From 8605eedb315bf36f696e9e10885894ee9d316330 Mon Sep 17 00:00:00 2001 From: Michael Stroeder Date: Fri, 18 Jul 2014 13:03:21 -0700 Subject: [PATCH] ITS#7838 add ORDERING rules to ppolicy attrs --- .../draft-behera-ldap-password-policy-xx.txt | 812 ++++++++++-------- .../draft-behera-ldap-password-policy-xx.xml | 43 +- servers/slapd/schema/ppolicy.ldif | 31 +- servers/slapd/schema/ppolicy.schema | 10 + 4 files changed, 521 insertions(+), 375 deletions(-) diff --git a/doc/drafts/draft-behera-ldap-password-policy-xx.txt b/doc/drafts/draft-behera-ldap-password-policy-xx.txt index ebf4893dda..616a418379 100644 --- a/doc/drafts/draft-behera-ldap-password-policy-xx.txt +++ b/doc/drafts/draft-behera-ldap-password-policy-xx.txt 
@@ -4,58 +4,14 @@ Network Working Group J. Sermersheim Internet-Draft Novell, Inc Intended status: Standards Track L. Poitou -Expires: February 10, 2010 Sun Microsystems +Expires: January 19, 2015 Sun Microsystems H. Chu, Ed. Symas Corp. - August 9, 2009 + July 18, 2014 Password Policy for LDAP Directories - draft-behera-ldap-password-policy-10.txt - -Status of this Memo - - This Internet-Draft is submitted to IETF in full conformance with the - provisions of BCP 78 and BCP 79. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on February 10, 2010. - -Copyright Notice - - Copyright (c) 2009 IETF Trust and the persons identified as the - document authors. All rights reserved. - - This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents in effect on the date of - publication of this document (http://trustee.ietf.org/license-info). - Please review these documents carefully, as they describe your rights - and restrictions with respect to this document. - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 1] - -Internet-Draft Password Policy for LDAP Directories August 2009 - + draft-behera-ldap-password-policy-11 Abstract 
@@ -69,48 +25,92 @@ Abstract construction requirements, the re-use of old password is restricted, and to deter password guessing attacks. +Status of this Memo + + This Internet-Draft is submitted in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at http://datatracker.ietf.org/drafts/current/. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + This Internet-Draft will expire on January 19, 2015. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 2] +Sermersheim, et al. Expires January 19, 2015 [Page 1] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 + + + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Sermersheim, et al. 
Expires January 19, 2015 [Page 2] + +Internet-Draft Password Policy for LDAP Directories July 2014 Table of Contents @@ -125,7 +125,7 @@ Table of Contents 5. Schema used for Password Policy . . . . . . . . . . . . . . 12 5.1. The pwdPolicy Object Class . . . . . . . . . . . . . . . . . 12 5.2. Attribute Types used in the pwdPolicy ObjectClass . . . . . 12 - 5.3. Attribute Types for Password Policy State Information . . . 18 + 5.3. Attribute Types for Password Policy State Information . . . 19 6. Controls used for Password Policy . . . . . . . . . . . . . 24 6.1. Request Control . . . . . . . . . . . . . . . . . . . . . . 24 6.2. Response Control . . . . . . . . . . . . . . . . . . . . . . 24 @@ -136,7 +136,7 @@ Table of Contents 7.4. Remaining Grace AuthN Check . . . . . . . . . . . . . . . . 27 7.5. Time Before Expiration Check . . . . . . . . . . . . . . . . 27 7.6. Intruder Lockout Check . . . . . . . . . . . . . . . . . . . 27 - 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 27 + 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 28 7.8. Password Too Young Check . . . . . . . . . . . . . . . . . . 28 8. Server Policy Enforcement Points . . . . . . . . . . . . . . 29 8.1. Password-based Authentication . . . . . . . . . . . . . . . 29 
@@ -152,21 +152,21 @@ Table of Contents 11. Password Policy and Replication . . . . . . . . . . . . . . 40 12. Security Considerations . . . . . . . . . . . . . . . . . . 42 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 43 - 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 44 - 15. Normative References . . . . . . . . . . . . . . . . . . . . 45 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 46 + 13.1. Object Identifiers . . . . . . . . . . . . . . . . . . . . . 43 + 13.2. LDAP Protocol Mechanisms . . . . . . . . . . . . . . . . . . 43 + 13.3. LDAP Descriptors . . . . . . . . . . . . . . . . . . . . . . 43 + 13.4. LDAP AttributeDescription Options . . . . . . . . . . . . . 45 + 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 46 + 15. Normative References . . . . . . . . . . . . . . . . . . . . 47 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 48 - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 3] +Sermersheim, et al. Expires January 19, 2015 [Page 3] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 1. Overview @@ -220,9 +220,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 4] +Sermersheim, et al. Expires January 19, 2015 [Page 4] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 2. Conventions @@ -276,9 +276,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 5] +Sermersheim, et al. Expires January 19, 2015 [Page 5] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 3. Application of Password Policy 
@@ -332,9 +332,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 6] +Sermersheim, et al. Expires January 19, 2015 [Page 6] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 4. Articles of Password Policy @@ -388,9 +388,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 7] +Sermersheim, et al. Expires January 19, 2015 [Page 7] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 o An amount of time the account is locked (if it is to be locked). @@ -444,9 +444,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 8] +Sermersheim, et al. Expires January 19, 2015 [Page 8] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 o The user may bind to the directory a preset number of times after @@ -500,9 +500,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 9] +Sermersheim, et al. Expires January 19, 2015 [Page 9] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 o If the password to be added or updated is encrypted by the client @@ -556,9 +556,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 10] +Sermersheim, et al. Expires January 19, 2015 [Page 10] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 contains one and only one password value. 
@@ -612,9 +612,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 11] +Sermersheim, et al. Expires January 19, 2015 [Page 11] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 5. Schema used for Password Policy @@ -668,14 +668,15 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 12] +Sermersheim, et al. Expires January 19, 2015 [Page 12] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -691,6 +692,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -706,6 +708,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -718,17 +721,17 @@ Internet-Draft Password Policy for LDAP Directories August 2009 {TODO: Note that even though this is meant to be a check that happens during password modification, it may also be allowed to happen during authN. This is useful for situations where the password is encrypted + + + +Sermersheim, et al. Expires January 19, 2015 [Page 13] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + when modified, but decrypted when used to authN.} This attribute indicates how the password quality will be verified - - - -Sermersheim, et al. Expires February 10, 2010 [Page 13] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the @@ -740,6 +743,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -756,6 +760,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -769,22 +774,24 @@ Internet-Draft Password Policy for LDAP Directories August 2009 value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2'). + + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 14] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.31 NAME 'pwdMaxLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 14] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.2.8. pwdExpireWarning This attribute specifies the maximum number of seconds before a @@ -798,6 +805,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -810,6 +818,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -822,7 +831,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdGraceExpire' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + + + +Sermersheim, et al. Expires January 19, 2015 [Page 15] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + SINGLE-VALUE ) 5.2.11. pwdLockout 
@@ -833,14 +851,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the - - - -Sermersheim, et al. Expires February 10, 2010 [Page 15] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - password may be used to authenticate when the number of failed bind attempts has been reached. @@ -861,6 +871,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -875,8 +886,17 @@ Internet-Draft Password Policy for LDAP Directories August 2009 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ORDERING integerOrderingMatch SINGLE-VALUE ) + + + +Sermersheim, et al. Expires January 19, 2015 [Page 16] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + 5.2.14. pwdFailureCountInterval This attribute holds the number of seconds after which the password @@ -886,21 +906,11 @@ Internet-Draft Password Policy for LDAP Directories August 2009 If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication. - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 16] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ORDERING integerOrderingMatch SINGLE-VALUE ) 5.2.15. pwdMustChange 
@@ -934,6 +944,15 @@ Internet-Draft Password Policy for LDAP Directories August 2009 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 17] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + 5.2.17. pwdSafeModify This attribute specifies whether or not the existing password must be @@ -946,13 +965,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - - -Sermersheim, et al. Expires February 10, 2010 [Page 17] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.2.18. pwdMinDelay This attribute specifies the number of seconds to delay responding to @@ -963,6 +975,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.24 NAME 'pwdMinDelay' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -978,6 +991,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 ( 1.3.6.1.4.1.42.2.27.8.1.25 NAME 'pwdMaxDelay' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -987,9 +1001,18 @@ Internet-Draft Password Policy for LDAP Directories August 2009 unused before it becomes locked. If this attribute is not set or is 0, no check is performed. + + + +Sermersheim, et al. Expires January 19, 2015 [Page 18] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.26 NAME 'pwdMaxIdle' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -1002,13 +1025,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 pwdReset, pwdPolicySubEntry, pwdStartTime, pwdEndTime, pwdLastSuccess. - - -Sermersheim, et al. Expires February 10, 2010 [Page 18] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.3.1. Password Policy State Attribute Option Since the password policy could apply to several attributes used to @@ -1018,7 +1034,7 @@ Internet-Draft Password Policy for LDAP Directories August 2009 pwd- - where passwordAttribute a string following the OID syntax + where passwordAttribute is a string following the OID syntax (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor (short name) MUST be used. @@ -1039,6 +1055,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 changed. This is used by the password expiration policy. If this attribute does not exist, the password will never expire. + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 19] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' DESC 'The time the password was last changed' @@ -1057,14 +1083,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 locked permanently, and that only a password administrator can unlock the account. - - - -Sermersheim, et al. Expires February 10, 2010 [Page 19] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' DESC 'The time an user account was locked' @@ -1096,6 +1114,13 @@ Internet-Draft Password Policy for LDAP Directories August 2009 of this attribute are transmitted in string format as given by the following ABNF: + + +Sermersheim, et al. Expires January 19, 2015 [Page 20] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + pwdHistory = time "#" syntaxOID "#" length "#" data time = GeneralizedTime 
@@ -1113,14 +1138,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 number are specified in 1.4 of [RFC4512]. This format allows the server to store, and transmit a history of - - - -Sermersheim, et al. Expires February 10, 2010 [Page 20] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - passwords that have been used. In order for equality matching to function properly, the time field needs to adhere to a consistent format. For this purpose, the time field MUST be in GMT format. @@ -1153,6 +1170,13 @@ Internet-Draft Password Policy for LDAP Directories August 2009 has been updated by the password administrator and must be changed by the user. + + +Sermersheim, et al. Expires January 19, 2015 [Page 21] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.22 NAME 'pwdReset' DESC 'The indication that the password has been reset' @@ -1166,17 +1190,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 This attribute points to the pwdPolicy subentry in effect for this object. - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 21] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' DESC 'The pwdPolicy subentry in effect for this object' @@ -1210,6 +1223,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 time will fail, regardless of expiration or grace settings. If this attribute does not exist, then this restriction does not apply. + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 22] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + ( 1.3.6.1.4.1.42.2.27.8.1.28 NAME 'pwdEndTime' DESC 'The time the password becomes disabled' 
@@ -1223,16 +1246,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 Note that pwdStartTime may be set to a time greater than or equal to pwdEndTime; this simply disables the account. - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 22] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - 5.3.11. pwdLastSuccess This attribute holds the timestamp of the last successful @@ -1271,22 +1284,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 - - - - - - - - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 23] +Sermersheim, et al. Expires January 19, 2015 [Page 23] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 6. Controls used for Password Policy @@ -1340,9 +1340,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 24] +Sermersheim, et al. Expires January 19, 2015 [Page 24] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 before a password will expire. The graceAuthNsRemaining warning @@ -1396,9 +1396,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 25] +Sermersheim, et al. Expires January 19, 2015 [Page 25] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 7. Policy Decision Points @@ -1452,9 +1452,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 26] +Sermersheim, et al. Expires January 19, 2015 [Page 26] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 7.3. Password Expiration Check 
@@ -1467,6 +1467,10 @@ Internet-Draft Password Policy for LDAP Directories August 2009 7.4. Remaining Grace AuthN Check + If the pwdGraceExpiry attribute is present, and the current time is + greater than the password expiration time plus the pwdGraceExpiry + value, zero is returned. + If the pwdGraceUseTime attribute is present, the number of values in that attribute subtracted from the value of pwdGraceAuthNLimit is returned. Otherwise zero is returned. A positive result specifies @@ -1501,18 +1505,18 @@ Internet-Draft Password Policy for LDAP Directories August 2009 While performing this check, values of pwdFailureTime that are old by more than pwdFailureCountInterval are purged and not counted. + + + +Sermersheim, et al. Expires January 19, 2015 [Page 27] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + 7.7. Intruder Delay Check If the pwdMinDelay attribute is 0 or not set, zero is returned. - - - -Sermersheim, et al. Expires February 10, 2010 [Page 27] - -Internet-Draft Password Policy for LDAP Directories August 2009 - - Otherwise, a delay time is computed based on the number of values in the pwdFailureTime attribute. If the computed value is greater than the pwdMaxDelay attribute, the pwdMaxDelay value is returned. @@ -1560,13 +1564,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 28] +Sermersheim, et al. Expires January 19, 2015 [Page 28] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8. Server Policy Enforcement Points 
@@ -1620,9 +1620,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 29] +Sermersheim, et al. Expires January 19, 2015 [Page 29] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Set the value of the pwdLastSuccess attribute to the current time. @@ -1676,9 +1676,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 30] +Sermersheim, et al. Expires January 19, 2015 [Page 30] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8.1.2.4. Expiration Warning @@ -1732,9 +1732,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 31] +Sermersheim, et al. Expires January 19, 2015 [Page 31] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8.2.1. Safe Modification @@ -1788,9 +1788,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 32] +Sermersheim, et al. Expires January 19, 2015 [Page 32] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 8.2.5. Password Quality 
@@ -1806,28 +1806,32 @@ Internet-Draft Password Policy for LDAP Directories August 2009 sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: - insufficientPasswordQuality (5). If the server is able to check - the password quality, and the check fails, the server sends a - response message to the client with the resultCode: - constraintViolation (19), and includes the passwordPolicyResponse - in the controls field of the response message with the error: insufficientPasswordQuality (5). + If the server is able to check the password quality, and the check + fails, the server sends a response message to the client with the + resultCode: constraintViolation (19), and includes the + passwordPolicyResponse in the controls field of the response + message with the error: insufficientPasswordQuality (5). + o checks the value of the pwdMinLength attribute. If the value is non-zero, it ensures that the new password is of at least the - minimum length. If the server is unable to check the length (due - to a hashed password or otherwise), the value of pwdCheckQuality - is evaluated. If the value is 1, operation continues. If the - value is 2, the server sends a response message to the client with - the resultCode: constraintViolation (19), and includes the - passwordPolicyResponse in the controls field of the response - message with the error: passwordTooShort (6). If the server is - able to check the password length, and the check fails, the server - sends a response message to the client with the resultCode: + minimum length. + + If the server is unable to check the length (due to a hashed + password or otherwise), the value of pwdCheckQuality is evaluated. + If the value is 1, operation continues. 
If the value is 2, the + server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooShort (6). + If the server is able to check the password length, and the check + fails, the server sends a response message to the client with the + resultCode: constraintViolation (19), and includes the + passwordPolicyResponse in the controls field of the response + message with the error: passwordTooShort (6). + 8.2.6. Invalid Reuse If pwdInHistory is present and its value is non-zero, the server @@ -1837,18 +1841,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 attribute, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message - with the error: passwordInHistory (8). - - - -Sermersheim, et al. Expires February 10, 2010 [Page 33] +Sermersheim, et al. Expires January 19, 2015 [Page 33] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 + with the error: passwordInHistory (8). + 8.2.7. Policy State Updates If the steps have completed without causing an error condition, the @@ -1898,11 +1900,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 - - -Sermersheim, et al. Expires February 10, 2010 [Page 34] +Sermersheim, et al. Expires January 19, 2015 [Page 34] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9. Client Policy Enforcement Points 
@@ -1956,9 +1956,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 35] +Sermersheim, et al. Expires January 19, 2015 [Page 35] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9.2. Modify Operations @@ -2012,9 +2012,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 36] +Sermersheim, et al. Expires January 19, 2015 [Page 36] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9.3. Add Operation @@ -2068,22 +2068,16 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 37] +Sermersheim, et al. Expires January 19, 2015 [Page 37] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 9.5. Other Operations For operations other than bind, unbind, abandon or StartTLS, the - client checks the result code and control to determine if any other - actions are needed. - - o .resultCode = insufficientAccessRights (50), - passwordPolicyResponse.error = accountLocked (1) : The password - failure limit has been reached and the account is locked. The - user needs to retry later or contact the password administrator to - reset the password. + client checks the result code and control to determine if the user + needs to change the password immediately. o .resultCode = insufficientAccessRights (50), passwordPolicyResponse.error = changeAfterReset (2) : The user 
@@ -2124,9 +2118,15 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 38] + + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 38] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 10. Administration of the Password Policy @@ -2180,9 +2180,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 39] +Sermersheim, et al. Expires January 19, 2015 [Page 39] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 11. Password Policy and Replication @@ -2236,9 +2236,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 40] +Sermersheim, et al. Expires January 19, 2015 [Page 40] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Servers participating in a loosely consistent multi-master @@ -2292,9 +2292,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 41] +Sermersheim, et al. Expires January 19, 2015 [Page 41] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 12. Security Considerations 
@@ -2348,65 +2348,177 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 42] +Sermersheim, et al. Expires January 19, 2015 [Page 42] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 13. IANA Considerations - <<>> + In accordance with [RFC4520] the following registrations are + requested. + +13.1. Object Identifiers + + The OIDs used in this specification are derived from iso(1) + identified-organization(3) dod(6) internet(1) private(4) + enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These OIDs + have been in use since at least July 2001 when version 04 of this + draft was published. No additional OID assignment is being + requested. + +13.2. LDAP Protocol Mechanisms + + Registration of the protocol mechanisms specified in this document is + requested. + + Subject: Request for LDAP Protocol Mechanism Registration + + Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1 + + Description: Password Policy Request and Response Control + + Person & email address to contact for further information: + + Howard Chu + + Usage: Control + + Specification: (I-D) draft-behera-ldap-password-policy + + Author/Change Controller: IESG + + Comments: + +13.3. LDAP Descriptors + + Registration of the descriptors specified in this document is + requested. + + Subject: Request for LDAP Descriptor Registration + + Descriptor (short name): see table + + Object Identifier: see table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Sermersheim, et al. Expires February 10, 2010 [Page 43] +Sermersheim, et al. 
Expires January 19, 2015 [Page 43] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 + + + Description: see table + + Person & email address to contact for further information: + + Howard Chu + + Specification: (I-D) draft-behera-ldap-password-policy + + Author/Change Controller: IESG + + Comments: + + Name Type OID + ----------------------- ---- ------------------------------ + pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1 + pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1 + pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2 + pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3 + pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4 + pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5 + pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6 + pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31 + pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7 + pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8 + pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30 + pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9 + pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10 + pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11 + pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12 + pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13 + pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14 + pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15 + pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24 + pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25 + pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26 + pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16 + pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17 + pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19 + pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20 + pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21 + pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22 + pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23 + pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27 + pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28 + pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29 + + + + + + +Sermersheim, et al. 
Expires January 19, 2015 [Page 44] + +Internet-Draft Password Policy for LDAP Directories July 2014 + + + Legend + -------------------- + A => Attribute Type + O => Object Class + +13.4. LDAP AttributeDescription Options + + Registration of the AttributeDescription option specified in this + document is requested. + + Subject: Request for LDAP Attribute Description Option + Registration + + Option Name: pwd- + + Family of Options: YES + + Person & email address to contact for further information: + + Howard Chu + + Specification: (I-D) draft-behera-ldap-password-policy + + Author/Change Controller: IESG + + Comments: + + Used with policy state attributes to specify to which password + attribute the state belongs. + + + + + + + + + + + + + + + + + + + + + + +Sermersheim, et al. Expires January 19, 2015 [Page 45] + +Internet-Draft Password Policy for LDAP Directories July 2014 14. Acknowledgement @@ -2460,9 +2572,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 44] +Sermersheim, et al. Expires January 19, 2015 [Page 46] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 15. Normative References @@ -2480,10 +2592,6 @@ Internet-Draft Password Policy for LDAP Directories August 2009 [RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation", RFC 3062, February 2001. - [RFC3383] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) - Considerations for the Lightweight Directory Access - Protocol (LDAP)", RFC 3383, September 2002. - [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory Access Protocol (LDAP)", RFC 3672, December 2003. 
@@ -2504,6 +2612,10 @@ Internet-Draft Password Policy for LDAP Directories August 2009 [RFC4517] Legg, S., "Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules", RFC 4517, June 2006. + [RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA) + Considerations for the Lightweight Directory Access + Protocol (LDAP)", BCP 64, RFC 4520, June 2006. + [X.680] International Telecommunications Union, "Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, July 2002. @@ -2516,9 +2628,9 @@ Internet-Draft Password Policy for LDAP Directories August 2009 -Sermersheim, et al. Expires February 10, 2010 [Page 45] +Sermersheim, et al. Expires January 19, 2015 [Page 47] -Internet-Draft Password Policy for LDAP Directories August 2009 +Internet-Draft Password Policy for LDAP Directories July 2014 Authors' Addresses @@ -2572,5 +2684,5 @@ Authors' Addresses -Sermersheim, et al. Expires February 10, 2010 [Page 46] +Sermersheim, et al. Expires January 19, 2015 [Page 48] diff --git a/doc/drafts/draft-behera-ldap-password-policy-xx.xml b/doc/drafts/draft-behera-ldap-password-policy-xx.xml index 8a0f057b70..7582aeb7eb 100644 --- a/doc/drafts/draft-behera-ldap-password-policy-xx.xml +++ b/doc/drafts/draft-behera-ldap-password-policy-xx.xml @@ -1,19 +1,19 @@ - - - - - - - - - - + + + + + + + + + + + ]> - + @@ -21,7 +21,7 @@ - + Password Policy for LDAP Directories @@ -64,7 +64,7 @@ hyc@symas.com - + Password policy as described in this document is a set of rules that @@ -438,6 +438,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -457,6 +458,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -476,6 +478,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -506,6 +509,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -526,6 +530,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -546,6 +551,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.31 NAME 'pwdMaxLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -566,6 +572,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -582,6 +589,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -599,6 +607,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdGraceExpire' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -638,6 +647,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -656,6 +666,7 @@ NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ORDERING integerOrderingMatch SINGLE-VALUE ) @@ -675,6 +686,7 @@ NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + ORDERING integerOrderingMatch SINGLE-VALUE ) @@ -746,6 +758,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.24 NAME 'pwdMinDelay' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -765,6 +778,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.25 NAME 'pwdMaxDelay' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -781,6 +795,7 @@ ( 1.3.6.1.4.1.42.2.27.8.1.26 NAME 'pwdMaxIdle' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) diff --git a/servers/slapd/schema/ppolicy.ldif b/servers/slapd/schema/ppolicy.ldif index b2f3867789..fa10b88584 100644 --- a/servers/slapd/schema/ppolicy.ldif +++ b/servers/slapd/schema/ppolicy.ldif 
@@ -35,28 +35,37 @@ cn: ppolicy olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in - tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in - tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY - integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .27 SINGLE-VALUE ) olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL - ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.27 SINGLE-VALUE ) olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY - integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121. + 1.27 SINGLE-VALUE ) olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA - LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + LITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115. 
+ 121.1.27 SINGLE-VALUE ) olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ - UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11 + 5.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E - QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + QUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1 + 15.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL - ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.27 SINGLE-VALUE ) olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter - val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE - ) + val' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' diff --git a/servers/slapd/schema/ppolicy.schema b/servers/slapd/schema/ppolicy.schema index 6c5fb701ba..ab155839e4 100644 --- a/servers/slapd/schema/ppolicy.schema +++ b/servers/slapd/schema/ppolicy.schema @@ -110,6 +110,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -125,6 +126,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -140,6 +142,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -166,6 +169,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -182,6 +186,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -198,6 +203,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -210,6 +216,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -241,6 +248,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -254,6 +262,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
@@ -269,6 +278,7 @@ attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch + ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
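Review bot: the .txt hunk for section 9.5 removes the accountLocked (1) bullet and narrows the lead sentence to "if the user needs to change the password immediately", but nothing in the change says whether a locked account can still produce insufficientAccessRights/accountLocked on non-bind operations; if it can, clients lose the only guidance for that case, so either keep the bullet or state that accountLocked is only returned on bind. The same file also adds a whole section 13 (IANA Considerations) and swaps [RFC3383] for [RFC4520], none of which is covered by the subject "add ORDERING rules to ppolicy attrs"; mention the editorial rework in the commit message or split it into its own commit.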
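Review bot: the new 13.3 descriptor table registers `pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30`, but the .xml hunk at -599 defines that same OID as `NAME 'pwdGraceExpire'`; an IANA descriptor registration has to carry the NAME actually used in the schema, so make one of the two spellings agree with the other before this goes out.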
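Review bot: in the .xml hunks for pwdMaxFailure (-656) and pwdFailureCountInterval (-675) the added `ORDERING integerOrderingMatch` line sits after `SYNTAX 1.3.6.1.4.1.1466.115.121.1.27` instead of between EQUALITY and SYNTAX as in every other definition in this patch and in the matching ppolicy.schema hunks; the AttributeTypeDescription ABNF in RFC 4512 orders ORDERING before SYNTAX, so move the line up so the published schema text is grammatical and consistent.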
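Review bot: the draft .xml gains ORDERING on pwdMaxLength (8.1.31), pwdGraceExpire (8.1.30), pwdMinDelay (8.1.24), pwdMaxDelay (8.1.25) and pwdMaxIdle (8.1.26), yet the ppolicy.schema and ppolicy.ldif hunks stop at pwdFailureCountInterval and do not touch those types; if slapd's shipped schema defines any of them they need the same ORDERING rule so that both copies stay in step (and so that range filters such as `(pwdMaxAge>=...)` work uniformly for policy audits), and if it does not define them, a sentence in the commit message saying so would save the next reader the diff. A style point on the ppolicy.ldif hunk: the refolded continuation lines now split OIDs mid-token (`...115.121.1` / `.27`); LDIF unfolding makes this valid, but folding at token boundaries as the old lines did keeps the file greppable.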