attribute specifies the time the entry's password becomes
invalid for authentication. Authentication attempts made after this
time will fail, regardless of expiration or grace settings.
If this attribute does not exist, then this restriction
does not apply.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.28
  NAME 'pwdEndTime'
  DESC 'The time the password becomes disabled'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>

<t>Note that pwdStartTime may be set to a time greater than or equal
to pwdEndTime; this simply disables the account.</t>
</section>

<section title="pwdLastSuccess">

<t>This attribute holds the timestamp of the last successful
authentication.</t>

<figure><artwork>
( 1.3.6.1.4.1.42.2.27.8.1.29
  NAME 'pwdLastSuccess'
  DESC 'The timestamp of the last successful authentication'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation )
</artwork></figure>
</section>
</section>
</section>

<section title="Controls used for Password Policy">

<t>This section details the controls used while enforcing password
policy. A request control is defined that is sent by a client with a
request operation in order to elicit a response control. The
response control contains various warnings and errors associated with
password policy.</t>

<t>{TODO: add a note about advertisement and discovery}</t>

<section title="Request Control">

<t>This control MAY be sent with any LDAP request message in order to
convey to the server that this client is aware of, and can process,
the response control described in this document. When a server
receives this control, it will return the response control when
appropriate and with the proper data.</t>

<t>The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may
be TRUE or FALSE. There is no controlValue.</t>
</section>

<section title="Response Control">

<t>If the client has sent a passwordPolicyRequest control, the server
sends this control with the following operation responses to inform
of various conditions: bindResponse, modifyResponse, addResponse,
compareResponse and possibly extendedResponse. It MAY also be sent
with other operations (in the case of the changeAfterReset error).
The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the controlValue is
the BER encoding of the following type:</t>

<figure><artwork>
PasswordPolicyResponseValue ::= SEQUENCE {
   warning [0] CHOICE {
      timeBeforeExpiration [0] INTEGER (0 .. maxInt),
      graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
   error   [1] ENUMERATED {
      passwordExpired             (0),
      accountLocked               (1),
      changeAfterReset            (2),
      passwordModNotAllowed       (3),
      mustSupplyOldPassword       (4),
      insufficientPasswordQuality (5),
      passwordTooShort            (6),
      passwordTooYoung            (7),
      passwordInHistory           (8),
      passwordTooLong             (9) } OPTIONAL }
</artwork></figure>

<t>The timeBeforeExpiration warning specifies the number of seconds
before a password will expire. The graceAuthNsRemaining warning
specifies the remaining number of times a user will be allowed to
authenticate with an expired password. The passwordExpired error
signifies that the password has expired and must be reset. The
changeAfterReset error signifies that the password must be changed
before the user will be allowed to perform any operation other than
bind and modify. The passwordModNotAllowed error is set when a user
is restricted from changing her password. The
insufficientPasswordQuality error is set when a password doesn't pass
quality checking. The passwordTooYoung error is set if the age of
the password to be modified is not yet old enough.</t>
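<t>An encoder and decoder for the PasswordPol­icyResponseValue above, added as an example (not the draft's or OpenLDAP's code). It assumes the IMPLICIT tagging LDAP uses, with the [0] tag on the CHOICE being explicit as ASN.1 requires, so the control value is a SEQUENCE whose elements carry the context tags 0xA0 (warning, wrapping 0x80 or 0x81) and 0x81 (error). The sample byte string is constructed from those rules and encodes the mixed warning-plus-error case the text mentions.</t>
<figure><artwork><![CDATA[
```python
"""Encode and decode the PasswordPolicyResponseValue (BER).

Added example, not the draft's or OpenLDAP's code. LDAP uses IMPLICIT
tags, but a tag on a CHOICE is always explicit, so the layout is:
  SEQUENCE                         tag 0x30
    warning [0] CHOICE             tag 0xA0 (constructed), containing
      timeBeforeExpiration [0]     tag 0x80 + INTEGER contents
      graceAuthNsRemaining [1]     tag 0x81 + INTEGER contents
    error [1] ENUMERATED           tag 0x81 + ENUMERATED contents
Only definite-length encodings are handled, which is all LDAP permits.
"""

ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory", "passwordTooLong"]
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def _length(n):
    """BER definite length: one byte up to 127, long form above that."""
    if n > 127:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(body)]) + body
    return bytes([n])


def _tlv(tag, contents):
    return bytes([tag]) + _length(len(contents)) + contents


def _int(value):
    """Minimal two's-complement contents of a non-negative INTEGER."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def encode_response(warning=None, error=None):
    """warning is (choice, value) with choice 0 or 1 per WARNINGS;
    error is an index into ERRORS. Either or both may be None."""
    contents = b""
    if warning is not None:
        choice, value = warning
        contents += _tlv(0xA0, _tlv(0x80 | choice, _int(value)))
    if error is not None:
        contents += _tlv(0x81, _int(error))
    return _tlv(0x30, contents)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first > 127:                               # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_response(buf):
    """Return {"warning": (name, value) or None, "error": name or None}."""
    tag, seq, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos != len(seq):
        tag, contents, pos = _read_tlv(seq, pos)
        if tag == 0xA0 and result["warning"] is None:
            inner_tag, inner, inner_end = _read_tlv(contents, 0)
            if inner_tag not in (0x80, 0x81) or inner_end != len(contents):
                raise ValueError("malformed warning CHOICE")
            value = int.from_bytes(inner, "big", signed=True)
            if value < 0:
                raise ValueError("warning value must be in (0 .. maxInt)")
            result["warning"] = (WARNINGS[inner_tag & 1], value)
        elif tag == 0x81 and result["error"] is None:
            code = int.from_bytes(contents, "big", signed=True)
            if code not in range(len(ERRORS)):
                raise ValueError(f"unknown error value {code}")
            result["error"] = ERRORS[code]
        else:
            raise ValueError(f"unexpected or repeated element, tag 0x{tag:02X}")
    return result


def decode_or_none(buf):
    """decode_response, returning None instead of raising on malformed input."""
    try:
        return decode_response(buf)
    except ValueError:
        return None


# Constructed: a response telling the client its password expires in
# 3600 s and must be changed now (the warning-plus-error case in the text).
SAMPLE = bytes.fromhex("3009a00480020e10810102")

if __name__ == "__main__":
    print(decode_response(SAMPLE))
    print(encode_response(warning=(1, 2)).hex())
```
]]></artwork></figure>
<t>Because both the graceAuthNsRemaining choice and the error element carry tag [1], the decoder distinguishes them purely by nesting: 0x81 inside the 0xA0 wrapper is the warning choice, 0x81 directly inside the SEQUENCE is the error. A client that treats the control value as trusted input should still reject duplicated or out-of-range elements, as decode_response does.</t>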

<t>Typically, only either a warning or an error will be encoded, though
there may be exceptions. For example, if the user is required to
change a password after the password administrator set it, and the
password will expire in a short amount of time, the control may
include the timeBeforeExpiration warning and the changeAfterReset
error.</t>
</section>
</section>

<section title="Policy Decision Points">

<t>Following are a number of procedures used to make policy decisions.
These procedures are typically performed by the server while
processing an operation.</t>

<t>The following sections contain detailed instructions that refer to
attributes of the pwdPolicy object class. When doing so, the
attribute of the pwdPolicy object that governs the entry being
discussed is implied.</t>

<section anchor="lockcheck" title="Locked Account Check">

<t>A status of true is returned to indicate that the account is locked
if any of these conditions are met:

<list style="symbols">
<t>The value of the pwdAccountLockedTime attribute is 000001010000Z.</t>

<t>The current time is less than the value of the pwdStartTime
attribute.</t>

<t>The current time is greater than or equal to the value of the
pwdEndTime attribute.</t>

<t>The current time is greater than or equal to the value of the
pwdLastSuccess attribute added to the value of the pwdMaxIdle
attribute. If the pwdLastSuccess attribute is not present, the
pwdChangedTime value is used instead.</t>

<t>The current time is less than the value of the
pwdAccountLockedTime attribute added to the value of the
pwdLockoutDuration attribute.</t>
</list></t>

<t>Otherwise a status of false is returned.</t>
</section>

<section anchor="changenow" title="Password Must be Changed Now Check">

<t>A status of true is returned to indicate that the password must be
changed if all of these conditions are met:

<list style="symbols">
<t>The pwdMustChange attribute is set to TRUE.</t>

<t>The pwdReset attribute is set to TRUE.</t>
</list></t>

<t>Otherwise a status of false is returned.</t>
</section>

<section anchor="expcheck" title="Password Expiration Check">

<t>A status of true is returned indicating that the password has expired
if the current time minus the value of pwdChangedTime is greater than
the value of pwdMaxAge.</t>

<t>Otherwise, a status of false is returned.</t>
</section>

<section anchor="gracecheck" title="Remaining Grace AuthN Check">

<t>If the pwdGraceExpiry attribute is present, and the current time is
greater than the password expiration time plus the pwdGraceExpiry
value, zero is returned.</t>

<t>If the pwdGraceUseTime attribute is present, the number of values in
that attribute subtracted from the value of pwdGraceAuthNLimit is
returned. Otherwise zero is returned. A positive result specifies
the number of remaining grace authentications.</t>
</section>

<section anchor="expwarn" title="Time Before Expiration Check">

<t>If the pwdExpireWarning attribute is not present, a zero status is
returned. Otherwise the following steps are followed:</t>

<t>Subtract the time stored in pwdChangedTime from the current time to
arrive at the password's age. If the password's age is greater than
the value of the pwdMaxAge attribute, a zero status is returned.
Subtract the value of the pwdExpireWarning attribute from the value
of the pwdMaxAge attribute to arrive at the warning age. If the
password's age is equal to or greater than the warning age, the value
of pwdMaxAge minus the password's age is returned.</t>
</section>
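<t>The Locked Account, Password Expiration, Remaining Grace AuthN and Time Before Expiration checks above, implemented together in Python as an added example (not the draft's or OpenLDAP's code). Policy and entry are plain dicts and the pwd- option suffix is omitted. Four readings are assumptions of this example rather than statements of the draft: a pwdMaxAge of 0 means passwords do not expire, a pwdLockoutDuration of 0 means locked until a password administrator unlocks the account, the "password expiration time" is pwdChangedTime plus pwdMaxAge, and an absent pwdGraceUseTime counts as zero grace uses. The policy and entry values are constructed.</t>
<figure><artwork><![CDATA[
```python
"""Authentication-time policy decision points (added example).

Not the draft's code: it implements the Locked Account, Password
Expiration, Remaining Grace AuthN and Time Before Expiration checks
over a policy dict (pwdPolicy attribute values) and an entry dict
(policy state attributes as lists of strings, the pwd-<attr> option
suffix omitted). Times are GeneralizedTime strings in GMT; durations
are seconds, as in the schema.
"""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"   # special value of pwdAccountLockedTime


def gt(value):
    """Parse the 'YYYYMMDDHHMMSSZ' GeneralizedTime form into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def first(entry, attr):
    """Single-valued state attribute, or None when absent."""
    values = entry.get(attr)
    return values[0] if values else None


def account_locked(policy, entry, now):
    """Locked Account Check: true if any one of the conditions holds."""
    locked_at = first(entry, "pwdAccountLockedTime")
    if locked_at == PERMANENT_LOCK:
        return True
    start, end = first(entry, "pwdStartTime"), first(entry, "pwdEndTime")
    if start is not None and now < gt(start):
        return True
    if end is not None and now >= gt(end):
        return True
    max_idle = policy.get("pwdMaxIdle", 0)        # 0 or absent: no idle check
    last = first(entry, "pwdLastSuccess") or first(entry, "pwdChangedTime")
    if max_idle and last is not None and now >= gt(last) + timedelta(seconds=max_idle):
        return True
    duration = policy.get("pwdLockoutDuration", 0)
    if locked_at is not None:
        # A pwdLockoutDuration of 0 is read as "locked until a password
        # administrator unlocks the account" (assumption of this example).
        return duration == 0 or now < gt(locked_at) + timedelta(seconds=duration)
    return False


def password_expired(policy, entry, now):
    """Password Expiration Check; no pwdChangedTime means never expires."""
    max_age = policy.get("pwdMaxAge", 0)          # 0: passwords do not expire (assumption)
    changed = first(entry, "pwdChangedTime")
    if not max_age or changed is None:
        return False
    return now - gt(changed) > timedelta(seconds=max_age)


def grace_authns_remaining(policy, entry, now):
    """Remaining Grace AuthN Check; a positive result is the count left."""
    changed = first(entry, "pwdChangedTime")
    grace_expiry = policy.get("pwdGraceExpiry")
    if grace_expiry is not None and changed is not None:
        # expiration time taken as pwdChangedTime + pwdMaxAge (assumption)
        expires = gt(changed) + timedelta(seconds=policy.get("pwdMaxAge", 0))
        if now > expires + timedelta(seconds=grace_expiry):
            return 0
    used = len(entry.get("pwdGraceUseTime", []))  # absent: no grace used yet
    return policy.get("pwdGraceAuthNLimit", 0) - used


def time_before_expiration(policy, entry, now):
    """Time Before Expiration Check: seconds left once inside the warning
    window, otherwise 0."""
    warning = policy.get("pwdExpireWarning")
    changed = first(entry, "pwdChangedTime")
    if not warning or changed is None:
        return 0
    max_age = policy.get("pwdMaxAge", 0)
    age = (now - gt(changed)).total_seconds()
    if age > max_age or age < max_age - warning:
        return 0
    return int(max_age - age)


# Constructed policy and entry: 30-day passwords, 7-day warning window,
# 3 grace logins usable for 2 days past expiry, 15-minute lockout, 90-day idle limit.
POLICY = {"pwdMaxAge": 30 * 86400, "pwdExpireWarning": 7 * 86400,
          "pwdGraceAuthNLimit": 3, "pwdGraceExpiry": 2 * 86400,
          "pwdLockoutDuration": 900, "pwdMaxIdle": 90 * 86400}
ENTRY = {"pwdChangedTime": ["20240101120000Z"],
         "pwdLastSuccess": ["20240120090000Z"],
         "pwdGraceUseTime": ["20240201120500Z"]}

if __name__ == "__main__":
    for stamp in ("20240110120000Z", "20240125120000Z", "20240201120000Z"):
        now = gt(stamp)
        print(stamp, account_locked(POLICY, ENTRY, now), password_expired(POLICY, ENTRY, now),
              grace_authns_remaining(POLICY, ENTRY, now), time_before_expiration(POLICY, ENTRY, now))
```
]]></artwork></figure>
<t>Run against the constructed entry, the checks report no warning on 10 January, 518400 seconds (six days) left on 25 January, and an expired password with two grace logins remaining on 1 February; the idle rule locks the account exactly 90 days after the last success.</t>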

<section anchor="intruderlock" title="Intruder Lockout Check">

<t>A status of true indicating that an intruder has been detected is
returned if the following conditions are met:

<list style="symbols">
<t>The pwdLockout attribute is TRUE.</t>

<t>The number of values in the pwdFailureTime attribute that are
younger than pwdFailureCountInterval is greater than or equal to the
value of the pwdMaxFailure attribute.</t>
</list></t>

<t>Otherwise a status of false is returned.</t>

<t>While performing this check, values of pwdFailureTime that are old by
more than pwdFailureCountInterval are purged and not counted.</t>
</section>

<section anchor="delaycheck" title="Intruder Delay Check">

<t>If the pwdMinDelay attribute is 0 or not set, zero is returned.</t>

<t>Otherwise, a delay time is computed based on the number of values
in the pwdFailureTime attribute. If the computed value is greater
than the pwdMaxDelay attribute, the pwdMaxDelay value is returned.</t>

<t>While performing this check, values of pwdFailureTime that are old by
more than pwdFailureCountInterval are purged and not counted.</t>
</section>

<section anchor="tooyoung" title="Password Too Young Check">

<t>If the <xref target="changenow"/> check returned true then this
check will return false, to allow the password to be changed.</t>

<t>A status of true indicating that not enough time has passed since the
password was last updated is returned if:

<list style="symbols">
<t>The value of pwdMinAge is non-zero and pwdChangedTime is present.</t>

<t>The value of pwdMinAge is greater than the current time minus the
value of pwdChangedTime.</t>
</list></t>

<t>Otherwise a false status is returned.</t>
</section>
</section>

<section anchor="server_enforce" title="Server Policy Enforcement Points">

<t>The server SHOULD enforce that the password attribute subject to a
password policy as defined in this document contains one and only
one password value.</t>

<t>Note: The case where a single password value is stored in multiple
formats simultaneously is still considered to be only one
password value.</t>

<t>The scenarios in the following operations assume that the client has
attached a passwordPolicyRequest control to the request message of
the operation. In the event that the passwordPolicyRequest control
was not sent, no passwordPolicyResponse control is returned. All
other instructions remain the same.</t>

<t>For successfully completed operations, unless otherwise stated, no
passwordPolicyResponse control is returned.</t>

<section title="Password-based Authentication">

<t>This section contains the policy enforcement rules and policy data
updates used while validating a password. Operations that validate
passwords include, but are not limited to, the Bind operation where
the simple choice specifies a password, and the Compare operation
where the attribute being compared holds a password. Note that while
the Compare operation does not authenticate a user to the LDAP
server, it may be used by an external application for purposes of
authentication.</t>

<section title="Fail if the account is locked">

<t>If the account is locked as specified in <xref target="lockcheck"/>, the server
fails the operation with an appropriate resultCode (i.e.
invalidCredentials (49) in the case of a bind operation, compareFalse
(5) in the case of a compare operation, etc.). The server MAY set
the error: accountLocked (1) in the passwordPolicyResponse in the
controls field of the message.</t>
</section>

<section title="Validated Password Procedures">

<t>If the validation operation indicates that the password validated,
these procedures are followed in order:</t>

<section title="Policy state updates">

<t>Delete the pwdFailureTime and pwdAccountLockedTime attributes.</t>

<t>Set the value of the pwdLastSuccess attribute to the current time.</t>

<t>Note: setting pwdLastSuccess is optional, but it is required if
the policy has pwdMaxIdle defined.</t>
</section>

<section title="Password must be changed now">

<t>If the decision in <xref target="changenow"/> returns true, the server sends to the
client a response with an appropriate successful resultCode (i.e.
success (0), compareTrue (6), etc.), and includes the
passwordPolicyResponse in the controls field of the bindResponse
message with the error: changeAfterReset specified.</t>

<t>For bind, the server MUST then disallow all operations issued by this
user except modify password, bind, unbind, abandon and the StartTLS
extended operation.</t>
</section>

<section title="Expired password">

<t>If the password has expired as per <xref target="expcheck"/>, the server either
returns a success or failure based on the state of grace
authentications.</t>

<section title="Remaining Grace Authentications">

<t>If there are remaining grace authentications as per <xref target="gracecheck"/>, the
server adds a new value with the current time in pwdGraceUseTime.
Then it sends to the client a response with an appropriate successful
resultCode (i.e. success (0), compareTrue (6), etc.), and includes
the passwordPolicyResponse in the controls field of the response
message with the warning: graceAuthNsRemaining choice set to the
number of grace authentications left.</t>

<t>Implementor's note: The system time of the host machine may be more
granular than is needed to ensure unique values of this attribute.
It is recommended that a mechanism is used to ensure unique
generalized time values. The fractional seconds field may be used
for this purpose.</t>
</section>

<section title="No Remaining Grace Authentications">

<t>If there are no remaining grace authentications, the server fails the
operation with an appropriate resultCode (invalidCredentials (49),
compareFalse (5), etc.), and includes the passwordPolicyResponse in
the controls field of the bindResponse message with the error:
passwordExpired (0) set.</t>
</section>
</section>

<section title="Expiration Warning">

<t>If the result of <xref target="expwarn"/> is a positive number, the server sends
to the client a response with an appropriate successful resultCode
(i.e. success (0), compareTrue (6), etc.), and includes the
passwordPolicyResponse in the controls field of the bindResponse
message with the warning: timeBeforeExpiration set to the value as
described above. Otherwise, the server sends a successful response,
and omits the passwordPolicyResponse.</t>
</section>
</section>

<section title="AuthN Failed Procedures">

<t>If the authentication process indicates that the password failed
validation due to invalid credentials, these procedures are followed:</t>

<section title="Policy state update">

<t>Add the current time as a value of the pwdFailureTime attribute.</t>

<t>Implementor's note: The system time of the host machine may be more
granular than is needed to ensure unique values of this attribute.
It is recommended that a mechanism is used to ensure unique
generalized time values. The fractional seconds field may be used
for this purpose.</t>
</section>

<section title="Handle Intruder Detection">

<t>If the check in <xref target="intruderlock"/> returns a true state, the server locks
the account by setting the value of the pwdAccountLockedTime
attribute to the current time. After locking the account, the server
fails the operation with an appropriate resultCode
(invalidCredentials (49), compareFalse (5), etc.), and includes the
passwordPolicyResponse in the controls field of the message with the
error: accountLocked (1).</t>

<t>If the check in <xref target="delaycheck"/> returns a non-zero value,
the server waits that number of seconds before sending the authentication
response back to the client.</t>
</section>
</section>
</section>
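<t>The policy state updates of the Validated Password and AuthN Failed procedures above, together with the Intruder Lockout Check from the decision points, as an added example in Python (not the draft's or OpenLDAP's code). It records failure times with fractional seconds so that values generated within one second stay unique, purges values older than pwdFailureCountInterval before counting, caps the record at pwdMaxRecordedFailure, and locks the account when the threshold is reached. Reading a pwdMaxFailure of 0 as "no limit" and a pwdFailureCountInterval of 0 as "never purge" are assumptions of this example; the policy and entries are constructed, and the delay check is not modelled.</t>
<figure><artwork><![CDATA[
```python
"""Policy state updates for password-based authentication (added example).

Not the draft's or OpenLDAP's code. It models the Validated Password
and AuthN Failed procedures plus the Intruder Lockout Check: a
validated password clears pwdFailureTime and pwdAccountLockedTime and
records pwdLastSuccess; a failed one records a unique pwdFailureTime,
purges values older than pwdFailureCountInterval, caps the record at
pwdMaxRecordedFailure and, when pwdLockout is TRUE and pwdMaxFailure
recent failures exist, locks the account. Entries are dicts of lists;
the pwd- option suffix is omitted. Assumptions of this example:
pwdMaxFailure 0 means no limit, pwdFailureCountInterval 0 means
failures are never purged.
"""
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIALS = 49          # LDAP resultCode
ACCOUNT_LOCKED = 1                # passwordPolicyResponse error value


def to_gt(when):
    """GeneralizedTime in GMT with fractional seconds (implementor's note):
    values generated within the same second stay distinct."""
    return when.strftime("%Y%m%d%H%M%S.%fZ")


def from_gt(value):
    """Parse the plain or fractional-seconds GeneralizedTime GMT form."""
    body = value[:-1]
    fmt = "%Y%m%d%H%M%S.%f" if "." in body else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def unique_time(entry, attr, now):
    """A GeneralizedTime for `now` not already present in entry[attr];
    the clock is nudged by a microsecond until the value is unique."""
    existing = set(entry.get(attr, []))
    stamp = to_gt(now)
    while stamp in existing:
        now += timedelta(microseconds=1)
        stamp = to_gt(now)
    return stamp


def purge_stale_failures(policy, entry, now):
    """Drop pwdFailureTime values old by more than pwdFailureCountInterval
    and return the values that remain."""
    interval = policy.get("pwdFailureCountInterval", 0)
    failures = entry.get("pwdFailureTime", [])
    if interval:
        cutoff = now - timedelta(seconds=interval)
        failures = [f for f in failures if from_gt(f) >= cutoff]
    if failures:
        entry["pwdFailureTime"] = failures
    else:
        entry.pop("pwdFailureTime", None)
    return failures


def intruder_detected(policy, entry, now):
    """Intruder Lockout Check."""
    if not policy.get("pwdLockout", False):
        return False
    max_failure = policy.get("pwdMaxFailure", 0)
    return max_failure > 0 and len(purge_stale_failures(policy, entry, now)) >= max_failure


def on_auth_success(entry, now):
    """Validated Password Procedures, policy state updates step."""
    entry.pop("pwdFailureTime", None)
    entry.pop("pwdAccountLockedTime", None)
    entry["pwdLastSuccess"] = [to_gt(now)]
    return (0, None)                  # success; the later checks are not modelled here


def on_auth_failure(policy, entry, now):
    """AuthN Failed Procedures: record the failure, then intruder handling.
    Returns (resultCode, passwordPolicyResponse error or None)."""
    failures = entry.setdefault("pwdFailureTime", [])
    failures.append(unique_time(entry, "pwdFailureTime", now))
    cap = policy.get("pwdMaxRecordedFailure") or policy.get("pwdMaxFailure", 0)
    if cap and len(failures) > cap:   # keep only the newest `cap` values
        del failures[:len(failures) - cap]
    if intruder_detected(policy, entry, now):
        entry["pwdAccountLockedTime"] = [to_gt(now)]
        return (INVALID_CREDENTIALS, ACCOUNT_LOCKED)
    return (INVALID_CREDENTIALS, None)


# Constructed policy: three failures within five minutes lock the account.
POLICY = {"pwdLockout": True, "pwdMaxFailure": 3,
          "pwdFailureCountInterval": 300, "pwdMaxRecordedFailure": 5}


def demo():
    """Three failures one second apart against a fresh entry; returns
    (entry, list of per-attempt results)."""
    entry = {}
    t0 = from_gt("20240501080000Z")
    results = [on_auth_failure(POLICY, entry, t0 + timedelta(seconds=i)) for i in range(3)]
    return entry, results


if __name__ == "__main__":
    print(demo())
```
]]></artwork></figure>
<t>The purge happens inside the check, as the section requires, so two failures from an hour ago do not count towards the limit; and a successful bind wipes the record, which is what keeps a legitimate user from accumulating stale failures.</t>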

<section title="Password Update Operations">

<t>Because the password is stored in an attribute, various operations
(like add and modify) may be used to create or update a password.
But some alternate mechanisms have been defined or may be defined,
such as the LDAP Password Modify Extended Operation <xref target="RFC3062"/>.</t>

<t>While processing a password update, the server performs the following
steps:</t>

<section title="Safe Modification">

<t>If pwdSafeModify is set to TRUE and if there is an existing password
value, the server ensures that the password update operation includes
the user's existing password.</t>

<t>When the LDAP modify operation is used to modify a password, this is
done by specifying both a delete action and an add or replace action,
where the delete action specifies the existing password, and the add
or replace action specifies the new password. Other password update
operations SHOULD employ a similar mechanism. Otherwise this policy
will fail.</t>

<t>If the existing password is not specified, the server does not
process the operation and sends the appropriate response message to
the client with the resultCode: insufficientAccessRights (50), and
includes the passwordPolicyResponse in the controls field of the
response message with the error: mustSupplyOldPassword (4).</t>
</section>

<section title="Change After Reset">

<t>If the decision in <xref target="changenow"/> returns true, the server ensures that
the password update operation contains no modifications other than
the modification of the password attribute. If other modifications
exist, the server sends a response message to the client with the
resultCode: insufficientAccessRights (50), and includes the
passwordPolicyResponse in the controls field of the response message
with the error: changeAfterReset (2).</t>
</section>

<section title="Rights Check">

<t>Check to see whether the bound identity has sufficient rights to
update the password. If the bound identity is a user changing its
own password, this MAY be done by checking the pwdAllowUserChange
attribute or using an access control mechanism. The determination of
this is implementation specific. If the user is not allowed to
update her password, the server sends a response message to the
client with the resultCode: insufficientAccessRights (50), and
includes the passwordPolicyResponse in the controls field of the
response message with the error: passwordModNotAllowed (3).</t>
</section>

<section title="Too Early to Update">

<t>If the check in <xref target="tooyoung"/> results in a true status, the server sends
a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse in
the controls field of the response message with the error:
passwordTooYoung (7).</t>
</section>

<section title="Password Quality">

<t>Check the value of the pwdCheckQuality attribute. If the value is
non-zero, the server:

<list style="symbols">
<t>ensures that the password meets the quality criteria enforced by
the server. This enforcement is implementation specific.
If the server is unable to check the quality (due to a hashed
password or otherwise), the value of pwdCheckQuality is evaluated.
If the value is 1, the operation continues. If the value is 2, the
server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
insufficientPasswordQuality (5).<vspace blankLines="1"/>
If the server is able to check the password quality, and the check
fails, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: insufficientPasswordQuality (5).</t>

<t>checks the value of the pwdMinLength attribute. If the value is
non-zero, it ensures that the new password is of at least the
minimum length.<vspace blankLines="1"/>
If the server is unable to check the length (due to a hashed
password or otherwise), the value of pwdCheckQuality is evaluated.
If the value is 1, the operation continues. If the value is 2, the
server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
passwordTooShort (6).<vspace blankLines="1"/>
If the server is able to check the password length, and the check
fails, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: passwordTooShort (6).</t>

<t>checks the value of the pwdMaxLength attribute. If the value is
non-zero, it ensures that the new password is of at most the
maximum length.<vspace blankLines="1"/>
If the server is unable to check the length (due to a hashed
password or otherwise), the value of pwdCheckQuality is evaluated.
If the value is 1, the operation continues. If the value is 2, the
server sends a response message to the client with the resultCode:
constraintViolation (19), and includes the passwordPolicyResponse
in the controls field of the response message with the error:
passwordTooLong (9).<vspace blankLines="1"/>
If the server is able to check the password length, and the check
fails, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: passwordTooLong (9).</t>
</list></t>
</section>

<section title="Invalid Reuse">

<t>If pwdInHistory is present and its value is non-zero, the server
checks whether this password exists in the entry's pwdHistory
attribute or in the current password attribute. If the password does
exist in the pwdHistory attribute or in the current password
attribute, the server sends a response message to the client with the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response message
with the error: passwordInHistory (8).</t>
</section>

<section title="Policy State Updates">

<t>If the steps have completed without causing an error condition, the
server performs the following steps in order to update the necessary
password policy state attributes:</t>

<t>If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
updates the pwdChangedTime attribute on the entry to the current
time.</t>

<t>If the value of pwdInHistory is non-zero, the server adds the
previous password (if one existed) to the pwdHistory attribute. If
the number of values held in the pwdHistory attribute exceeds the
value of pwdInHistory, the server removes the oldest excess
passwords.</t>

<t>If the value of pwdMustChange is TRUE and the modification is
performed by a password administrator, then the pwdReset attribute is
set to TRUE. Otherwise, the pwdReset attribute is removed from the user's
entry if it exists.</t>

<t>The pwdFailureTime, pwdGraceUseTime and pwdLastSuccess attributes are
removed from the user's entry if they exist.</t>
</section>
</section>
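<t>The steps above, in the order the section gives them, as one added Python function (not the draft's or OpenLDAP's code). It returns the resultCode and passwordPolicyResponse error the section names for each failure and applies the policy state updates on success; the Password Too Young Check from the decision points, with its change-after-reset exemption, is included. Simplifications of this example: passwords and pwdHistory values are compared as plain strings rather than hashes, the implementation-specific quality criteria are reduced to the length rules, and whether the requester is a password administrator or a user changing her own password arrives as flags on a constructed request dict.</t>
<figure><artwork><![CDATA[
```python
"""Server-side password update pipeline (added example, not the draft's code).

Walks the steps of the "Password Update Operations" section in order over
a policy dict and an entry dict, returning (resultCode, passwordPolicyResponse
error or None). Result codes are the LDAP values the section names; error
values are the ENUMERATED ones from the response control. Passwords in
the entry and in pwdHistory are plain strings here; a real server stores
and compares hashes. Who is a "password administrator" and whether a user
is changing her own password are request flags (implementation specific).
"""
from datetime import datetime, timedelta, timezone

SUCCESS, CONSTRAINT_VIOLATION, INSUFFICIENT_ACCESS_RIGHTS = 0, 19, 50
CHANGE_AFTER_RESET, PASSWORD_MOD_NOT_ALLOWED, MUST_SUPPLY_OLD_PASSWORD = 2, 3, 4
INSUFFICIENT_PASSWORD_QUALITY, PASSWORD_TOO_SHORT, PASSWORD_TOO_YOUNG = 5, 6, 7
PASSWORD_IN_HISTORY, PASSWORD_TOO_LONG = 8, 9


def gt(value):
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def must_change_now(policy, entry):
    """Password Must be Changed Now Check."""
    return bool(policy.get("pwdMustChange")) and entry.get("pwdReset") == ["TRUE"]


def password_too_young(policy, entry, now):
    """Password Too Young Check (the change-now exemption is applied by the caller)."""
    min_age = policy.get("pwdMinAge", 0)
    changed = entry.get("pwdChangedTime")
    return bool(min_age and changed and now - gt(changed[0]) < timedelta(seconds=min_age))


def update_password(policy, entry, request, now):
    """request keys: new, old (None when not supplied), other_mods, by_admin,
    by_self, hashed (the client sent an already-hashed value)."""
    current = entry.get("userPassword", [None])[0]
    # Safe Modification
    if policy.get("pwdSafeModify") and current is not None and request.get("old") != current:
        return INSUFFICIENT_ACCESS_RIGHTS, MUST_SUPPLY_OLD_PASSWORD
    # Change After Reset: nothing but the password may be modified
    change_now = must_change_now(policy, entry)
    if change_now and request.get("other_mods"):
        return INSUFFICIENT_ACCESS_RIGHTS, CHANGE_AFTER_RESET
    # Rights Check (pwdAllowUserChange for a user changing her own password)
    if request.get("by_self") and not policy.get("pwdAllowUserChange", True):
        return INSUFFICIENT_ACCESS_RIGHTS, PASSWORD_MOD_NOT_ALLOWED
    # Too Early to Update
    if not change_now and password_too_young(policy, entry, now):
        return CONSTRAINT_VIOLATION, PASSWORD_TOO_YOUNG
    # Password Quality: pwdCheckQuality 1 = best effort, 2 = strict
    new = request["new"]
    quality = policy.get("pwdCheckQuality", 0)
    if quality:
        if request.get("hashed"):            # length/quality cannot be checked
            if quality == 2:
                return CONSTRAINT_VIOLATION, INSUFFICIENT_PASSWORD_QUALITY
        else:
            min_len, max_len = policy.get("pwdMinLength", 0), policy.get("pwdMaxLength", 0)
            if min_len and len(new) < min_len:
                return CONSTRAINT_VIOLATION, PASSWORD_TOO_SHORT
            if max_len and len(new) > max_len:
                return CONSTRAINT_VIOLATION, PASSWORD_TOO_LONG
    # Invalid Reuse
    history = entry.get("pwdHistory", [])
    if policy.get("pwdInHistory", 0) and (new == current or new in history):
        return CONSTRAINT_VIOLATION, PASSWORD_IN_HISTORY
    # Policy State Updates
    entry["userPassword"] = [new]
    if policy.get("pwdMaxAge", 0) or policy.get("pwdMinAge", 0):
        entry["pwdChangedTime"] = [now.strftime("%Y%m%d%H%M%SZ")]
    keep = policy.get("pwdInHistory", 0)
    if keep and current is not None:
        entry["pwdHistory"] = (history + [current])[-keep:]   # oldest excess dropped
    if policy.get("pwdMustChange") and request.get("by_admin"):
        entry["pwdReset"] = ["TRUE"]
    else:
        entry.pop("pwdReset", None)
    for attr in ("pwdFailureTime", "pwdGraceUseTime", "pwdLastSuccess"):
        entry.pop(attr, None)
    return SUCCESS, None


# Constructed policy and entry (the entry's password was just set by an admin).
POLICY = {"pwdSafeModify": True, "pwdMustChange": True, "pwdAllowUserChange": True,
          "pwdMinAge": 3600, "pwdMaxAge": 30 * 86400, "pwdCheckQuality": 2,
          "pwdMinLength": 8, "pwdMaxLength": 64, "pwdInHistory": 2}


def fresh_entry():
    return {"userPassword": ["Adm1n-set-secret"], "pwdChangedTime": ["20240501080000Z"],
            "pwdReset": ["TRUE"], "pwdHistory": ["old-pass-1", "old-pass-2"],
            "pwdFailureTime": ["20240501081000Z"]}


if __name__ == "__main__":
    e = fresh_entry()
    print(update_password(POLICY, e, {"new": "correct-horse-9", "old": "Adm1n-set-secret",
                                      "by_self": True}, gt("20240501081500Z")), e)
```
]]></artwork></figure>
<t>The ordering matters: the user who was just reset is exempt from the minimum-age rule, but only because that exemption is evaluated before the too-young check; a later self-service change ten minutes after the first is refused with passwordTooYoung.</t>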
|
|
|
|
<section title="Other Operations">
|
|
|
|
<t>For operations other than bind, password update, unbind, abandon or
|
|
StartTLS, if the decision in <xref target="changenow"/> returns true, the server
|
|
sends a response message to the client with the resultCode:
|
|
insufficientAccessRights (50), and includes the
|
|
passwordPolicyResponse in the controls field of the response message
|
|
with the error: changeAfterReset (2).</t>
|
|
</section>
|
|
</section>

<section anchor="client_enforce" title="Client Policy Enforcement Points">

<t>These sections illustrate possible scenarios for each LDAP operation
and define the types of responses that identify those scenarios.</t>

<t>The scenarios in the following operations assume that the client
attached a passwordPolicyRequest control to the request message of
the operation, and thus may receive a passwordPolicyResponse control
in the response message. In the event that the passwordPolicyRequest
control was not sent, no passwordPolicyResponse control is returned.
All other instructions remain the same.</t>

<section title="Bind Operation">

<t>For every bind response received, the client checks the resultCode of
the bindResponse and checks for a passwordPolicyResponse control to
determine if any of the following conditions are true and MAY prompt
the user accordingly.

<list style="symbols">
<t>bindResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = accountLocked (1): The password
failure limit has been reached and the account is locked. The
user needs to retry later or contact the password administrator to
reset the password.</t>

<t>bindResponse.resultCode = success (0),
passwordPolicyResponse.error = changeAfterReset (2): The user is
binding for the first time after the password administrator set
the password. In this scenario, the client SHOULD prompt the user
to change his password immediately.</t>

<t>bindResponse.resultCode = success (0),
passwordPolicyResponse.warning = graceAuthNsRemaining: The
password has expired but there are remaining grace
authentications. The user needs to change it.</t>

<t>bindResponse.resultCode = invalidCredentials (49),
passwordPolicyResponse.error = passwordExpired (0): The password
has expired and there are no more grace authentications. The user
contacts the password administrator in order to have the password
reset.</t>

<t>bindResponse.resultCode = success (0),
passwordPolicyResponse.warning = timeBeforeExpiration: The user's
password will expire in n number of seconds.</t>
</list></t>
</section>

<section title="Modify Operations">

<section title="Modify Request">

<t>If the application or client encrypts the password prior to sending
it in a password modification operation (whether done through
modifyRequest or another password modification mechanism), it SHOULD
check the values of the pwdMinLength and pwdCheckQuality attributes
and SHOULD enforce these policies.</t>
</section>

<section title="Modify Response">

<t>If the modifyRequest operation was used to change the password, or if
another mechanism is used (such as an extendedRequest), the
modifyResponse or other appropriate response MAY contain information
pertinent to password policy. The client checks the resultCode of
the response and checks for a passwordPolicyResponse control to
determine if any of the following conditions are true and optionally
notifies the user of the condition.

<list style="symbols">
<t>pwdModResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = mustSupplyOldPassword (4): The user
attempted to change her password without specifying the old
password but the password policy requires this.</t>

<t>pwdModResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = changeAfterReset (2): The user must
change her password before submitting any other LDAP requests.</t>

<t>pwdModResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = passwordModNotAllowed (3): The user
doesn't have sufficient rights to change his password.</t>

<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooYoung (7): It is too
soon after the last password modification to change the password.</t>

<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = insufficientPasswordQuality (5):
The password failed quality checking.</t>

<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooShort (6): The length of
the password is too short.</t>

<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordInHistory (8): The password
has already been used; the user must choose a different one.</t>

<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooLong (9): The length of
the password is too long.</t>
</list></t>
</section>
</section>

<section title="Add Operation">

<t>If a password is specified in an addRequest, the client checks the
resultCode of the addResponse and checks for a passwordPolicyResponse
control to determine if any of the following conditions are true and
may prompt the user accordingly.

<list style="symbols">
<t>addResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = passwordModNotAllowed (3): The user
doesn't have sufficient rights to add this password.</t>

<t>addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = insufficientPasswordQuality (5):
The password failed quality checking.</t>

<t>addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooShort (6): The length of
the password is too short.</t>

<t>addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooLong (9): The length of
the password is too long.</t>
</list></t>
</section>

<section title="Compare Operation">

<t>When a compare operation is used to compare a password, the client
checks the resultCode of the compareResponse and checks for a
passwordPolicyResponse to determine if any of the following
conditions are true and MAY prompt the user accordingly. These
conditions assume that the result of the comparison was true.

<list style="symbols">
<t>compareResponse.resultCode = compareFalse (5),
passwordPolicyResponse.error = accountLocked (1): The password
failure limit has been reached and the account is locked. The
user needs to retry later or contact the password administrator to
reset the password.</t>

<t>compareResponse.resultCode = compareTrue (6),
passwordPolicyResponse.warning = graceAuthNsRemaining: The
password has expired but there are remaining grace
authentications. The user needs to change it.</t>

<t>compareResponse.resultCode = compareFalse (5),
passwordPolicyResponse.error = passwordExpired (0): The password
has expired and there are no more grace authentications. The user
must contact the password administrator to reset the password.</t>

<t>compareResponse.resultCode = compareTrue (6),
passwordPolicyResponse.warning = timeBeforeExpiration: The user's
password will expire in n number of seconds.</t>
</list></t>
</section>

<section title="Other Operations">

<t>For operations other than bind, unbind, abandon or StartTLS, the
client checks the result code and control to determine if
the user needs to change the password immediately.

<list style="symbols">
<t>&lt;Response&gt;.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = changeAfterReset (2): The user
needs to change the password immediately.</t>
</list></t>
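<t>The following Python program is an added illustration of the client-side checks in the Bind, Modify, Add, Compare and Other Operations sections above; it is example code, not part of this draft and not taken from OpenLDAP or any other implementation. It decodes the BER value of a passwordPolicyResponse control and names the scenario that the resultCode and control together signal. The decoder assumes IMPLICIT tagging as used by existing implementations: the warning CHOICE is carried in a constructed [0] that wraps a primitive [0] (timeBeforeExpiration) or [1] (graceAuthNsRemaining) INTEGER, and the error is a primitive [1] ENUMERATED. The sample byte strings at the end are constructed for the example, not captured from a server, and the scenario strings are the example's own wording.</t>
<figure><artwork><![CDATA[
```python
"""Decode a passwordPolicyResponse control value and name the client
scenario it signals (added example; see the lead-in for assumptions)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# passwordPolicyResponse.error values from the draft's ASN.1 definition
ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory", 9: "passwordTooLong",
}
# LDAP resultCode values used in the scenario lists
SUCCESS, COMPARE_FALSE, COMPARE_TRUE, CONSTRAINT_VIOLATION = 0, 5, 6, 19
INVALID_CREDENTIALS, INSUFFICIENT_ACCESS_RIGHTS = 49, 50


@dataclass
class PPolicyResponse:
    time_before_expiration: Optional[int] = None   # warning [0] CHOICE [0]
    grace_authns_remaining: Optional[int] = None   # warning [0] CHOICE [1]
    error: Optional[int] = None                    # error [1] ENUMERATED


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV with a definite length; return (tag, contents, next pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                     # long form: 0x8N followed by N length octets
        nbytes = length - 0x80
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("BER length exceeds available data")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value: bytes) -> PPolicyResponse:
    """Parse PasswordPolicyResponseValue (implicit tags assumed: warning is a
    constructed [0] wrapping a primitive [0] or [1] INTEGER; error is [1])."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    resp, pos = PPolicyResponse(), 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                                    # warning [0]
            ctag, cval, _ = _tlv(inner, 0)
            n = int.from_bytes(cval, "big", signed=True)
            if ctag == 0x80:
                resp.time_before_expiration = n
            elif ctag == 0x81:
                resp.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning alternative tag {ctag:#x}")
        elif tag == 0x81:                                  # error [1]
            resp.error = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag {tag:#x} in PasswordPolicyResponseValue")
    return resp


def classify(operation: str, result_code: int, control: Optional[bytes]) -> str:
    """Name the scenario from the client enforcement sections, or
    'noPolicyInfo' when the response carries nothing policy-related."""
    resp = decode_ppolicy_response(control) if control else PPolicyResponse()
    if operation in ("bind", "compare"):
        ok = SUCCESS if operation == "bind" else COMPARE_TRUE
        if resp.error == 1 and result_code in (INSUFFICIENT_ACCESS_RIGHTS, COMPARE_FALSE):
            return "accountLocked: retry later or contact the password administrator"
        if resp.error == 0 and result_code in (INVALID_CREDENTIALS, COMPARE_FALSE):
            return "passwordExpired: no grace authentications left, administrator reset needed"
        if result_code == ok and operation == "bind" and resp.error == 2:
            return "changeAfterReset: prompt for an immediate password change"
        if result_code == ok and resp.grace_authns_remaining is not None:
            return f"graceAuthNsRemaining={resp.grace_authns_remaining}: password expired, change it now"
        if result_code == ok and resp.time_before_expiration is not None:
            return f"timeBeforeExpiration={resp.time_before_expiration}s"
        return "noPolicyInfo"
    # modify, add and every other operation: only the error field matters, and
    # only with the result codes the lists above pair it with
    if result_code in (INSUFFICIENT_ACCESS_RIGHTS, CONSTRAINT_VIOLATION) and resp.error is not None:
        return ERROR_NAMES.get(resp.error, f"unknownError({resp.error})")
    return "noPolicyInfo"


# Constructed sample control values (hex), not captured from a real server.
SAMPLE_LOCKED = bytes.fromhex("3003810101")          # error accountLocked(1)
SAMPLE_RESET = bytes.fromhex("3003810102")           # error changeAfterReset(2)
SAMPLE_GRACE = bytes.fromhex("3005a003810102")       # warning graceAuthNsRemaining = 2
SAMPLE_EXPIRING = bytes.fromhex("3006a00480020e10")  # warning timeBeforeExpiration = 3600

if __name__ == "__main__":
    print(classify("bind", INSUFFICIENT_ACCESS_RIGHTS, SAMPLE_LOCKED))
    print(classify("bind", SUCCESS, SAMPLE_EXPIRING))
    print(classify("modify", CONSTRAINT_VIOLATION, bytes.fromhex("3003810106")))
```
]]></artwork></figure>
<t>A client that uses this logic must also cope with a response that carries no control at all (the request control was not sent, or the server does not support it): classify() then returns "noPolicyInfo" and the ordinary resultCode handling applies.</t>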
</section>
</section>

<section anchor="admin" title="Administration of the Password Policy">

<t>{TODO: Need to define an administrativeRole (need OID). Need to
describe whether pwdPolicy admin areas can overlap}</t>

<t>A password policy is defined for a particular subtree of the DIT by
adding the pwdPolicy auxiliary object class to an LDAP subentry whose
immediate superior is the root of the subtree. The scope of the
password policy is defined by the SubtreeSpecification attribute of
the LDAP subentry as specified in <xref target="RFC3672"/>.</t>

<t>It is possible to define password policies for different password
attributes within the same pwdPolicy entry, by specifying multiple
values of the pwdAttribute. But password policies could also be in
separate subentries as long as they are contained under the same
LDAP subentry.</t>

<t>Only one policy may be in effect for a given password attribute
in any entry. If multiple policies exist which overlap in the range
of entries affected, the resulting behavior is undefined.</t>

<t>Modifying the password policy MUST NOT result in any change in users'
entries to which the policy applies.</t>

<t>It SHOULD be possible to override the password policy for one user
by defining a new policy in a subentry of the user entry.</t>

<t>Each object that is controlled by password policy advertises the
subentry that is being used to control its policy in its
pwdPolicySubentry attribute. Clients wishing to examine or manage
password policy for an object may interrogate the pwdPolicySubentry
for that object in order to arrive at the proper pwdPolicy subentry.</t>
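<t>The following Python program is an added illustration of how the scoping rules in this section combine; it is example code, not part of this draft and not taken from OpenLDAP. It models a policy subentry (whose parent is the administrative point), a SubtreeSpecification with base, minimum, maximum and chop exclusions as defined in RFC 3672, and the resolution a server performs to fill pwdPolicySubentry. Since this draft leaves overlapping policies undefined and only says that a subentry under a user entry SHOULD override, the tie-break used here (the deepest administrative point wins) is the example's own assumption. DNs are modelled as tuples of RDN strings ordered from the root downward, the reverse of LDAP string form, and the sample DIT is constructed for the example.</t>
<figure><artwork><![CDATA[
```python
"""Resolve which pwdPolicy subentry governs an entry (added example; the
deepest-administrative-point tie-break is this example's assumption)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DN = Tuple[str, ...]    # ("dc=example", "ou=people", "uid=alice"), root first


@dataclass
class SubtreeSpecification:
    base: DN = ()                     # relative to the administrative point
    minimum: int = 0                  # depth bounds, in RDNs below the base
    maximum: Optional[int] = None
    chop_before: List[DN] = field(default_factory=list)  # named entry and its subtree excluded
    chop_after: List[DN] = field(default_factory=list)   # only the subtree below it excluded


def _under(entry: DN, root: DN) -> bool:
    return entry[:len(root)] == root


def in_scope(spec: SubtreeSpecification, admin_point: DN, entry: DN) -> bool:
    """RFC 3672 subtree membership: base, depth bounds, then exclusions."""
    root = admin_point + spec.base
    if not _under(entry, root):
        return False
    depth = len(entry) - len(root)
    if depth < spec.minimum or (spec.maximum is not None and depth > spec.maximum):
        return False
    for rel in spec.chop_before:
        if _under(entry, root + rel):
            return False
    for rel in spec.chop_after:
        if _under(entry, root + rel) and entry != root + rel:
            return False
    return True


@dataclass
class PolicySubentry:
    dn: DN                              # the subentry; its parent is the administrative point
    spec: SubtreeSpecification
    pwd_attribute: str = "userPassword"  # value of pwdAttribute in the subentry

    @property
    def admin_point(self) -> DN:
        return self.dn[:-1]


def resolve_policy(entry: DN, subentries: List[PolicySubentry],
                   pwd_attribute: str = "userPassword") -> Optional[PolicySubentry]:
    """Return the governing subentry, i.e. what a server would expose in the
    entry's pwdPolicySubentry attribute, or None when no policy applies."""
    candidates = [s for s in subentries
                  if s.pwd_attribute == pwd_attribute
                  and in_scope(s.spec, s.admin_point, entry)]
    if not candidates:
        return None
    # Example's own tie-break: the most specific administrative point wins,
    # which is what lets a subentry under one user entry override the
    # subtree-wide policy.
    return max(candidates, key=lambda s: len(s.admin_point))


# Constructed sample DIT (not from any real directory): a default policy for
# dc=example that chops out the service-account branch, a separate policy
# for that branch, and a per-user override for uid=alice.
DEFAULT_POLICY = PolicySubentry(
    dn=("dc=example", "cn=default-pwd-policy"),
    spec=SubtreeSpecification(chop_before=[("ou=service-accounts",)]))
SERVICE_POLICY = PolicySubentry(
    dn=("dc=example", "ou=service-accounts", "cn=service-pwd-policy"),
    spec=SubtreeSpecification())
ALICE_POLICY = PolicySubentry(
    dn=("dc=example", "ou=people", "uid=alice", "cn=alice-pwd-policy"),
    spec=SubtreeSpecification())
SUBENTRIES = [DEFAULT_POLICY, SERVICE_POLICY, ALICE_POLICY]


def governing_policy_dn(entry: DN) -> Optional[DN]:
    policy = resolve_policy(entry, SUBENTRIES)
    return policy.dn if policy else None


if __name__ == "__main__":
    for e in [("dc=example", "ou=people", "uid=alice"),
              ("dc=example", "ou=people", "uid=bob"),
              ("dc=example", "ou=service-accounts", "cn=backup")]:
        print(e, "->", governing_policy_dn(e))
```
]]></artwork></figure>
<t>The chop exclusion in the default policy is what keeps the two subtree policies from overlapping; without it, the service-account entries would fall under both subentries and, per this section, the behavior would be undefined.</t>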
</section>

<section title="Password Policy and Replication">

<t>{TODO: This section needs to be changed to highlight the pitfalls of
replication, suggest some implementation choices to overcome those
pitfalls, but remove prescriptive language relating to the update of
state information}</t>

<t>The pwdPolicy object defines the password policy for a portion of the
DIT and MUST be replicated on all the replicas of this subtree, as
any subentry would be, in order to have a consistent policy among all
replicated servers.</t>

<t>The elements of the password policy that are related to the users are
stored in the user entries themselves as operational attributes. As these
attributes are subject to modifications even on a read-only replica,
replicating them must be carefully considered.</t>

<t>The pwdChangedTime attribute MUST be replicated on all replicas, to
allow expiration of the password.</t>

<t>The pwdReset attribute MUST be replicated on all replicas, to deny
access to operations other than bind and modify password.</t>

<t>The pwdHistory attribute MUST be replicated to writable replicas. It
doesn't have to be replicated to a read-only replica, since the
password will never be directly modified on this server.</t>

<t>The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
pwdLastSuccess attributes SHOULD be replicated to writable replicas,
making the password policy global for all servers. When the user entry
is replicated to a read-only replica, these attributes SHOULD NOT be
replicated. This means that failures and grace authentications are
counted, and lockout applied, independently on each replicated
server. For example, the effective number of failed attempts on a
user password will be N x M (where N is the number of servers and M
the value of the pwdMaxFailure attribute). Replicating these attributes
to a read-only replica MAY reduce the number of tries globally but
MAY also introduce some inconsistencies in the way the password policy
is applied.</t>

<t>Note: there are some situations where global replication of these
state attributes may not be desired. For example, if two clusters of
replicas are geographically remote and joined by a slow network link,
and their users only log in from one of the two locations, it may be
unnecessary to propagate all of the state changes from one cluster
to the other. Servers SHOULD allow administrators to control which
attributes are replicated on a case-by-case basis.</t>

<t>Servers participating in a loosely consistent multi-master
replication agreement SHOULD employ a mechanism which ensures
uniqueness of values when populating the attributes pwdFailureTime
and pwdGraceUseTime. The method of achieving this is a local matter
and may consist of using a single authoritative source for the
generation of unique time values, or may consist of the use of the
fractional seconds part to hold a replica identifier.</t>
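<t>The following Python program is an added illustration of the second mechanism mentioned above (a replica identifier carried in the fractional-seconds part); it is example code, not part of this draft and not taken from OpenLDAP. pwdFailureTime and pwdGraceUseTime are multi-valued GeneralizedTime attributes, and an attribute cannot hold two equal values, so when two replicas stamp the same second their records collapse into one value once the updates are merged, and the failure count is understated. The example formats values per the RFC 4517 GeneralizedTime syntax with a six-digit fraction split into a three-digit replica id and a three-digit per-second sequence number; that layout, the digit widths and the sample instant are the example's own choices.</t>
<figure><artwork><![CDATA[
```python
"""Replica-unique pwdFailureTime / pwdGraceUseTime values (added example;
the fraction layout is this example's choice)."""
from datetime import datetime, timezone
from typing import Dict, Set


class FailureTimeSource:
    """Generates GeneralizedTime values of the form YYYYMMDDHHMMSS.RRRSSSZ,
    where RRR is the replica id and SSS a per-second sequence counter."""

    def __init__(self, replica_id: int):
        if not 0 <= replica_id <= 999:
            raise ValueError("replica id must fit in three decimal digits")
        self.replica_id = replica_id
        self._last_second = ""
        self._seq = 0

    def next_value(self, now: datetime) -> str:
        """Return a value unique to this replica within the given second."""
        second = now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")
        if second == self._last_second:
            self._seq += 1
        else:
            self._last_second, self._seq = second, 0
        if self._seq > 999:
            raise RuntimeError("more than 1000 values in one second on one replica")
        return f"{second}.{self.replica_id:03d}{self._seq:03d}Z"


def replica_of(value: str) -> int:
    """Recover the replica id from a value produced by FailureTimeSource."""
    return int(value.split(".")[1][:3])


def merge_failure_times(*per_replica: Set[str]) -> Set[str]:
    """What one replica holds after receiving the others' values: a set
    union, so equal values from different replicas silently collapse."""
    merged: Set[str] = set()
    for values in per_replica:
        merged |= values
    return merged


# Constructed instant used by demo() and the sample run; not a real event.
SAMPLE_INSTANT = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)


def demo(count_per_replica: int = 3) -> Dict[str, int]:
    """Two replicas each record count_per_replica failures within the same
    second. Whole-second stamps survive the merge as a single value; stamps
    carrying a replica id all survive."""
    naive = [{SAMPLE_INSTANT.strftime("%Y%m%d%H%M%SZ") for _ in range(count_per_replica)}
             for _ in (1, 2)]
    src_a, src_b = FailureTimeSource(1), FailureTimeSource(2)
    tagged_a = {src_a.next_value(SAMPLE_INSTANT) for _ in range(count_per_replica)}
    tagged_b = {src_b.next_value(SAMPLE_INSTANT) for _ in range(count_per_replica)}
    return {"naive": len(merge_failure_times(*naive)),
            "tagged": len(merge_failure_times(tagged_a, tagged_b))}


if __name__ == "__main__":
    print(demo())
```
]]></artwork></figure>
<t>The counter part of the fraction also handles the case of several failed binds against one entry within the same second on one replica, which would otherwise collide even without replication.</t>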
</section>

<section title="Security Considerations">

<t>This document defines a set of rules to implement in an LDAP server,
in order to mitigate some of the security risks associated with the
use of passwords and to make it difficult for password cracking
programs to break into directories.</t>

<t>Authentication with a password MUST follow the recommendations made
in <xref target="RFC4513"/>.</t>

<t>Modifications of passwords SHOULD only occur when the connection is
protected with confidentiality and secure authentication.</t>

<t>Access controls SHOULD be used to restrict access to the password
policy attributes. The attributes defined to maintain the password
policy state information SHOULD only be modifiable by the password
administrator or higher authority. The pwdHistory attribute MUST be
subject to the same level of access control as the attribute holding
the password.</t>

<t>As it is possible to define a password policy for one specific user
by adding a subentry immediately under the user's entry, access
controls SHOULD be used to restrict the use of the pwdPolicy object
class or the LDAP subentry object class.</t>

<t>When the intruder detection password policy is enforced, the LDAP
directory is subject to a denial of service attack. A malicious user
could deliberately lock out one specific user's account (or all of
them) by sending bind requests with wrong passwords. There is no way
to protect against this kind of attack. The LDAP directory server
SHOULD log as much information as it can (such as client IP address)
whenever an account is locked, in order to be able to identify the
origin of the attack. Denying anonymous access to the LDAP directory
is also a way to restrict this kind of attack. Using the login
delay instead of the lockout mechanism will also help avoid this
denial of service.</t>

<t>Returning certain status codes (such as passwordPolicyResponse.error
= accountLocked) allows a denial of service attacker to know that it
has successfully denied service to an account. Servers SHOULD
implement additional checks which return the same status when it is
sensed that some number of failed authentication requests has occurred
on a single connection, or from a client address. Server
implementors are encouraged to invent other checks similar to this in
order to thwart this type of DoS attack.</t>
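<t>The following Python program is an added illustration of the two server-side measures recommended in the last two paragraphs; it is example code, not part of this draft and not taken from OpenLDAP. It keeps the per-account failure state this draft defines (pwdFailureTime values that age out after pwdFailureCountInterval, a lock once pwdMaxFailure is reached, release after pwdLockoutDuration), logs every lock together with the client address, and once a single client address has produced a threshold number of failures answers every further bind from it with the same accountLocked status, so the sender can no longer tell whether the targeted account is actually locked. The per-address threshold, the in-memory store and the use of plain Unix seconds are the example's own choices; the sample addresses and DNs in the usage note are constructed.</t>
<figure><artwork><![CDATA[
```python
"""Intruder-detection bookkeeping that limits the lockout denial of service
described above (added example; see the lead-in for what is assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCOUNT_LOCKED = 1   # passwordPolicyResponse.error value returned to the client


@dataclass
class Policy:
    pwd_max_failure: int = 5
    pwd_failure_count_interval: int = 300   # seconds; 0 = failures never age out
    pwd_lockout_duration: int = 900         # seconds; 0 = locked until administrator reset
    per_address_threshold: int = 20         # example's own: failures from one client address


@dataclass
class AccountState:
    pwd_failure_time: List[float] = field(default_factory=list)   # Unix seconds
    pwd_account_locked_time: Optional[float] = None


class IntruderDetection:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.address_failures: Dict[str, List[float]] = {}   # client address -> failure times
        self.lock_log: List[str] = []                         # audit trail of lock events

    def _recent(self, times: List[float], now: float) -> List[float]:
        """Drop failures older than pwdFailureCountInterval."""
        interval = self.policy.pwd_failure_count_interval
        return list(times) if interval == 0 else [t for t in times if now - t < interval]

    def before_bind(self, dn: str, addr: str, now: float) -> Optional[int]:
        """Run before the password is verified. Returns the ppolicy error to
        send (bind refused) or None when verification may proceed."""
        st = self.accounts.setdefault(dn, AccountState())
        if st.pwd_account_locked_time is not None:
            duration = self.policy.pwd_lockout_duration
            if duration == 0 or now - st.pwd_account_locked_time < duration:
                return ACCOUNT_LOCKED
            st.pwd_account_locked_time = None     # lock expired; count afresh (example's choice)
            st.pwd_failure_time = []
        recent = self._recent(self.address_failures.get(addr, []), now)
        self.address_failures[addr] = recent
        if len(recent) >= self.policy.per_address_threshold:
            # Same status as a real lock, so a flood from this address can no
            # longer confirm whether the targeted account is locked.
            return ACCOUNT_LOCKED
        return None

    def record_failure(self, dn: str, addr: str, now: float) -> Optional[int]:
        """Run after a wrong password. Ages out old pwdFailureTime values, adds
        this one, and locks the account (logging the source) at pwdMaxFailure."""
        st = self.accounts.setdefault(dn, AccountState())
        st.pwd_failure_time = self._recent(st.pwd_failure_time, now) + [now]
        self.address_failures.setdefault(addr, []).append(now)
        if len(st.pwd_failure_time) >= self.policy.pwd_max_failure:
            st.pwd_account_locked_time = now
            self.lock_log.append(f"account locked dn={dn} client={addr} at={now:.0f}")
            return ACCOUNT_LOCKED
        return None

    def record_success(self, dn: str) -> None:
        """A successful bind clears the failure history."""
        self.accounts.setdefault(dn, AccountState()).pwd_failure_time = []


if __name__ == "__main__":
    det = IntruderDetection(Policy(pwd_max_failure=3, per_address_threshold=5))
    for t in range(3):                                   # constructed sample traffic
        det.record_failure("uid=alice,dc=example", "192.0.2.10", float(t))
    print(det.before_bind("uid=alice,dc=example", "192.0.2.10", 4.0), det.lock_log)
```
]]></artwork></figure>
<t>With a policy of pwdMaxFailure=3 and a per-address threshold of 5, three wrong passwords for uid=alice from 192.0.2.10 lock that account and leave one log line naming the address; five wrong passwords for any accounts from 192.0.2.20 make before_bind() answer accountLocked to that address for every account, while binds from other addresses are unaffected. The per-address list is pruned with the same pwdFailureCountInterval as the per-account state, so a quiet address recovers on its own.</t>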
</section>

<section title="IANA Considerations">

<t>In accordance with <xref target="RFC4520"/> the following
registrations are requested.</t>

<section title="Object Identifiers">

<t>The OIDs used in this specification are derived from
iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These
OIDs have been in use since at least July 2001 when version 04
of this draft was published. No additional OID assignment
is being requested.</t>
</section>

<section title="LDAP Protocol Mechanisms">

<t>Registration of the protocol mechanisms specified in this
document is requested.

<list style="empty">
<t>Subject: Request for LDAP Protocol Mechanism Registration</t>
<t>Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1</t>
<t>Description: Password Policy Request and Response Control</t>
<t>Person &amp; email address to contact for further information:
<list style="empty">
<t>Howard Chu &lt;hyc@symas.com&gt;</t>
</list></t>
<t>Usage: Control</t>
<t>Specification: (I-D) draft-behera-ldap-password-policy</t>
<t>Author/Change Controller: IESG</t>
<t>Comments:</t>
</list></t>
</section>

<section title="LDAP Descriptors">

<t>Registration of the descriptors specified in this
document is requested.

<list style="empty">
<t>Subject: Request for LDAP Descriptor Registration</t>
<t>Descriptor (short name): see table</t>
<t>Object Identifier: see table</t>
<t>Description: see table</t>
<t>Person &amp; email address to contact for further information:
<list style="empty">
<t>Howard Chu &lt;hyc@symas.com&gt;</t>
</list></t>
<t>Specification: (I-D) draft-behera-ldap-password-policy</t>
<t>Author/Change Controller: IESG</t>
<t>Comments:
<figure><artwork>
Name                    Type OID
----------------------- ---- ------------------------------
pwdPolicy               O    1.3.6.1.4.1.42.2.27.8.2.1
pwdAttribute            A    1.3.6.1.4.1.42.2.27.8.1.1
pwdMinAge               A    1.3.6.1.4.1.42.2.27.8.1.2
pwdMaxAge               A    1.3.6.1.4.1.42.2.27.8.1.3
pwdInHistory            A    1.3.6.1.4.1.42.2.27.8.1.4
pwdCheckQuality         A    1.3.6.1.4.1.42.2.27.8.1.5
pwdMinLength            A    1.3.6.1.4.1.42.2.27.8.1.6
pwdMaxLength            A    1.3.6.1.4.1.42.2.27.8.1.31
pwdExpireWarning        A    1.3.6.1.4.1.42.2.27.8.1.7
pwdGraceAuthNLimit      A    1.3.6.1.4.1.42.2.27.8.1.8
pwdGraceExpiry          A    1.3.6.1.4.1.42.2.27.8.1.30
pwdLockout              A    1.3.6.1.4.1.42.2.27.8.1.9
pwdLockoutDuration      A    1.3.6.1.4.1.42.2.27.8.1.10
pwdMaxFailure           A    1.3.6.1.4.1.42.2.27.8.1.11
pwdFailureCountInterval A    1.3.6.1.4.1.42.2.27.8.1.12
pwdMustChange           A    1.3.6.1.4.1.42.2.27.8.1.13
pwdAllowUserChange      A    1.3.6.1.4.1.42.2.27.8.1.14
pwdSafeModify           A    1.3.6.1.4.1.42.2.27.8.1.15
pwdMinDelay             A    1.3.6.1.4.1.42.2.27.8.1.24
pwdMaxDelay             A    1.3.6.1.4.1.42.2.27.8.1.25
pwdMaxIdle              A    1.3.6.1.4.1.42.2.27.8.1.26
pwdChangedTime          A    1.3.6.1.4.1.42.2.27.8.1.16
pwdAccountLockedTime    A    1.3.6.1.4.1.42.2.27.8.1.17
pwdFailureTime          A    1.3.6.1.4.1.42.2.27.8.1.19
pwdHistory              A    1.3.6.1.4.1.42.2.27.8.1.20
pwdGraceUseTime         A    1.3.6.1.4.1.42.2.27.8.1.21
pwdReset                A    1.3.6.1.4.1.42.2.27.8.1.22
pwdPolicySubEntry       A    1.3.6.1.4.1.42.2.27.8.1.23
pwdStartTime            A    1.3.6.1.4.1.42.2.27.8.1.27
pwdEndTime              A    1.3.6.1.4.1.42.2.27.8.1.28
pwdLastSuccess          A    1.3.6.1.4.1.42.2.27.8.1.29
</artwork></figure>
<figure><artwork>
Legend
--------------------
A => Attribute Type
O => Object Class
</artwork></figure>
</t>
</list></t>
</section>

<section title="LDAP AttributeDescription Options">

<t>Registration of the AttributeDescription option specified
in this document is requested.

<list style="empty">
<t>Subject: Request for LDAP Attribute Description Option Registration</t>
<t>Option Name: pwd-</t>
<t>Family of Options: YES</t>
<t>Person &amp; email address to contact for further information:
<list style="empty">
<t>Howard Chu &lt;hyc@symas.com&gt;</t>
</list></t>
<t>Specification: (I-D) draft-behera-ldap-password-policy</t>
<t>Author/Change Controller: IESG</t>
<t>Comments:
<list style="empty">
<t>Used with policy state attributes to specify to which password attribute
the state belongs.</t></list>
</t>
</list></t>
</section>
</section>

<section title="Acknowledgement">

<t>This document is based in part on prior work done by Valerie Chu from
Netscape Communications Corp, published as
draft-vchu-ldap-pwd-policy-00.txt (December 1998). Prasanta Behera
participated in early revisions of this document.</t>
</section>

</middle>

<back>

<references title="Normative References">
&rfc2119;
&rfc2195;
&rfc4422;
&rfc4511;
&rfc4512;
&rfc4513;
&rfc4517;
&rfc2831;
&rfc3062;
&rfc4520;
&rfc3672;

<reference anchor="X.680">
<front>
<title>Abstract Syntax Notation One (ASN.1): Specification of basic notation</title>
<author>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
</author>
<date month="July" year="2002" />
</front>
<seriesInfo name="ITU-T Recommendation" value="X.680" />
</reference>

<reference anchor="X.690">
<front>
<title>Information Technology - ASN.1 encoding rules: Specification of Basic
Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)</title>
<author>
<organization abbrev="ITU-T">
International Telecommunications Union</organization>
</author>
<date month="July" year="2002" />
</front>
<seriesInfo name="ITU-T Recommendation" value="X.690" />
</reference>
</references>

</back>

</rfc>