*ad_pwdFailureTime, *ad_pwdHistory, *ad_pwdGraceUseTime, *ad_pwdReset,
*ad_pwdPolicySubentry;
+/* Policy attributes */
+static AttributeDescription *ad_pwdMinAge, *ad_pwdMaxAge, *ad_pwdMaxIdle,
+ *ad_pwdInHistory, *ad_pwdCheckQuality, *ad_pwdMinLength,
+ *ad_pwdMaxFailure, *ad_pwdGraceExpiry, *ad_pwdGraceAuthNLimit,
+ *ad_pwdExpireWarning, *ad_pwdLockoutDuration, *ad_pwdFailureCountInterval,
+ *ad_pwdCheckModule, *ad_pwdLockout, *ad_pwdMustChange,
+ *ad_pwdAllowUserChange, *ad_pwdSafeModify, *ad_pwdAttribute,
+ *ad_pwdMaxRecordedFailure;
+
static struct schema_info {
char *def;
AttributeDescription **ad;
#endif
"USAGE directoryOperation )",
&ad_pwdPolicySubentry },
+
+ { "( 1.3.6.1.4.1.42.2.27.8.1.1 "
+ "NAME ( 'pwdAttribute' ) "
+ "EQUALITY objectIdentifierMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
+ &ad_pwdAttribute },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.2 "
+ "NAME ( 'pwdMinAge' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMinAge },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.3 "
+ "NAME ( 'pwdMaxAge' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMaxAge },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.4 "
+ "NAME ( 'pwdInHistory' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdInHistory },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.5 "
+ "NAME ( 'pwdCheckQuality' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdCheckQuality },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.6 "
+ "NAME ( 'pwdMinLength' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMinLength },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.7 "
+ "NAME ( 'pwdExpireWarning' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdExpireWarning },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.8 "
+ "NAME ( 'pwdGraceAuthNLimit' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdGraceAuthNLimit },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.9 "
+ "NAME ( 'pwdLockout' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdLockout },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.10 "
+ "NAME ( 'pwdLockoutDuration' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdLockoutDuration },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.11 "
+ "NAME ( 'pwdMaxFailure' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMaxFailure },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.12 "
+ "NAME ( 'pwdFailureCountInterval' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdFailureCountInterval },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.13 "
+ "NAME ( 'pwdMustChange' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdMustChange },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.14 "
+ "NAME ( 'pwdAllowUserChange' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdAllowUserChange },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.15 "
+ "NAME ( 'pwdSafeModify' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdSafeModify },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.32 "
+ "NAME ( 'pwdMaxRecordedFailure' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMaxRecordedFailure },
+ { "( 1.3.6.1.4.1.4754.1.99.1 "
+ "NAME ( 'pwdCheckModule' ) "
+ "EQUALITY caseExactIA5Match "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 "
+ "DESC 'Loadable module that instantiates check_password() function' "
+ "SINGLE-VALUE )",
+ &ad_pwdCheckModule },
+
{ NULL, NULL }
};
-/* User attributes */
-static AttributeDescription *ad_pwdMinAge, *ad_pwdMaxAge, *ad_pwdInHistory,
- *ad_pwdCheckQuality, *ad_pwdMinLength, *ad_pwdMaxFailure,
- *ad_pwdGraceAuthNLimit, *ad_pwdExpireWarning, *ad_pwdLockoutDuration,
- *ad_pwdFailureCountInterval, *ad_pwdCheckModule, *ad_pwdLockout,
- *ad_pwdMustChange, *ad_pwdAllowUserChange, *ad_pwdSafeModify,
- *ad_pwdAttribute, *ad_pwdMaxRecordedFailure;
-
-#define TAB(name) { #name, &ad_##name }
-
-static struct schema_info pwd_UsSchema[] = {
- TAB(pwdAttribute),
- TAB(pwdMinAge),
- TAB(pwdMaxAge),
- TAB(pwdInHistory),
- TAB(pwdCheckQuality),
- TAB(pwdMinLength),
- TAB(pwdMaxFailure),
- TAB(pwdMaxRecordedFailure),
- TAB(pwdGraceAuthNLimit),
- TAB(pwdExpireWarning),
- TAB(pwdLockout),
- TAB(pwdLockoutDuration),
- TAB(pwdFailureCountInterval),
- TAB(pwdCheckModule),
- TAB(pwdMustChange),
- TAB(pwdAllowUserChange),
- TAB(pwdSafeModify),
- { NULL, NULL }
+static char *pwd_ocs[] = {
+ "( 1.3.6.1.4.1.4754.2.99.1 "
+ "NAME 'pwdPolicyChecker' "
+ "SUP top "
+ "AUXILIARY "
+ "MAY ( pwdCheckModule )" ,
+ "( 1.3.6.1.4.1.42.2.27.8.2.1 "
+ "NAME 'pwdPolicy' "
+ "SUP top "
+ "AUXILIARY "
+ "MUST ( pwdAttribute ) "
+ "MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ "
+ "pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ "
+ "pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ "
+ "pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ "
+ "pwdMaxRecordedFailure ) )",
+ NULL
};
static ldap_pvt_thread_mutex_t chk_syntax_mutex;
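Review bot: The `pwdPolicyChecker` definition at the top of the new `pwd_ocs` table is missing the closing parenthesis of the object class itself — `"MAY ( pwdCheckModule )" ,` closes only the MAY list, whereas the `pwdPolicy` entry below it and the deleted ppolicy.schema both end with `) )`; unless the schema parser tolerates a truncated description, `register_oc()` will reject it and the overlay will fail to initialize. Change the line to `"MAY ( pwdCheckModule ) )" ,`. Separately, `ad_pwdMaxIdle` and `ad_pwdGraceExpiry` are declared in the new `static AttributeDescription` list but have no entry in this schema table or in `pwdPolicy`'s MAY list, so they stay NULL after schema registration; either register them here or drop the declarations until they are used. Note also that pwdMaxRecordedFailure moves from OID 1.3.6.1.4.1.42.2.27.8.1.30 in the removed schema file to 1.3.6.1.4.1.42.2.27.8.1.32 here; a deployment whose cn=config already carries the old ppolicy.ldif definition will presumably hit a conflicting attribute type at startup, which deserves a release note or an explicit compatibility check.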
return 1;
}
- /* Has User Schema been initialized yet? */
- if ( !pwd_UsSchema[0].ad[0] ) {
- const char *err;
- int i, code;
-
- for (i=0; pwd_UsSchema[i].def; i++) {
- code = slap_str2ad( pwd_UsSchema[i].def, pwd_UsSchema[i].ad, &err );
- if ( code ) {
- if ( cr ){
- snprintf( cr->msg, sizeof(cr->msg),
- "User Schema load failed for attribute \"%s\". Error code %d: %s",
- pwd_UsSchema[i].def, code, err );
- Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg );
- }
- return code;
- }
- }
- {
- Syntax *syn;
- MatchingRule *mr;
-
- syn = ch_malloc( sizeof( Syntax ));
- *syn = *ad_pwdAttribute->ad_type->sat_syntax;
- syn->ssyn_pretty = attrPretty;
- ad_pwdAttribute->ad_type->sat_syntax = syn;
-
- mr = ch_malloc( sizeof( MatchingRule ));
- *mr = *ad_pwdAttribute->ad_type->sat_equality;
- mr->smr_normalize = attrNormalize;
- ad_pwdAttribute->ad_type->sat_equality = mr;
- }
- }
-
on->on_bi.bi_private = ch_calloc( sizeof(pp_info), 1 );
if ( !pwcons ) {
SLAP_AT_MANAGEABLE;
}
}
+ {
+ Syntax *syn;
+ MatchingRule *mr;
+
+ syn = ch_malloc( sizeof( Syntax ));
+ *syn = *ad_pwdAttribute->ad_type->sat_syntax;
+ syn->ssyn_pretty = attrPretty;
+ ad_pwdAttribute->ad_type->sat_syntax = syn;
+
+ mr = ch_malloc( sizeof( MatchingRule ));
+ *mr = *ad_pwdAttribute->ad_type->sat_equality;
+ mr->smr_normalize = attrNormalize;
+ ad_pwdAttribute->ad_type->sat_equality = mr;
+ }
+
+ for (i=0; pwd_ocs[i]; i++) {
+ code = register_oc( pwd_ocs[i], NULL, 0 );
+ if ( code ) {
+ Debug( LDAP_DEBUG_ANY, "ppolicy_initialize: "
+ "register_oc failed\n" );
+ return code;
+ }
+ }
code = register_supported_control( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
SLAP_CTRL_ADD|SLAP_CTRL_BIND|SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE, extops,
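Review bot: The failure path of the new `register_oc` loop logs only `"register_oc failed"`, which discards the information the removed `ppolicy_db_init` code used to report (the failing definition and the parser's error text), so a malformed entry in `pwd_ocs` — an unbalanced parenthesis, for instance — would be hard to diagnose from the log. Since the file's `Debug` macro already takes format arguments (see the removed `Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg )`), make it `Debug( LDAP_DEBUG_ANY, "ppolicy_initialize: register_oc failed for \"%s\" (code %d)\n", pwd_ocs[i], code );`. The `Syntax`/`MatchingRule` copies in the block above are allocated with `ch_malloc` and attached to `ad_pwdAttribute` for the life of the process; a comment such as `/* private copies of the OID syntax and matching rule, presumably so the attrPretty/attrNormalize overrides do not affect other attribute types sharing them; intentionally never freed */` would make that explicit. The enclosing `ppolicy_initialize` starts before the hunk and continues after it.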
+++ /dev/null
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 2004-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-#
-## Portions Copyright (C) The Internet Society (2004).
-## Please see full copyright statement below.
-#
-# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
-# Password Policy for LDAP Directories
-# With extensions from Hewlett-Packard:
-# pwdCheckModule etc.
-#
-# Contents of this file are subject to change (including deletion)
-# without notice.
-#
-# Not recommended for production use!
-# Use with extreme caution!
-#
-# This file was automatically generated from ppolicy.schema; see that file
-# for complete references.
-#
-dn: cn=ppolicy,cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: ppolicy
-olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
- objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
- tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
- tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
- integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
- .27 SINGLE-VALUE )
-olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
- ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
- 1.1.27 SINGLE-VALUE )
-olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
- integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
- 1.27 SINGLE-VALUE )
-olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
- LITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.
- 121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
- UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11
- 5.121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
- ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
- QUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1
- 15.121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
- ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1
- 21.1.27 SINGLE-VALUE )
-olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
- val' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
- 1466.115.121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
- ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange'
- EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
- ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
- oadable module that instantiates "check_password() function' EQUALITY caseExa
- ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
- e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
- 1466.115.121.1.27 SINGLE-VALUE )
-olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
- AUXILIARY MAY pwdCheckModule )
-olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
- LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
- Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
- pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
- $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
+++ /dev/null
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 2004-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-#
-## Portions Copyright (C) The Internet Society (2004).
-## Please see full copyright statement below.
-
-# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
-# Password Policy for LDAP Directories
-# With extensions from Hewlett-Packard:
-# pwdCheckModule etc.
-
-# Contents of this file are subject to change (including deletion)
-# without notice.
-#
-# Not recommended for production use!
-# Use with extreme caution!
-
-#Network Working Group J. Sermersheim
-#Internet-Draft Novell, Inc
-#Expires: April 24, 2005 L. Poitou
-# Sun Microsystems
-# October 24, 2004
-#
-#
-# Password Policy for LDAP Directories
-# draft-behera-ldap-password-policy-08.txt
-#
-#Status of this Memo
-#
-# This document is an Internet-Draft and is subject to all provisions
-# of section 3 of RFC 3667. By submitting this Internet-Draft, each
-# author represents that any applicable patent or other IPR claims of
-# which he or she is aware have been or will be disclosed, and any of
-# which he or she become aware will be disclosed, in accordance with
-# RFC 3668.
-#
-# Internet-Drafts are working documents of the Internet Engineering
-# Task Force (IETF), its areas, and its working groups. Note that
-# other groups may also distribute working documents as
-# Internet-Drafts.
-#
-# Internet-Drafts are draft documents valid for a maximum of six months
-# and may be updated, replaced, or obsoleted by other documents at any
-# time. It is inappropriate to use Internet-Drafts as reference
-# material or to cite them other than as "work in progress."
-#
-# The list of current Internet-Drafts can be accessed at
-# http://www.ietf.org/ietf/1id-abstracts.txt.
-#
-# The list of Internet-Draft Shadow Directories can be accessed at
-# http://www.ietf.org/shadow.html.
-#
-# This Internet-Draft will expire on April 24, 2005.
-#
-#Copyright Notice
-#
-# Copyright (C) The Internet Society (2004).
-#
-#Abstract
-#
-# Password policy as described in this document is a set of rules that
-# controls how passwords are used and administered in Lightweight
-# Directory Access Protocol (LDAP) based directories. In order to
-# improve the security of LDAP directories and make it difficult for
-# password cracking programs to break into directories, it is desirable
-# to enforce a set of rules on password usage. These rules are made to
-#
-# [trimmed]
-#
-#5. Schema used for Password Policy
-#
-# The schema elements defined here fall into two general categories. A
-# password policy object class is defined which contains a set of
-# administrative password policy attributes, and a set of operational
-# attributes are defined that hold general password policy state
-# information for each user.
-#
-#5.2 Attribute Types used in the pwdPolicy ObjectClass
-#
-# Following are the attribute types used by the pwdPolicy object class.
-#
-#5.2.1 pwdAttribute
-#
-# This holds the name of the attribute to which the password policy is
-# applied. For example, the password policy may be applied to the
-# userPassword attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
- NAME 'pwdAttribute'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-#5.2.2 pwdMinAge
-#
-# This attribute holds the number of seconds that must elapse between
-# modifications to the password. If this attribute is not present, 0
-# seconds is assumed.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
- NAME 'pwdMinAge'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.3 pwdMaxAge
-#
-# This attribute holds the number of seconds after which a modified
-# password will expire.
-#
-# If this attribute is not present, or if the value is 0 the password
-# does not expire. If not 0, the value must be greater than or equal
-# to the value of the pwdMinAge.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
- NAME 'pwdMaxAge'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.4 pwdInHistory
-#
-# This attribute specifies the maximum number of used passwords stored
-# in the pwdHistory attribute.
-#
-# If this attribute is not present, or if the value is 0, used
-# passwords are not stored in the pwdHistory attribute and thus may be
-# reused.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
- NAME 'pwdInHistory'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.5 pwdCheckQuality
-#
-# {TODO: Consider changing the syntax to OID. Each OID will list a
-# quality rule (like min len, # of special characters, etc). These
-# rules can be specified outsid ethis document.}
-#
-# {TODO: Note that even though this is meant to be a check that happens
-# during password modification, it may also be allowed to happen during
-# authN. This is useful for situations where the password is encrypted
-# when modified, but decrypted when used to authN.}
-#
-# This attribute indicates how the password quality will be verified
-# while being modified or added. If this attribute is not present, or
-# if the value is '0', quality checking will not be enforced. A value
-# of '1' indicates that the server will check the quality, and if the
-# server is unable to check it (due to a hashed password or other
-# reasons) it will be accepted. A value of '2' indicates that the
-# server will check the quality, and if the server is unable to verify
-# it, it will return an error refusing the password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
- NAME 'pwdCheckQuality'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.6 pwdMinLength
-#
-# When quality checking is enabled, this attribute holds the minimum
-# number of characters that must be used in a password. If this
-# attribute is not present, no minimum password length will be
-# enforced. If the server is unable to check the length (due to a
-# hashed password or otherwise), the server will, depending on the
-# value of the pwdCheckQuality attribute, either accept the password
-# without checking it ('0' or '1') or refuse it ('2').
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
- NAME 'pwdMinLength'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.7 pwdExpireWarning
-#
-# This attribute specifies the maximum number of seconds before a
-# password is due to expire that expiration warning messages will be
-# returned to an authenticating user.
-#
-# If this attribute is not present, or if the value is 0 no warnings
-# will be returned. If not 0, the value must be smaller than the value
-# of the pwdMaxAge attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
- NAME 'pwdExpireWarning'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.8 pwdGraceAuthNLimit
-#
-# This attribute specifies the number of times an expired password can
-# be used to authenticate. If this attribute is not present or if the
-# value is 0, authentication will fail.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
- NAME 'pwdGraceAuthNLimit'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.9 pwdLockout
-#
-# This attribute indicates, when its value is "TRUE", that the password
-# may not be used to authenticate after a specified number of
-# consecutive failed bind attempts. The maximum number of consecutive
-# failed bind attempts is specified in pwdMaxFailure.
-#
-# If this attribute is not present, or if the value is "FALSE", the
-# password may be used to authenticate when the number of failed bind
-# attempts has been reached.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
- NAME 'pwdLockout'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#5.2.10 pwdLockoutDuration
-#
-# This attribute holds the number of seconds that the password cannot
-# be used to authenticate due to too many failed bind attempts. If
-# this attribute is not present, or if the value is 0 the password
-# cannot be used to authenticate until reset by a password
-# administrator.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
- NAME 'pwdLockoutDuration'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.11 pwdMaxFailure
-#
-# This attribute specifies the number of consecutive failed bind
-# attempts after which the password may not be used to authenticate.
-# If this attribute is not present, or if the value is 0, this policy
-# is not checked, and the value of pwdLockout will be ignored.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
- NAME 'pwdMaxFailure'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.12 pwdFailureCountInterval
-#
-# This attribute holds the number of seconds after which the password
-# failures are purged from the failure counter, even though no
-# successful authentication occurred.
-#
-# If this attribute is not present, or if its value is 0, the failure
-# counter is only reset by a successful authentication.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
- NAME 'pwdFailureCountInterval'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.13 pwdMustChange
-#
-# This attribute specifies with a value of "TRUE" that users must
-# change their passwords when they first bind to the directory after a
-# password is set or reset by a password administrator. If this
-# attribute is not present, or if the value is "FALSE", users are not
-# required to change their password upon binding after the password
-# administrator sets or resets the password. This attribute is not set
-# due to any actions specified by this document, it is typically set by
-# a password administrator after resetting a user's password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
- NAME 'pwdMustChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#5.2.14 pwdAllowUserChange
-#
-# This attribute indicates whether users can change their own
-# passwords, although the change operation is still subject to access
-# control. If this attribute is not present, a value of "TRUE" is
-# assumed. This attribute is intended to be used in the absence of an
-# access control mechanism.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
- NAME 'pwdAllowUserChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#5.2.15 pwdSafeModify
-#
-# This attribute specifies whether or not the existing password must be
-# sent along with the new password when being changed. If this
-# attribute is not present, a "FALSE" value is assumed.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
- NAME 'pwdSafeModify'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#ITS#8185 pwdMaxRecordedFailure
-#
-# This attribute specifies the maximum number of consecutive failed bind
-# attempts to record. If this attribute is not present, or if the value
-# is 0, it defaults to the value of pwdMaxFailure. If that value is also
-# 0, this value defaults to 5.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.30
- NAME 'pwdMaxRecordedFailure'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# HP extensions
-#
-# pwdCheckModule
-#
-# This attribute names a user-defined loadable module that provides
-# a check_password() function. If pwdCheckQuality is set to '1' or '2'
-# this function will be called after all of the internal password
-# quality checks have been passed. The function has this prototype:
-#
-# int check_password( char *password, char **errormessage, void *arg )
-#
-# The function should return LDAP_SUCCESS for a valid password.
-
-attributetype ( 1.3.6.1.4.1.4754.1.99.1
- NAME 'pwdCheckModule'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- DESC 'Loadable module that instantiates check_password() function'
- SINGLE-VALUE )
-
-objectclass ( 1.3.6.1.4.1.4754.2.99.1
- NAME 'pwdPolicyChecker'
- SUP top
- AUXILIARY
- MAY ( pwdCheckModule ) )
-
-#5.1 The pwdPolicy Object Class
-#
-# This object class contains the attributes defining a password policy
-# in effect for a set of users. Section 10 describes the
-# administration of this object, and the relationship between it and
-# particular objects.
-#
-objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
- NAME 'pwdPolicy'
- SUP top
- AUXILIARY
- MUST ( pwdAttribute )
- MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
- pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
- $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
- pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
- pwdMaxRecordedFailure ) )
-
-#5.3 Attribute Types for Password Policy State Information
-#
-# Password policy state information must be maintained for each user.
-# The information is located in each user entry as a set of operational
-# attributes. These operational attributes are: pwdChangedTime,
-# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
-# pwdReset, pwdPolicySubEntry.
-#
-#5.3.1 Password Policy State Attribute Option
-#
-# Since the password policy could apply to several attributes used to
-# store passwords, each of the above operational attributes must have
-# an option to specify which pwdAttribute it applies to. The password
-# policy option is defined as the following:
-#
-# pwd-<passwordAttribute>
-#
-# where passwordAttribute a string following the OID syntax
-# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
-# (short name) MUST be used.
-#
-# For example, if the pwdPolicy object has for pwdAttribute
-# "userPassword" then the pwdChangedTime operational attribute, in a
-# user entry, will be:
-#
-# pwdChangedTime;pwd-userPassword: 20000103121520Z
-#
-# This attribute option follows sub-typing semantics. If a client
-# requests a password policy state attribute to be returned in a search
-# operation, and does not specify an option, all subtypes of that
-# policy state attribute are returned.
-#
-#5.3.2 pwdChangedTime
-#
-# This attribute specifies the last time the entry's password was
-# changed. This is used by the password expiration policy. If this
-# attribute does not exist, the password will never expire.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.16
-# NAME 'pwdChangedTime'
-# DESC 'The time the password was last changed'
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#5.3.3 pwdAccountLockedTime
-#
-# This attribute holds the time that the user's account was locked. A
-# locked account means that the password may no longer be used to
-# authenticate. A 000001010000Z value means that the account has been
-# locked permanently, and that only a password administrator can unlock
-# the account.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.17
-# NAME 'pwdAccountLockedTime'
-# DESC 'The time an user account was locked'
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#5.3.4 pwdFailureTime
-#
-# This attribute holds the timestamps of the consecutive authentication
-# failures.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.19
-# NAME 'pwdFailureTime'
-# DESC 'The timestamps of the last consecutive authentication
-# failures'
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# USAGE directoryOperation )
-#
-#5.3.5 pwdHistory
-#
-# This attribute holds a history of previously used passwords. Values
-# of this attribute are transmitted in string format as given by the
-# following ABNF:
-#
-# pwdHistory = time "#" syntaxOID "#" length "#" data
-#
-# time = <generalizedTimeString as specified in 6.14
-# of [RFC2252]>
-#
-# syntaxOID = numericoid ; the string representation of the
-# ; dotted-decimal OID that defines the
-# ; syntax used to store the password.
-# ; numericoid is described in 4.1
-# ; of [RFC2252].
-#
-# length = numericstring ; the number of octets in data.
-# ; numericstring is described in 4.1
-# ; of [RFC2252].
-#
-# data = <octets representing the password in the format
-# specified by syntaxOID>.
-#
-# This format allows the server to store, and transmit a history of
-# passwords that have been used. In order for equality matching to
-# function properly, the time field needs to adhere to a consistent
-# format. For this purpose, the time field MUST be in GMT format.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.20
-# NAME 'pwdHistory'
-# DESC 'The history of user s passwords'
-# EQUALITY octetStringMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
-# USAGE directoryOperation )
-#
-#5.3.6 pwdGraceUseTime
-#
-# This attribute holds the timestamps of grace authentications after a
-# password has expired.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.21
-# NAME 'pwdGraceUseTime'
-# DESC 'The timestamps of the grace authentication after the
-# password has expired'
-# EQUALITY generalizedTimeMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-#
-#5.3.7 pwdReset
-#
-# This attribute holds a flag to indicate (when TRUE) that the password
-# has been updated by the password administrator and must be changed by
-# the user on first authentication.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.22
-# NAME 'pwdReset'
-# DESC 'The indication that the password has been reset'
-# EQUALITY booleanMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#5.3.8 pwdPolicySubentry
-#
-# This attribute points to the pwdPolicy subentry in effect for this
-# object.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.23
-# NAME 'pwdPolicySubentry'
-# DESC 'The pwdPolicy subentry in effect for this object'
-# EQUALITY distinguishedNameMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#
-#Disclaimer of Validity
-#
-# This document and the information contained herein are provided on an
-# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-#
-#
-#Copyright Statement
-#
-# Copyright (C) The Internet Society (2004). This document is subject
-# to the rights, licenses and restrictions contained in BCP 78, and
-# except as set forth therein, the authors retain all their rights.
-