+
Network Working Group J. Sermersheim
Internet-Draft Novell, Inc
Intended status: Standards Track L. Poitou
-Expires: January 19, 2015 Sun Microsystems
+Expires: 19 August 2022 Sun Microsystems
H. Chu, Ed.
+ O. Kuzník, Ed.
Symas Corp.
- July 18, 2014
+ February 2022
Password Policy for LDAP Directories
construction requirements, the re-use of old password is restricted,
and to deter password guessing attacks.
-Status of this Memo
+Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
- Drafts is at http://datatracker.ietf.org/drafts/current/.
+ Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on January 19, 2015.
+ This Internet-Draft will expire on 5 August 2022.
Copyright Notice
- Copyright (c) 2014 IETF Trust and the persons identified as the
+ Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
-
- This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 1]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
- (http://trustee.ietf.org/license-info) in effect on the date of
- publication of this document. Please review these documents
- carefully, as they describe your rights and restrictions with respect
- to this document. Code Components extracted from this document must
- include Simplified BSD License text as described in Section 4.e of
- the Trust Legal Provisions and are provided without warranty as
- described in the Simplified BSD License.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 2]
+Sermersheim, et al. Expires 19 August 2022 [Page 1]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents (https://trustee.ietf.org/
+ license-info) in effect on the date of publication of this document.
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document. Code Components
+ extracted from this document must include Revised BSD License text as
+ described in Section 4.e of the Trust Legal Provisions and are
+ provided without warranty as described in the Revised BSD License.
+
Table of Contents
- 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3. Application of Password Policy . . . . . . . . . . . . . . . 6
- 4. Articles of Password Policy . . . . . . . . . . . . . . . . 7
- 4.1. Password Usage Policy . . . . . . . . . . . . . . . . . . . 7
- 4.2. Password Modification Policy . . . . . . . . . . . . . . . . 8
- 4.3. Restriction of the Password Policy . . . . . . . . . . . . . 10
- 5. Schema used for Password Policy . . . . . . . . . . . . . . 12
- 5.1. The pwdPolicy Object Class . . . . . . . . . . . . . . . . . 12
- 5.2. Attribute Types used in the pwdPolicy ObjectClass . . . . . 12
- 5.3. Attribute Types for Password Policy State Information . . . 19
- 6. Controls used for Password Policy . . . . . . . . . . . . . 24
- 6.1. Request Control . . . . . . . . . . . . . . . . . . . . . . 24
- 6.2. Response Control . . . . . . . . . . . . . . . . . . . . . . 24
- 7. Policy Decision Points . . . . . . . . . . . . . . . . . . . 26
- 7.1. Locked Account Check . . . . . . . . . . . . . . . . . . . . 26
- 7.2. Password Must be Changed Now Check . . . . . . . . . . . . . 26
- 7.3. Password Expiration Check . . . . . . . . . . . . . . . . . 27
- 7.4. Remaining Grace AuthN Check . . . . . . . . . . . . . . . . 27
- 7.5. Time Before Expiration Check . . . . . . . . . . . . . . . . 27
- 7.6. Intruder Lockout Check . . . . . . . . . . . . . . . . . . . 27
- 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 28
- 7.8. Password Too Young Check . . . . . . . . . . . . . . . . . . 28
- 8. Server Policy Enforcement Points . . . . . . . . . . . . . . 29
- 8.1. Password-based Authentication . . . . . . . . . . . . . . . 29
- 8.2. Password Update Operations . . . . . . . . . . . . . . . . . 31
- 8.3. Other Operations . . . . . . . . . . . . . . . . . . . . . . 34
- 9. Client Policy Enforcement Points . . . . . . . . . . . . . . 35
- 9.1. Bind Operation . . . . . . . . . . . . . . . . . . . . . . . 35
- 9.2. Modify Operations . . . . . . . . . . . . . . . . . . . . . 36
- 9.3. Add Operation . . . . . . . . . . . . . . . . . . . . . . . 37
- 9.4. Compare Operation . . . . . . . . . . . . . . . . . . . . . 37
- 9.5. Other Operations . . . . . . . . . . . . . . . . . . . . . . 38
- 10. Administration of the Password Policy . . . . . . . . . . . 39
- 11. Password Policy and Replication . . . . . . . . . . . . . . 40
- 12. Security Considerations . . . . . . . . . . . . . . . . . . 42
- 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 43
- 13.1. Object Identifiers . . . . . . . . . . . . . . . . . . . . . 43
- 13.2. LDAP Protocol Mechanisms . . . . . . . . . . . . . . . . . . 43
- 13.3. LDAP Descriptors . . . . . . . . . . . . . . . . . . . . . . 43
- 13.4. LDAP AttributeDescription Options . . . . . . . . . . . . . 45
- 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 46
- 15. Normative References . . . . . . . . . . . . . . . . . . . . 47
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 48
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 3]
+ 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. Application of Password Policy . . . . . . . . . . . . . . . 4
+ 4. Articles of Password Policy . . . . . . . . . . . . . . . . . 4
+ 4.1. Password Usage Policy . . . . . . . . . . . . . . . . . . 4
+ 4.2. Password Modification Policy . . . . . . . . . . . . . . 6
+ 4.3. Restriction of the Password Policy . . . . . . . . . . . 8
+ 5. Schema used for Password Policy . . . . . . . . . . . . . . . 8
+ 5.1. The pwdPolicy Object Class . . . . . . . . . . . . . . . 9
+ 5.2. Attribute Types used in the pwdPolicy ObjectClass . . . . 9
+ 5.3. Attribute Types for Password Policy State Information . . 16
+ 6. Controls used for Password Policy . . . . . . . . . . . . . . 21
+ 6.1. Request Control . . . . . . . . . . . . . . . . . . . . . 21
+ 6.2. Response Control . . . . . . . . . . . . . . . . . . . . 21
+ 7. Policy Decision Points . . . . . . . . . . . . . . . . . . . 22
+ 7.1. Locked Account Check . . . . . . . . . . . . . . . . . . 22
+ 7.2. Password Must be Changed Now Check . . . . . . . . . . . 23
+ 7.3. Password Expiration Check . . . . . . . . . . . . . . . . 23
+ 7.4. Remaining Grace AuthN Check . . . . . . . . . . . . . . . 23
+ 7.5. Time Before Expiration Check . . . . . . . . . . . . . . 23
+ 7.6. Intruder Lockout Check . . . . . . . . . . . . . . . . . 24
+ 7.7. Intruder Delay Check . . . . . . . . . . . . . . . . . . 24
+ 7.8. Password Too Young Check . . . . . . . . . . . . . . . . 24
+ 8. Server Policy Enforcement Points . . . . . . . . . . . . . . 24
+ 8.1. Password-based Authentication . . . . . . . . . . . . . . 25
+ 8.2. Password Update Operations . . . . . . . . . . . . . . . 27
+ 8.3. Other Operations . . . . . . . . . . . . . . . . . . . . 31
+ 9. Client Policy Enforcement Points . . . . . . . . . . . . . . 31
+ 9.1. Bind Operation . . . . . . . . . . . . . . . . . . . . . 31
+ 9.2. Modify Operations . . . . . . . . . . . . . . . . . . . . 32
+ 9.3. Add Operation . . . . . . . . . . . . . . . . . . . . . . 33
+ 9.4. Compare Operation . . . . . . . . . . . . . . . . . . . . 33
+ 9.5. Other Operations . . . . . . . . . . . . . . . . . . . . 34
+ 10. Administration of the Password Policy . . . . . . . . . . . . 34
+ 11. Password Policy and Replication . . . . . . . . . . . . . . . 35
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . . 36
+ 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 2]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
+ 13.1. Object Identifiers . . . . . . . . . . . . . . . . . . . 37
+ 13.2. LDAP Protocol Mechanisms . . . . . . . . . . . . . . . . 37
+ 13.3. LDAP Descriptors . . . . . . . . . . . . . . . . . . . . 38
+ 13.4. LDAP AttributeDescription Options . . . . . . . . . . . 39
+ 14. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 40
+ 15. Normative References . . . . . . . . . . . . . . . . . . . . 40
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
+
1. Overview
LDAP-based directory services are currently accepted by many
kind of policy related to the password used to authenticate. Among
other things, this policy includes:
- o Whether and when passwords expire.
+ * Whether and when passwords expire.
- o Whether failed bind attempts cause the account to be locked.
+ * Whether failed bind attempts cause the account to be locked.
- o If and how users are able to change their passwords.
+ * If and how users are able to change their passwords.
In order to achieve greater security protection and ensure
interoperability in a heterogeneous environment, LDAP needs to
standardize on a common password policy model. This is critical to
the successful deployment of LDAP directories.
+2. Conventions
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+ All ASN.1 [X.680] Basic Encoding Rules (BER) [X.690] encodings follow
+ the conventions found in Section 5.1 of [RFC4511].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 4]
+Sermersheim, et al. Expires 19 August 2022 [Page 3]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
-2. Conventions
-
- Imperative keywords defined in [RFC2119] are used in this document,
- and carry the meanings described there.
+Internet-Draft Password Policy for LDAP Directories February 2022
- All ASN.1 [X.680] Basic Encoding Rules (BER) [X.690] encodings follow
- the conventions found in Section 5.1 of [RFC4511].
The term "password administrator" refers to a user that has
sufficient access control privileges to modify users' passwords. The
typically implies that the password administrator has 'write'
privileges to the password attribute.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 5]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
3. Application of Password Policy
The password policy defined in this document can be applied to any
This policy is typically applied to the userPassword attribute in the
case of the LDAP simple authentication method [RFC4511] or the case
- of password based SASL [RFC4422] authentication such as CRAM-MD5
- [RFC2195] and DIGEST-MD5 [RFC2831].
+ of password based SASL [RFC4422] authentication such as PLAIN
+ [RFC4616] and SCRAM-SHA-256 [RFC7677].
The policy described in this document assumes that the password
attribute holds a single value. No considerations are made for
directory administrator never expires; the account is never locked,
etc.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 6]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
4. Articles of Password Policy
The following sections explain in general terms each aspect of the
authenticate. The general focus of this policy is to minimize the
threat of intruders once a password is in use.
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 4]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
4.1.1. Password Validity Policy
These mechanisms allow account usage to be controlled independent of
authentication attempts, and take action when a limit is reached.
This policy consists of several parts:
- o A counter to track the number of failed authentication attempts.
+ * A counter to track the number of failed authentication attempts.
- o The amount of time to delay on the first authentication failure.
+ * The amount of time to delay on the first authentication failure.
- o The maximum amount of time to delay on subsequent failures.
+ * The maximum amount of time to delay on subsequent failures.
- o A timeframe in which the limit of consecutive failed
+ * A timeframe in which the limit of consecutive failed
authentication attempts must happen before action is taken.
- o A configurable limit on failed authentication attempts.
+ * A configurable limit on failed authentication attempts.
- o The action to be taken when the limit is reached. The action will
+ * The action to be taken when the limit is reached. The action will
either be nothing, or the account will be locked.
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 7]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
- o An amount of time the account is locked (if it is to be locked).
+ * An amount of time the account is locked (if it is to be locked).
This can be indefinite.
Note that using the account lock feature provides an easy avenue for
for constant multiplier, "^<int> for geometric. But it's probably
overkill to add a calculator language to the server.]
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 5]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
4.2. Password Modification Policy
This section describes policy enforced while users are modifying
locked out of their accounts. One or both of the following methods
handle this:
- o A warning may be returned to the user sometime before his password
+ * A warning may be returned to the user sometime before his password
is due to expire. If the user fails to heed this warning before
the expiration time, his account will be locked.
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 8]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
- o The user may bind to the directory a preset number of times after
+ * The user may bind to the directory a preset number of times after
her password has expired. If she fails to change her password
during one of her 'grace' authentications, her account will be
locked.
whenever the password is changed. Users aren't allowed to specify
any passwords that are in the history list while changing passwords.
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 6]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
4.2.3. Password Minimum Age
Users may circumvent the Password History mechanism by quickly
between password changes, they may be less likely to cycle through a
history of 10 passwords.
-4.2.4. Password Quality and Minimum length
+4.2.4. Password Quality and length constraints
In order to prevent users from creating or updating passwords that
are easy to guess, a password quality policy may be employed. This
Forcing a password to comply with the quality policy may imply a
variety of things including:
- o Disallowing trivial or well-known words make up the password.
+ * Disallowing trivial or well-known words make up the password.
- o Forcing a certain number of digits be used.
+ * Forcing a certain number of digits be used.
- o Disallowing anagrams of the user's name.
+ * Disallowing anagrams of the user's name.
The implementation of this policy meets with the following problems:
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 9]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
- o If the password to be added or updated is encrypted by the client
+ * If the password to be added or updated is encrypted by the client
before being sent, the server has no way of enforcing this policy.
Therefore, the onus of enforcing this policy falls upon client
implementations.
- o There are no specific definitions of what 'quality checking'
+ * There are no specific definitions of what 'quality checking'
means. This can lead to unexpected behavior in a heterogeneous
environment.
updating their own passwords. This policy makes this functionality
possible.
+
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 7]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
4.2.6. Password Change after Reset
This policy forces the user to update her password after it has been
is held in the user's entry, and applies to a password attribute, not
a particular password attribute value. Thus the server SHOULD
enforce that the password attribute subject to password policy,
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 10]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
contains one and only one password value.
+5. Schema used for Password Policy
+ The schema elements defined here fall into two general categories. A
+ password policy object class is defined which contains a set of
+ administrative password policy attributes, and a set of operational
+ attributes are defined that hold general password policy state
+ information for each user.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 11]
+Sermersheim, et al. Expires 19 August 2022 [Page 8]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
-5. Schema used for Password Policy
-
- The schema elements defined here fall into two general categories. A
- password policy object class is defined which contains a set of
- administrative password policy attributes, and a set of operational
- attributes are defined that hold general password policy state
- information for each user.
-
5.1. The pwdPolicy Object Class
This object class contains the attributes defining a password policy
modifications to the password. If this attribute is not present, 0
seconds is assumed.
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 12]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
-5.2.3. pwdMaxAge
- This attribute holds the number of seconds after which a modified
- password will expire.
- If this attribute is not present, or if the value is 0 the password
- does not expire. If not 0, the value must be greater than or equal
- to the value of the pwdMinAge.
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 9]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+5.2.3. pwdMaxAge
+
+ This attribute holds the number of seconds after which a modified
+ password will expire.
+
+ If this attribute is not present, or if the value is 0 the password
+ does not expire. If not 0, the value must be greater than or equal
+ to the value of the pwdMinAge.
( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
{TODO: Note that even though this is meant to be a check that happens
during password modification, it may also be allowed to happen during
authN. This is useful for situations where the password is encrypted
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 13]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
when modified, but decrypted when used to authN.}
This attribute indicates how the password quality will be verified
if the value is '0', quality checking will not be enforced. A value
of '1' indicates that the server will check the quality, and if the
server is unable to check it (due to a hashed password or other
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 10]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
reasons) it will be accepted. A value of '2' indicates that the
server will check the quality, and if the server is unable to verify
it, it will return an error refusing the password.
value of the pwdCheckQuality attribute, either accept the password
without checking it ('0' or '1') or refuse it ('2').
+ ( 1.3.6.1.4.1.42.2.27.8.1.31
+ NAME 'pwdMaxLength'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
-Sermersheim, et al. Expires January 19, 2015 [Page 14]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Sermersheim, et al. Expires 19 August 2022 [Page 11]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
- ( 1.3.6.1.4.1.42.2.27.8.1.31
- NAME 'pwdMaxLength'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
5.2.8. pwdExpireWarning
the value is 0, there is no time limit on the grace authentications.
( 1.3.6.1.4.1.42.2.27.8.1.30
- NAME 'pwdGraceExpiry'
+ NAME 'pwdGraceExpire'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
-Sermersheim, et al. Expires January 19, 2015 [Page 15]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
- SINGLE-VALUE )
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 12]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
5.2.11. pwdLockout
-Sermersheim, et al. Expires January 19, 2015 [Page 16]
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 13]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
5.2.14. pwdFailureCountInterval
-Sermersheim, et al. Expires January 19, 2015 [Page 17]
+Sermersheim, et al. Expires 19 August 2022 [Page 14]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
5.2.17. pwdSafeModify
pwdMinDelay is used as the starting time and is then doubled on each
failure until the delay time is greater than or equal to pwdMaxDelay
(or a successful authentication occurs, which resets the failure
- counter). pwdMinDelay must be specified if pwdMaxDelay is set.
+ counter). pwdMinDelay must be specified if pwdMaxDelay is set.
( 1.3.6.1.4.1.42.2.27.8.1.25
NAME 'pwdMaxDelay'
-Sermersheim, et al. Expires January 19, 2015 [Page 18]
+Sermersheim, et al. Expires 19 August 2022 [Page 15]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
( 1.3.6.1.4.1.42.2.27.8.1.26
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
+5.2.21. pwdMaxRecordedFailure
+
+ This attribute specifies the number of failures kept on record for
+ each user and should be equal to or higher than pwdMaxFailure. If
+ not set or is 0, it is deemed equal to pwdMaxFailure.
+
+ ( 1.3.6.1.4.1.42.2.27.8.1.32
+ NAME 'pwdMaxRecordedFailure'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE )
+
5.3. Attribute Types for Password Policy State Information
Password policy state information must be maintained for each user.
pwdChangedTime;pwd-userPassword: 20000103121520Z
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 16]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
This attribute option follows sub-typing semantics. If a client
requests a password policy state attribute to be returned in a search
operation, and does not specify an option, all subtypes of that
changed. This is used by the password expiration policy. If this
attribute does not exist, the password will never expire.
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 19]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
This attribute holds the timestamps of the consecutive authentication
failures.
+
+
+
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 17]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive authentication
of this attribute are transmitted in string format as given by the
following ABNF:
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 20]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
pwdHistory = time "#" syntaxOID "#" length "#" data
time = GeneralizedTime
NO-USER-MODIFICATION
USAGE directoryOperation )
+
+
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 18]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
5.3.6. pwdGraceUseTime
This attribute holds the timestamps of grace authentications after a
has been updated by the password administrator and must be changed by
the user.
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 21]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
( 1.3.6.1.4.1.42.2.27.8.1.22
NAME 'pwdReset'
DESC 'The indication that the password has been reset'
will fail. If this attribute does not exist, then no restriction
applies.
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 19]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
( 1.3.6.1.4.1.42.2.27.8.1.27
NAME 'pwdStartTime'
DESC 'The time the password becomes enabled'
time will fail, regardless of expiration or grace settings. If this
attribute does not exist, then this restriction does not apply.
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 22]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC 'The time the password becomes disabled'
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 23]
+Sermersheim, et al. Expires 19 August 2022 [Page 20]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
6. Controls used for Password Policy
insufficientPasswordQuality (5),
passwordTooShort (6),
passwordTooYoung (7),
- passwordInHistory (8) } OPTIONAL }
+ passwordInHistory (8),
+ passwordTooLong (9) } OPTIONAL }
- The timeBeforeExpiration warning specifies the number of seconds
-Sermersheim, et al. Expires January 19, 2015 [Page 24]
+Sermersheim, et al. Expires 19 August 2022 [Page 21]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
+ The timeBeforeExpiration warning specifies the number of seconds
before a password will expire. The graceAuthNsRemaining warning
specifies the remaining number of times a user will be allowed to
authenticate with an expired password. The passwordExpired error
include the timeBeforeExpiration warning and the changeAfterReset
error.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 25]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
7. Policy Decision Points
Following are a number of procedures used to make policy decisions.
A status of true is returned to indicate that the account is locked
if any of these conditions are met:
- o The value of the pwdAccountLockedTime attribute is 000001010000Z.
+ * The value of the pwdAccountLockedTime attribute is 000001010000Z.
- o The current time is less than the value of the pwdStartTime
+ * The current time is less than the value of the pwdStartTime
attribute.
- o The current time is greater than or equal to the value of the
+ * The current time is greater than or equal to the value of the
pwdEndTime attribute.
- o The current time is greater than or equal to the value of the
+ * The current time is greater than or equal to the value of the
pwdLastSuccess attribute added to the value of the pwdMaxIdle
- attribute.
+ attribute. If pwdLastSuccess attribute is not present,
+ pwdChangedTime value is used instead.
- o The current time is less than the value of the
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 22]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ * The current time is less than the value of the
pwdAccountLockedTime attribute added to the value of the
pwdLockoutDuration.
A status of true is returned to indicate that the password must be
changed if all of these conditions are met:
- o The pwdMustChange attribute is set to TRUE.
+ * The pwdMustChange attribute is set to TRUE.
- o The pwdReset attribute is set to TRUE.
+ * The pwdReset attribute is set to TRUE.
Otherwise a status of false is returned.
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 26]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
7.3. Password Expiration Check
A status of true is returned indicating that the password has expired
password's age is equal to or greater than the warning age, the value
of pwdMaxAge minus the password's age is returned.
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 23]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
7.6. Intruder Lockout Check
A status of true indicating that an intruder has been detected is
returned if the following conditions are met:
- o The pwdLockout attribute is TRUE.
+ * The pwdLockout attribute is TRUE.
- o The number of values in the pwdFailureTime attribute that are
+ * The number of values in the pwdFailureTime attribute that are
younger than pwdFailureCountInterval is greater or equal to the
pwdMaxFailure attribute.
While performing this check, values of pwdFailureTime that are old by
more than pwdFailureCountInterval are purged and not counted.
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 27]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
7.7. Intruder Delay Check
If the pwdMinDelay attribute is 0 or not set, zero is returned.
A status of true indicating that not enough time has passed since the
password was last updated is returned if:
- o The value of pwdMinAge is non-zero and pwdChangedTime is present.
+ * The value of pwdMinAge is non-zero and pwdChangedTime is present.
- o The value of pwdMinAge is greater than the current time minus the
+ * The value of pwdMinAge is greater than the current time minus the
value of pwdChangedTime.
Otherwise a false status is returned.
+8. Server Policy Enforcement Points
+ The server SHOULD enforce that the password attribute subject to a
+ password policy as defined in this document, contains one and only
+ one password value.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 28]
+Sermersheim, et al. Expires 19 August 2022 [Page 24]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
-8. Server Policy Enforcement Points
+Internet-Draft Password Policy for LDAP Directories February 2022
- The server SHOULD enforce that the password attribute subject to a
- password policy as defined in this document, contains one and only
- one password value.
Note: The case where a single password value is stored in multiple
formats simultaneously is still considered to be only one password
Delete the pwdFailureTime and pwdAccountLockedTime attributes.
+ Set the value of the pwdLastSuccess attribute to the current time.
+
+ Note: setting pwdLastSuccess is optional, but it is required if the
+ policy has pwdMaxIdle defined.
-Sermersheim, et al. Expires January 19, 2015 [Page 29]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
- Set the value of the pwdLastSuccess attribute to the current time.
+Sermersheim, et al. Expires 19 August 2022 [Page 25]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
- Note: setting pwdLastSuccess is optional, but it is required if the
- policy has pwdMaxIdle defined.
8.1.2.2. Password must be changed now
-Sermersheim, et al. Expires January 19, 2015 [Page 30]
+
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 26]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
8.1.2.4. Expiration Warning
-Sermersheim, et al. Expires January 19, 2015 [Page 31]
+Sermersheim, et al. Expires 19 August 2022 [Page 27]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
8.2.1. Safe Modification
-Sermersheim, et al. Expires January 19, 2015 [Page 32]
+Sermersheim, et al. Expires 19 August 2022 [Page 28]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+Internet-Draft Password Policy for LDAP Directories February 2022
8.2.5. Password Quality
Check the value of the pwdCheckQuality attribute. If the value is
non-zero, the server:
- o Ensure that the password meets the quality criteria enforced by
+ * Ensure that the password meets the quality criteria enforced by
the server. This enforcement is implementation specific. If the
server is unable to check the quality (due to a hashed password or
otherwise), the value of pwdCheckQuality is evaluated. If the
passwordPolicyResponse in the controls field of the response
message with the error: insufficientPasswordQuality (5).
- o checks the value of the pwdMinLength attribute. If the value is
+ * checks the value of the pwdMinLength attribute. If the value is
non-zero, it ensures that the new password is of at least the
minimum length.
passwordPolicyResponse in the controls field of the response
message with the error: passwordTooShort (6).
-8.2.6. Invalid Reuse
+ * checks the value of the pwdMaxLength attribute. If the value is
+ non-zero, it ensures that the new password is of at most the
+ maximum length.
- If pwdInHistory is present and its value is non-zero, the server
- checks whether this password exists in the entry's pwdHistory
- attribute or in the current password attribute. If the password does
- exist in the pwdHistory attribute or in the current password
- attribute, the server sends a response message to the client with the
- resultCode: constraintViolation (19), and includes the
- passwordPolicyResponse in the controls field of the response message
-Sermersheim, et al. Expires January 19, 2015 [Page 33]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
- with the error: passwordInHistory (8).
-8.2.7. Policy State Updates
- If the steps have completed without causing an error condition, the
- server performs the following steps in order to update the necessary
- password policy state attributes:
- If the value of either pwdMaxAge or pwdMinAge is non-zero and the
- change does not include a pwdChangedTime update already, the server
- updates the pwdChangedTime attribute on the entry to the current
- time.
+Sermersheim, et al. Expires 19 August 2022 [Page 29]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ If the server is unable to check the length (due to a hashed
+ password or otherwise), the value of pwdCheckQuality is evaluated.
+ If the value is 1, operation continues. If the value is 2, the
+ server sends a response message to the client with the resultCode:
+ constraintViolation (19), and includes the passwordPolicyResponse
+ in the controls field of the response message with the error:
+ passwordTooLong (9).
+
+ If the server is able to check the password length, and the check
+ fails, the server sends a response message to the client with the
+ resultCode: constraintViolation (19), and includes the
+ passwordPolicyResponse in the controls field of the response
+ message with the error: passwordTooLong (9).
+
+8.2.6. Invalid Reuse
+
+ If pwdInHistory is present and its value is non-zero, the server
+ checks whether this password exists in the entry's pwdHistory
+ attribute or in the current password attribute. If the password does
+ exist in the pwdHistory attribute or in the current password
+ attribute, the server sends a response message to the client with the
+ resultCode: constraintViolation (19), and includes the
+ passwordPolicyResponse in the controls field of the response message
+ with the error: passwordInHistory (8).
+
+8.2.7. Policy State Updates
+
+ If the steps have completed without causing an error condition, the
+ server performs the following steps in order to update the necessary
+ password policy state attributes:
+
+ If the value of either pwdMaxAge or pwdMinAge is non-zero and the
+ change does not include a pwdChangedTime update already, the server
+ updates the pwdChangedTime attribute on the entry to the current
+ time.
If the value of pwdInHistory is non-zero, the server adds the
previous password (if one existed) to the pwdHistory attribute. If
set to TRUE. Otherwise, the pwdReset is removed from the user's
entry if it exists.
- The pwdFailureTime and pwdGraceUseTime attributes is removed from the
- user's entry if they exist.
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 30]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ The pwdFailureTime, pwdGraceUseTime, pwdLastSuccess attributes are
+ removed from the user's entry if they exist.
8.3. Other Operations
passwordPolicyResponse in the controls field of the response message
with the error: changeAfterReset (2).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 34]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
9. Client Policy Enforcement Points
These sections illustrate possible scenarios for each LDAP operation
determine if any of the following conditions are true and MAY prompt
the user accordingly.
- o bindResponse.resultCode = insufficientAccessRights (50),
+ * bindResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = accountLocked (1): The password
failure limit has been reached and the account is locked. The
user needs to retry later or contact the password administrator to
reset the password.
- o bindResponse.resultCode = success (0),
+ * bindResponse.resultCode = success (0),
passwordPolicyResponse.error = changeAfterReset (2): The user is
binding for the first time after the password administrator set
the password. In this scenario, the client SHOULD prompt the user
to change his password immediately.
- o bindResponse.resultCode = success (0),
+ * bindResponse.resultCode = success (0),
passwordPolicyResponse.warning = graceAuthNsRemaining: The
password has expired but there are remaining grace
authentications. The user needs to change it.
- o bindResponse.resultCode = invalidCredentials (49),
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 31]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ * bindResponse.resultCode = invalidCredentials (49),
passwordPolicyResponse.error = passwordExpired (0): The password
has expired and there are no more grace authentications. The user
contacts the password administrator in order to have its password
reset.
- o bindResponse.resultCode = success (0),
+ * bindResponse.resultCode = success (0),
passwordPolicyResponse.warning = timeBeforeExpiration: The user's
password will expire in n number of seconds.
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 35]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
9.2. Modify Operations
9.2.1. Modify Request
determine if any of the following conditions are true and optionally
notify the user of the condition.
- o pwdModResponse.resultCode = insufficientAccessRights (50),
+ * pwdModResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = mustSupplyOldPassword (4): The user
attempted to change her password without specifying the old
password but the password policy requires this.
- o pwdModResponse.resultCode = insufficientAccessRights (50),
+ * pwdModResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = changeAfterReset (2): The user must
change her password before submitting any other LDAP requests.
- o pwdModResponse.resultCode = insufficientAccessRights (50),
+ * pwdModResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = passwordModNotAllowed (3): The user
doesn't have sufficient rights to change his password.
- o pwdModResponse.resultCode = constraintViolation (19),
+ * pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooYoung (7): It is too
soon after the last password modification to change the password.
- o pwdModResponse.resultCode = constraintViolation (19),
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 32]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ * pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = insufficientPasswordQuality (5):
The password failed quality checking.
- o pwdModResponse.resultCode = constraintViolation (19),
+ * pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooShort (6): The length of
the password is too short.
- o pwdModResponse.resultCode = constraintViolation (19),
+ * pwdModResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordInHistory (8): The password
has already been used; the user must choose a different one.
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 36]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
+ * pwdModResponse.resultCode = constraintViolation (19),
+ passwordPolicyResponse.error = passwordTooLong (9): The length of
+ the password is too long.
9.3. Add Operation
control to determine if any of the following conditions are true and
may prompt the user accordingly.
- o addResponse.resultCode = insufficientAccessRights (50),
+ * addResponse.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = passwordModNotAllowed (3): The user
doesn't have sufficient rights to add this password.
- o addResponse.resultCode = constraintViolation (19),
+ * addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = insufficientPasswordQuality (5):
The password failed quality checking.
- o addResponse.resultCode = constraintViolation (19),
+ * addResponse.resultCode = constraintViolation (19),
passwordPolicyResponse.error = passwordTooShort (6): The length of
the password is too short.
+ * addResponse.resultCode = constraintViolation (19),
+ passwordPolicyResponse.error = passwordTooLong (9): The length of
+ the password is too long.
+
9.4. Compare Operation
When a compare operation is used to compare a password, the client
conditions are true and MAY prompt the user accordingly. These
conditions assume that the result of the comparison was true.
- o compareResponse.resultCode = compareFalse (5),
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 33]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ * compareResponse.resultCode = compareFalse (5),
passwordPolicyResponse.error = accountLocked (1): The password
failure limit has been reached and the account is locked. The
user needs to retry later or contact the password administrator to
reset the password.
- o compareResponse.resultCode = compareTrue (6),
+ * compareResponse.resultCode = compareTrue (6),
passwordPolicyResponse.warning = graceAuthNsRemaining: The
password has expired but there are remaining grace
authentications. The user needs to change it.
- o compareResponse.resultCode = compareFalse (5),
+ * compareResponse.resultCode = compareFalse (5),
passwordPolicyResponse.error = passwordExpired (0): The password
has expired and there are no more grace authentications. The user
must contact the password administrator to reset the password.
- o compareResponse.resultCode = compareTrue (6),
+ * compareResponse.resultCode = compareTrue (6),
passwordPolicyResponse.warning = timeBeforeExpiration: The user's
password will expire in n number of seconds.
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 37]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
9.5. Other Operations
For operations other than bind, unbind, abandon or StartTLS, the
client checks the result code and control to determine if the user
needs to change the password immediately.
- o <Response>.resultCode = insufficientAccessRights (50),
+ * <Response>.resultCode = insufficientAccessRights (50),
passwordPolicyResponse.error = changeAfterReset (2) : The user
needs to change the password immediately.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 38]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
10. Administration of the Password Policy
{TODO: Need to define an administrativeRole (need OID). Need to
separate sub entries as long as they are contained under the same
LDAP subentry.
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 34]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
Only one policy may be in effect for a given password attribute in
any entry. If multiple policies exist which overlap in the range of
entries affected, the resulting behavior is undefined.
password policy for an object may interrogate the pwdPolicySubentry
for that object in order to arrive at the proper pwdPolicy subentry.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 39]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
11. Password Policy and Replication
{TODO: This section needs to be changed to highlight the pitfalls of
doesn't have to be replicated to a read-only replica, since the
password will never be directly modified on this server.
- The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
- attributes SHOULD be replicated to writable replicas, making the
- password policy global for all servers. When the user entry is
- replicated to a read-only replica, these attributes SHOULD NOT be
- replicated. This means that the number of failures, of grace
+ The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
+ pwdLastSuccess attributes SHOULD be replicated to writable replicas,
+ making the password policy global for all servers. When the user
+ entry is replicated to a read-only replica, these attributes SHOULD
+ NOT be replicated. This means that the number of failures, of grace
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 35]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
authentications and the locking will take place on each replicated
server. For example, the effective number of failed attempts on a
user password will be N x M (where N is the number of servers and M
the other. Servers SHOULD allow administrators to control which
attributes are replicated on a case-by-case basis.
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 40]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
Servers participating in a loosely consistent multi-master
replication agreement SHOULD employ a mechanism which ensures
uniqueness of values when populating the attributes pwdFailureTime
generation of unique time values, or may consist of the use of the
fractional seconds part to hold a replica identifier.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 41]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
12. Security Considerations
This document defines a set of rules to implement in an LDAP server,
Controls SHOULD be used to restrict the use of the pwdPolicy object
class or the LDAP subentry object class.
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 36]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
When the intruder detection password policy is enforced, the LDAP
directory is subject to a denial of service attack. A malicious user
could deliberately lock out one specific user's account (or all of
implementors are encouraged to invent other checks similar to this in
order to thwart this type of DoS attack.
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 42]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
13. IANA Considerations
In accordance with [RFC4520] the following registrations are
Person & email address to contact for further information:
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 37]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
Howard Chu <hyc@symas.com>
Usage: Control
Object Identifier: see table
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 43]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
Description: see table
Person & email address to contact for further information:
Comments:
- Name Type OID
- ----------------------- ---- ------------------------------
- pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1
- pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1
- pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2
- pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3
- pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4
- pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5
- pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6
- pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31
- pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7
- pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8
- pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30
- pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9
- pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10
- pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11
- pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12
- pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13
- pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14
- pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15
- pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24
- pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25
- pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26
- pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16
- pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17
- pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19
- pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20
- pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21
- pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22
- pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23
- pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27
- pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28
- pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29
-
-
-
-
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 44]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
- Legend
- --------------------
- A => Attribute Type
- O => Object Class
-
-13.4. LDAP AttributeDescription Options
- Registration of the AttributeDescription option specified in this
- document is requested.
- Subject: Request for LDAP Attribute Description Option
- Registration
- Option Name: pwd-
- Family of Options: YES
- Person & email address to contact for further information:
- Howard Chu <hyc@symas.com>
- Specification: (I-D) draft-behera-ldap-password-policy
- Author/Change Controller: IESG
- Comments:
- Used with policy state attributes to specify to which password
- attribute the state belongs.
+Sermersheim, et al. Expires 19 August 2022 [Page 38]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
+
+ Name Type OID
+ ----------------------- ---- ------------------------------
+ pwdPolicy O 1.3.6.1.4.1.42.2.27.8.2.1
+ pwdAttribute A 1.3.6.1.4.1.42.2.27.8.1.1
+ pwdMinAge A 1.3.6.1.4.1.42.2.27.8.1.2
+ pwdMaxAge A 1.3.6.1.4.1.42.2.27.8.1.3
+ pwdInHistory A 1.3.6.1.4.1.42.2.27.8.1.4
+ pwdCheckQuality A 1.3.6.1.4.1.42.2.27.8.1.5
+ pwdMinLength A 1.3.6.1.4.1.42.2.27.8.1.6
+ pwdMaxLength A 1.3.6.1.4.1.42.2.27.8.1.31
+ pwdExpireWarning A 1.3.6.1.4.1.42.2.27.8.1.7
+ pwdGraceAuthNLimit A 1.3.6.1.4.1.42.2.27.8.1.8
+ pwdGraceExpiry A 1.3.6.1.4.1.42.2.27.8.1.30
+ pwdLockout A 1.3.6.1.4.1.42.2.27.8.1.9
+ pwdLockoutDuration A 1.3.6.1.4.1.42.2.27.8.1.10
+ pwdMaxFailure A 1.3.6.1.4.1.42.2.27.8.1.11
+ pwdFailureCountInterval A 1.3.6.1.4.1.42.2.27.8.1.12
+ pwdMustChange A 1.3.6.1.4.1.42.2.27.8.1.13
+ pwdAllowUserChange A 1.3.6.1.4.1.42.2.27.8.1.14
+ pwdSafeModify A 1.3.6.1.4.1.42.2.27.8.1.15
+ pwdMinDelay A 1.3.6.1.4.1.42.2.27.8.1.24
+ pwdMaxDelay A 1.3.6.1.4.1.42.2.27.8.1.25
+ pwdMaxIdle A 1.3.6.1.4.1.42.2.27.8.1.26
+ pwdChangedTime A 1.3.6.1.4.1.42.2.27.8.1.16
+ pwdAccountLockedTime A 1.3.6.1.4.1.42.2.27.8.1.17
+ pwdFailureTime A 1.3.6.1.4.1.42.2.27.8.1.19
+ pwdHistory A 1.3.6.1.4.1.42.2.27.8.1.20
+ pwdGraceUseTime A 1.3.6.1.4.1.42.2.27.8.1.21
+ pwdReset A 1.3.6.1.4.1.42.2.27.8.1.22
+ pwdPolicySubEntry A 1.3.6.1.4.1.42.2.27.8.1.23
+ pwdStartTime A 1.3.6.1.4.1.42.2.27.8.1.27
+ pwdEndTime A 1.3.6.1.4.1.42.2.27.8.1.28
+ pwdLastSuccess A 1.3.6.1.4.1.42.2.27.8.1.29
+
+ Legend
+ --------------------
+ A => Attribute Type
+ O => Object Class
+13.4. LDAP AttributeDescription Options
+ Registration of the AttributeDescription option specified in this
+ document is requested.
+ Subject: Request for LDAP Attribute Description Option
+ Registration
+ Option Name: pwd-
+Sermersheim, et al. Expires 19 August 2022 [Page 39]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+ Family of Options: YES
+ Person & email address to contact for further information:
+ Howard Chu <hyc@symas.com>
+ Specification: (I-D) draft-behera-ldap-password-policy
+ Author/Change Controller: IESG
-Sermersheim, et al. Expires January 19, 2015 [Page 45]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
+ Comments:
+ Used with policy state attributes to specify to which password
+ attribute the state belongs.
14. Acknowledgement
This document is based in part on prior work done by Valerie Chu from
- Netscape Communications Corp, published as
- draft-vchu-ldap-pwd-policy-00.txt (December 1998). Prasanta Behera
- participated in early revisions of this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ Netscape Communications Corp, published as draft-vchu-ldap-pwd-
+ policy-00.txt (December 1998). Prasanta Behera participated in early
+ revisions of this document.
+15. Normative References
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+ [RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation",
+ RFC 3062, DOI 10.17487/RFC3062, February 2001,
+ <https://www.rfc-editor.org/info/rfc3062>.
+ [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
+ Access Protocol (LDAP)", RFC 3672, DOI 10.17487/RFC3672,
+ December 2003, <https://www.rfc-editor.org/info/rfc3672>.
+ [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
+ Authentication and Security Layer (SASL)", RFC 4422,
+ DOI 10.17487/RFC4422, June 2006,
+ <https://www.rfc-editor.org/info/rfc4422>.
+ [RFC4511] Sermersheim, J., Ed., "Lightweight Directory Access
+ Protocol (LDAP): The Protocol", RFC 4511,
+ DOI 10.17487/RFC4511, June 2006,
+ <https://www.rfc-editor.org/info/rfc4511>.
-Sermersheim, et al. Expires January 19, 2015 [Page 46]
+Sermersheim, et al. Expires 19 August 2022 [Page 40]
\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
-15. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
+Internet-Draft Password Policy for LDAP Directories February 2022
- [RFC2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP
- AUTHorize Extension for Simple Challenge/Response",
- RFC 2195, September 1997.
-
- [RFC2831] Leach, P. and C. Newman, "Using Digest Authentication as a
- SASL Mechanism", RFC 2831, May 2000.
-
- [RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation",
- RFC 3062, February 2001.
-
- [RFC3672] Zeilenga, K., "Subentries in the Lightweight Directory
- Access Protocol (LDAP)", RFC 3672, December 2003.
- [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
- Security Layer (SASL)", RFC 4422, June 2006.
-
- [RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol
- (LDAP): The Protocol", RFC 4511, June 2006.
-
- [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
+ [RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512,
- June 2006.
+ DOI 10.17487/RFC4512, June 2006,
+ <https://www.rfc-editor.org/info/rfc4512>.
- [RFC4513] Harrison, R., "Lightweight Directory Access Protocol
+ [RFC4513] Harrison, R., Ed., "Lightweight Directory Access Protocol
(LDAP): Authentication Methods and Security Mechanisms",
- RFC 4513, June 2006.
+ RFC 4513, DOI 10.17487/RFC4513, June 2006,
+ <https://www.rfc-editor.org/info/rfc4513>.
- [RFC4517] Legg, S., "Lightweight Directory Access Protocol (LDAP):
- Syntaxes and Matching Rules", RFC 4517, June 2006.
+ [RFC4517] Legg, S., Ed., "Lightweight Directory Access Protocol
+ (LDAP): Syntaxes and Matching Rules", RFC 4517,
+ DOI 10.17487/RFC4517, June 2006,
+ <https://www.rfc-editor.org/info/rfc4517>.
[RFC4520] Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
Considerations for the Lightweight Directory Access
- Protocol (LDAP)", BCP 64, RFC 4520, June 2006.
+ Protocol (LDAP)", BCP 64, RFC 4520, DOI 10.17487/RFC4520,
+ June 2006, <https://www.rfc-editor.org/info/rfc4520>.
+
+ [RFC4616] Zeilenga, K., Ed., "The PLAIN Simple Authentication and
+ Security Layer (SASL) Mechanism", RFC 4616,
+ DOI 10.17487/RFC4616, August 2006,
+ <https://www.rfc-editor.org/info/rfc4616>.
+
+ [RFC7677] Hansen, T., "SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple
+ Authentication and Security Layer (SASL) Mechanisms",
+ RFC 7677, DOI 10.17487/RFC7677, November 2015,
+ <https://www.rfc-editor.org/info/rfc7677>.
[X.680] International Telecommunications Union, "Abstract Syntax
Notation One (ASN.1): Specification of basic notation",
[X.690] International Telecommunications Union, "Information
Technology - ASN.1 encoding rules: Specification of Basic
- Encoding Rules (BER), Canonical Encoding Rules (CER) and
+ Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER)", ITU-T
Recommendation X.690, July 2002.
-
-
-Sermersheim, et al. Expires January 19, 2015 [Page 47]
-\f
-Internet-Draft Password Policy for LDAP Directories July 2014
-
-
Authors' Addresses
Jim Sermersheim
Novell, Inc
1800 South Novell Place
- Provo, Utah 84606
- US
+ Provo, Utah 84606
+ United States of America
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 41]
+\f
+Internet-Draft Password Policy for LDAP Directories February 2022
+
Phone: +1 801 861-3088
Email: jimse@novell.com
Ludovic Poitou
Sun Microsystems
180, Avenue de l'Europe
- Zirst de Montbonnot, Saint Ismier cedex 38334
- FR
+ 38334 Zirst de Montbonnot
+ France
Phone: +33 476 188 212
Email: ludovic.poitou@sun.com
Howard Chu (editor)
Symas Corp.
18740 Oxnard Street, Suite 313A
- Tarzana, California 91356
- US
+ Tarzana, California 91356
+ United States of America
Phone: +1 818 757-7087
Email: hyc@symas.com
+ Ondřej Kuzník (editor)
+ Symas Corp.
+ Email: okuznik@symas.com
-Sermersheim, et al. Expires January 19, 2015 [Page 48]
-\f
+
+
+
+
+
+Sermersheim, et al. Expires 19 August 2022 [Page 42]
projects / thirdparty / openldap.git / commitdiff
