# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.7.2.5 2010/04/13 20:23:49 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2010 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.

# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
# Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
#   pwdCheckModule etc.

# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!

#Network Working Group                                     J. Sermersheim
#Internet-Draft                                              Novell, Inc
#Expires: April 24, 2005                                       L. Poitou
#                                                       Sun Microsystems
#                                                       October 24, 2004
#
#
#                 Password Policy for LDAP Directories
#                 draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
#   This document is an Internet-Draft and is subject to all provisions
#   of section 3 of RFC 3667. By submitting this Internet-Draft, each
#   author represents that any applicable patent or other IPR claims of
#   which he or she is aware have been or will be disclosed, and any of
#   which he or she become aware will be disclosed, in accordance with
#   RFC 3668.
#
#   Internet-Drafts are working documents of the Internet Engineering
#   Task Force (IETF), its areas, and its working groups. Note that
#   other groups may also distribute working documents as
#   Internet-Drafts.
#
#   Internet-Drafts are draft documents valid for a maximum of six months
#   and may be updated, replaced, or obsoleted by other documents at any
#   time. It is inappropriate to use Internet-Drafts as reference
#   material or to cite them other than as "work in progress."
#
#   The list of current Internet-Drafts can be accessed at
#   http://www.ietf.org/ietf/1id-abstracts.txt.
#
#   The list of Internet-Draft Shadow Directories can be accessed at
#   http://www.ietf.org/shadow.html.
#
#   This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
#   Copyright (C) The Internet Society (2004).
#
#Abstract
#
#   Password policy as described in this document is a set of rules that
#   controls how passwords are used and administered in Lightweight
#   Directory Access Protocol (LDAP) based directories. In order to
#   improve the security of LDAP directories and make it difficult for
#   password cracking programs to break into directories, it is desirable
#   to enforce a set of rules on password usage. These rules are made to
#
#   [trimmed]
#
#5. Schema used for Password Policy
#
#   The schema elements defined here fall into two general categories. A
#   password policy object class is defined which contains a set of
#   administrative password policy attributes, and a set of operational
#   attributes are defined that hold general password policy state
#   information for each user.
#
#5.2 Attribute Types used in the pwdPolicy ObjectClass
#
#   Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1 pwdAttribute
#
#   This holds the name of the attribute to which the password policy is
#   applied. For example, the password policy may be applied to the
#   userPassword attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
    NAME 'pwdAttribute'
    EQUALITY objectIdentifierMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

#5.2.2 pwdMinAge
#
#   This attribute holds the number of seconds that must elapse between
#   modifications to the password. If this attribute is not present, 0
#   seconds is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
    NAME 'pwdMinAge'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.3 pwdMaxAge
#
#   This attribute holds the number of seconds after which a modified
#   password will expire.
#
#   If this attribute is not present, or if the value is 0 the password
#   does not expire. If not 0, the value must be greater than or equal
#   to the value of the pwdMinAge.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
    NAME 'pwdMaxAge'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.4 pwdInHistory
#
#   This attribute specifies the maximum number of used passwords stored
#   in the pwdHistory attribute.
#
#   If this attribute is not present, or if the value is 0, used
#   passwords are not stored in the pwdHistory attribute and thus may be
#   reused.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
    NAME 'pwdInHistory'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.5 pwdCheckQuality
#
#   {TODO: Consider changing the syntax to OID. Each OID will list a
#   quality rule (like min len, # of special characters, etc). These
#   rules can be specified outside this document.}
#
#   {TODO: Note that even though this is meant to be a check that happens
#   during password modification, it may also be allowed to happen during
#   authN. This is useful for situations where the password is encrypted
#   when modified, but decrypted when used to authN.}
#
#   This attribute indicates how the password quality will be verified
#   while being modified or added. If this attribute is not present, or
#   if the value is '0', quality checking will not be enforced. A value
#   of '1' indicates that the server will check the quality, and if the
#   server is unable to check it (due to a hashed password or other
#   reasons) it will be accepted. A value of '2' indicates that the
#   server will check the quality, and if the server is unable to verify
#   it, it will return an error refusing the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
    NAME 'pwdCheckQuality'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.6 pwdMinLength
#
#   When quality checking is enabled, this attribute holds the minimum
#   number of characters that must be used in a password. If this
#   attribute is not present, no minimum password length will be
#   enforced. If the server is unable to check the length (due to a
#   hashed password or otherwise), the server will, depending on the
#   value of the pwdCheckQuality attribute, either accept the password
#   without checking it ('0' or '1') or refuse it ('2').

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
    NAME 'pwdMinLength'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.7 pwdExpireWarning
#
#   This attribute specifies the maximum number of seconds before a
#   password is due to expire that expiration warning messages will be
#   returned to an authenticating user.
#
#   If this attribute is not present, or if the value is 0 no warnings
#   will be returned. If not 0, the value must be smaller than the value
#   of the pwdMaxAge attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
    NAME 'pwdExpireWarning'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.8 pwdGraceAuthNLimit
#
#   This attribute specifies the number of times an expired password can
#   be used to authenticate. If this attribute is not present or if the
#   value is 0, authentication will fail.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
    NAME 'pwdGraceAuthNLimit'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.9 pwdLockout
#
#   This attribute indicates, when its value is "TRUE", that the password
#   may not be used to authenticate after a specified number of
#   consecutive failed bind attempts. The maximum number of consecutive
#   failed bind attempts is specified in pwdMaxFailure.
#
#   If this attribute is not present, or if the value is "FALSE", the
#   password may be used to authenticate when the number of failed bind
#   attempts has been reached.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
    NAME 'pwdLockout'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

#5.2.10 pwdLockoutDuration
#
#   This attribute holds the number of seconds that the password cannot
#   be used to authenticate due to too many failed bind attempts. If
#   this attribute is not present, or if the value is 0 the password
#   cannot be used to authenticate until reset by a password
#   administrator.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
    NAME 'pwdLockoutDuration'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.11 pwdMaxFailure
#
#   This attribute specifies the number of consecutive failed bind
#   attempts after which the password may not be used to authenticate.
#   If this attribute is not present, or if the value is 0, this policy
#   is not checked, and the value of pwdLockout will be ignored.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
    NAME 'pwdMaxFailure'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.12 pwdFailureCountInterval
#
#   This attribute holds the number of seconds after which the password
#   failures are purged from the failure counter, even though no
#   successful authentication occurred.
#
#   If this attribute is not present, or if its value is 0, the failure
#   counter is only reset by a successful authentication.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
    NAME 'pwdFailureCountInterval'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

#5.2.13 pwdMustChange
#
#   This attribute specifies with a value of "TRUE" that users must
#   change their passwords when they first bind to the directory after a
#   password is set or reset by a password administrator. If this
#   attribute is not present, or if the value is "FALSE", users are not
#   required to change their password upon binding after the password
#   administrator sets or resets the password. This attribute is not set
#   due to any actions specified by this document, it is typically set by
#   a password administrator after resetting a user's password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
    NAME 'pwdMustChange'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

#5.2.14 pwdAllowUserChange
#
#   This attribute indicates whether users can change their own
#   passwords, although the change operation is still subject to access
#   control. If this attribute is not present, a value of "TRUE" is
#   assumed. This attribute is intended to be used in the absence of an
#   access control mechanism.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
    NAME 'pwdAllowUserChange'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

#5.2.15 pwdSafeModify
#
#   This attribute specifies whether or not the existing password must be
#   sent along with the new password when being changed. If this
#   attribute is not present, a "FALSE" value is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
    NAME 'pwdSafeModify'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )

# HP extensions
#
# pwdCheckModule
#
#   This attribute names a user-defined loadable module that provides
#   a check_password() function. If pwdCheckQuality is set to '1' or '2'
#   this function will be called after all of the internal password
#   quality checks have been passed. The function has this prototype:
#
#   int check_password( char *password, char **errormessage, void *arg )
#
#   The function should return LDAP_SUCCESS for a valid password.

attributetype ( 1.3.6.1.4.1.4754.1.99.1
    NAME 'pwdCheckModule'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    DESC 'Loadable module that instantiates the "check_password()" function'
    SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.4754.2.99.1
    NAME 'pwdPolicyChecker'
    SUP top
    AUXILIARY
    MAY ( pwdCheckModule ) )

#5.1 The pwdPolicy Object Class
#
#   This object class contains the attributes defining a password policy
#   in effect for a set of users. Section 10 describes the
#   administration of this object, and the relationship between it and
#   particular objects.
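# Added example, not part of this schema file: a Python check of a pwdPolicy
# entry (constructed LDIF, read by a minimal hypothetical reader) against the
# rules the draft states for its attributes in section 5.2 above.

```python
# Added example (not part of the schema file): check a pwdPolicy entry against
# the consistency rules stated in section 5.2. The LDIF entry is constructed.
INT_ATTRS = ("pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality",
             "pwdMinLength", "pwdExpireWarning", "pwdGraceAuthNLimit",
             "pwdLockoutDuration", "pwdMaxFailure", "pwdFailureCountInterval")


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, no folding or base64."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def check_pwd_policy(entry):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems, vals = [], {}
    if "pwdAttribute" not in entry:
        problems.append("pwdAttribute is MUST in pwdPolicy but is missing")
    for a in INT_ATTRS:
        if a in entry and entry[a][0].isdigit():
            vals[a] = int(entry[a][0])
        elif a in entry:
            problems.append(f"{a} must be a non-negative integer, got {entry[a][0]!r}")
    # 5.2.3: a non-zero pwdMaxAge must be >= pwdMinAge (absent pwdMinAge means 0)
    max_age, min_age = vals.get("pwdMaxAge", 0), vals.get("pwdMinAge", 0)
    if max_age and max_age < min_age:
        problems.append(f"pwdMaxAge {max_age} is smaller than pwdMinAge {min_age}")
    # 5.2.7: a non-zero pwdExpireWarning must be smaller than pwdMaxAge
    warn = vals.get("pwdExpireWarning", 0)
    if warn and warn >= max_age:
        problems.append(f"pwdExpireWarning {warn} is not smaller than pwdMaxAge {max_age}")
    # 5.2.5: only 0, 1 and 2 are defined for pwdCheckQuality
    quality = vals.get("pwdCheckQuality", 0)
    if quality not in (0, 1, 2):
        problems.append(f"pwdCheckQuality must be 0, 1 or 2, got {quality}")
    # 5.2.6: pwdMinLength is only enforced while quality checking is enabled
    if vals.get("pwdMinLength", 0) and quality == 0:
        problems.append("pwdMinLength is set but pwdCheckQuality is 0, so it is not enforced")
    # 5.2.11: with pwdMaxFailure absent or 0, pwdLockout is ignored
    if entry.get("pwdLockout", ["FALSE"])[0] == "TRUE" and not vals.get("pwdMaxFailure", 0):
        problems.append("pwdLockout is TRUE but pwdMaxFailure is absent or 0, so it is ignored")
    return problems


# Constructed sample entry containing each of the mistakes checked above.
SAMPLE_POLICY = """
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 3600
pwdExpireWarning: 7200
pwdMinLength: 12
pwdLockout: TRUE
"""
```

Running `check_pwd_policy(parse_ldif_entry(SAMPLE_POLICY))` reports four problems; a policy that passes every check returns an empty list.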
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
    NAME 'pwdPolicy'
    SUP top
    AUXILIARY
    MUST ( pwdAttribute )
    MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
    pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
    $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
    pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )

#5.3 Attribute Types for Password Policy State Information
#
#   Password policy state information must be maintained for each user.
#   The information is located in each user entry as a set of operational
#   attributes. These operational attributes are: pwdChangedTime,
#   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
#   pwdReset, pwdPolicySubEntry.
#
#5.3.1 Password Policy State Attribute Option
#
#   Since the password policy could apply to several attributes used to
#   store passwords, each of the above operational attributes must have
#   an option to specify which pwdAttribute it applies to. The password
#   policy option is defined as the following:
#
#   pwd-<passwordAttribute>
#
#   where passwordAttribute is a string following the OID syntax
#   (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
#   (short name) MUST be used.
#
#   For example, if the pwdPolicy object has for pwdAttribute
#   "userPassword" then the pwdChangedTime operational attribute, in a
#   user entry, will be:
#
#   pwdChangedTime;pwd-userPassword: 20000103121520Z
#
#   This attribute option follows sub-typing semantics. If a client
#   requests a password policy state attribute to be returned in a search
#   operation, and does not specify an option, all subtypes of that
#   policy state attribute are returned.
#
#5.3.2 pwdChangedTime
#
#   This attribute specifies the last time the entry's password was
#   changed. This is used by the password expiration policy. If this
#   attribute does not exist, the password will never expire.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.16
#      NAME 'pwdChangedTime'
#      DESC 'The time the password was last changed'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.3 pwdAccountLockedTime
#
#   This attribute holds the time that the user's account was locked. A
#   locked account means that the password may no longer be used to
#   authenticate. A 000001010000Z value means that the account has been
#   locked permanently, and that only a password administrator can unlock
#   the account.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.17
#      NAME 'pwdAccountLockedTime'
#      DESC 'The time a user account was locked'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.4 pwdFailureTime
#
#   This attribute holds the timestamps of the consecutive authentication
#   failures.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.19
#      NAME 'pwdFailureTime'
#      DESC 'The timestamps of the last consecutive authentication
#      failures'
#      EQUALITY generalizedTimeMatch
#      ORDERING generalizedTimeOrderingMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.5 pwdHistory
#
#   This attribute holds a history of previously used passwords. Values
#   of this attribute are transmitted in string format as given by the
#   following ABNF:
#
#   pwdHistory = time "#" syntaxOID "#" length "#" data
#
#   time       = <generalizedTimeString as specified in 6.14
#                of [RFC2252]>
#
#   syntaxOID  = numericoid   ; the string representation of the
#                             ; dotted-decimal OID that defines the
#                             ; syntax used to store the password.
#                             ; numericoid is described in 4.1
#                             ; of [RFC2252].
#
#   length     = numericstring ; the number of octets in data.
#                              ; numericstring is described in 4.1
#                              ; of [RFC2252].
#
#   data       = <octets representing the password in the format
#                specified by syntaxOID>.
#
#   This format allows the server to store, and transmit a history of
#   passwords that have been used. In order for equality matching to
#   function properly, the time field needs to adhere to a consistent
#   format. For this purpose, the time field MUST be in GMT format.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.20
#      NAME 'pwdHistory'
#      DESC 'The history of user s passwords'
#      EQUALITY octetStringMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#      USAGE directoryOperation )
#
#5.3.6 pwdGraceUseTime
#
#   This attribute holds the timestamps of grace authentications after a
#   password has expired.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.21
#      NAME 'pwdGraceUseTime'
#      DESC 'The timestamps of the grace authentication after the
#      password has expired'
#      EQUALITY generalizedTimeMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#      USAGE directoryOperation )
#
#5.3.7 pwdReset
#
#   This attribute holds a flag to indicate (when TRUE) that the password
#   has been updated by the password administrator and must be changed by
#   the user on first authentication.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.22
#      NAME 'pwdReset'
#      DESC 'The indication that the password has been reset'
#      EQUALITY booleanMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#5.3.8 pwdPolicySubentry
#
#   This attribute points to the pwdPolicy subentry in effect for this
#   object.
#
#   ( 1.3.6.1.4.1.42.2.27.8.1.23
#      NAME 'pwdPolicySubentry'
#      DESC 'The pwdPolicy subentry in effect for this object'
#      EQUALITY distinguishedNameMatch
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
#      SINGLE-VALUE
#      USAGE directoryOperation )
#
#
#Disclaimer of Validity
#
#   This document and the information contained herein are provided on an
#   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
#   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
#   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
#   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
#   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
#   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
#   Copyright (C) The Internet Society (2004). This document is subject
#   to the rights, licenses and restrictions contained in BCP 78, and
#   except as set forth therein, the authors retain all their rights.

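# Added example, not part of this schema file: a Python parser for pwdHistory
# values in the ABNF of section 5.3.5 above, used to refuse reuse of an earlier
# password. The {SSHA} verification, the helper names and the sample values are
# assumptions made for illustration; the draft leaves the stored password
# format to syntaxOID.

```python
# Added example (not part of the schema file): parse pwdHistory values in the
# ABNF form of section 5.3.5 and use them to reject reuse of an old password.
# The {SSHA} helpers and sample values are assumptions made for illustration.
import base64
import hashlib
import re

GENERALIZED_TIME_GMT = re.compile(r"^\d{14}(\.\d+)?Z$")  # only the GMT ('Z') form
NUMERICOID = re.compile(r"^\d+(\.\d+)+$")
USER_PASSWORD_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"  # octet string syntax


def parse_pwd_history(value):
    """Split time#syntaxOID#length#data; data may contain '#', so only 3 splits."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError("expected time#syntaxOID#length#data")
    time, oid, length, data = parts
    if not GENERALIZED_TIME_GMT.match(time):
        raise ValueError(f"time must be GeneralizedTime in GMT, got {time!r}")
    if not NUMERICOID.match(oid):
        raise ValueError(f"syntaxOID must be a numericoid, got {oid!r}")
    raw = data.encode()
    if not length.isdigit() or int(length) != len(raw):
        raise ValueError(f"length {length!r} does not match {len(raw)} octets of data")
    return {"time": time, "syntaxOID": oid, "data": raw}

def make_pwd_history(time, data, oid=USER_PASSWORD_SYNTAX):
    """Build a value in the same ABNF form (used here to construct samples)."""
    return f"{time}#{oid}#{len(data.encode())}#{data}"

def make_ssha(password, salt):
    """{SSHA} as stored in userPassword: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(password, stored):
    """Verify password against a {SSHA} value; the salt follows the 20-byte digest."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + blob[20:]).digest() == blob[:20]

def password_in_history(password, history_values):
    """True if password equals any userPassword-syntax entry (cleartext or {SSHA})."""
    for value in history_values:
        entry = parse_pwd_history(value)
        if entry["syntaxOID"] != USER_PASSWORD_SYNTAX:
            continue
        stored = entry["data"].decode()
        if stored.startswith("{SSHA}"):
            if ssha_matches(password, stored):
                return True
        elif stored == password:
            return True
    return False

# Constructed sample history: one {SSHA} value and one cleartext value.
SAMPLE_HISTORY = [
    make_pwd_history("20100413202349Z", make_ssha("Winter2010!", b"salt")),
    make_pwd_history("20000103121520Z", "plain#text"),
]
```

Because the data field may itself contain "#", the value is split on at most three separators; a naive split would truncate the stored password and the length check would then reject the entry.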