</section>
- <section title="Password Quality and Minimum length">
+ <section title="Password Quality and length constraints">
<t>In order to prevent users from creating or updating passwords that
are easy to guess, a password quality policy may be employed. This
SINGLE-VALUE )
</artwork></figure>
</section>
+
+
+ <section title="pwdMaxRecordedFailure">
+
+ <t>This attribute specifies the number of failures kept on record
+ for each user and should be equal to or higher than pwdMaxFailure.
+ If not set or is 0, it is deemed equal to pwdMaxFailure.</t>
+
+ <figure><artwork>
+ ( 1.3.6.1.4.1.42.2.27.8.1.32
+ NAME 'pwdMaxRecordedFailure'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+ </artwork></figure>
+ </section>
</section>
insufficientPasswordQuality (5),
passwordTooShort (6),
passwordTooYoung (7),
- passwordInHistory (8) } OPTIONAL }
+ passwordInHistory (8),
+ passwordTooLong (9) } OPTIONAL }
</artwork></figure>
<t>The timeBeforeExpiration warning specifies the number of seconds
<t>The current time is greater than or equal to the value of the
pwdLastSuccess attribute added to the value of the pwdMaxIdle
- attribute.</t>
+ attribute. If pwdLastSuccess attribute is not present, pwdChangedTime
+ value is used instead.</t>
<t>The current time is less than the value of the
pwdAccountLockedTime attribute added to the value of the
resultCode: constraintViolation (19), and includes the
passwordPolicyResponse in the controls field of the response
message with the error: passwordTooShort (6).</t>
+
+ <t>checks the value of the pwdMaxLength attribute. If the value is
+ non-zero, it ensures that the new password is of at most the
+ maximum length.<vspace blankLines="1"/>
+ If the server is unable to check the length (due to a hashed
+ password or otherwise), the value of pwdCheckQuality is evaluated.
+ If the value is 1, operation continues. If the value is 2, the
+ server sends a response message to the client with the resultCode:
+ constraintViolation (19), and includes the passwordPolicyResponse
+ in the controls field of the response message with the error:
+ passwordTooLong (9).<vspace blankLines="1"/>
+ If the server is able to check the password length, and the check
+ fails, the server sends a response message to the client with the
+ resultCode: constraintViolation (19), and includes the
+ passwordPolicyResponse in the controls field of the response
+ message with the error: passwordTooLong (9).</t>
</list></t>
</section>
set to TRUE. Otherwise, the pwdReset is removed from the user's
entry if it exists.</t>
- <t>The pwdFailureTime and pwdGraceUseTime attributes is removed from the
- user's entry if they exist.</t>
+ <t>The pwdFailureTime, pwdGraceUseTime, pwdLastSuccess attributes are
+ removed from the user's entry if they exist.</t>
</section>
</section>
<t>pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordInHistory (8): The password
has already been used; the user must choose a different one.</t>
+
+ <t>pwdModResponse.resultCode = constraintViolation (19),
+ passwordPolicyResponse.error = passwordTooLong (9): The length of
+ the password is too long.</t>
</list></t>
</section>
</section>
<t>addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooShort (6): The length of
the password is too short.</t>
+
+ <t>addResponse.resultCode = constraintViolation (19),
+ passwordPolicyResponse.error = passwordTooLong (9): The length of
+ the password is too long.</t>
</list></t>
</section>
doesn't have to be replicated to a read-only replica, since the
password will never be directly modified on this server.</t>
- <t>The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
- attributes SHOULD be replicated to writable replicas, making the
- password policy global for all servers. When the user entry is
- replicated to a read-only replica, these attributes SHOULD NOT be
+ <t>The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
+ pwdLastSuccess attributes SHOULD be replicated to writable replicas,
+ making the password policy global for all servers. When the user entry
+ is replicated to a read-only replica, these attributes SHOULD NOT be
replicated. This means that the number of failures, of grace
authentications and the locking will take place on each replicated
server. For example, the effective number of failed attempts on a
projects / thirdparty / openldap.git / commitdiff
