mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
1962 lines
76 KiB
Plaintext
1962 lines
76 KiB
Plaintext
|
||
|
||
Internet-Draft P. Behera
|
||
draft behera-ldap-password-policy-07.txt L. Poitou
|
||
Intended Category: Proposed Standard Sun Microsystems
|
||
Expires: August 2004 J. Sermersheim
|
||
Novell
|
||
|
||
February 2004
|
||
|
||
|
||
Password Policy for LDAP Directories
|
||
|
||
|
||
Status of this Memo
|
||
|
||
This document is an Internet-Draft and is in full conformance with
|
||
all provisions of Section 10 of RFC 2026.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that
|
||
other groups may also distribute working documents as Internet-
|
||
Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six
|
||
months and may be updated, replaced, or obsoleted by other documents
|
||
at any time. It is inappropriate to use Internet- Drafts as
|
||
reference material or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
Technical discussions of this draft are held on the LDAPEXT Working
|
||
Group mailing list at ietf-ldapext@netscape.com. Editorial comments
|
||
may be sent to the authors listed in Section 13.
|
||
|
||
Copyright (C) The Internet Society (2004). All rights Reserved.
|
||
|
||
Please see the Copyright Section near the end of this document for
|
||
more information.
|
||
|
||
|
||
|
||
Conventions
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document
|
||
are to be interpreted as described in RFC 2119 [RFC-2119].
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 1
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
1. Abstract
|
||
|
||
Password policy as described in this document is a set of rules that
|
||
controls how passwords are used and administered in LDAP
|
||
directories. In order to improve the security of LDAP directories
|
||
and make it difficult for password cracking programs to break into
|
||
directories, it is desirable to enforce a set of rules on password
|
||
usage. These rules are made to ensure that users change their
|
||
passwords periodically, passwords meet construction requirements,
|
||
the re-use of old password is restricted, and users are locked out
|
||
after a certain number of failed attempts.
|
||
|
||
|
||
|
||
2. Overview
|
||
|
||
LDAP-based directory services are currently accepted by many
|
||
organizations as the access protocol for directories. The ability to
|
||
ensure the secure read and update access to directory information
|
||
throughout the network is essential to the successful deployment.
|
||
Most LDAP implementations support many authentication schemes - the
|
||
most basic and widely used is the simple authentication i.e., user
|
||
DN and password. In this case, many LDAP servers have implemented
|
||
some kind of policy related to the password used to authenticate.
|
||
Among other things, this policy includes:
|
||
|
||
- Whether and when passwords expire.
|
||
- Whether failed bind attempts cause the account to be locked.
|
||
- If and how users are able to change their passwords.
|
||
|
||
In order to achieve greater security protection and ensure
|
||
interoperability in a heterogeneous environment, LDAP needs to
|
||
standardize on a common password policy model. This is critical to
|
||
the successful deployment of LDAP directories.
|
||
|
||
2.1. Application of password policy
|
||
|
||
The password policy defined in this document can be applied to any
|
||
attribute holding a user's password used for an authenticated LDAP
|
||
bind operation. In this document, the term "user" represents any
|
||
LDAP client application that has an identity in the directory.
|
||
|
||
This policy is typically applied to the userPassword attribute in
|
||
the case of the LDAP simple authentication method [RFC-2251] or the
|
||
case of password based SASL [RFC-2222] authentication such as CRAM-
|
||
MD5 [RFC-2195] and DIGEST-MD5 [RFC-Digest].
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 2
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
The policy described in this document assumes that the password
|
||
attribute holds a single value. No considerations are made for
|
||
directories or systems that allow a user to maintain multi-valued
|
||
password attributes.
|
||
|
||
Server implementations MAY institute internal policy whereby certain
|
||
identities (such as directory administrators) are not forced to
|
||
comply with any of password policy. In this case, the password for a
|
||
directory administrator never expires; the account is never locked,
|
||
etc.
|
||
|
||
The term "directory administrator" refers to a user that has
|
||
sufficient access control privileges to modify users' passwords, and
|
||
the pwdPolicy object defined in this document. The access control
|
||
that is used to determine whether an identity is a directory
|
||
administrator is beyond the scope of this document, but typically
|
||
implies that the administrator has 'write' privileges to the
|
||
password attribute.
|
||
|
||
3. Articles of password policy
|
||
|
||
The following sections explain in general terms each aspect of the
|
||
password policy defined in this document as well as the need for
|
||
each. These policies are subdivided into the general groups of
|
||
password usage and password modification. Implementation details are
|
||
presented in Sections 6 and 7.
|
||
|
||
3.1. Password Usage Policy
|
||
|
||
This section describes policy enforced when a password is used to
|
||
authenticate. The general focus of this policy is to minimize the
|
||
threat of intruders once a password is in use.
|
||
|
||
3.1.1. Password Guessing limit
|
||
|
||
In order to prevent intruders from guessing a user's password, a
|
||
mechanism exists to track the number of failed authentication
|
||
attempts, and take action when a limit is reached.
|
||
|
||
This policy consists of five parts:
|
||
|
||
- A configurable limit on failed authentication attempts.
|
||
|
||
- A counter to track the number of failed authentication attempts.
|
||
|
||
- A timeframe in which the limit of consecutive failed
|
||
authentication attempts must happen before action is taken.
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 3
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
- The action to be taken when the limit is reached. The action will
|
||
either be nothing, or the account will be locked.
|
||
|
||
- An amount of time the account is locked (if it is to be locked).
|
||
This can be indefinite.
|
||
|
||
3.2. Password Modification Policy
|
||
|
||
This section describes policy enforced while users are modifying
|
||
passwords. The general focus of this policy is to ensure that when
|
||
users add or change their passwords, the security and effectiveness
|
||
of their passwords is maximized. In this document, the term "modify
|
||
password operation" refers to any operation that is used to add or
|
||
modify a password attribute. Often this is done by updating the
|
||
userPassword attribute during an add or modify operation, but MAY be
|
||
done by other means such as an extended operation.
|
||
|
||
|
||
3.2.1. Password Expiration, Expiration Warning, and Grace binds
|
||
|
||
One of the key properties of a password is the fact that it is not
|
||
well known. If a password is frequently changed, the chances of that
|
||
user's account being broken into are minimized.
|
||
|
||
Directory administrators may deploy a password policy that causes
|
||
passwords to expire after a given amount of time - thus forcing
|
||
users to change their passwords periodically.
|
||
|
||
As a side effect, there needs to be a way in which users are made
|
||
aware of this need to change their password before actually being
|
||
locked out of their accounts. One or both of the following methods
|
||
handle this:
|
||
|
||
- The user is sent a warning sometime before his password is due to
|
||
expire. If the user fails to heed this warning before the
|
||
expiration time, his account will be locked.
|
||
|
||
- The user may bind to the directory a preset number of times after
|
||
her password has expired. If she fails to change her password
|
||
during one of her 'grace' binds, her account will be locked.
|
||
|
||
3.2.2. Password History
|
||
|
||
When the Password Expiration policy is used, an additional mechanism
|
||
may be employed to prevent users from simply re-using a previous
|
||
password (as this would effectively circumvent the expiration
|
||
policy).
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 4
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
In order to do this; a history of used passwords is kept. The
|
||
directory administrator sets the number of passwords to be stored at
|
||
any given time. Passwords are stored in this history whenever the
|
||
password is changed. Users aren't allowed to specify any passwords
|
||
that are in the history list while changing passwords.
|
||
|
||
3.2.3. Password Minimum Age
|
||
|
||
Users may circumvent the Password History mechanism by quickly
|
||
performing a series of password changes. If they change their
|
||
password enough times, their 'favorite' password will be pushed out
|
||
of the history list.
|
||
|
||
This process may be made less attractive to users by employing a
|
||
minimum age for passwords. If users are forced to wait 24 hours
|
||
between password changes, they may be less likely to cycle through a
|
||
history of 10 passwords.
|
||
|
||
3.2.4. Password Quality and Minimum length
|
||
|
||
In order to prevent users from creating or updating passwords that
|
||
are easy to guess, a password quality policy may be employed. This
|
||
policy consists of two general mechanisms - ensuring that passwords
|
||
conform to a defined quality criteria and ensuring that they are of
|
||
a minimum length.
|
||
|
||
Forcing a password to comply with the quality policy may imply a
|
||
variety of things including:
|
||
|
||
- Disallowing trivial or well-known words make up the password.
|
||
|
||
- Forcing a certain number of digits be used.
|
||
|
||
- Disallowing anagrams of the user's name.
|
||
|
||
The implementation of this policy meets with the following problems:
|
||
|
||
- If the password to be added or updated is encrypted by the client
|
||
before being sent, the server has no way of enforcing this
|
||
policy. Therefore, the onus of enforcing this policy falls upon
|
||
client implementations.
|
||
|
||
- There are no specific definitions of what 'quality checking'
|
||
means. This can lead to unexpected behavior in a heterogeneous
|
||
environment.
|
||
|
||
3.2.5. User Defined Passwords
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 5
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
In some cases, it is desirable to disallow users from adding and
|
||
updating their own passwords. This policy makes this functionality
|
||
possible.
|
||
|
||
This implies that certain other policy, such as password expiration
|
||
is not enforced.
|
||
|
||
3.2.6. Password Change After Reset
|
||
|
||
This policy forces the user to update her password after it has been
|
||
set for the first time, or has been reset by the directory
|
||
administrator.
|
||
|
||
This is needed in scenarios where a directory administrator has set
|
||
or reset the password to a well-known value.
|
||
|
||
3.2.7. Safe modification
|
||
|
||
As directories become more commonly used, it will not be unusual for
|
||
clients to connect to a directory and leave the connection open for
|
||
an extended period. This opens up the possibility for an intruder to
|
||
make modifications to a user's password while that user's computer
|
||
is connected but unattended.
|
||
|
||
This policy forces the user to prove his identity by specifying the
|
||
old password during a password modify operation.
|
||
|
||
3.3. Restriction of the Password Policy
|
||
|
||
The password policy defined in this document can apply to any
|
||
attribute containing a password. Password policy state information
|
||
is held in the user's entry, and applies to a password attribute,
|
||
not a particular password attribute value. Thus the server SHOULD
|
||
enforce that the password attribute subject to password policy,
|
||
contains one and only one password value.
|
||
|
||
|
||
4. Schema used for Password Policy
|
||
|
||
The schema elements defined here fall into two general categories. A
|
||
password policy object class is defined which contains a set of
|
||
administrative password policy attributes, and a set of operational
|
||
attributes are defined that hold general password policy state
|
||
information for each user.
|
||
|
||
4.1. The pwdPolicy Object Class
|
||
|
||
This object class contains the attributes defining a password policy
|
||
in effect for a set of users. Section 8 describes the administration
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 6
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
of this object, and the relationship between it and particular
|
||
objects.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.2.1
|
||
NAME 'pwdPolicy'
|
||
SUP top
|
||
AUXILIARY
|
||
MUST ( pwdAttribute )
|
||
MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
|
||
pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout
|
||
$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
|
||
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
|
||
|
||
4.2. Attribute Types used in the pwdPolicy ObjectClass
|
||
|
||
Following are the attribute types used by the pwdPolicy object
|
||
class.
|
||
|
||
4.2.1. pwdAttribute
|
||
|
||
This holds the name of the attribute to which the password policy is
|
||
applied. For example, the password policy may be applied to the
|
||
userPassword attribute.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.1
|
||
NAME 'pwdAttribute'
|
||
EQUALITY objectIdentifierMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
|
||
|
||
4.2.2. pwdMinAge
|
||
|
||
This attribute holds the number of seconds that must elapse between
|
||
modifications to the password. If this attribute is not present, 0
|
||
seconds is assumed.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.2
|
||
NAME 'pwdMinAge'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.3. pwdMaxAge
|
||
|
||
This attribute holds the number of seconds after which a modified
|
||
password will expire.
|
||
|
||
If this attribute is not present, or if the value is 0 the password
|
||
does not expire. If not 0, the value must be greater than or equal
|
||
to the value of the pwdMinAge.
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 7
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.3
|
||
NAME 'pwdMaxAge'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.4. pwdInHistory
|
||
|
||
This attribute specifies the maximum number of used passwords stored
|
||
in the pwdHistory attribute.
|
||
|
||
If this attribute is not present, or if the value is 0, used
|
||
passwords are not stored in the pwdHistory attribute and thus may be
|
||
reused.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.4
|
||
NAME 'pwdInHistory'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.5. pwdCheckQuality
|
||
|
||
This attribute indicates how the password quality will be verified
|
||
while being modified or added. If this attribute is not present, or
|
||
if the value is '0', quality checking will not be enforced. A value
|
||
of '1' indicates that the server will check the quality, and if the
|
||
server is unable to check it (due to a hashed password or other
|
||
reasons) it will be accepted. A value of '2' indicates that the
|
||
server will check the quality, and if the server is unable to verify
|
||
it, it will return an error refusing the password.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.5
|
||
NAME 'pwdCheckQuality'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.6. pwdMinLength
|
||
|
||
When quality checking is enabled, this attribute holds the minimum
|
||
number of characters that must be used in a password. If this
|
||
attribute is not present, no minimum password length will be
|
||
enforced. If the server is unable to check the length (due to a
|
||
hashed password or otherwise), the server will, depending on the
|
||
value of the pwdCheckQuality attribute, either accept the password
|
||
without checking it ('0' or '1') or refuse it ('2').
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 8
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.6
|
||
NAME 'pwdMinLength'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.7. pwdExpireWarning
|
||
|
||
This attribute specifies the maximum number of seconds before a
|
||
password is due to expire that expiration warning messages will be
|
||
returned to an authenticating user. If this attribute is not
|
||
present, or if the value is 0 no warnings will be sent. If not 0,
|
||
the value must be smaller than the value of the pwdMaxAge attribute.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.7
|
||
NAME 'pwdExpireWarning'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.8. pwdGraceLoginLimit
|
||
|
||
This attribute specifies the number of times an expired password can
|
||
be used to authenticate. If this attribute is not present or if the
|
||
value is 0, authentication will fail.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.8
|
||
NAME 'pwdGraceLoginLimit'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.9. pwdLockout
|
||
|
||
This attribute indicates, when its value is "TRUE", that the
|
||
password may not be used to authenticate after a specified number of
|
||
consecutive failed bind attempts. The maximum number of consecutive
|
||
failed bind attempts is specified in pwdMaxFailure.
|
||
|
||
If this attribute is not present, or if the value is "FALSE", the
|
||
password may be used to authenticate when the number of failed bind
|
||
attempts has been reached.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.9
|
||
NAME 'pwdLockout'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE )
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 9
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
4.2.10. pwdLockoutDuration
|
||
|
||
This attribute holds the number of seconds that the password cannot
|
||
be used to authenticate due to too many failed bind attempts. If
|
||
this attribute is not present, or if the value is 0 the password
|
||
cannot be used to authenticate until reset by an administrator.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.10
|
||
NAME 'pwdLockoutDuration'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.11. pwdMaxFailure
|
||
|
||
This attribute specifies the number of consecutive failed bind
|
||
attempts after which the password may not be used to authenticate.
|
||
If this attribute is not present, or if the value is 0, this policy
|
||
is not checked, and the value of pwdLockout will be ignored.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.11
|
||
NAME 'pwdMaxFailure'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.12. pwdFailureCountInterval
|
||
|
||
This attribute holds the number of seconds after which the password
|
||
failures are purged from the failure counter, even though no
|
||
successful authentication occurred.
|
||
|
||
If this attribute is not present, or if its value is 0, the failure
|
||
counter is only reset by a successful authentication.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.12
|
||
NAME 'pwdFailureCountInterval'
|
||
EQUALITY integerMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||
SINGLE-VALUE )
|
||
|
||
4.2.13. pwdMustChange
|
||
|
||
This attribute specifies with a value of "TRUE" that users must
|
||
change their passwords when they first bind to the directory after a
|
||
password is set or reset by the administrator. If this attribute is
|
||
not present, or if the value is "FALSE", users are not required to
|
||
change their password upon binding after the administrator sets or
|
||
resets the password.
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 10
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.13
|
||
NAME 'pwdMustChange'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE )
|
||
|
||
4.2.14. pwdAllowUserChange
|
||
|
||
This attribute indicates whether users can change their own
|
||
passwords, although the change operation is still subject to access
|
||
control. If this attribute is not present, a value of "TRUE" is
|
||
assumed.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.14
|
||
NAME 'pwdAllowUserChange'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE )
|
||
|
||
4.2.15. pwdSafeModify
|
||
|
||
This attribute specifies whether or not the existing password must
|
||
be sent when changing a password. If this attribute is not present,
|
||
a "FALSE" value is assumed.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.15
|
||
NAME 'pwdSafeModify'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE )
|
||
|
||
4.3. Attribute Types for Password Policy State Information
|
||
|
||
Password policy state information must be maintained for each user.
|
||
The information is located in each user entry as a set of
|
||
operational attributes. These operational attributes are:
|
||
pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned,
|
||
pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset,
|
||
pwdPolicySubEntry.
|
||
|
||
4.3.1. Password Policy State Attribute Option
|
||
|
||
Since the password policy could apply to several attributes used to
|
||
store passwords, each of the above operational attributes must have
|
||
an option to specify which pwdAttribute is applies to.
|
||
The password policy option is defined as the following:
|
||
pwd-<passwordAttribute>
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 11
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
where passwordAttribute a string following the OID syntax
|
||
(1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
|
||
(short name) MUST be used.
|
||
|
||
For example, if the pwdPolicy object has for pwdAttribute
|
||
"userPassword" then the pwdChangedTime operational attribute, in a
|
||
user entry, will be:
|
||
pwdChangedTime;pwd-userPassword: 20000103121520Z
|
||
|
||
This attribute option follows sub-typing semantics. If a client
|
||
requests a password policy state attribute to be returned in a
|
||
search operation, and does not specify an option, all subtypes of
|
||
that policy state attribute are returned.
|
||
|
||
|
||
4.3.2. pwdChangedTime
|
||
|
||
This attribute specifies the last time the entry's password was
|
||
changed. This is used by the password expiration policy. If this
|
||
attribute does not exist, the password will never expire.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.16
|
||
NAME 'pwdChangedTime'
|
||
DESC 'The time the password was last changed'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
|
||
EQUALITY generalizedTimeMatch
|
||
ORDERING generalizedTimeOrderingMatch
|
||
SINGLE-VALUE
|
||
USAGE directoryOperation)
|
||
|
||
4.3.3. pwdAccountLockedTime
|
||
|
||
This attribute holds the time that the user's account was locked. A
|
||
locked account means that the password may no longer be used to
|
||
authenticate. A 0 value means that the account has been locked
|
||
permanently, and that only an administrator can unlock the account.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.17
|
||
NAME 'pwdAccountLockedTime'
|
||
DESC 'The time an user account was locked'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
|
||
EQUALITY generalizedTimeMatch
|
||
ORDERING generalizedTimeOrderingMatch
|
||
SINGLE-VALUE
|
||
USAGE directoryOperation)
|
||
|
||
4.3.4. pwdExpirationWarned
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 12
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
This attribute contains the time when the password expiration
|
||
warning was first sent to the client. The password will expire in
|
||
the pwdExpireWarning time.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.18
|
||
NAME 'pwdExpirationWarned'
|
||
DESC 'The time the user was first warned about the coming
|
||
expiration of the password'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
|
||
EQUALITY generalizedTimeMatch
|
||
ORDERING generalizedTimeOrderingMatch
|
||
SINGLE-VALUE
|
||
USAGE directoryOperation )
|
||
|
||
4.3.5. pwdFailureTime
|
||
|
||
This attribute holds the timestamps of the consecutive
|
||
authentication failures.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.19
|
||
NAME 'pwdFailureTime'
|
||
DESC 'The timestamps of the last consecutive authentication
|
||
failures'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
|
||
EQUALITY generalizedTimeMatch
|
||
ORDERING generalizedTimeOrderingMatch
|
||
USAGE directoryOperation )
|
||
|
||
|
||
4.3.6. pwdHistory
|
||
|
||
This attribute holds a history of previously used passwords.
|
||
|
||
Values of this attribute are transmitted in string format as given
|
||
by the following ABNF:
|
||
|
||
pwdHistory = time "#" syntaxOID "#" length "#" data
|
||
|
||
time = <generalizedTimeString as specified in 6.14 of
|
||
[RFC2252]>
|
||
|
||
syntaxOID = numericoid ; the string representation of the
|
||
; dotted-decimal OID that defines the
|
||
; syntax used to store the password.
|
||
; numericoid is described in 4.1 of
|
||
; [RFC2252].
|
||
|
||
length = numericstring ; the number of octets in data.
|
||
; numericstring is described in 4.1 of
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 13
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
; [RFC2252].
|
||
|
||
data = <octets representing the password in the format
|
||
specified by syntaxOID>.
|
||
|
||
This format allows the server to store, and transmit a history of
|
||
passwords that have been used. In order for equality matching to
|
||
function properly, the time field needs to adhere to a consistent
|
||
format. For this purpose, the time field MUST be in GMT format.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.20
|
||
NAME 'pwdHistory'
|
||
DESC 'The history of user s passwords'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
||
EQUALITY octetStringMatch
|
||
USAGE directoryOperation)
|
||
|
||
4.3.7. pwdGraceUseTime
|
||
|
||
This attribute holds the timestamps of grace login once a password
|
||
has expired.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.21
|
||
NAME 'pwdGraceUseTime'
|
||
DESC 'The timestamps of the grace login once the password has
|
||
expired'
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
|
||
EQUALITY generalizedTimeMatch
|
||
|
||
USAGE directoryOperation)
|
||
|
||
4.3.8. pwdReset
|
||
|
||
This attribute holds a flag to indicate (when TRUE) that the
|
||
password has been reset and therefore must be changed by the user on
|
||
first authentication.
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.22
|
||
NAME 'pwdReset'
|
||
DESC 'The indication that the password has been reset'
|
||
EQUALITY booleanMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
|
||
SINGLE-VALUE
|
||
USAGE directoryOperation)
|
||
|
||
4.3.9. pwdPolicySubentry
|
||
|
||
This attribute points to the pwdPolicy subentry in effect for this
|
||
object.
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 14
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
( 1.3.6.1.4.1.42.2.27.8.1.23
|
||
NAME 'pwdPolicySubentry'
|
||
DESC 'The pwdPolicy subentry in effect for this object'
|
||
EQUALITY distinguishedNameMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
|
||
SINGLE-VALUE
|
||
USAGE directoryOperation)
|
||
|
||
5. Controls used for Password Policy
|
||
|
||
This section details the controls used while enforcing password
|
||
policy. A request control is defined that is sent by a client with a
|
||
request operation in order to elicit a response control. The
|
||
response control contains various warnings and errors associated
|
||
with password policy.
|
||
|
||
5.1. Request Control
|
||
|
||
This control MAY be sent with any LDAP request message in order to
|
||
convey to the server that this client is aware of, and can process
|
||
the response control described in this document. When a server
|
||
receives this control, it will return the response control when
|
||
appropriate and with the proper data.
|
||
|
||
The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality
|
||
MUST be FALSE. There is no controlValue.
|
||
|
||
passwordPolicyRequest
|
||
|
||
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
|
||
criticality: FALSE
|
||
controlValue: None
|
||
|
||
5.2. Response Control
|
||
|
||
If the client has sent a passwordPolicyRequest control, the server
|
||
sends this control with the following operation responses:
|
||
bindResponse, modifyResponse, addResponse, compareResponse and
|
||
possibly extendedResponse, to inform of various conditions, and MAY
|
||
be sent with other operations (in the case of the changeAfterReset
|
||
error).
|
||
|
||
passwordPolicyResponse
|
||
|
||
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
|
||
criticality: FALSE
|
||
controlValue: an OCTET STRING, whose value is the BER encoding of the
|
||
following type:
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 15
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
PasswordPolicyResponseValue ::= SEQUENCE {
|
||
warning [0] CHOICE {
|
||
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
|
||
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
|
||
error [1] ENUMERATED {
|
||
passwordExpired (0),
|
||
accountLocked (1),
|
||
changeAfterReset (2),
|
||
passwordModNotAllowed (3),
|
||
mustSupplyOldPassword (4),
|
||
insufficientPasswordQuality (5),
|
||
passwordTooShort (6),
|
||
passwordTooYoung (7),
|
||
passwordInHistory (8) } OPTIONAL }
|
||
|
||
The timeBeforeExpiration warning specifies the number of seconds
|
||
before a password will expire. The graceLoginsRemaining warning
|
||
specifies the remaining number of times a user will be allowed to
|
||
authenticate with an expired password. The passwordExpired error
|
||
signifies that the password has expired and must be reset. The
|
||
changeAfterReset error signifies that the password must be changed
|
||
before the user will be allowed to perform any operation other than
|
||
bind and modify. The passwordModNotAllowed error is set when a user
|
||
is restricted from changing her password. The
|
||
insufficientPasswordQuality error is set when a password doesn't
|
||
pass quality checking. The passwordTooYoung error is set if the age
|
||
of the password to be modified is not yet old enough.
|
||
|
||
Typically, only either a warning or an error will be encoded though
|
||
there may be exceptions. For example, if the user is required to
|
||
change a password after the administrator set it, and the password
|
||
will expire in a short amount of time, the control may include the
|
||
timeBeforeExpiration warning and the changeAfterReset error.
|
||
|
||
|
||
6. Server Implementation by LDAP operation
|
||
|
||
The following sections contain detailed instructions that refer to
|
||
attributes of the pwdPolicy object class. When doing so, the
|
||
attribute of the pwdPolicy object that governs the entry being
|
||
discussed is implied.
|
||
|
||
The server SHOULD enforce that the password attribute subject to a
|
||
password policy as defined in this document, contains one and only
|
||
one password value.
|
||
|
||
The scenarios in the following operations assume that the client has
|
||
attached a passwordPolicyRequest control to the request message of
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 16
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
the operation. In the event that the passwordPolicyRequest control
|
||
was not sent, no passwordPolicyRequest control is returned. All
|
||
other instructions remain the same.
|
||
|
||
|
||
6.1. Bind Operation
|
||
|
||
When processing a bind request, the server MUST perform the
|
||
following steps:
|
||
|
||
1. Check for a locked account:
|
||
|
||
If the value of the pwdAccountLockedTime attribute is 0, or if
|
||
the current time is less than the value of the
|
||
pwdAccountLockedTime attribute added to the value of the
|
||
pwdLockoutDuration, the account is locked.
|
||
|
||
If the account is locked, the server MUST send a bindResponse to
|
||
the client with the resultCode: unwillingToPerform (53), and MUST
|
||
include the passwordPolicyResponse in the controls field of the
|
||
bindResponse message with the error: accountLocked (1).
|
||
|
||
If the account is not locked, the server MUST proceed with the
|
||
bind operation.
|
||
|
||
2. Check the result of the bind operation:
|
||
|
||
If the bind operation succeeds with authentication, the server
|
||
MUST do the following:
|
||
|
||
A. Delete the pwdFailureTime attribute.
|
||
|
||
B. Check whether the password must be changed now.
|
||
|
||
If the pwdMustChange attribute is set to TRUE, and if the
|
||
pwdReset attribute is set to TRUE, the password must be
|
||
changed now.
|
||
|
||
If the password must be changed now, the server MUST send a
|
||
bindResponse to the client with the resultCode: success (0),
|
||
and MUST include the passwordPolicyResponse in the controls
|
||
field of the bindResponse message with the warning:
|
||
changeAfterReset specified.
|
||
The server MUST then disallow all operations issued by this
|
||
user except modify password, bind, unbind, abandon and
|
||
StartTLS extended operation.
|
||
|
||
If the password does not need to be changed now, the operation
|
||
proceeds.
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 17
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
C. Check for password expiration
|
||
|
||
The password has expired when either of the following
|
||
conditions is met:
|
||
|
||
- If the value of the pwdExpireWarning attribute is 0, the
|
||
server subtracts the current time from the time stored in
|
||
pwdChangedTime to arrive at the password's age. If the age
|
||
is greater than the value in the pwdMaxAge attribute, the
|
||
password has expired.
|
||
|
||
- If the value of the pwdExpireWarning attribute is non-
|
||
zero, and the pwdExpirationWarned attribute is present and
|
||
has a time value, the server subtracts the current time
|
||
from the time stored in the pwdExpirationWarned to arrive
|
||
at the first warning age. If the age is greater than the
|
||
value in the pwdExpireWarning attribute, the password has
|
||
expired.
|
||
|
||
If the password has expired, the server MUST check for
|
||
remaining grace logins.
|
||
|
||
If the pwdGraceUseTime attribute is present, the server
|
||
MUST count the number of values in that attribute and
|
||
subtract it from the pwdGraceLoginLimit. A positive result
|
||
specifies the number of remaining grace logins.
|
||
|
||
If there are remaining grace logins, the server MUST add a
|
||
new value with the current time in pwdGraceUseTime. Then
|
||
it MUST send a bindResponse with the resultCode: success
|
||
(0), and MUST include the passwordPolicyResponse in the
|
||
controls field of the bindResponse message with the
|
||
warning: graceLoginsRemaining choice set to the number of
|
||
grace logins left.
|
||
|
||
If there are no remaining grace logins, the server MUST
|
||
send a bindResponse with the resultCode:
|
||
invalidCredentials (49), and MUST include the
|
||
passwordPolicyResponse in the controls field of the
|
||
bindResponse message with the error: passwordExpired (0)
|
||
set.
|
||
|
||
If the password has not expired, execution continues.
|
||
|
||
D. Calculates whether the time before expiration warning should
|
||
be sent.
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 18
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
If the pwdExpireWarning attribute is present and contains a
|
||
value, the server MUST perform the following steps.
|
||
|
||
If the pwdExpirationWarned attribute is present and has a
|
||
time value, the warning time is the value of the
|
||
pwdExpirationWarned attribute plus the value of the
|
||
pwdExpireWarning attribute minus the current time.
|
||
|
||
If the pwdExpirationWarned attribute is not present, the
|
||
server MUST subtract the current time from the time stored
|
||
in pwdChangedTime to arrive at the password's age. If the
|
||
age is greater than the value of the pwdMaxAge attribute
|
||
minus the value of the pwdExpireWarning attribute, the
|
||
server MUST set the current time as the value of the
|
||
pwdExpirationWarned attribute, and the warning time is the
|
||
value of pwdMaxAge minus the password's age.
|
||
|
||
If the warning time is a positive number, the server MUST
|
||
send a bindResponse with the resultCode: success (0), and
|
||
MUST include the passwordPolicyResponse in the controls
|
||
field of the bindResponse message with the warning:
|
||
timeBeforeExiration set to the value as described above.
|
||
|
||
If the warning time is zero, or wasn't calculated, the
|
||
server MUST send a bindResponse with the resultCode:
|
||
success (0), and MUST include the passwordPolicyResponse
|
||
with nothing in the SEQUENCE.
|
||
|
||
If the pwdExpireWarning attribute is not present, the server
|
||
MUST send a bindResponse with the resultCode: success (0),
|
||
and MUST include the passwordPolicyResponse with nothing in
|
||
the SEQUENCE.
|
||
|
||
If the bind operation fails authentication due to invalid
|
||
credentials, the server MUST do the following:
|
||
|
||
A. Add the current time as a value of the pwdFailureTime
|
||
attribute.
|
||
|
||
B. If the pwdLockout attribute is TRUE, the server MUST also do
|
||
the following:
|
||
|
||
Count the number of values in the pwdFailureTime attribute
|
||
that are younger than pwdFailureCountInterval.
|
||
|
||
If the number of these failures is greater or equal to the
|
||
pwdMaxFailure attribute, the server MUST lock the account
|
||
by setting the value of the pwdAccountLockedTime attribute
|
||
to the current time. After locking the account, the server
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 19
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
MUST send a bindResponse to the client with the
|
||
resultCode: unwillingToPerform (53), and MUST include the
|
||
passwordPolicyResponse in the controls field of the
|
||
bindResponse message with the error: accountLocked (1).
|
||
|
||
If the number of failures is less than the pwdMaxFailure
|
||
attribute, operation proceeds.
|
||
|
||
C. Failure times that are old by more than
|
||
pwdFailureCountInterval are purged from the pwdFailureTime
|
||
attribute.
|
||
|
||
|
||
|
||
6.2. Modify Password Operation
|
||
|
||
Because the password is stored in an attribute, the modify operation
|
||
may be used to create or update a password. But some alternate
|
||
mechanisms have been defined or may be defined, such as the LDAP
|
||
Password Modify Extended Operation [RFC-3062].
|
||
|
||
|
||
|
||
|
||
While processing a password modification, the server MUST perform
|
||
the following steps:
|
||
|
||
1. Check the pwdSafeModify attribute. If set to TRUE, the server
|
||
MUST ensure that the modify password operation included the
|
||
user's existing password. When the LDAP modify operation is used
|
||
to modify a password, this is done by specifying both a delete
|
||
action and an add or replace action, where the delete action is
|
||
first, and specifies the existing password, and the add or
|
||
replace action specifies the new password. Other password modify
|
||
operations SHOULD employ a similar mechanism. Otherwise this
|
||
policy will fail.
|
||
|
||
If the existing password is not specified, the server MUST NOT
|
||
process the operation and MUST send the appropriate response
|
||
message to the client with the resultCode: unwillingToPerform
|
||
(53), and MUST include the passwordPolicyResponse in the controls
|
||
field of the response message with the error:
|
||
mustSupplyOldPassword (4).
|
||
|
||
|
||
2. Check the value of the pwdMustChange attribute. If TRUE, the
|
||
server MUST check the pwdReset attribute in the user's entry, to
|
||
see if a directory administrator has reset the password. If so,
|
||
it MUST ensure that the modify password operation contains no
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 20
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
modifications other than the modification of the password
|
||
attribute. If other modifications exist, the server MUST send a
|
||
response message to the client with the resultCode:
|
||
unwillingToPerform (53), and MUST include the
|
||
passwordPolicyResponse in the controls field of the response
|
||
message with the error: changeAfterReset (2).
|
||
|
||
3. Check to see whether the bound identity has sufficient rights to
|
||
modify the password. If the bound identity is a user changing its
|
||
own password, this MAY be done by checking the pwdAllowUserChange
|
||
attribute or using an access control mechanism. The determination
|
||
of this is implementation specific. If the user is not allowed to
|
||
change her password, the server MUST send a response message to
|
||
the client with the resultCode: unwillingToPerform (53), and MUST
|
||
include the passwordPolicyResponse in the controls field of the
|
||
response message with the error: passwordModNotAllowed (3).
|
||
|
||
4. Check the value of the pwdMinAge attribute. If it is set to a
|
||
non-zero value, the server MUST subtract the current time from
|
||
the value of the pwdChangedTime attribute to arrive at the
|
||
password's age. If the password's age is less than the value of
|
||
the pwdMinAge attribute, the password is too young to modify. In
|
||
this case, the server MUST send a response message to the client
|
||
with the resultCode: constraintViolation (19), and MUST include
|
||
the passwordPolicyResponse in the controls field of the response
|
||
message with the error: passwordTooYoung (7).
|
||
|
||
5. Check the value of the pwdCheckQuality attribute.
|
||
|
||
If the value is non-zero, The server:
|
||
|
||
A. MUST ensure that the password meets the quality criteria
|
||
enforced by the server. This enforcement is implementation
|
||
specific.
|
||
|
||
If the server is unable to check the quality (due to a hashed
|
||
password or otherwise), the value of pwdCheckQuality is
|
||
evaluated. If the value is 1, operation MUST continue. If the
|
||
value is 2, the server MUST send a response message to the
|
||
client with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the response message with the error:
|
||
insufficientPasswordQuality (5).
|
||
|
||
If the server is able to check the password quality, and the
|
||
check fails, the server MUST send a response message to the
|
||
client with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 21
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
the response message with the error:
|
||
insufficientPasswordQuality (5).
|
||
|
||
B. MUST check the value of the pwdMinLength attribute. If the
|
||
value is non-zero, it MUST ensure that the new password is of
|
||
at least the minimum length.
|
||
|
||
If the server is unable to check the length (due to a hashed
|
||
password or otherwise), the value of pwdCheckQuality is
|
||
evaluated. If the value is 1, operation MUST continue. If the
|
||
value is 2, the server MUST send a response message to the
|
||
client with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the response message with the error: passwordTooShort (6).
|
||
|
||
If the server is able to check the password length, and the
|
||
check fails, the server MUST send a response message to the
|
||
client with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the response message with the error: passwordTooShort (6).
|
||
|
||
6. Check the value of the pwdInHistory attribute. If the value is
|
||
non-zero, the server MUST check whether this password exists in
|
||
the entry's pwdHistory attribute or in the current password
|
||
attribute. If the password does exist in the pwdHistory attribute
|
||
or in the current password attribute, the server MUST send a
|
||
response message to the client with the resultCode:
|
||
constraintViolation (19), and MUST include the
|
||
passwordPolicyResponse in the controls field of the response
|
||
message with the error: passwordInHistory (8).
|
||
|
||
If the steps have completed without causing an error condition, the
|
||
server MUST follow the following steps in order to update the
|
||
necessary password policy state attributes:
|
||
|
||
7. Check the value of the pwdMaxAge attribute. If the value is non-
|
||
zero, or if the value of the pwdMinAge attribute is non-zero, the
|
||
server MUST update the pwdChangedTime attribute on the entry to
|
||
the current time.
|
||
|
||
8. If the value of the pwdInHistory attribute is non-zero, the
|
||
server MUST add the previous password to the pwdHistory
|
||
attribute. If the number of attributes held in the pwdHistory
|
||
attribute exceeds the value of pwdInHistory, the server MUST
|
||
remove the oldest excess passwords.
|
||
|
||
9. Remove the pwdFailureTime, pwdReset, pwdGraceUseTime and
|
||
pwdExpirationWarned attributes from the user's entry if they
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 22
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
exist.
|
||
|
||
The server MUST then apply the modify password operation.
|
||
|
||
6.3. Add Operation
|
||
|
||
The password MAY be set during an Add operation. If it is, the
|
||
server MUST perform the following steps while processing the add
|
||
operation. Note that these are essentially duplicates of steps 3, 5
|
||
and 7 from Section 6.2 with the exception that pwdAllowUserChange is
|
||
not checked.
|
||
|
||
1. Check to see whether the bound identity has sufficient rights to
|
||
modify the password. This MAY be done by the use of an access
|
||
control mechanism. If the user is not allowed to add this
|
||
password, the server MUST send an addResponse to the client with
|
||
the resultCode: unwillingToPerform (53), and MUST include the
|
||
passwordPolicyResponse in the controls field of the addResponse
|
||
message with the error: passwordModNotAllowed (3).
|
||
|
||
2. Check the value of the pwdCheckQuality attribute.
|
||
|
||
If the value is non-zero, The server:
|
||
|
||
A. MUST ensure that the password meets the quality criteria
|
||
enforced by the server. This enforcement is implementation
|
||
specific.
|
||
|
||
If the server is unable to check the quality (due to a hashed
|
||
password or otherwise), the value of pwdCheckQuality MUST be
|
||
evaluated. If the value is 1, operation MUST continue. If the
|
||
value is 2, the server MUST send an addResponse to the client
|
||
with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the addResponse message with the error:
|
||
insufficientPasswordQuality (5).
|
||
|
||
If the server is able to check the password quality, and the
|
||
check fails, the server MUST send an addResponse to the client
|
||
with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the addResponse message with the error:
|
||
insufficientPasswordQuality (5).
|
||
|
||
B. MUST check the value of the pwdMinLength attribute. If the
|
||
value is non-zero, it MUST ensure that the new password is of
|
||
at least the minimum length.
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 23
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
If the server is unable to check the length (due to a hashed
|
||
password or otherwise), the value of pwdCheckQuality MUST be
|
||
evaluated. If the value is 1, operation MUST continue. If the
|
||
value is 2, the server MUST send an addResponse to the client
|
||
with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the addResponse message with the error: passwordTooShort (6).
|
||
|
||
If the server is able to check the password length, and the
|
||
check fails, the server MUST send an addResponse to the client
|
||
with the resultCode: constraintViolation (19), and MUST
|
||
include the passwordPolicyResponse in the controls field of
|
||
the addResponse message with the error: passwordTooShort (6).
|
||
|
||
If the steps above have completed without causing an error
|
||
condition, the server MUST follow the steps below in order to update
|
||
the necessary password policy state attributes.
|
||
|
||
3. Check the value of the pwdMaxAge attribute. If the value is non-
|
||
zero, or if the value of the pwdMinAge attribute is non-zero, the
|
||
server MUST update the pwdChangedTime attribute on the entry to
|
||
the current time.
|
||
|
||
6.4. Compare Operation
|
||
|
||
The compare operation MAY be used to compare a password. This might
|
||
be performed when a client wishes to verify that user's supplied
|
||
password is correct. An example of this is an LDAP HTTP
|
||
authentication redirector. It may be desirable to use this rather
|
||
than performing a bind operation in order to reduce possible
|
||
overhead involved in performing a bind. Access Controls SHOULD be
|
||
used to restrict this comparison from being made.
|
||
|
||
If a server supports this behavior, it MUST comply with the
|
||
following. Otherwise the password policy described in this document
|
||
may be circumvented.
|
||
|
||
While comparing password attributes, the server MUST perform the
|
||
following steps:
|
||
|
||
1. Check for a locked account:
|
||
|
||
If the value of the pwdAccountLockedTime attribute is 0, or if
|
||
the current time is less than the value of the
|
||
pwdAccountLockedTime attribute added to the value of the
|
||
pwdLockoutDuration, the account is locked.
|
||
|
||
If the account is locked, the server MUST send a compareResponse
|
||
to the client with the resultCode: compareFalse (5), and MUST
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 24
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
include the passwordPolicyResponse in the controls field of the
|
||
compareResponse message with the error: accountLocked (1).
|
||
|
||
If the account is not locked, the server MUST proceed with the
|
||
compare operation.
|
||
|
||
2. If Access Controls permit, the server MUST proceed with compare
|
||
operation and MUST check the result.
|
||
|
||
If the result of the compare operation is true, the server MUST
|
||
do the following:
|
||
|
||
A. Delete the pwdFailureTime attribute.
|
||
|
||
B. Check for password expiration
|
||
|
||
The password has expired when either of the following
|
||
conditions is met:
|
||
|
||
- If the value of the pwdExpireWarning attribute is 0, the
|
||
server MUST subtract the current time from the time stored
|
||
in pwdChangedTime to arrive at the password's age. If the
|
||
age is greater than the value in the pwdMaxAge attribute,
|
||
the password has expired.
|
||
|
||
- If the value of the pwdExpireWarning attribute is non-
|
||
zero, and the pwdExpirationWarned attribute is present and
|
||
has a time value, the server MUST subtract the current
|
||
time from the time stored in the pwdExpirationWarned to
|
||
arrive at the first warning age. If the age is greater
|
||
than the value in the pwdExpireWarning attribute, the
|
||
password has expired.
|
||
|
||
If the password has expired, the server MUST check for
|
||
remaining grace logins.
|
||
|
||
If the pwdGraceUseTime attribute is present, the server
|
||
MUST count the number of values in that attribute and MUST
|
||
subtract it from the pwdGraceLoginLimit. A positive result
|
||
specifies the number of remaining grace logins.
|
||
|
||
If there are remaining grace logins, the server MUST add a
|
||
new value with the current time in pwdGraceUseTime. Then
|
||
it MUST send a compareResponse with the resultCode:
|
||
compareTrue (6), and MUST include the
|
||
passwordPolicyResponse in the controls field of the
|
||
compareResponse message with the warning:
|
||
graceLoginsRemaining choice set to the number of grace
|
||
logins left.
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 25
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
If there are no remaining grace logins, the server MUST
|
||
send a compareResponse with the resultCode: compareFalse
|
||
(5), and MUST include the passwordPolicyResponse in the
|
||
controls field of the compareResponse message with the
|
||
error: passwordExpired (0) set.
|
||
|
||
If the password has not expired, execution MUST continue.
|
||
|
||
C. Calculate whether the time before expiration warning should be
|
||
sent.
|
||
|
||
If the pwdExpireWarning attribute is present and contains a
|
||
value, the server MUST perform the following steps.
|
||
|
||
If the pwdExpirationWarned attribute is present and has a
|
||
time value, the warning time is the value of the
|
||
pwdExpirationWarned attribute plus the value of the
|
||
pwdExpireWarning attribute minus the current time.
|
||
|
||
If the pwdExpirationWarned attribute is not present, the
|
||
server MUST subtract the current time from the time stored
|
||
in pwdChangedTime to arrive at the password's age. If the
|
||
age is greater than the value of the pwdMaxAge attribute
|
||
minus the value of the pwdExpireWarning attribute, the
|
||
server MUST set the current time as the value of the
|
||
pwdExpirationWarned attribute, and the warning time is the
|
||
value of pwdMaxAge minus the password's age.
|
||
|
||
If the warning time is a positive number, the server MUST
|
||
send a compareResponse with the resultCode: compareTrue
|
||
(6), and MUST include the passwordPolicyResponse in the
|
||
controls field of the compareResponse message with the
|
||
warning: timeBeforeExiration set to the value as described
|
||
above.
|
||
|
||
If the warning time is zero, or wasn't calculated, the
|
||
server MUST send a compareResponse with the resultCode:
|
||
compareTrue (6), and MUST include the
|
||
passwordPolicyResponse with nothing in the SEQUENCE.
|
||
|
||
If the pwdExpireWarning attribute is not present, the server
|
||
MUST send a compareResponse with the resultCode: compareTrue
|
||
(6), and MUST include the passwordPolicyResponse with nothing
|
||
in the SEQUENCE.
|
||
|
||
If the result of the compare operation is false, the server MUST
|
||
do the following:
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 26
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
A. Add the current time as a value of the pwdFailureTime
|
||
attribute.
|
||
|
||
B. If the pwdLockout attribute is TRUE, the server MUST do
|
||
the following:
|
||
|
||
Count the number of values in the pwdFailureTime
|
||
attribute that are younger than
|
||
pwdFailureCountInterval.
|
||
|
||
If the number of these failures is greater or equal to
|
||
the pwdMaxFailure attribute, the server MUST lock the
|
||
account by setting the value of the
|
||
pwdAccountLockedTime attribute to the current time.
|
||
After locking the account, the server MUST send a
|
||
compareResponse to the client with the resultCode:
|
||
compareFalse (5), and MUST include the
|
||
passwordPolicyResponse in the controls field of the
|
||
compareResponse message with the error: accountLocked
|
||
(1).
|
||
|
||
If the number of failures is less than the
|
||
pwdMaxFailure attribute, operation MUST proceed.
|
||
|
||
If the pwdLockout attribute is FALSE, operation MUST
|
||
continue.
|
||
|
||
C. Failure times that are old by more than
|
||
pwdFailureCountInterval, MUST be purged from the
|
||
pwdFailureTime attribute.
|
||
|
||
D. If no errors were returned, the server MUST send a
|
||
compareResponse with the resultCode: compareTrue (6), and
|
||
MUST include the passwordPolicyResponse with nothing in
|
||
the SEQUENCE.
|
||
|
||
7. Client Implementation by LDAP operation
|
||
|
||
These sections illustrate possible scenarios for each LDAP operation
|
||
and define the types of responses that identify those scenarios.
|
||
|
||
The scenarios in the following operations assume that the client
|
||
attached a passwordPolicyRequest control to the request message of
|
||
the operation, and thus MAY receive a passwordPolicyResponse control
|
||
in the response message. In the event that the passwordPolicyRequest
|
||
control was not sent, no passwordPolicyRequest control is returned.
|
||
All other instructions remain the same.
|
||
|
||
7.1. Bind Operation
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 27
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
For every bind response received, the client MUST check the
|
||
resultCode of the bindResponse and MUST check for a
|
||
passwordPolicyResponse to determine if any of the following
|
||
conditions are true and MAY prompt the user accordingly.
|
||
|
||
1. The password failure limit has been reached and the account is
|
||
locked. The user needs to retry later or contact the directory
|
||
administrator to reset the password.
|
||
|
||
resultCode: unwillingToPerform (53)
|
||
passwordPolicyResponse: error: accountLocked (1)
|
||
|
||
2. The user is binding for the first time after the directory
|
||
administrator set the password. In this scenario, the client
|
||
SHOULD prompt the user to change his password immediately.
|
||
|
||
resultCode: success (0)
|
||
passwordPolicyResponse: error: changeAfterReset (2)
|
||
|
||
3. The password has expired but there are remaining grace logins.
|
||
The user needs to change it.
|
||
|
||
resultCode: success (0)
|
||
passwordPolicyResponse: warning: graceLoginsRemaining
|
||
|
||
4. The password has expired and there are no more grace logins. The
|
||
user MUST contact the directory administrator in order to have
|
||
its password reset.
|
||
|
||
resultCode: invalidCredentials (49)
|
||
passwordPolicyResponse: error: passwordExpired (0)
|
||
|
||
5. The user's password will expire in n number of seconds.
|
||
|
||
resultCode: success (0)
|
||
passwordPolicyResponse: warning: timeBeforeExpiration
|
||
|
||
7.2. Modify Operations
|
||
|
||
7.2.1. Modify Request
|
||
|
||
If the application or client encrypts the password prior to sending
|
||
it in a password modification operation (whether done through
|
||
modifyRequest or another password modification mechanism), it SHOULD
|
||
check the values of the pwdMinLength, and pwdCheckQuality attributes
|
||
and SHOULD enforce these policies.
|
||
|
||
7.2.2. Modify Response
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 28
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
If the modifyRequest operation was used to change the password, or
|
||
if another mechanism is used --such as an extendedRequest-- the
|
||
modifyResponse or other appropriate response MAY contain information
|
||
pertinent to password policy. The client MUST check the resultCode
|
||
of the response and MUST check for a passwordPolicyResponse to
|
||
determine if any of the following conditions are true and optionally
|
||
notify the user of the condition.
|
||
|
||
1. The user attempted to change her password without specifying the
|
||
old password but the password policy requires this.
|
||
|
||
resultCode: unwillingToPerform (53)
|
||
passwordPolicyResponse: error: mustSupplyOldPassword (4)
|
||
|
||
2. The user MUST change her password before submitting any other
|
||
LDAP requests.
|
||
|
||
resultCode: unwillingToPerform (53)
|
||
passwordPolicyResponse: error: changeAfterReset (2)
|
||
|
||
3. The user doesn't have sufficient rights to change his password.
|
||
|
||
resultCode: unwillingToPerform (53)
|
||
passwordPolicyResponse: error: passwordModNotAllowed (3)
|
||
|
||
4. It is too soon after the last password modification to change the
|
||
password.
|
||
|
||
resultCode: constraintViolation (19)
|
||
passwordPolicyResponse: error: passwordTooYoung (7)
|
||
|
||
5. The password failed quality checking.
|
||
|
||
resultCode: constraintViolation (19)
|
||
passwordPolicyResponse: error:
|
||
insufficientPasswordQuality (5)
|
||
|
||
6. The length of the password is too short.
|
||
|
||
resultCode: constraintViolation (19)
|
||
passwordPolicyResponse: error: passwordTooShort (6)
|
||
|
||
7. The password has already been used; the user MUST choose a
|
||
different one.
|
||
|
||
resultCode: constraintViolation (19)
|
||
passwordPolicyResponse: error: passwordInHistory (8)
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 29
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
7.3. Add Operation
|
||
|
||
If a password is specified in an addRequest, the client MUST check
|
||
the resultCode of the addResponse and MUST check for a
|
||
passwordPolicyResponse to determine if any of the following
|
||
conditions are true and may prompt the user accordingly.
|
||
|
||
1. The user doesn't have sufficient rights to add this password.
|
||
|
||
resultCode: unwillingToPerform (53)
|
||
passwordPolicyResponse: error: passwordModNotAllowed (3)
|
||
|
||
2. The password failed quality checking.
|
||
|
||
resultCode: constraintViolation (19)
|
||
passwordPolicyResponse: error:
|
||
insufficientPasswordQuality (5)
|
||
|
||
3. The length of the password is too short.
|
||
|
||
resultCode: constraintViolation (19)
|
||
passwordPolicyResponse: error: passwordTooShort (6)
|
||
|
||
|
||
7.4. Compare Operation
|
||
|
||
When a compare operation is used to compare a password, the client
|
||
MUST check the resultCode of the compareResponse and MUST check for
|
||
a passwordPolicyResponse to determine if any of the following
|
||
conditions are true and MAY prompt the user accordingly. These
|
||
conditions assume that the result of the comparison was true.
|
||
|
||
1. The password failure limit has been reached and the account is
|
||
locked. The user needs to retry later or contact the directory
|
||
administrator to reset the password.
|
||
|
||
resultCode: compareFalse (5)
|
||
passwordPolicyResponse: error: accountLocked (1)
|
||
|
||
2. The password has expired but there are remaining grace logins.
|
||
The user needs to change it.
|
||
|
||
resultCode: compareTrue (6)
|
||
passwordPolicyResponse: warning: graceLoginsRemaining
|
||
|
||
3. The password has expired and there are no more grace logins. The
|
||
user MUST contact the directory administrator to reset the
|
||
password.
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 30
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
|
||
resultCode: compareFalse (5)
|
||
passwordPolicyResponse: error: passwordExpired (0)
|
||
|
||
4. The user's password will expire in n number of seconds.
|
||
|
||
resultCode: compareTrue (6)
|
||
passwordPolicyResponse: warning: timeBeforeExpiration
|
||
|
||
|
||
7.5. Other Operations
|
||
|
||
For operations other than bind, unbind, abandon, search or StartTLS,
|
||
the client MUST check the following result code and control to
|
||
determine if the user needs to change the password immediately.
|
||
|
||
1. The user needs to change password. The user SHOULD be prompted to
|
||
change the password immediately.
|
||
|
||
resultCode: unwillingToPerform (53)
|
||
passwordPolicyResponse: error: changeAfterReset (2)
|
||
|
||
8. Administration of a Password Policy
|
||
|
||
|
||
A password policy MUST be defined for a particular subtree of the
|
||
DIT by adding to an LDAP subentry whose immediate superior is the
|
||
root of the subtree, the pwdPolicy auxiliary object class.
|
||
The scope of the password policy is defined by the
|
||
SubtreeSpecification attribute of the LDAP subentry as specified in
|
||
RFC 3672 [RFC-3672].
|
||
|
||
It is possible to define password policies for different password
|
||
attributes within the same pwdPolicy entry, by specifying multiple
|
||
values of the pwdAttribute. But password policies could also be in
|
||
separate sub entries as long as they are contained under the same
|
||
LDAP subentry.
|
||
|
||
Modifying the password policy MUST not result in any change in
|
||
users' entries to which the policy applies.
|
||
|
||
It SHOULD be possible to overwrite the password policy for one user
|
||
by defining a new policy in a subentry of the user entry.
|
||
|
||
Each object that is controlled by password policy SHALL advertise
|
||
the subentry that is being used to control its policy in its
|
||
pwdPolicySubentry attribute. Clients wishing to examine or manage
|
||
password policy for an object, MUST interrogate the
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 31
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
pwdPolicySubentry for that object in order to arrive at the proper
|
||
pwdPolicy subentry.
|
||
|
||
9. Password Policy and Replication
|
||
|
||
The pwdPolicy object defines the password policy for a portion of
|
||
the DIT and MUST be replicated on all the replicas of this subtree,
|
||
as any subentry would be, in order to have a consistent policy among
|
||
all replicated servers.
|
||
|
||
The elements of the password policy that are related to the users
|
||
are stored in the entry themselves as operational attributes.
|
||
As these attributes are subject to modifications even on a read-only
|
||
replica, replicating them must be carefully considered.
|
||
|
||
The pwdChangedTime attribute MUST be replicated on all replicas, to
|
||
allow expiration of the password.
|
||
|
||
The pwdReset attribute MUST be replicated on all replicas, to deny
|
||
access to operations other than bind and modify password.
|
||
|
||
The pwdHistory attribute MUST be replicated to writable replicas. It
|
||
doesn't have to be replicated to a read-only replica, since the
|
||
password will never be directly modified on this server.
|
||
|
||
The pwdAccountLockedTime, pwdExpirationWarned, pwdFailureTime and
|
||
pwdGraceUseTime attributes MUST be replicated to writable replicas,
|
||
making the password policy global for all servers.
|
||
When the user entry is replicated to a read-only replica, these
|
||
attributes SHOULD NOT be replicated. This means that the number of
|
||
failures, of grace logins and the locking will take place on each
|
||
replicated server. For example, the effective number of failed
|
||
attempts on a user password will be N x M (where N is the number of
|
||
servers and M the value of pwdMaxFailure attribute).
|
||
Replicating these attributes to a read-only replica MAY reduce the
|
||
number of tries globally but MAY also introduce some inconstancies
|
||
in the way the password policy is applied.
|
||
|
||
|
||
10. Security Considerations
|
||
|
||
This document defines a set of rules to implement in an LDAP server,
|
||
in order to mitigate some of the security risks associated with the
|
||
use of passwords and to make it difficult for password cracking
|
||
programs to break into directories.
|
||
|
||
Authentication with a password MUST follow the recommendations made
|
||
in RFC 2829 [RFC-2829].
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 32
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
Modifications of passwords SHOULD only occur when the connection is
|
||
protected with confidentiality and secure authentication.
|
||
|
||
Access controls SHOULD be used to restrict access to the password
|
||
policy attributes. Especially all the attributes defined to maintain
|
||
the Password Policy state information SHOULD not be modifiable by
|
||
anyone but the Administrator of the directory server.
|
||
|
||
As it is possible to define a password policy for one specific user
|
||
by adding a subentry immediately under the user's entry, Access
|
||
Controls SHOULD be used to restrict the use of the pwdPolicy object
|
||
class or the LDAP subentry object class.
|
||
|
||
When a password policy is put in place, the LDAP directory is
|
||
subject to a denial of service attack. A malicious user could
|
||
deliberately lock out one specific user's account (or all of them)
|
||
by sending bind requests with wrong passwords. There is no way to
|
||
protect against this kind of attack. The LDAP directory server
|
||
SHOULD log as much information as it can (such as client IP address)
|
||
whenever an account is locked, in order to be able to identify the
|
||
origin of the attack. Denying anonymous access to the LDAP directory
|
||
is also a way to restrict this kind of attacks.
|
||
|
||
|
||
11. Acknowledgement
|
||
|
||
This document is based in part on prior work done by Valerie Chu
|
||
from Netscape Communications Corp, published as draft-vchu-ldap-pwd-
|
||
policy-00.txt (December 1998).
|
||
|
||
|
||
12. Normative References
|
||
|
||
[RFC-2119] S. Bradner, "Key Words for use in RFCs to Indicate
|
||
Requirement Levels", RFC 2119, March 1997.
|
||
|
||
[RFC-2195] J. Klensin, R. Catoe, P. Krumviede, "IMAP/POP AUTHorize
|
||
Extension for Simple Challenge/Response", RFC 2195, September 1997.
|
||
|
||
[RFC-2222] J. Myers, "Simple Authentication and Security Layer
|
||
(SASL)", RFC 2222, October 1997.
|
||
|
||
[RFC-2251] Wahl, M., Howes, T., Kille, S., "Lightweight Directory
|
||
Access Protocol (v3)", RFC 2251, August 1997.
|
||
|
||
[RFC-2252] Wahl, M., Coulbeck, A., Howes, T., Kille, S.,
|
||
"Lightweight Directory Access Protocol (v3): Attribute Syntax
|
||
Definitions", RFC 2252, December 1997.
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 33
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
[RFC-Digest] Paul J. Leach, Chris Newman, "Using Digest
|
||
Authentication as a SASL Mechanism", RFC 2831, May 2000.
|
||
|
||
[RFC-3062] K. Zeilenga, "LDAP Password Modify Extended Operation",
|
||
RFC 3062, February 2001.
|
||
|
||
[RFC-3672] K. Zeilenga, S. Legg, "Subentries in the Lightweight
|
||
Directory Access Protocol (LDAP)", RFC 3672, December.
|
||
|
||
|
||
13. Authors' Addresses
|
||
|
||
Prasanta Behera
|
||
18366 Chelmsford Dr.
|
||
Cupertino, CA 95014
|
||
USA
|
||
prasantabehera@yahoo.com
|
||
|
||
Ludovic Poitou
|
||
Sun Microsystems Inc.
|
||
180, Avenue de l'Europe
|
||
Zirst de Montbonnot
|
||
38334 Saint Ismier cedex
|
||
France
|
||
+33 476 188 212
|
||
ludovic.poitou@sun.com
|
||
|
||
Jim Sermersheim
|
||
Novell, Inc.
|
||
1800 South Novell Place
|
||
Provo, Utah 84606, USA
|
||
+1 801 861-3088
|
||
jimse@novell.com
|
||
|
||
14. Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2004). All Rights
|
||
Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph
|
||
are included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 34
|
||
|
||
INTERNET DRAFT LDAP Password Policy 15 February 2004
|
||
|
||
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Behera, et. al. Expires August 15, 2004 Page 35
|
||
|
||
|