--- /dev/null
+
+
+
+
+
+
+LDAP-EXT Working Group Valerie Chu
+INTERNET-DRAFT Netscape Communications Corp.
+Expires in six months
+Intended Category: Informational
+ December 1998
+
+
+ Password Policy for LDAP Directories
+ <draft-vchu-ldap-pwd-policy-00.txt>
+
+
+
+1. Status of this Memo
+
+This document is an Internet-Draft. Internet-Drafts are working docu-
+ments of the Internet Engineering Task Force (IETF), its areas, and its
+working groups. Note that other groups may also distribute working docu-
+ments as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time. It is inappropriate to use Internet- Drafts as reference material
+or to cite them other than as ``work in progress.''
+
+To view the entire list of current Internet-Drafts, please check the
+"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
+ftp.nic.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org
+(US East Coast), or ftp.isi.edu (US West Coast).
+
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+document are to be interpreted as described in RFC 2119.
+
+2. Abstract
+
+This document describes the implementation of password policy in
+Netscape LDAP directories, and introduces two new object classes,
+twenty-three new attribute types, and two new controls in support of
+password policy.
+
+Password policy is a set of rules that control how passwords are used in
+LDAP directories. In order to improve the security of LDAP directories
+and make it difficult for password cracking programs to break into
+directories, it is desirable to enforce a set of rules on password
+usage. These rules are made to ensure that the users change their pass-
+words periodically, the new password meets construction requirements,
+the re-use of the old password is restricted, and lock out the users
+
+
+
+Chu [Page 1]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+after a certain number of bad password attempts.
+
+3. Overview
+
+LDAP-based directory services currently are accepted by many organiza-
+tions as the access protocol for directories. The ability to ensure the
+secure read, update access to directory information throughout the net-
+work is essential to the successful deployment. There are several secu-
+rity mechanisms which are used in Netscape LDAP implementation to pro-
+tect the directory data. For example, the access control is used to
+prevent unauthorized access to information stored in directories; SASL
+is used to negotiate for integrity and privacy services.[RFC-2251] The
+most fundamental security mechanism in Netscape Directory is the simple
+authentication using password. In many systems, in order to improve the
+security of the system, the simple password-based authentication often
+is used in conjunction with a set of password restrictions to control
+how passwords are used in the system. For example, the passwd program
+in UNIX systems, or the user account policy in WindowsNT, has a set of
+rules that users need to follow to use password authentication. At the
+moment, LDAP does not define a password policy model, but it is needed
+to achieve greater security protection and it is critical to the suc-
+cessful deployment of LDAP directories.
+
+Specifically, the password policy defines:
+
+
+ - The maximum length of time that a given password is valid.
+
+ - The minimum length of time required between password changes.
+
+ - The maximum length of time before a user's password is due to
+ expire that the user will be sent a warning message.
+
+ - Whether users can reuse passwords.
+
+ - The minimum number of characters a password must contain.
+
+ - Whether the password syntax is checked before a new password is
+ saved.
+
+ - Whether users are allowed to change their own passwords.
+
+ - Whether passwords must be changed after they are reset by the
+ administrator.
+
+ - Whether users will be locked out of the directory after a given
+ number of failed bind attempts.
+
+
+
+
+Chu [Page 2]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ - How long users will be locked out of the directory after a given
+ number of failed bind attempts.
+
+ - The length of time before the password failure counter which
+ keeps track of the number of failed password attempts is reset.
+
+The password policy defined in this document is applied to the LDAP sim-
+ple authentication method [RFC-2251] and userPassword attribute values
+only.
+
+In this document, the term "user" represents any application which is an
+LDAP client using the directory to retrieve or store information.
+
+Directory administrators are not forced to comply with any of password
+policies.
+
+4. New Attribute Types and Object Classes
+
+4.1. The passwordPolicy Object Class
+
+The passwordPolicy object class holds the password policy settings for a
+set of user accounts. In the Netscape Directory implementation, they
+are located in the "cn=config" entry.
+
+The description of passwordPolicy object class:
+
+ ( 2.16.840.1.113730.3.2.13
+ NAME 'passwordPolicy'
+ AUXILIARY
+ SUP top
+ DESC 'Password Policy object class to hold password policy information'
+ MAY (
+ passwordMaxAge $ passwordExp $ passwordMinLength $
+ passwordKeepHistory $ passwordInHistory $ passwordChange $
+ passwordCheckSyntax $ passwordWarning $ passwordLockout $
+ passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $
+ passwordMustChange $ passwordStorageScheme $ passwordMinAge $
+ passwordResetFailureCount
+ )
+ )
+
+4.2. The new attribute types used in the passwordPolicy Object Class:
+
+ ( 2.16.840.1.113730.3.1.97
+ NAME 'passwordMaxAge'
+ DESC 'the number of seconds after which user passwords will expire'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+
+
+
+Chu [Page 3]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ )
+ ( 2.16.840.1.113730.3.1.98
+ NAME 'passwordExp'
+ DESC 'a flag which indicates whether passwords will expire after a
+ given number of seconds'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.99
+ NAME 'passwordMinLength'
+ DESC 'the minimum number of characters that must be used in a password'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.100
+ NAME 'passwordKeepHistory'
+ DESC 'a flag which indicates whether passwords can be reused"
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.101
+ NAME 'passwordInHistory'
+ DESC 'the number of passwords the directory server stores in history'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.102
+ NAME 'passwordChange'
+ DESC 'a flag which indicates whether users can change their passwords'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.103
+ NAME 'passwordCheckSyntax'
+ DESC 'a flag which indicates whether the password syntax will be checked
+ before the password is saved'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.104
+ NAME 'passwordWarning'
+ DESC 'the number of seconds before a user's password is due to expire that
+ the user will be sent a warning message'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.105
+ NAME 'passwordLockout'
+
+
+
+Chu [Page 4]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ DESC 'a flag which indicates whether users will be locked out of the
+ directory after a given number of consecutive failed bind attempts'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.106
+ NAME 'passwordMaxFailure'
+ DESC 'the number of consecutive failed bind attempts after which a user
+ will be locked out of the directory'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.108
+ NAME 'passwordUnlock'
+ DESC 'a flag which indicates whether a user will be locked out of the
+ directory for a given number of seconds or until the administrator
+ resets the password after an account lockout'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.109
+ NAME 'passwordLockoutDuration'
+ DESC 'the number of seconds that users will be locked out of the directory
+ after an account lockout
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.220
+ NAME 'passwordMustChange'
+ DESC 'a flag which indicates whether users must change their passwords when
+ they first bind to the directory server'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ ( 2.16.840.1.113730.3.1.221
+ NAME 'passwordStorageScheme'
+ DESC 'the type of hash algorithm used to store directory server passwords'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+ The description of password storage scheme can be found in [RFC-2307].
+ ( 2.16.840.1.113730.3.1.222
+ NAME 'passwordMinAge'
+ DESC 'the number of seconds that must elapse before a user can change their
+ password again'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+
+
+
+Chu [Page 5]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ ( 2.16.840.1.113730.3.1.223
+ NAME 'passwordResetFailureCount'
+ DESC 'the number of seconds after which the password failure counter will
+ be reset'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ )
+
+ Currently in Netscape Directory password policy implementation,
+ passwordMaxAge, passwordMinLength, passwordInHistory, passwordWarn-
+ ing, passwordMaxFailure, passwordLockoutDuration, passwordMinAge, and
+ passwordResetFailureCount attributes are defined as
+ 1.3.6.1.4.1.1466.115.121.1.15 ('Directory String'). It is recom-
+ mented to change them to 1.3.6.1.4.1.1466.115.121.1.27 ('Integer') in
+ the future implementation.
+
+ The attributes which are used as a flag have the syntax
+ '1.3.6.1.4.1.1466.115.121.1.15' ('Directory String'). A value of '1'
+ represents 'true', while '0' represents 'false'. It is recommented
+ to change them to 1.3.6.1.4.1.1466.115.121.1.7 ('Boolean') in the
+ future implementation.
+
+4.3. The passwordObject Object Class
+
+The passwordObject object class holds the password policy state informa-
+tion for each user. For example, how many consecutive bad password
+attempts an user made. The information is located in each user entries.
+The description of passwordObject object class:
+
+ ( 2.16.840.1.113730.3.2.12
+ NAME 'passwordObject'
+ AUXILIARY
+ SUP top
+ DESC 'Password object class to hold password policy information for each
+ entry'
+ MAY (
+ passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $
+ retryCountResetTime $ accountUnlockTime $ passwordHistory $
+ passwordAllowChangeTime
+ )
+ )
+
+4.4. The new attribute types used in the passwordObject Object Class:
+ ( 2.16.840.1.113730.3.1.91
+ NAME 'passwordExpirationTime'
+ DESC 'the time the entry's password expires'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ EQUALITY generalizedTimeMatch
+
+
+
+Chu [Page 6]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ ORDERING generalizedTimeOrderingMatch
+ SINGLE-VALUE
+ USAGE directoryOperation
+ )
+ ( 2.16.840.1.113730.3.1.92
+ NAME 'passwordExpWarned'
+ DESC 'a flag which indicates whether a password expiration warning is sent
+ to the client'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ SINGLE-VALUE
+ USAGE directoryOperation
+ )
+ ( 2.16.840.1.113730.3.1.93
+ NAME 'passwordRetryCount'
+ DESC 'the count of consecutive failed password attempts'
+ EQUALITY 'caseIgnoreMatch'
+ SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
+ SINGLE-VALUE
+ USAGE directoryOperation
+ )
+ ( 2.16.840.1.113730.3.1.94
+ NAME 'retryCountResetTime'
+ DESC 'the time to reset the passwordRetryCount'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SINGLE-VALUE
+ USAGE directoryOperation
+ )
+ ( 2.16.840.1.113730.3.1.95
+ NAME 'accountUnlockTime'
+ DESC 'the time that the user can bind again after an account lockout'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SINGLE-VALUE
+ USAGE directoryOperation
+ )
+ ( 2.16.840.1.113730.3.1.96
+ NAME 'passwordHistory'
+ DESC 'the history of user's passwords'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ EQUALITY bitStringMatch
+ USAGE directoryOperation
+ )
+ ( 2.16.840.1.113730.3.1.214
+ NAME 'passwordAllowChangeTime'
+
+
+
+Chu [Page 7]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ DESC 'the time that the user is allowed change the password'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SINGLE-VALUE
+ USAGE directoryOperation
+ )
+
+5. Password Expiration and Expiration Warning
+
+New attributes, passwordExp, passwordMaxAge, and passwordWarning are
+defined to specify whether the password will expire, when the password
+expires and when a warning message will be sent to the client respec-
+tively. The actual expiration time for a password will be stored in a
+new attribute, passwordExpirationTime attribute in the user entry.
+
+After bind operation succeed with authentication, the server should
+check for password expiration. If the password expiration policy is on
+and the account's password is expired, the server should send bin-
+dResponse with the resultCode: LDAP_INVALID_CREDENTIALS along with an
+error message to inform the client that the password has expired. If
+the password is going to expire sooner than the password warning dura-
+tion, the server should send bindResponse with the resultCode:
+LDAP_SUCCESS, and should include the password expiring control in the
+controls field of the bindResponse message:
+
+ controlType: 2.16.840.1.113730.3.4.5,
+
+ controlValue: an octet string to indicate the time in seconds until
+ the password expires.
+
+ criticality: false
+
+
+The server should send at least one warning message to the client before
+expiring the client's password.
+
+6. Password Minimum Age
+
+This policy defines the number of seconds that must pass before a user
+can change the password again. This policy can be used in conjunction
+with the password history policy to prevent users from quickly cycling
+through passwords in history so that they can reuse the old password. A
+value of zero indicates that the user can change the password immedi-
+ately.
+
+During the modify password operation, the server should check if the
+user is allowed to change password at this time. If not, the server
+
+
+
+Chu [Page 8]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+should send the LDAP_CONSTRAINT_VIOLATION result code back to the client
+and an error message to indicate that the password cannot be changed
+within password minimum age.
+
+7. Password History
+
+passwordHistory and passwordInHistory attributes control whether the
+user can reuse passwords and how many passwords the directory server
+stores in history.
+
+During the modify password operation, the server should check for pass-
+word history. If password history is on and the new password matches
+one of the old passwords in history, the server should send
+modifyResponse back to the client with resultCode:
+LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new
+password is in history, choose another password.
+
+8. Password Syntax and Minimum length
+
+The passwordCheckSyntax attribute indicates whether the password syntax
+will be checked before a new password is saved. If this policy is on,
+the directory server should check that the new password meets the pass-
+word minimum length requirement and that the string does not contain any
+trivial words such as the user's name, user id and so on.
+
+The passwordMinLength attribute defines the minimum number of characters
+that must be used in a password.
+
+During the modify or add password operation, the server should check for
+password syntax. If password check syntax is on and the new password
+fail the syntax checking, the server should send modifyResponse or
+addResponse back to the client with resultCode:
+LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new
+password failed the syntax checking, the user should choose another
+password.
+
+9. User Defined Passwords
+
+This policy defines whether the users can change their own passwords.
+During the modify password operation, the server should check if the
+user is allowed to change password. If not, the server should send to
+the client the LDAP_UNWILLING_TO_PERFORM result code and an error mes-
+sage to indicate that the user is not allowed to change password.
+
+10. Password Change After Reset
+
+This policy forces the user to select a new password on first bind or
+after password reset. After bind operation succeed with authentication,
+
+
+
+Chu [Page 9]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+the server should check if the password change after reset policy is on
+and this is the first time logon. If so, the server should send bin-
+dResponse with the resultCode: LDAP_SUCCESS, and should include the
+password expired control in the controls field of the bindResponse mes-
+sage:
+
+ controlType: 2.16.840.1.113730.3.4.4,
+
+ controlValue: an octet string: "0",
+
+ criticality: false
+
+After that, for any operation issued by the user other than modify pass-
+word, bind, unbind, abandon, or search, the server should send the
+response message with the resultCode: LDAP_UNWILLING_TO_PERFORM, and
+should include the password expired control in the controls field of the
+response message:
+
+ controlType: 2.16.840.1.113730.3.4.4,
+
+ controlValue: an octet string: "0",
+
+ criticality: false
+
+11. Password Guessing limit
+
+This policy enforces the limit of number of tries the client has to get
+the password right. The user will be locked out of the directory after
+a given number of consecutive failed attempts to bind to the directory.
+This policy protects the directory from automated guessing attacks.
+
+The server should keep a failure counter in the passwordRetryCount
+attribute for each entry. The server should increment the failure
+counter when a bind operation fails with the LDAP_INVALID_CREDENTIALS
+error code. The server should clear the failure counter when a bind
+operation succeeds with authentication, the account password is reset by
+administrator, or when the failure counter reset time is reached.
+
+During the bind operation, the server should check for password guessing
+limit. If password guessing limit policy is on and the password guess-
+ing limit is reached, the server should send bindResponse back to the
+client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error message
+to indicate the password failure limit is reached.
+
+12. Server Implementation
+
+
+
+
+
+
+Chu [Page 10]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+12.1. Password policy initialization
+
+The passwordPolicy object class holds the password policy settings for a
+set of user accounts. During the server initial startup, password pol-
+icy should be assigned a set of initial values. The settings should be
+modified only by the directory administrators and should be readable by
+anyone. The server should preserve the settings over server restart.
+Currently in the Netscape Directory implementation, the password policy
+settings are stored in "cn=config" entry and an identical copy is kept
+in a configuration file which is used as bootstrap. The Netscape Direc-
+tory password default settings are listed below as an example.
+
+ - User may change password
+
+ - Do not need to change password first time logon
+
+ - Use SHA as the password hash algorithm
+
+ - No password syntax check
+
+ - Password minimum length: 6
+
+ - No password expiration
+
+ - Expires in 100 days
+
+ - No password minimum age
+
+ - Send warning one day before password expires
+
+ - Do not keep password history
+
+ - Six passwords in history
+
+ - No account lockout
+
+ - Lockout after 3 bind failures
+
+ - Do not lockout forever
+
+ - Lock account for 60 minutes
+
+ - Reset retry count after 10 minutes
+
+ In ldif format:
+
+ passwordchange: on
+
+
+
+
+Chu [Page 11]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ passwordmustchange: off
+
+ passwordstoragescheme: SHA
+
+ passwordchecksyntax: off
+
+ passwordminlength: 6
+
+ passwordexp: off
+
+ passwordmaxage: 8640000
+
+ passwordminage: 0
+
+ passwordwarning: 86400
+
+ passwordkeephistory: off
+
+ passwordinhistory: 6
+
+ passwordlockout: off
+
+ passwordmaxfailure: 3
+
+ passwordunlock: on
+
+ passwordlockoutduration: 3600
+
+ passwordresetfailurecount: 600
+
+12.2. Bind Operations
+
+12.2.1. During bind operations, the server should check for password
+guessing limit. If password guessing limit policy is on and the pass-
+word guessing limit is reached, the server should send bindResponse back
+to the client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error
+message to indicate the password failure limit is reached. Otherwise
+the server should continue the bind operation.
+
+12.2.2. After Bind Operations succeed with authentication, the server
+should
+
+ 1. Clear the password failure counter.
+
+ 2. Check if the password change after reset policy is on and this is
+ the first time logon. If so, the server should disallow all
+ operations issued by this user except modify password, bind ,
+ unbind, abandon, or search. The server should send bindResponse
+
+
+
+Chu [Page 12]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ with the resultCode: LDAP_SUCCESS, and should include the pass-
+ word expired control in the controls field of the bindResponse
+ message.
+
+ controlType: 2.16.840.1.113730.3.4.4,
+
+ controlValue: an octet string: "0",
+
+ criticality: false
+
+ 3. Check for password expiration. If the password expiration policy
+ is on and the account's password is expired, the server should
+ send bindResponse with the resultCode: LDAP_INVALID_CREDENTIALS
+ along with an error message to inform the client that the pass-
+ word has expired.
+
+ 4. Check if the password is going to expire sooner than the password
+ warning duration, the server should send bindResponse with the
+ resultCode: LDAP_SUCCESS, and should include the password expir-
+ ing control in the controls field of the bindResponse message:
+
+ controlType: 2.16.840.1.113730.3.4.5,
+
+ controlValue: an octet string to indicate the time in seconds
+ until the password expires.
+
+ criticality: false
+
+
+12.2.3. After Bind Operations fail with LDAP_INVALID_CREDENTIALS, the
+server should
+
+ 1. Check if it is time to reset the password failure counter. If
+ so, set the failure counter to 1 and re-calculate the next
+ failure counter reset time. Otherwise, increment the failure
+ counter.
+
+ 2. Check if failure counter exceeds the allowed maximum value. If
+ so, the server should lock the user account.
+
+12.3. Add Password Operations
+
+12.3.1. During the add password operation, the server should
+
+ 1. Check for password syntax. If password check syntax is on and
+ the new password fail the syntax checking, the server should send
+ addResponse back to the client with resultCode:
+ LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the
+
+
+
+Chu [Page 13]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ new password failed the syntax checking, the user should choose
+ another password.
+
+ 2. Calculate and add passwordexpirationtime and passwordallowchange-
+ time attributes to the entry if password expiration policy and
+ password minimum age policy are on respectively.
+
+12.4. Modify Password Operations
+
+12.4.1. During the modify password operation, the server should
+
+ 1. Check if the user is allowed to change password. If not, the
+ server should send to the client the LDAP_UNWILLING_TO_PERFORM
+ result code and an error message to indicate that the user is not
+ allowed to change password.
+
+ 2. Check for password minimum age, password minimum length, password
+ history, and password syntax. If the checking fails, the server
+ should send modifyResponse back to the client with resultCode:
+ LDAP_CONSTRAINT_VIOLATION, and an appropriate error message.
+
+ 3. If it is the first time logon and the user needs to change pass-
+ word the first time logon, the server should check if the user-
+ password attribute is in this modify request. If so, the server
+ should continue the modify operation. Otherwise, the server
+ should send the response message with the resultCode:
+ LDAP_UNWILLING_TO_PERFORM, and should include the password
+ expired control in the controls field of the response message:
+
+ controlType: 2.16.840.1.113730.3.4.4,
+
+ controlValue: an octet string: "0",
+
+ criticality: false
+
+12.4.2. After modify password operations succeed, the server should
+
+ 1. Update password history in the user's entry, if the password his-
+ tory policy is on.
+
+ 2. Update passwordExpirationTime in the user's entry, if the pass-
+ word expiration policy is on.
+
+ 3. Update passwordAllowChangeTime in the user's entry, if the pass-
+ word minimum age policy is on.
+
+ 4. Clear the password failure counter, if the password is reset by a
+ directory administrator.
+
+
+
+Chu [Page 14]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ 5. Set a flag to indicate the user is the first time logon, if the
+ password change after reset policy is on and the password is
+ reset by a directory administrator.
+
+13. Client Implementation
+
+13.1. Bind Response
+
+For every bind response received, the client needs to parse the bind
+result code, error message, and controls to determine if any of the fol-
+lowing conditions is true and prompt the user accordingly.
+
+1. The user needs to change password first time logon. The user
+ should be prompted to change the password immediately.
+
+ resultCode: LDAP_SUCCESS, with the control
+ controlType: 2.16.840.1.113730.3.4.4,
+ controlValue: "0",
+ criticality: false
+
+
+2. This is a warning message that the server sends to a user to indi-
+ cate the time in seconds until the user's password expires.
+
+ resultCode: LDAP_SUCCESS, with the control
+ controlType: 2.16.840.1.113730.3.4.5,
+ controlValue: an octet string to indicate the time in seconds until
+ the password expires.
+ criticality: false
+
+
+3. The password failure limit is reached. The user needs to retry
+ later or contact the directory administrator to reset the password.
+
+ resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
+ For example:
+ errorMessage: "exceed password retry limit"
+
+
+4. The password is expired. The user needs to contact the directory
+ administrator to reset the password.
+
+ resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate error message.
+ For example:
+ errorMessage: "password expired"
+
+
+
+
+
+
+Chu [Page 15]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+13.2. Modify Responses
+
+For the modify response received for the change password request, the
+client needs to check the result code and error message to determine if
+it failed the password checking, and either let the user retry or quit.
+
+1. The user defined password policy is disabled. The user is not
+ allowed to change password.
+
+ resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate error message.
+ For example:
+ errorMessage: "user is not allowed to change password"
+
+
+2. The new password failed the password syntax checking, or the
+ current password has not reached the minimum password age, or the
+ new password is in history.
+
+ resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
+ For example:
+ errorMessage: "invalid password syntax"
+ errorMessage: "password in history"
+ errorMessage: "trivial password"
+ errorMessage: "within minimum password age"
+
+13.3. Add Responses
+
+For the add response received for the add entry request, the client
+needs to check the result code and error message to determine if it
+failed the password checking, and either let the user retry or quit.
+
+1. The new password failed the password syntax checking.
+
+ resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
+ For example:
+ errorMessage: "invalid password syntax"
+ errorMessage: "trivial password"
+
+13.4. Other Responses
+
+For operations other than bind, unbind, abandon, or search, the client
+needs to check the following result code and control to determine if the
+user needs to change the password immediately.
+
+1. The user needs to change password first time logon. The user
+ should be prompted to change the password immediately.
+
+ resultCode: LDAP_UNWILLING_TO_PERFORM, with the control
+
+
+
+Chu [Page 16]
+
+
+
+
+
+Expires June 1999 INTERNET DRAFT
+
+
+ controlType: 2.16.840.1.113730.3.4.4,
+ controlValue: "0",
+ criticality: false
+
+14. Security Considerations
+
+The password policy defined in this document is applied to the LDAP sim-
+ple authentication method [RFC-2251] and userPassword attribute values
+only. The simple authentication method provides minimal authentication
+facilities, with the contents of the authentication field consisting
+only of a cleartext password. Note that the simple authentication
+method and password policy are designed for authentication where the
+underlying transport service cannot guarantee confidentiality. Use of
+simple authentication method and password policy may result in disclo-
+sure of the password to unauthorized parties. SASL and TLS mechanisms
+may be used with LDAP to provide integrity or confidentiality services.
+
+
+15. Bibliography
+
+
+[RFC-2251]Wahl, M., Howes, T., Kille, S., "Lightweight Directory Access
+ Protocol (v3)", RFC 2251, August 1997.
+
+[RFC-2307]L. Howard, "An Approach for Using LDAP as a Network Informa-
+ tion Service", RFC 2307, March 1998.
+
+[RFC-2119]S. Bradner, "Key Words for use in RFCs to Indicate Requirement
+ Levels", RFC 2119, March 1997.
+
+16. Author's Addresses
+
+ Valerie Chu
+ Netscape Communications Corp.
+ 501 E. Middlefield Rd.
+ Mountain View, CA 94043
+ USA
+ +1 650 937-3443
+ vchu@netscape.com
+
+
+
+
+
+
+
+
+
+
+
+
+Chu [Page 17]
+
+
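Review bot: several attribute type descriptions in section 4.2 are not well-formed and would be rejected by a schema parser: the passwordKeepHistory DESC opens with a single quote and closes with a double quote (`DESC 'a flag which indicates whether passwords can be reused"`), the passwordLockoutDuration DESC is never closed (`after an account lockout` is followed directly by `EQUALITY 'caseIgnoreMatch'`), and the passwordWarning, passwordExpirationTime and passwordHistory DESC strings contain an unescaped apostrophe in `user's` that terminates the quoted string early. Suggest closing every DESC with a matching single quote and rewording to avoid the apostrophe. The same block quotes EQUALITY and SYNTAX values in 4.2 (`EQUALITY 'caseIgnoreMatch'`) but leaves them bare in 4.4 (`EQUALITY generalizedTimeMatch`); the bare form is the one the LDAPv3 schema description syntax defines, so 4.2 should be brought in line with 4.4. Separately, sections 12.2.2 and 12.2.3 leave a gap that matters for the lockout logic: step 3 of 12.2.2 returns LDAP_INVALID_CREDENTIALS for an expired password after authentication has already succeeded and step 1 has cleared passwordRetryCount, while 12.2.3 increments the counter on every bind that fails with LDAP_INVALID_CREDENTIALS, so the text should state explicitly that the expired-password response is not counted as a guessing failure. Likewise, 12.2.3 step 2 says only "lock the user account"; it should say that the lock sets accountUnlockTime from passwordLockoutDuration when passwordUnlock is on, since accountUnlockTime is defined in 4.4 but is never written in section 12, and passwordExpWarned is likewise defined but never set or checked in the bind procedure that section 5 says must issue at least one warning.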