.TH SLAPO_PPOLICY 5 "2020/04/28" "OpenLDAP 2.4.50"
.\" Copyright 2004-2020 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
/etc/openldap/slapd.conf
.SH DESCRIPTION
.LP
The
.B ppolicy
overlay
is an implementation of the most recent IETF Password
Policy proposal for LDAP. When instantiated, it intercepts,
decodes and applies specific password policy controls to overall
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms. They
include password aging -- both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
policies, and there is no limit to the number of password policies
that may be created.
.P
Note that some of the policies do not take effect when the operation
is performed with the
.B rootdn
identity; all the operations, when performed with any other identity,
may be subjected to constraints, like access control. This overlay
requires a rootdn to be configured on the database.
.P
Note that the IETF Password Policy proposal for LDAP makes sense
when considering a single-valued password attribute, while
the userPassword attribute allows multiple values. This implementation
enforces a single value for the userPassword attribute, despite
its specification.

.SH CONFIGURATION
These
.B slapd.conf
configuration options apply to the ppolicy overlay. They should appear
after the
.B overlay
directive.
.TP
.B ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry.
If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
.B ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such
as recording failures, lockout, etc.) on a consumer should be forwarded
to a master instead of being written directly into the consumer's local
database. This setting is only useful on a replication consumer, and
also requires the
.B updateref
setting and
.B chain
overlay to be appropriately configured.
.TP
.B ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should
be hashed before being stored in the database. This violates the X.500/LDAP
information model, but may be needed to compensate for LDAP clients that
don't use the Password Modify extended operation to manage passwords.
When this option is used, it is recommended that compare, search, and
read access to the password attribute be denied to all directory users.
.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
.B InvalidCredentials
response when
Binding to a locked account. By default, when a Password Policy control
was provided on the Bind request, a Password Policy response will be
included with no special error code set. This option changes the
Password Policy response to include the
.B AccountLocked
error code. Note
that sending the
.B AccountLocked
error code lets an attacker distinguish a locked account from a wrong
password; sites that are sensitive to security issues should not
enable this option.

.SH OBJECT CLASS
The
.B ppolicy
overlay depends on the
.B pwdPolicy
object class.
The definition of that class is as follows:
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.2.1
      NAME 'pwdPolicy'
      AUXILIARY
      SUP top
      MUST ( pwdAttribute )
      MAY (
            pwdMinAge $ pwdMaxAge $ pwdInHistory $
            pwdCheckQuality $ pwdMinLength $
            pwdExpireWarning $ pwdGraceAuthnLimit $
            pwdLockout $ pwdLockoutDuration $
            pwdMaxFailure $ pwdFailureCountInterval $
            pwdMustChange $ pwdAllowUserChange $
            pwdSafeModify $ pwdMaxRecordedFailure ) )
.RE

This implementation also provides an additional
.B pwdPolicyChecker
objectclass, used for password quality checking (see below).
.LP
.RS 4
( 1.3.6.1.4.1.4754.2.99.1
      NAME 'pwdPolicyChecker'
      AUXILIARY
      SUP top
      MAY ( pwdCheckModule ) )
.RE
.P
Every account that should be subject to password policy control should
have a
.B pwdPolicySubentry
attribute containing the DN of a valid
.B pwdPolicy
entry, or they can simply use the configured default.
In this way different users may be managed according to
different policies.

.SH OBJECT CLASS ATTRIBUTES
.P
Each one of the sections below details the meaning and use of a particular
attribute of this
.B pwdPolicy
object class.
.P

.B pwdAttribute
.P
This attribute contains the name of the attribute to which the password
policy is applied. For example, the password policy may be applied
to the
.B userPassword
attribute.
.P
Note: in this implementation, the only
value accepted for
.B pwdAttribute
is
.IR " userPassword ".
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.1
      NAME 'pwdAttribute'
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
.RE

.B pwdMinAge
.P
This attribute contains the number of seconds that must elapse
between modifications allowed to the password. If this attribute
is not present, zero seconds is assumed (i.e.
the password may be
modified whenever and however often is desired).
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.2
      NAME 'pwdMinAge'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdMaxAge
.P
This attribute contains the number of seconds after which a modified
password will expire. If this attribute is not present, or if its
value is zero (0), then passwords will not expire.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.3
      NAME 'pwdMaxAge'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdInHistory
.P
This attribute is used to specify the maximum number of used
passwords that will be stored in the
.B pwdHistory
attribute. If the
.B pwdInHistory
attribute is not present, or if its value is
zero (0), used passwords will not be stored in
.B pwdHistory
and thus any previously-used password may be reused.
No history checking occurs if the password is being modified by the
.BR rootdn ,
although the password is saved in the history.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.4
      NAME 'pwdInHistory'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdCheckQuality
.P
This attribute indicates if and how password syntax will be checked
while a password is being modified or added. If this attribute is
not present, or its value is zero (0), no syntax checking will be
done. If its value is one (1), the server will check the syntax,
and if the server is unable to check the syntax,
whether due to a client-side hashed password or some other reason,
it will be
accepted. If its value is two (2), the server will check the syntax,
and if the server is unable to check the syntax it will return an
error refusing the password.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.5
      NAME 'pwdCheckQuality'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdMinLength
.P
When syntax checking is enabled
(see also the
.B pwdCheckQuality
attribute), this attribute contains the minimum
number of characters that will be accepted in a password. If this
attribute is not present, minimum password length is not
enforced. If the server is unable to check the length of the password,
whether due to a client-side hashed password or some other reason,
the server will, depending on the
value of
.BR pwdCheckQuality ,
either accept the password
without checking it (if
.B pwdCheckQuality
is zero (0) or one (1)) or refuse it (if
.B pwdCheckQuality
is two (2)).
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.6
      NAME 'pwdMinLength'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdExpireWarning
.P
This attribute contains the maximum number of seconds before a
password is due to expire that expiration warning messages will be
returned to a user who is authenticating to the directory.
If this attribute is not
present, or if the value is zero (0), no warnings will be sent.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.7
      NAME 'pwdExpireWarning'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdGraceAuthnLimit
.P
This attribute contains the number of times that an expired password
may be used to authenticate a user to the directory. If this
attribute is not present or if its value is zero (0), users with
expired passwords will not be allowed to authenticate to the
directory.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.8
      NAME 'pwdGraceAuthnLimit'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdLockout
.P
This attribute specifies the action that should be taken
by the directory when a user has made a number of failed attempts
to authenticate to the directory. If
.B pwdLockout
is set (its value is "TRUE"), the user will not be allowed to
attempt to authenticate to the directory after there have been a
specified number of consecutive failed bind attempts. The maximum
number of consecutive failed bind attempts allowed is specified by
the
.B pwdMaxFailure
attribute. If
.B pwdLockout
is not present, or if its value is "FALSE", the password may be
used to authenticate no matter how many consecutive failed bind
attempts have been made.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.9
      NAME 'pwdLockout'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE\-VALUE )
.RE

.B pwdLockoutDuration
.P
This attribute contains the number of seconds during
which the password cannot be used to authenticate the
user to the directory due to too many consecutive failed
bind attempts.
(See also
.B pwdLockout
and
.BR pwdMaxFailure .)
If
.B pwdLockoutDuration
is not present, or if its value is zero (0), the password
cannot be used to authenticate the user to the directory
again until it is reset by an administrator.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.10
      NAME 'pwdLockoutDuration'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdMaxFailure
.P
This attribute contains the number of consecutive failed bind
attempts after which the password may not be used to authenticate
a user to the directory.
If
.B pwdMaxFailure
is not present, or its value is zero (0), then a user will
be allowed to continue to attempt to authenticate to
the directory, no matter how many consecutive failed
bind attempts have occurred with that user's DN.
(See also
.B pwdLockout
and
.BR pwdLockoutDuration .)
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.11
      NAME 'pwdMaxFailure'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdMaxRecordedFailure
.P
This attribute contains the maximum number of failed bind
attempts to store in a user's entry.
If
.B pwdMaxRecordedFailure
is not present, or its value is zero (0), then it defaults
to the value of
.BR pwdMaxFailure .
If that value is also 0, the default is 5.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.16
      NAME 'pwdMaxRecordedFailure'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdFailureCountInterval
.P
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure counter,
even though no successful authentication has occurred.
If
.B pwdFailureCountInterval
is not present, or its value is zero (0), the failure
counter will only be reset by a successful authentication.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.12
      NAME 'pwdFailureCountInterval'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE\-VALUE )
.RE

.B pwdMustChange
.P
This attribute specifies whether users must change their passwords
when they first bind to the directory after a password is set or
reset by the administrator, or not. If
.B pwdMustChange
has a value of "TRUE", users must change their passwords when they
first bind to the directory after a password is set or reset by
the administrator.
If
.B pwdMustChange
is not present, or its value is "FALSE",
users are not required to change their password upon binding after
the administrator sets or resets the password.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.13
      NAME 'pwdMustChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE\-VALUE )
.RE

.B pwdAllowUserChange
.P
This attribute specifies whether users are allowed to change their own
passwords or not. If
.B pwdAllowUserChange
is set to "TRUE", or if the attribute is not present, users will be
allowed to change their own passwords. If its value is "FALSE",
users will not be allowed to change their own passwords.
.LP
Note: this restriction only applies to modifications of one's own
password. Even when
.B pwdAllowUserChange
is set to "FALSE",
users will still be able to change the password of another user,
subject to access control.
It should also be noted that
.B pwdAllowUserChange
was defined in the specification to provide rough access control
to the password attribute in implementations that do not allow fine-grain
access control.
Since OpenLDAP provides fine-grain access control, the use of this attribute
is discouraged; ACLs should be used instead
(see
.BR slapd.access (5)
for details).
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.14
      NAME 'pwdAllowUserChange'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE\-VALUE )
.RE

.B pwdSafeModify
.P
This attribute denotes whether the user's existing password must be sent
along with their new password when changing a password. If
.B pwdSafeModify
is set to "TRUE", the existing password must be sent
along with the new password. If the attribute is not present, or
its value is "FALSE", the existing password need not be sent
along with the new password.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.15
      NAME 'pwdSafeModify'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE\-VALUE )
.RE

.B pwdCheckModule
.P
This attribute names a user-defined loadable module that must
instantiate the check_password() function. This function
will be called to further check a new password if
.B pwdCheckQuality
is set to one (1) or two (2),
after all of the built-in password compliance checks have
been passed. This function will be called according to this
function prototype:
.RS 4
int
.I check_password
(char *pPasswd, char **ppErrStr, Entry *pEntry);
.RE
The
.B pPasswd
parameter contains the clear-text user password, the
.B ppErrStr
parameter contains a double pointer that allows the function
to return human-readable details about any error it encounters.
The optional
.B pEntry
parameter, if non-NULL, carries a pointer to the
entry whose password is being checked.
If
.B ppErrStr
is NULL, then
.I check_password
must NOT attempt to use it.
A return value of LDAP_SUCCESS from the called
function indicates that the password is ok, any other value
indicates that the password is unacceptable. If the password is
unacceptable, the server will return an error to the client, and
.B ppErrStr
may be used to return a human-readable textual explanation of the
error. The error string must be dynamically allocated as it will
be free()'d by slapd.
.LP
.RS 4
( 1.3.6.1.4.1.4754.1.99.1
      NAME 'pwdCheckModule'
      EQUALITY caseExactIA5Match
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE\-VALUE )
.RE
.P
Note:
The user-defined loadable module named by
.B pwdCheckModule
must be in
.B slapd's
standard executable search PATH.
.P
Note:
.B pwdCheckModule
is a non-standard extension to the LDAP password
policy proposal.

.SH OPERATIONAL ATTRIBUTES
.P
The operational attributes used by the
.B ppolicy
module are stored in the user's entry. Most of these attributes
are not intended to be changed directly by users; they are there
to track user activity. They have been detailed here so that
administrators and users can both understand the workings of
the
.B ppolicy
module.

.P
Note that the current IETF Password Policy proposal does not define
how these operational attributes are expected to behave in a
replication environment. In general, authentication attempts on
a slave server only affect the copy of the operational attributes
on that slave and will not affect any attributes for
a user's entry on the master server. Operational attribute changes
resulting from authentication attempts on a master server
will usually replicate to the slaves (and also overwrite
any changes that originated on the slave). The
.B ppolicy_forward_updates
option described above can be used to send consumer-side state
changes to the master instead.
These behaviors are not guaranteed and are subject to change
when a formal specification emerges.

.B userPassword
.P
The
.B userPassword
attribute is not strictly part of the
.B ppolicy
module. It is, however, the attribute that is tracked and controlled
by the module. Please refer to the standard OpenLDAP schema for
its definition.

.B pwdPolicySubentry
.P
This attribute refers directly to the
.B pwdPolicy
subentry that is to be used for this particular directory user.
If
.B pwdPolicySubentry
exists, it must contain the DN of a valid
.B pwdPolicy
object. If it does not exist, the
.B ppolicy
module will enforce the default password policy rules on the
user associated with this authenticating DN. If there is no
default, or the referenced subentry does not exist, then no
policy rules will be enforced.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.23
      NAME 'pwdPolicySubentry'
      DESC 'The pwdPolicy subentry in effect for
            this object'
      EQUALITY distinguishedNameMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      SINGLE\-VALUE
      NO\-USER\-MODIFICATION
      USAGE directoryOperation)
.RE

.B pwdChangedTime
.P
This attribute denotes the last time that the entry's password was
changed. This value is used by the password expiration policy to
determine whether the password is too old to be allowed to be used
for user authentication. If
.B pwdChangedTime
does not exist, the user's password will not expire.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.16
      NAME 'pwdChangedTime'
      DESC 'The time the password was last changed'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      SINGLE\-VALUE
      NO\-USER\-MODIFICATION
      USAGE directoryOperation)
.RE

.B pwdAccountLockedTime
.P
This attribute contains the time that the user's account was locked.
If the account has been locked, the password may no longer be used to
authenticate the user to the directory. If
.B pwdAccountLockedTime
is set to 000001010000Z, the user's account has been permanently locked
and may only be unlocked by an administrator. Note that account locking
only takes effect when the
.B pwdLockout
password policy attribute is set to "TRUE".
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.17
      NAME 'pwdAccountLockedTime'
      DESC 'The time an user account was locked'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      SINGLE\-VALUE
      NO\-USER\-MODIFICATION
      USAGE directoryOperation)
.RE

.B pwdFailureTime
.P
This attribute contains the timestamps of each of the consecutive
authentication failures made upon attempted authentication to this
DN (i.e. account).
If too many timestamps accumulate here (see the
.B pwdMaxFailure
password policy attribute for the threshold),
and the
.B pwdLockout
password policy attribute is set to "TRUE", the
account may be locked.
Timestamps older than
.B pwdFailureCountInterval
and excess timestamps beyond those allowed by
.B pwdMaxFailure
or
.B pwdMaxRecordedFailure
may also be purged. If a successful authentication is made to this
DN (i.e. to this user account), then
.B pwdFailureTime
will be cleansed of entries.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.19
      NAME 'pwdFailureTime'
      DESC 'The timestamps of the last consecutive
            authentication failures'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      ORDERING generalizedTimeOrderingMatch
      NO\-USER\-MODIFICATION
      USAGE directoryOperation )
.RE

.B pwdHistory
.P
This attribute contains the history of previously used passwords
for this DN (i.e. for this user account).
The values of this attribute are stored in string format as follows:

.RS 4

pwdHistory=
.RS 4
time "#" syntaxOID "#" length "#" data
.RE

time=
.RS 4
GeneralizedTime as specified in section 3.3.13 of [RFC4517]
.RE

.P
syntaxOID = numericoid
.RS 4
This is the string representation of the dotted-decimal OID that
defines the syntax used to store the password. numericoid is
described in section 1.4 of [RFC4512].
.RE

length = NumericString
.RS 4
The number of octets in the data. NumericString is described in
section 3.3.23 of [RFC4517].
.RE

data =
.RS 4
Octets representing the password in the format specified by syntaxOID.
.RE

.RE

This format allows the server to store and transmit a history of
passwords that have been used.
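.P
The following is an added example, not OpenLDAP code, serving two of the
sections above: it applies the
.BR pwdLockout ,
.BR pwdMaxFailure ,
.B pwdFailureCountInterval
and
.B pwdLockoutDuration
rules to an entry's
.B pwdAccountLockedTime
and
.B pwdFailureTime
values, and it parses
.B pwdHistory
values in the format just described, sharing one GeneralizedTime parser
between the two. It assumes the 15-character form YYYYMMDDHHMMSSZ for
timestamps (plus the 000001010000Z permanent-lock sentinel); the entry and
policy values are constructed for the example.

```c
/*
 * Added example, not OpenLDAP code: applies the lockout rules to an entry's
 * pwdAccountLockedTime / pwdFailureTime values and parses pwdHistory values
 * of the form  time "#" syntaxOID "#" length "#" data.  Assumed: timestamps
 * use the 15-character form YYYYMMDDHHMMSSZ; all sample values are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct policy {          /* the pwdPolicy attributes consulted here */
    int  lockout;        /* pwdLockout */
    long max_failure;    /* pwdMaxFailure, 0 = never lock */
    long count_interval; /* pwdFailureCountInterval, 0 = never purge */
    long lock_duration;  /* pwdLockoutDuration, 0 = locked until admin reset */
};

/* YYYYMMDDHHMMSSZ -> seconds since the epoch, or -1 if malformed
 * (days-from-civil arithmetic, avoiding the non-portable timegm()). */
long gentime_to_epoch(const char *s)
{
    int y, mo, d, h, mi, sec; char z;
    if (strlen(s) != 15 ||
        sscanf(s, "%4d%2d%2d%2d%2d%2d%c", &y, &mo, &d, &h, &mi, &sec, &z) != 7 || z != 'Z')
        return -1;
    y -= mo <= 2;                                   /* March-based year */
    long era = y / 400, yoe = y - era * 400;
    long doy = (153L * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return (era * 146097 + doe - 719468) * 86400L + h * 3600L + mi * 60L + sec;
}

/* pwdFailureTime values still counted after pwdFailureCountInterval purging */
int live_failures(const struct policy *p, const char *const *times, int n, long now)
{
    int live = 0;
    for (int i = 0; i < n; i++) {
        long t = gentime_to_epoch(times[i]);
        if (t >= 0 && (p->count_interval == 0 || now - t < p->count_interval))
            live++;
    }
    return live;
}

/* 1 if a Bind as this entry must be refused at `now`; locked_time is the
 * entry's pwdAccountLockedTime, or NULL when the attribute is absent. */
int bind_locked(const struct policy *p, const char *locked_time,
                const char *const *failure_times, int nfail, long now)
{
    if (!p->lockout)                                    /* pwdLockout FALSE: never locked */
        return 0;
    if (locked_time != NULL) {
        if (strcmp(locked_time, "000001010000Z") == 0)  /* permanent: admin must unlock */
            return 1;
        long t = gentime_to_epoch(locked_time);
        if (t < 0 || p->lock_duration == 0)             /* unparsable (fail closed) or no expiry */
            return 1;
        return now < t + p->lock_duration;              /* still inside the lockout window? */
    }
    /* not locked yet: the threshold is reached once live failures hit pwdMaxFailure */
    return p->max_failure > 0 && live_failures(p, failure_times, nfail, now) >= p->max_failure;
}

struct hist { long when; char oid[48]; size_t len; const char *data; };

/* Parse one pwdHistory value. Returns 0, or -1 when a field is missing, the
 * time is malformed, or the length field disagrees with the data present. */
int parse_pwd_history(const char *v, struct hist *out)
{
    const char *p1 = strchr(v, '#'), *p2 = p1 ? strchr(p1 + 1, '#') : NULL;
    const char *p3 = p2 ? strchr(p2 + 1, '#') : NULL;
    char tbuf[16], *end;
    if (!p3 || p1 - v != 15 || p2 - p1 - 1 >= (long)sizeof out->oid)
        return -1;
    memcpy(tbuf, v, 15); tbuf[15] = '\0';
    memcpy(out->oid, p1 + 1, (size_t)(p2 - p1 - 1)); out->oid[p2 - p1 - 1] = '\0';
    out->when = gentime_to_epoch(tbuf);
    long n = strtol(p2 + 1, &end, 10);                  /* NumericString length field */
    out->data = p3 + 1;
    if (out->when < 0 || end != p3 || n < 0 || strlen(out->data) != (size_t)n)
        return -1;
    out->len = (size_t)n;
    return 0;
}

/* 1 if `stored` appears in the history. `stored` is in the form userPassword
 * holds ({SSHA}... here); slapd instead verifies the new cleartext against
 * each historical value, which this stand-alone example does not do. */
int password_in_history(const char *const *values, int n, const char *stored)
{
    for (int i = 0; i < n; i++) {
        struct hist h;
        if (parse_pwd_history(values[i], &h) == 0 && strcmp(h.data, stored) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const struct policy pol = { 1, 3, 300, 600 };
    const char *const fails[] = { "20200428115800Z", "20200428115900Z", "20200428115930Z" };
    const char *const hist[] = {   /* constructed values; the second has a wrong length */
        "20200301120000Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1u",
        "20191201090000Z#1.3.6.1.4.1.1466.115.121.1.40#40#{SSHA}b3BlbmxkYXBwcG9saWN5ZXhhbXBsZXh4" };
    long noon = gentime_to_epoch("20200428120000Z");
    printf("three failures: locked at 12:00=%d, at 12:04=%d (two purged by interval)\n",
           bind_locked(&pol, NULL, fails, 3, noon), bind_locked(&pol, NULL, fails, 3, noon + 240));
    printf("pwdAccountLockedTime 12:00: locked at 12:05=%d, at 12:10=%d\n",
           bind_locked(&pol, "20200428120000Z", NULL, 0, noon + 300),
           bind_locked(&pol, "20200428120000Z", NULL, 0, noon + 600));
    printf("reuse of first history value=%d, of second=%d (unparsable, so not matched)\n",
           password_in_history(hist, 2, "{SSHA}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1u"),
           password_in_history(hist, 2, "{SSHA}b3BlbmxkYXBwcG9saWN5ZXhhbXBsZXh4"));
    return 0;
}
```

.P
The reuse check compares stored forms only (a candidate already hashed as
it would be stored in
.BR userPassword );
slapd itself verifies the new cleartext against each historical value.
A history value whose length field disagrees with its data is rejected
rather than trusted, and an unparsable
.B pwdAccountLockedTime
is treated as locked, so that corrupt state fails closed.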
In order for equality matching
on the values in this attribute to function properly, the time
field is in GMT format.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.20
      NAME 'pwdHistory'
      DESC 'The history of user passwords'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
      EQUALITY octetStringMatch
      NO\-USER\-MODIFICATION
      USAGE directoryOperation)
.RE

.B pwdGraceUseTime
.P
This attribute contains the list of timestamps of logins made after
the user password in the DN has expired. These post-expiration
logins are known as "\fIgrace logins\fP".
If too many
.I grace logins
have been used (please refer to the
.B pwdGraceAuthnLimit
password policy attribute), then the DN will no longer be allowed
to be used to authenticate the user to the directory until the
administrator changes the DN's
.B userPassword
attribute.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.21
      NAME 'pwdGraceUseTime'
      DESC 'The timestamps of the grace login once the password has expired'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      NO\-USER\-MODIFICATION
      USAGE directoryOperation)
.RE

.B pwdReset
.P
This attribute indicates whether the user's password has been reset
by the administrator and thus must be changed upon first use of this
DN for authentication to the directory. If
.B pwdReset
is set to "TRUE", then the password was reset and the user must change
it upon first authentication. If the attribute does not exist, or
is set to "FALSE", the user need not change their password due to
administrative reset.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.22
      NAME 'pwdReset'
      DESC 'The indication that the password has
            been reset'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE\-VALUE
      USAGE directoryOperation)
.RE

.SH EXAMPLES
.LP
.RS
.nf
database bdb
suffix dc=example,dc=com
\|...
# the overlay directive must precede the ppolicy_* options;
# ppolicy_default names the pwdPolicy entry applied to users
# whose entry carries no pwdPolicySubentry
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi
.RE

.SH SEE ALSO
.BR ldap (3),
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapo\-chain (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document
"draft-behera-ldap-password-policy-09.txt".

.SH BUGS
The LDAP Password Policy specification is not yet an approved standard,
and it is still evolving. This code will continue to be in flux until the
specification is finalized.

.SH ACKNOWLEDGEMENTS
.P
This module was written in 2004 by Howard Chu of Symas Corporation
with significant input from Neil Dunbar and Kartik Subbarao of Hewlett-Packard.
.P
This manual page borrows heavily and shamelessly from the specification
upon which the password policy module it describes is based. This
source is the
IETF LDAP password policy proposal by P. Behera, L.
Poitou and J. Sermersheim.
The proposal is fully documented in
the
IETF document named draft-behera-ldap-password-policy-09.txt,
written in July of 2005.
.P
.\" Shared Project Acknowledgement Text
.B "OpenLDAP Software"
is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
.B "OpenLDAP Software"
is derived from the University of Michigan LDAP 3.3 Release.