upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-01-01 20:49:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#3655 patch from Ralf rhafer@suse.de update to draft 8 behavior

Browse source
This commit is contained in:
Howard Chu 2005-04-22 09:09:12 +00:00
parent 18d18d25dc
commit 3400b96d71
2 changed files with 492 additions and 534 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
servers/slapd/overlays/ppolicy.c
View file

@ -74,7 +74,7 @@ typedef struct pass_policy {
int pwdMinLength; /* minimum number of chars in password */
int pwdExpireWarning; /* number of seconds that warning controls are
sent before a password expires */
int pwdGraceLoginLimit; /* number of times you can log in with an
int pwdGraceAuthNLimit; /* number of times you can log in with an
expired password */
int pwdLockout; /* 0 = do not lockout passwords, 1 = lock them out */
int pwdLockoutDuration; /* time in seconds a password is locked out for */
@ -101,8 +101,8 @@ typedef struct pw_hist {
/* Operational attributes */
static AttributeDescription *ad_pwdChangedTime, *ad_pwdAccountLockedTime,
*ad_pwdExpirationWarned, *ad_pwdFailureTime, *ad_pwdHistory,
*ad_pwdGraceUseTime, *ad_pwdReset, *ad_pwdPolicySubentry;
*ad_pwdFailureTime, *ad_pwdHistory, *ad_pwdGraceUseTime, *ad_pwdReset,
*ad_pwdPolicySubentry;
static struct schema_info {
char *def;
@ -124,14 +124,6 @@ static struct schema_info {
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE USAGE directoryOperation )",
&ad_pwdAccountLockedTime },
{ "( 1.3.6.1.4.1.42.2.27.8.1.18 "
"NAME ( 'pwdExpirationWarned' ) "
"DESC 'The time the user was first warned about the coming expiration of the password' "
"EQUALITY generalizedTimeMatch "
"ORDERING generalizedTimeOrderingMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE USAGE directoryOperation NO-USER-MODIFICATION )",
&ad_pwdExpirationWarned },
{ "( 1.3.6.1.4.1.42.2.27.8.1.19 "
"NAME ( 'pwdFailureTime' ) "
"DESC 'The timestamps of the last consecutive authentication failures' "
@ -174,7 +166,7 @@ static struct schema_info {
/* User attributes */
static AttributeDescription *ad_pwdMinAge, *ad_pwdMaxAge, *ad_pwdInHistory,
*ad_pwdCheckQuality, *ad_pwdMinLength, *ad_pwdMaxFailure,
*ad_pwdGraceLoginLimit, *ad_pwdExpireWarning, *ad_pwdLockoutDuration,
*ad_pwdGraceAuthNLimit, *ad_pwdExpireWarning, *ad_pwdLockoutDuration,
*ad_pwdFailureCountInterval, *ad_pwdCheckModule, *ad_pwdLockout,
*ad_pwdMustChange, *ad_pwdAllowUserChange, *ad_pwdSafeModify,
*ad_pwdAttribute;
@ -189,7 +181,7 @@ static struct schema_info pwd_UsSchema[] = {
TAB(pwdCheckQuality),
TAB(pwdMinLength),
TAB(pwdMaxFailure),
TAB(pwdGraceLoginLimit),
TAB(pwdGraceAuthNLimit),
TAB(pwdExpireWarning),
TAB(pwdLockout),
TAB(pwdLockoutDuration),
@ -370,8 +362,8 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
pp->pwdMinLength = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdMaxFailure )))
pp->pwdMaxFailure = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdGraceLoginLimit )))
pp->pwdGraceLoginLimit = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdGraceAuthNLimit )))
pp->pwdGraceAuthNLimit = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdExpireWarning )))
pp->pwdExpireWarning = atoi(a->a_vals[0].bv_val );
if ((a = attr_find( pe->e_attrs, ad_pwdFailureCountInterval )))
@ -846,10 +838,10 @@ grace:
if (!pwExpired) goto check_expiring_password;
if ((a = attr_find( e->e_attrs, ad_pwdGraceUseTime )) == NULL)
ngut = ppb->pp.pwdGraceLoginLimit;
ngut = ppb->pp.pwdGraceAuthNLimit;
else {
for(ngut=0; a->a_nvals[ngut].bv_val; ngut++);
ngut = ppb->pp.pwdGraceLoginLimit - ngut;
ngut = ppb->pp.pwdGraceAuthNLimit - ngut;
}
/*
@ -901,19 +893,8 @@ check_expiring_password:
*/
if (ppb->pp.pwdMaxAge - age < ppb->pp.pwdExpireWarning ) {
/*
* Set the warning value, add expiration warned timestamp to the entry.
* Set the warning value.
*/
if ((a = attr_find( e->e_attrs, ad_pwdExpirationWarned )) == NULL) {
m = ch_calloc( sizeof(Modifications), 1 );
m->sml_op = LDAP_MOD_ADD;
m->sml_type = ad_pwdExpirationWarned->ad_cname;
m->sml_desc = ad_pwdExpirationWarned;
m->sml_values = ch_calloc( sizeof(struct berval), 2 );
ber_str2bv( nowstr, 0, 1, &m->sml_values[0] );
m->sml_next = mod;
mod = m;
}
warn = ppb->pp.pwdMaxAge - age; /* seconds left until expiry */
if (warn < 0) warn = 0; /* something weird here - why is pwExpired not set? */
@ -1054,7 +1035,7 @@ ppolicy_restrict(
rs->sr_ctrls = ctrls;
}
op->o_bd->bd_info = (BackendInfo *)on->on_info;
send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
send_ldap_error( op, rs, LDAP_INSUFFICIENT_ACCESS,
"Operations are restricted to bind/unbind/abandon/StartTLS/modify password" );
return rs->sr_err;
}
@ -1258,7 +1239,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
if (pwcons[op->o_conn->c_conn_idx].restrict && !mod_pw_only) {
Debug( LDAP_DEBUG_TRACE,
"connection restricted to password changing only\n", 0, 0, 0 );
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
pErr = PP_changeAfterReset;
goto return_results;
@ -1338,14 +1319,14 @@ ppolicy_modify( Operation *op, SlapReply *rs )
Debug( LDAP_DEBUG_TRACE,
"change password must use DELETE followed by ADD/REPLACE\n",
0, 0, 0 );
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "Must supply old password to be changed as well as new one";
pErr = PP_mustSupplyOldPassword;
goto return_results;
}
if (!pp.pwdAllowUserChange) {
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "User alteration of password is not allowed";
pErr = PP_passwordModNotAllowed;
goto return_results;
@ -1360,7 +1341,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
now = slap_get_time();
age = (int)(now - pwtime);
if ((pwtime != (time_t)-1) && (age < pp.pwdMinAge)) {
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
rs->sr_text = "Password is too young to change";
pErr = PP_passwordTooYoung;
goto return_results;
@ -1506,18 +1487,6 @@ do_modify:
modtail = mods;
}
if (attr_find(e->e_attrs, ad_pwdExpirationWarned )) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_op = LDAP_MOD_DELETE;
mods->sml_type.bv_val = NULL;
mods->sml_desc = ad_pwdExpirationWarned;
mods->sml_values = NULL;
mods->sml_nvalues = NULL;
mods->sml_next = NULL;
modtail->sml_next = mods;
modtail = mods;
}
/* Delete the pwdReset attribute, since it's being reset */
if ((zapReset) && (attr_find(e->e_attrs, ad_pwdReset ))) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) );

965
servers/slapd/schema/ppolicy.schema
View file

@ -26,278 +26,294 @@
# Not recommended for production use!
# Use with extreme caution!
# Internet-Draft P. Behera
# draft behera-ldap-password-policy-07.txt L. Poitou
# Intended Category: Proposed Standard Sun Microsystems
# Expires: August 2004 J. Sermersheim
# Novell
#
# February 2004
#
#
# Password Policy for LDAP Directories
#
#
# Status of this Memo
#
# This document is an Internet-Draft and is in full conformance with
# all provisions of Section 10 of RFC 2026.
#
# Internet-Drafts are working documents of the Internet Engineering
# Task Force (IETF), its areas, and its working groups. Note that
# other groups may also distribute working documents as Internet-
# Drafts.
#
# Internet-Drafts are draft documents valid for a maximum of six
# months and may be updated, replaced, or obsoleted by other documents
# at any time. It is inappropriate to use Internet- Drafts as
# reference material or to cite them other than as "work in progress."
#
# The list of current Internet-Drafts can be accessed at
# http://www.ietf.org/ietf/1id-abstracts.txt
#
# The list of Internet-Draft Shadow Directories can be accessed at
# http://www.ietf.org/shadow.html.
#
# Technical discussions of this draft are held on the LDAPEXT Working
# Group mailing list at ietf-ldapext@netscape.com. Editorial comments
# may be sent to the authors listed in Section 13.
#
# Copyright (C) The Internet Society (2004). All rights Reserved.
#
# Please see the Copyright Section near the end of this document for
# more information.
#
#
# 1. Abstract
#
# Password policy as described in this document is a set of rules that
# controls how passwords are used and administered in LDAP
# directories. In order to improve the security of LDAP directories
# and make it difficult for password cracking programs to break into
# directories, it is desirable to enforce a set of rules on password
# usage. These rules are made to ensure that users change their
# passwords periodically, passwords meet construction requirements,
# the re-use of old password is restricted, and users are locked out
# after a certain number of failed attempts.
#
# [trimmed]
#
#
# 4.2. Attribute Types used in the pwdPolicy ObjectClass
#
# Following are the attribute types used by the pwdPolicy object
# class.
#
# 4.2.1. pwdAttribute
#
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
# 4.2.2. pwdMinAge
#
# This attribute holds the number of seconds that must elapse between
# modifications to the password. If this attribute is not present, 0
# seconds is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.3. pwdMaxAge
#
# This attribute holds the number of seconds after which a modified
# password will expire.
#
# If this attribute is not present, or if the value is 0 the password
# does not expire. If not 0, the value must be greater than or equal
# to the value of the pwdMinAge.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.4. pwdInHistory
#
# This attribute specifies the maximum number of used passwords stored
# in the pwdHistory attribute.
#
# If this attribute is not present, or if the value is 0, used
# passwords are not stored in the pwdHistory attribute and thus may be
# reused.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.5. pwdCheckQuality
#
# This attribute indicates how the password quality will be verified
# while being modified or added. If this attribute is not present, or
# if the value is '0', quality checking will not be enforced. A value
# of '1' indicates that the server will check the quality, and if the
# server is unable to check it (due to a hashed password or other
# reasons) it will be accepted. A value of '2' indicates that the
# server will check the quality, and if the server is unable to verify
# it, it will return an error refusing the password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.6. pwdMinLength
#
# When quality checking is enabled, this attribute holds the minimum
# number of characters that must be used in a password. If this
# attribute is not present, no minimum password length will be
# enforced. If the server is unable to check the length (due to a
# hashed password or otherwise), the server will, depending on the
# value of the pwdCheckQuality attribute, either accept the password
# without checking it ('0' or '1') or refuse it ('2').
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.7. pwdExpireWarning
#
# This attribute specifies the maximum number of seconds before a
# password is due to expire that expiration warning messages will be
# returned to an authenticating user. If this attribute is not
# present, or if the value is 0 no warnings will be sent. If not 0,
# the value must be smaller than the value of the pwdMaxAge attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.8. pwdGraceLoginLimit
#
# This attribute specifies the number of times an expired password can
# be used to authenticate. If this attribute is not present or if the
# value is 0, authentication will fail.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceLoginLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.9. pwdLockout
#
# This attribute indicates, when its value is "TRUE", that the
# password may not be used to authenticate after a specified number of
# consecutive failed bind attempts. The maximum number of consecutive
# failed bind attempts is specified in pwdMaxFailure.
#
# If this attribute is not present, or if the value is "FALSE", the
# password may be used to authenticate when the number of failed bind
# attempts has been reached.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#Network Working Group J. Sermersheim
#Internet-Draft Novell, Inc
#Expires: April 24, 2005 L. Poitou
# Sun Microsystems
# October 24, 2004
#
#
# Password Policy for LDAP Directories
# draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
# This document is an Internet-Draft and is subject to all provisions
# of section 3 of RFC 3667. By submitting this Internet-Draft, each
# author represents that any applicable patent or other IPR claims of
# which he or she is aware have been or will be disclosed, and any of
# which he or she become aware will be disclosed, in accordance with
# RFC 3668.
#
# Internet-Drafts are working documents of the Internet Engineering
# Task Force (IETF), its areas, and its working groups. Note that
# other groups may also distribute working documents as
# Internet-Drafts.
#
# Internet-Drafts are draft documents valid for a maximum of six months
# and may be updated, replaced, or obsoleted by other documents at any
# time. It is inappropriate to use Internet-Drafts as reference
# material or to cite them other than as "work in progress."
#
# The list of current Internet-Drafts can be accessed at
# http://www.ietf.org/ietf/1id-abstracts.txt.
#
# The list of Internet-Draft Shadow Directories can be accessed at
# http://www.ietf.org/shadow.html.
#
# This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
# Copyright (C) The Internet Society (2004).
#
#Abstract
#
# Password policy as described in this document is a set of rules that
# controls how passwords are used and administered in Lightweight
# Directory Access Protocol (LDAP) based directories. In order to
# improve the security of LDAP directories and make it difficult for
# password cracking programs to break into directories, it is desirable
# to enforce a set of rules on password usage. These rules are made to
#
# [trimmed]
#
#5. Schema used for Password Policy
#
# The schema elements defined here fall into two general categories. A
# password policy object class is defined which contains a set of
# administrative password policy attributes, and a set of operational
# attributes are defined that hold general password policy state
# information for each user.
#
#5.2 Attribute Types used in the pwdPolicy ObjectClass
#
# Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1 pwdAttribute
#
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.
# 4.2.10. pwdLockoutDuration
#
# This attribute holds the number of seconds that the password cannot
# be used to authenticate due to too many failed bind attempts. If
# this attribute is not present, or if the value is 0 the password
# cannot be used to authenticate until reset by an administrator.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.11. pwdMaxFailure
#
# This attribute specifies the number of consecutive failed bind
# attempts after which the password may not be used to authenticate.
# If this attribute is not present, or if the value is 0, this policy
# is not checked, and the value of pwdLockout will be ignored.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.12. pwdFailureCountInterval
#
# This attribute holds the number of seconds after which the password
# failures are purged from the failure counter, even though no
# successful authentication occurred.
#
# If this attribute is not present, or if its value is 0, the failure
# counter is only reset by a successful authentication.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
# 4.2.13. pwdMustChange
#
# This attribute specifies with a value of "TRUE" that users must
# change their passwords when they first bind to the directory after a
# password is set or reset by the administrator. If this attribute is
# not present, or if the value is "FALSE", users are not required to
# change their password upon binding after the administrator sets or
# resets the password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# 4.2.14. pwdAllowUserChange
#
# This attribute indicates whether users can change their own
# passwords, although the change operation is still subject to access
# control. If this attribute is not present, a value of "TRUE" is
# assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# 4.2.15. pwdSafeModify
#
# This attribute specifies whether or not the existing password must
# be sent when changing a password. If this attribute is not present,
# a "FALSE" value is assumed.
#
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
#5.2.2 pwdMinAge
#
# This attribute holds the number of seconds that must elapse between
# modifications to the password. If this attribute is not present, 0
# seconds is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.3 pwdMaxAge
#
# This attribute holds the number of seconds after which a modified
# password will expire.
#
# If this attribute is not present, or if the value is 0 the password
# does not expire. If not 0, the value must be greater than or equal
# to the value of the pwdMinAge.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.4 pwdInHistory
#
# This attribute specifies the maximum number of used passwords stored
# in the pwdHistory attribute.
#
# If this attribute is not present, or if the value is 0, used
# passwords are not stored in the pwdHistory attribute and thus may be
# reused.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.5 pwdCheckQuality
#
# {TODO: Consider changing the syntax to OID. Each OID will list a
# quality rule (like min len, # of special characters, etc). These
# rules can be specified outsid ethis document.}
#
# {TODO: Note that even though this is meant to be a check that happens
# during password modification, it may also be allowed to happen during
# authN. This is useful for situations where the password is encrypted
# when modified, but decrypted when used to authN.}
#
# This attribute indicates how the password quality will be verified
# while being modified or added. If this attribute is not present, or
# if the value is '0', quality checking will not be enforced. A value
# of '1' indicates that the server will check the quality, and if the
# server is unable to check it (due to a hashed password or other
# reasons) it will be accepted. A value of '2' indicates that the
# server will check the quality, and if the server is unable to verify
# it, it will return an error refusing the password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.6 pwdMinLength
#
# When quality checking is enabled, this attribute holds the minimum
# number of characters that must be used in a password. If this
# attribute is not present, no minimum password length will be
# enforced. If the server is unable to check the length (due to a
# hashed password or otherwise), the server will, depending on the
# value of the pwdCheckQuality attribute, either accept the password
# without checking it ('0' or '1') or refuse it ('2').
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.7 pwdExpireWarning
#
# This attribute specifies the maximum number of seconds before a
# password is due to expire that expiration warning messages will be
# returned to an authenticating user.
#
# If this attribute is not present, or if the value is 0 no warnings
# will be returned. If not 0, the value must be smaller than the value
# of the pwdMaxAge attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.8 pwdGraceAuthNLimit
#
# This attribute specifies the number of times an expired password can
# be used to authenticate. If this attribute is not present or if the
# value is 0, authentication will fail.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.9 pwdLockout
#
# This attribute indicates, when its value is "TRUE", that the password
# may not be used to authenticate after a specified number of
# consecutive failed bind attempts. The maximum number of consecutive
# failed bind attempts is specified in pwdMaxFailure.
#
# If this attribute is not present, or if the value is "FALSE", the
# password may be used to authenticate when the number of failed bind
# attempts has been reached.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.10 pwdLockoutDuration
#
# This attribute holds the number of seconds that the password cannot
# be used to authenticate due to too many failed bind attempts. If
# this attribute is not present, or if the value is 0 the password
# cannot be used to authenticate until reset by a password
# administrator.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.11 pwdMaxFailure
#
# This attribute specifies the number of consecutive failed bind
# attempts after which the password may not be used to authenticate.
# If this attribute is not present, or if the value is 0, this policy
# is not checked, and the value of pwdLockout will be ignored.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.12 pwdFailureCountInterval
#
# This attribute holds the number of seconds after which the password
# failures are purged from the failure counter, even though no
# successful authentication occurred.
#
# If this attribute is not present, or if its value is 0, the failure
# counter is only reset by a successful authentication.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.13 pwdMustChange
#
# This attribute specifies with a value of "TRUE" that users must
# change their passwords when they first bind to the directory after a
# password is set or reset by a password administrator. If this
# attribute is not present, or if the value is "FALSE", users are not
# required to change their password upon binding after the password
# administrator sets or resets the password. This attribute is not set
# due to any actions specified by this document, it is typically set by
# a password administrator after resetting a user's password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.14 pwdAllowUserChange
#
# This attribute indicates whether users can change their own
# passwords, although the change operation is still subject to access
# control. If this attribute is not present, a value of "TRUE" is
# assumed. This attribute is intended to be used in the absense of an
# access control mechanism.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.15 pwdSafeModify
#
# This attribute specifies whether or not the existing password must be
# sent along with the new password when being changed. If this
# attribute is not present, a "FALSE" value is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# HP extensions
#
@ -312,231 +328,204 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
#
# The function should return LDAP_SUCCESS for a valid password.
attributetype ( 1.3.6.1.4.1.4754.1.99.1
attributetype ( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
DESC 'Loadable module that instantiates "check_password() function'
SINGLE-VALUE )
# 4.1. The pwdPolicy Object Class
#
# This object class contains the attributes defining a password policy
# in effect for a set of users. Section 8 describes the administration
# of this object, and the relationship between it and particular
# objects.
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
SUP top
AUXILIARY
MUST ( pwdAttribute )
MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
pwdMinLength $ pwdExpireWarning $ pwdGraceLoginLimit $ pwdLockout
$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
objectclass ( 1.3.6.1.4.1.4754.2.99.1
objectclass ( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
SUP top
AUXILIARY
MAY ( pwdCheckModule ) )
# 4.3. Attribute Types for Password Policy State Information
#
# Password policy state information must be maintained for each user.
# The information is located in each user entry as a set of
# operational attributes. These operational attributes are:
# pwdChangedTime, pwdAccountLockedTime, pwdExpirationWarned,
# pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset,
# pwdPolicySubEntry.
#
# 4.3.1. Password Policy State Attribute Option
#
# Since the password policy could apply to several attributes used to
# store passwords, each of the above operational attributes must have
# an option to specify which pwdAttribute is applies to.
# The password policy option is defined as the following:
# pwd-<passwordAttribute>
#
# where passwordAttribute a string following the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
# (short name) MUST be used.
#
# For example, if the pwdPolicy object has for pwdAttribute
# "userPassword" then the pwdChangedTime operational attribute, in a
# user entry, will be:
# pwdChangedTime;pwd-userPassword: 20000103121520Z
#
# This attribute option follows sub-typing semantics. If a client
# requests a password policy state attribute to be returned in a
# search operation, and does not specify an option, all subtypes of
# that policy state attribute are returned.
#
# 4.3.2. pwdChangedTime
#
# This attribute specifies the last time the entry's password was
# changed. This is used by the password expiration policy. If this
# attribute does not exist, the password will never expire.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.16
# NAME 'pwdChangedTime'
# DESC 'The time the password was last changed'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SINGLE-VALUE
# USAGE directoryOperation)
#
# 4.3.3. pwdAccountLockedTime
#
# This attribute holds the time that the user's account was locked. A
# locked account means that the password may no longer be used to
# authenticate. A 0 value means that the account has been locked
# permanently, and that only an administrator can unlock the account.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.17
# NAME 'pwdAccountLockedTime'
# DESC 'The time an user account was locked'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SINGLE-VALUE
# USAGE directoryOperation)
#
# 4.3.4. pwdExpirationWarned
#
# This attribute contains the time when the password expiration
# warning was first sent to the client. The password will expire in
# the pwdExpireWarning time.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.18
# NAME 'pwdExpirationWarned'
# DESC 'The time the user was first warned about the coming
# expiration of the password'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SINGLE-VALUE
# USAGE directoryOperation )
#
# 4.3.5. pwdFailureTime
#
# This attribute holds the timestamps of the consecutive
# authentication failures.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.19
# NAME 'pwdFailureTime'
# DESC 'The timestamps of the last consecutive authentication
# failures'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# USAGE directoryOperation )
#
# 4.3.6. pwdHistory
#
# This attribute holds a history of previously used passwords.
#
# Values of this attribute are transmitted in string format as given
# by the following ABNF:
#
# pwdHistory = time "#" syntaxOID "#" length "#" data
#
# time = <generalizedTimeString as specified in 6.14 of
# [RFC2252]>
#
# syntaxOID = numericoid ; the string representation of the
# ; dotted-decimal OID that defines the
# ; syntax used to store the password.
# ; numericoid is described in 4.1 of
# ; [RFC2252].
#
# length = numericstring ; the number of octets in data.
# ; numericstring is described in 4.1 of
# ; [RFC2252].
#
# data = <octets representing the password in the format
# specified by syntaxOID>.
#
# This format allows the server to store, and transmit a history of
# passwords that have been used. In order for equality matching to
# function properly, the time field needs to adhere to a consistent
# format. For this purpose, the time field MUST be in GMT format.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.20
# NAME 'pwdHistory'
# DESC 'The history of user s passwords'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
# EQUALITY octetStringMatch
# USAGE directoryOperation)
#
# 4.3.7. pwdGraceUseTime
#
# This attribute holds the timestamps of grace login once a password
# has expired.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.21
# NAME 'pwdGraceUseTime'
# DESC 'The timestamps of the grace login once the password has
# expired'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# EQUALITY generalizedTimeMatch
#
# USAGE directoryOperation)
#
# 4.3.8. pwdReset
#
# This attribute holds a flag to indicate (when TRUE) that the
# password has been reset and therefore must be changed by the user on
# first authentication.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.22
# NAME 'pwdReset'
# DESC 'The indication that the password has been reset'
# EQUALITY booleanMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
# SINGLE-VALUE
# USAGE directoryOperation)
#
# 4.3.9. pwdPolicySubentry
#
# This attribute points to the pwdPolicy subentry in effect for this
# object.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.23
# NAME 'pwdPolicySubentry'
# DESC 'The pwdPolicy subentry in effect for this object'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
# SINGLE-VALUE
# USAGE directoryOperation)
#
# 14. Copyright Notice
#
# Copyright (C) The Internet Society (2004). All Rights
# Reserved.
#
# This document and translations of it may be copied and furnished to
# others, and derivative works that comment on or otherwise explain it
# or assist in its implementation may be prepared, copied, published
# and distributed, in whole or in part, without restriction of any
# kind, provided that the above copyright notice and this paragraph
# are included on all such copies and derivative works. However, this
# document itself may not be modified in any way, such as by removing
# the copyright notice or references to the Internet Society or other
# Internet organizations, except as needed for the purpose of
# developing Internet standards in which case the procedures for
# copyrights defined in the Internet Standards process must be
# followed, or as required to translate it into languages other than
# English.
#
# The limited permissions granted above are perpetual and will not be
# revoked by the Internet Society or its successors or assigns.
#
# This document and the information contained herein is provided on an
# "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
# TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
# BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
# HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
# MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
#5.1 The pwdPolicy Object Class
#
# This object class contains the attributes defining a password policy
# in effect for a set of users. Section 10 describes the
# administration of this object, and the relationship between it and
# particular objects.
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
SUP top
AUXILIARY
MUST ( pwdAttribute )
MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
#5.3 Attribute Types for Password Policy State Information
#
# Password policy state information must be maintained for each user.
# The information is located in each user entry as a set of operational
# attributes. These operational attributes are: pwdChangedTime,
# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
# pwdReset, pwdPolicySubEntry.
#
#5.3.1 Password Policy State Attribute Option
#
# Since the password policy could apply to several attributes used to
# store passwords, each of the above operational attributes must have
# an option to specify which pwdAttribute it applies to. The password
# policy option is defined as the following:
#
# pwd-<passwordAttribute>
#
# where passwordAttribute a string following the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
# (short name) MUST be used.
#
# For example, if the pwdPolicy object has for pwdAttribute
# "userPassword" then the pwdChangedTime operational attribute, in a
# user entry, will be:
#
# pwdChangedTime;pwd-userPassword: 20000103121520Z
#
# This attribute option follows sub-typing semantics. If a client
# requests a password policy state attribute to be returned in a search
# operation, and does not specify an option, all subtypes of that
# policy state attribute are returned.
#
#5.3.2 pwdChangedTime
#
# This attribute specifies the last time the entry's password was
# changed. This is used by the password expiration policy. If this
# attribute does not exist, the password will never expire.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.16
# NAME 'pwdChangedTime'
# DESC 'The time the password was last changed'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.3 pwdAccountLockedTime
#
# This attribute holds the time that the user's account was locked. A
# locked account means that the password may no longer be used to
# authenticate. A 000001010000Z value means that the account has been
# locked permanently, and that only a password administrator can unlock
# the account.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.17
# NAME 'pwdAccountLockedTime'
# DESC 'The time an user account was locked'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.4 pwdFailureTime
#
# This attribute holds the timestamps of the consecutive authentication
# failures.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.19
# NAME 'pwdFailureTime'
# DESC 'The timestamps of the last consecutive authentication
# failures'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# USAGE directoryOperation )
#
#5.3.5 pwdHistory
#
# This attribute holds a history of previously used passwords. Values
# of this attribute are transmitted in string format as given by the
# following ABNF:
#
# pwdHistory = time "#" syntaxOID "#" length "#" data
#
# time = <generalizedTimeString as specified in 6.14
# of [RFC2252]>
#
# syntaxOID = numericoid ; the string representation of the
# ; dotted-decimal OID that defines the
# ; syntax used to store the password.
# ; numericoid is described in 4.1
# ; of [RFC2252].
#
# length = numericstring ; the number of octets in data.
# ; numericstring is described in 4.1
# ; of [RFC2252].
#
# data = <octets representing the password in the format
# specified by syntaxOID>.
#
# This format allows the server to store, and transmit a history of
# passwords that have been used. In order for equality matching to
# function properly, the time field needs to adhere to a consistent
# format. For this purpose, the time field MUST be in GMT format.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.20
# NAME 'pwdHistory'
# DESC 'The history of user s passwords'
# EQUALITY octetStringMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
# USAGE directoryOperation )
#
#5.3.6 pwdGraceUseTime
#
# This attribute holds the timestamps of grace authentications after a
# password has expired.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.21
# NAME 'pwdGraceUseTime'
# DESC 'The timestamps of the grace authentication after the
# password has expired'
# EQUALITY generalizedTimeMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#
#5.3.7 pwdReset
#
# This attribute holds a flag to indicate (when TRUE) that the password
# has been updated by the password administrator and must be changed by
# the user on first authentication.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.22
# NAME 'pwdReset'
# DESC 'The indication that the password has been reset'
# EQUALITY booleanMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.8 pwdPolicySubentry
#
# This attribute points to the pwdPolicy subentry in effect for this
# object.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.23
# NAME 'pwdPolicySubentry'
# DESC 'The pwdPolicy subentry in effect for this object'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
# SINGLE-VALUE
# USAGE directoryOperation )
#
#
#Disclaimer of Validity
#
# This document and the information contained herein are provided on an
# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
# Copyright (C) The Internet Society (2004). This document is subject
# to the rights, licenses and restrictions contained in BCP 78, and
# except as set forth therein, the authors retain all their rights.