From: Ondřej Kuzník Date: Thu, 24 Oct 2019 10:13:02 +0000 (+0100) Subject: ITS#9156 Move ppolicy schema into the module X-Git-Tag: OPENLDAP_REL_ENG_2_5_0ALPHA~63^2~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44191183be6a1e323eec6708fc8acfb9160d8188;p=thirdparty%2Fopenldap.git ITS#9156 Move ppolicy schema into the module
---
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 8653e9ce1e..549914e7f5 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -109,6 +109,15 @@ static AttributeDescription *ad_pwdChangedTime, *ad_pwdAccountLockedTime, *ad_pwdFailureTime, *ad_pwdHistory, *ad_pwdGraceUseTime, *ad_pwdReset, *ad_pwdPolicySubentry;
+/* Policy attributes */
+static AttributeDescription *ad_pwdMinAge, *ad_pwdMaxAge, *ad_pwdMaxIdle,
+ *ad_pwdInHistory, *ad_pwdCheckQuality, *ad_pwdMinLength,
+ *ad_pwdMaxFailure, *ad_pwdGraceExpiry, *ad_pwdGraceAuthNLimit,
+ *ad_pwdExpireWarning, *ad_pwdLockoutDuration, *ad_pwdFailureCountInterval,
+ *ad_pwdCheckModule, *ad_pwdLockout, *ad_pwdMustChange,
+ *ad_pwdAllowUserChange, *ad_pwdSafeModify, *ad_pwdAttribute,
+ *ad_pwdMaxRecordedFailure;
+
 static struct schema_info { char *def; AttributeDescription **ad;
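Review bot: `ad_pwdMaxIdle` and `ad_pwdGraceExpiry` are declared in the new static block, but nothing on this page assigns them: neither the new `pwd_schema` entries in the next hunk nor the removed `pwd_UsSchema` table has a `pwdMaxIdle` or `pwdGraceExpiry` definition, so both pointers stay NULL and any later dereference such as `ad_pwdMaxIdle->ad_type` would crash. Unless a follow-up commit in this series adds the matching `{ "( OID-PLACEHOLDER NAME ( 'pwdMaxIdle' ) ... )", &ad_pwdMaxIdle }` table entries, the two names should be dropped from this declaration so that a reader does not assume the attributes are supported. The enclosing `pwd_schema` table and the rest of the declarations continue past this hunk.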
@@ -175,38 +184,141 @@ static struct schema_info {
 #endif
 "USAGE directoryOperation )", &ad_pwdPolicySubentry },
+
+ { "( 1.3.6.1.4.1.42.2.27.8.1.1 "
+ "NAME ( 'pwdAttribute' ) "
+ "EQUALITY objectIdentifierMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
+ &ad_pwdAttribute },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.2 "
+ "NAME ( 'pwdMinAge' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMinAge },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.3 "
+ "NAME ( 'pwdMaxAge' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMaxAge },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.4 "
+ "NAME ( 'pwdInHistory' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdInHistory },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.5 "
+ "NAME ( 'pwdCheckQuality' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdCheckQuality },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.6 "
+ "NAME ( 'pwdMinLength' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMinLength },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.7 "
+ "NAME ( 'pwdExpireWarning' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdExpireWarning },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.8 "
+ "NAME ( 'pwdGraceAuthNLimit' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdGraceAuthNLimit },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.9 "
+ "NAME ( 'pwdLockout' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdLockout },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.10 "
+ "NAME ( 
'pwdLockoutDuration' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdLockoutDuration },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.11 "
+ "NAME ( 'pwdMaxFailure' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMaxFailure },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.12 "
+ "NAME ( 'pwdFailureCountInterval' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdFailureCountInterval },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.13 "
+ "NAME ( 'pwdMustChange' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdMustChange },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.14 "
+ "NAME ( 'pwdAllowUserChange' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdAllowUserChange },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.15 "
+ "NAME ( 'pwdSafeModify' ) "
+ "EQUALITY booleanMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
+ "SINGLE-VALUE )",
+ &ad_pwdSafeModify },
+ { "( 1.3.6.1.4.1.42.2.27.8.1.32 "
+ "NAME ( 'pwdMaxRecordedFailure' ) "
+ "EQUALITY integerMatch "
+ "ORDERING integerOrderingMatch "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 "
+ "SINGLE-VALUE )",
+ &ad_pwdMaxRecordedFailure },
+ { "( 1.3.6.1.4.1.4754.1.99.1 "
+ "NAME ( 'pwdCheckModule' ) "
+ "EQUALITY caseExactIA5Match "
+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 "
+ "DESC 'Loadable module that instantiates check_password() function' "
+ "SINGLE-VALUE )",
+ &ad_pwdCheckModule },
+ { NULL, NULL }
 };
-/* User attributes */
-static AttributeDescription *ad_pwdMinAge, *ad_pwdMaxAge, *ad_pwdInHistory,
- *ad_pwdCheckQuality, *ad_pwdMinLength, *ad_pwdMaxFailure,
- *ad_pwdGraceAuthNLimit, *ad_pwdExpireWarning, *ad_pwdLockoutDuration,
- *ad_pwdFailureCountInterval, *ad_pwdCheckModule, *ad_pwdLockout,
- *ad_pwdMustChange, 
*ad_pwdAllowUserChange, *ad_pwdSafeModify,
- *ad_pwdAttribute, *ad_pwdMaxRecordedFailure;
-
-#define TAB(name) { #name, &ad_##name }
-
-static struct schema_info pwd_UsSchema[] = {
- TAB(pwdAttribute),
- TAB(pwdMinAge),
- TAB(pwdMaxAge),
- TAB(pwdInHistory),
- TAB(pwdCheckQuality),
- TAB(pwdMinLength),
- TAB(pwdMaxFailure),
- TAB(pwdMaxRecordedFailure),
- TAB(pwdGraceAuthNLimit),
- TAB(pwdExpireWarning),
- TAB(pwdLockout),
- TAB(pwdLockoutDuration),
- TAB(pwdFailureCountInterval),
- TAB(pwdCheckModule),
- TAB(pwdMustChange),
- TAB(pwdAllowUserChange),
- TAB(pwdSafeModify),
- { NULL, NULL }
+static char *pwd_ocs[] = {
+ "( 1.3.6.1.4.1.4754.2.99.1 "
+ "NAME 'pwdPolicyChecker' "
+ "SUP top "
+ "AUXILIARY "
+ "MAY ( pwdCheckModule )" ,
+ "( 1.3.6.1.4.1.42.2.27.8.2.1 "
+ "NAME 'pwdPolicy' "
+ "SUP top "
+ "AUXILIARY "
+ "MUST ( pwdAttribute ) "
+ "MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ "
+ "pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ "
+ "pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ "
+ "pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ "
+ "pwdMaxRecordedFailure ) )",
+ NULL
 }; static ldap_pvt_thread_mutex_t chk_syntax_mutex;
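Review bot: The `pwdMaxRecordedFailure` entry is registered under OID `1.3.6.1.4.1.42.2.27.8.1.32`, while the `ppolicy.schema` and `ppolicy.ldif` files deleted by this same commit defined it as `1.3.6.1.4.1.42.2.27.8.1.30`, and the commit message describes a move of the schema, not a change to it. A server built from this code would advertise a different OID for the same attribute than a replica or a schema-aware client still carrying the old files, which can break attribute matching by OID between peers; if the renumbering is intentional it needs to be stated in the commit message, otherwise the line should read `{ "( 1.3.6.1.4.1.42.2.27.8.1.30 "`. The `pwd_schema` table this entry belongs to begins before this hunk.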
@@ -2397,39 +2509,6 @@ ppolicy_db_init( return 1; }
- /* Has User Schema been initialized yet? */
- if ( !pwd_UsSchema[0].ad[0] ) {
- const char *err;
- int i, code;
-
- for (i=0; pwd_UsSchema[i].def; i++) {
- code = slap_str2ad( pwd_UsSchema[i].def, pwd_UsSchema[i].ad, &err );
- if ( code ) {
- if ( cr ){
- snprintf( cr->msg, sizeof(cr->msg),
- "User Schema load failed for attribute \"%s\". Error code %d: %s",
- pwd_UsSchema[i].def, code, err );
- Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg );
- }
- return code;
- }
- }
- {
- Syntax *syn;
- MatchingRule *mr;
-
- syn = ch_malloc( sizeof( Syntax ));
- *syn = *ad_pwdAttribute->ad_type->sat_syntax;
- syn->ssyn_pretty = attrPretty;
- ad_pwdAttribute->ad_type->sat_syntax = syn;
-
- mr = ch_malloc( sizeof( MatchingRule ));
- *mr = *ad_pwdAttribute->ad_type->sat_equality;
- mr->smr_normalize = attrNormalize;
- ad_pwdAttribute->ad_type->sat_equality = mr;
- }
- }
-
 on->on_bi.bi_private = ch_calloc( sizeof(pp_info), 1 ); if ( !pwcons ) {
@@ -2512,6 +2591,29 @@ int ppolicy_initialize() SLAP_AT_MANAGEABLE; } }
+ {
+ Syntax *syn;
+ MatchingRule *mr;
+
+ syn = ch_malloc( sizeof( Syntax ));
+ *syn = *ad_pwdAttribute->ad_type->sat_syntax;
+ syn->ssyn_pretty = attrPretty;
+ ad_pwdAttribute->ad_type->sat_syntax = syn;
+
+ mr = ch_malloc( sizeof( MatchingRule ));
+ *mr = *ad_pwdAttribute->ad_type->sat_equality;
+ mr->smr_normalize = attrNormalize;
+ ad_pwdAttribute->ad_type->sat_equality = mr;
+ }
+
+ for (i=0; pwd_ocs[i]; i++) {
+ code = register_oc( pwd_ocs[i], NULL, 0 );
+ if ( code ) {
+ Debug( LDAP_DEBUG_ANY, "ppolicy_initialize: "
+ "register_oc failed\n" );
+ return code;
+ }
+ }
 code = register_supported_control( LDAP_CONTROL_PASSWORDPOLICYREQUEST, SLAP_CTRL_ADD|SLAP_CTRL_BIND|SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE, extops,
diff --git a/servers/slapd/schema/ppolicy.ldif b/servers/slapd/schema/ppolicy.ldif
deleted file mode 100644
index 891f7cf334..0000000000
--- a/servers/slapd/schema/ppolicy.ldif
+++ /dev/null
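Review bot: The `register_oc` failure path in the `ppolicy_initialize` hunk logs only `"register_oc failed\n"`, so an operator cannot tell which of the two objectclasses in `pwd_ocs` was rejected or why, whereas the per-attribute error this commit removes from `ppolicy_db_init` did include the offending definition; suggest `Debug( LDAP_DEBUG_ANY, "ppolicy_initialize: register_oc failed for \"%s\"\n", pwd_ocs[i] );`, which matches the varargs `Debug` usage already on this page. A second, operational point: these attribute types and objectclasses are now registered unconditionally at module load with the third `register_oc` argument set to 0, so a deployment that still includes the deleted `ppolicy.schema` or carries a `cn={N}ppolicy,cn=schema,cn=config` entry from the deleted LDIF will presumably fail at startup with duplicate schema definitions after upgrading — that deserves a line in the commit message or release notes, and a comment above the loop such as `/* ppolicy schema is now built in; an external ppolicy.schema include will collide with it */`. `i` and `code` appear to be reused from the attribute-registration loop above, and `ppolicy_initialize` starts outside this hunk.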
@@ -1,87 +0,0 @@
-# $OpenLDAP$
-## This work is part of OpenLDAP Software .
-##
-## Copyright 2004-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## .
-#
-## Portions Copyright (C) The Internet Society (2004).
-## Please see full copyright statement below.
-#
-# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
-# Password Policy for LDAP Directories
-# With extensions from Hewlett-Packard:
-# pwdCheckModule etc.
-#
-# Contents of this file are subject to change (including deletion)
-# without notice.
-#
-# Not recommended for production use!
-# Use with extreme caution!
-#
-# This file was automatically generated from ppolicy.schema; see that file
-# for complete references. 
-#
-dn: cn=ppolicy,cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: ppolicy
-olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
- objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
- tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
- tegerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY
- integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
- .27 SINGLE-VALUE )
-olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUAL
- ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
- 1.1.27 SINGLE-VALUE )
-olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY
- integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
- 1.27 SINGLE-VALUE )
-olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUA
- LITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115. 
- 121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQ
- UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11
- 5.121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY b
- ooleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' E
- QUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1
- 15.121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUAL
- ITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1
- 21.1.27 SINGLE-VALUE )
-olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInter
- val' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
- 1466.115.121.1.27 SINGLE-VALUE )
-olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUAL
- ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange'
- EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUAL
- ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'L
- oadable module that instantiates "check_password() function' EQUALITY caseExa
- ctIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
- e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1. 
- 1466.115.121.1.27 SINGLE-VALUE )
-olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top
- AUXILIARY MAY pwdCheckModule )
-olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
- LIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheck
- Quality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
- pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange
- $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
diff --git a/servers/slapd/schema/ppolicy.schema b/servers/slapd/schema/ppolicy.schema
deleted file mode 100644
index 8f6b0221cf..0000000000
--- a/servers/slapd/schema/ppolicy.schema
+++ /dev/null
@@ -1,556 +0,0 @@
-# $OpenLDAP$
-## This work is part of OpenLDAP Software .
-##
-## Copyright 2004-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## .
-#
-## Portions Copyright (C) The Internet Society (2004).
-## Please see full copyright statement below.
-
-# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
-# Password Policy for LDAP Directories
-# With extensions from Hewlett-Packard:
-# pwdCheckModule etc.
-
-# Contents of this file are subject to change (including deletion)
-# without notice.
-#
-# Not recommended for production use!
-# Use with extreme caution!
-
-#Network Working Group J. Sermersheim
-#Internet-Draft Novell, Inc
-#Expires: April 24, 2005 L. Poitou
-# Sun Microsystems
-# October 24, 2004
-#
-#
-# Password Policy for LDAP Directories
-# draft-behera-ldap-password-policy-08.txt
-#
-#Status of this Memo
-#
-# This document is an Internet-Draft and is subject to all provisions
-# of section 3 of RFC 3667. By submitting this Internet-Draft, each
-# author represents that any applicable patent or other IPR claims of
-# which he or she is aware have been or will be disclosed, and any of
-# which he or she become aware will be disclosed, in accordance with
-# RFC 3668.
-#
-# Internet-Drafts are working documents of the Internet Engineering
-# Task Force (IETF), its areas, and its working groups. Note that
-# other groups may also distribute working documents as
-# Internet-Drafts.
-#
-# Internet-Drafts are draft documents valid for a maximum of six months
-# and may be updated, replaced, or obsoleted by other documents at any
-# time. 
It is inappropriate to use Internet-Drafts as reference
-# material or to cite them other than as "work in progress."
-#
-# The list of current Internet-Drafts can be accessed at
-# http://www.ietf.org/ietf/1id-abstracts.txt.
-#
-# The list of Internet-Draft Shadow Directories can be accessed at
-# http://www.ietf.org/shadow.html.
-#
-# This Internet-Draft will expire on April 24, 2005.
-#
-#Copyright Notice
-#
-# Copyright (C) The Internet Society (2004).
-#
-#Abstract
-#
-# Password policy as described in this document is a set of rules that
-# controls how passwords are used and administered in Lightweight
-# Directory Access Protocol (LDAP) based directories. In order to
-# improve the security of LDAP directories and make it difficult for
-# password cracking programs to break into directories, it is desirable
-# to enforce a set of rules on password usage. These rules are made to
-#
-# [trimmed]
-#
-#5. Schema used for Password Policy
-#
-# The schema elements defined here fall into two general categories. A
-# password policy object class is defined which contains a set of
-# administrative password policy attributes, and a set of operational
-# attributes are defined that hold general password policy state
-# information for each user.
-#
-#5.2 Attribute Types used in the pwdPolicy ObjectClass
-#
-# Following are the attribute types used by the pwdPolicy object class.
-#
-#5.2.1 pwdAttribute
-#
-# This holds the name of the attribute to which the password policy is
-# applied. For example, the password policy may be applied to the
-# userPassword attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
- NAME 'pwdAttribute'
- EQUALITY objectIdentifierMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
-
-#5.2.2 pwdMinAge
-#
-# This attribute holds the number of seconds that must elapse between
-# modifications to the password. If this attribute is not present, 0
-# seconds is assumed. 
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
- NAME 'pwdMinAge'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.3 pwdMaxAge
-#
-# This attribute holds the number of seconds after which a modified
-# password will expire.
-#
-# If this attribute is not present, or if the value is 0 the password
-# does not expire. If not 0, the value must be greater than or equal
-# to the value of the pwdMinAge.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
- NAME 'pwdMaxAge'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.4 pwdInHistory
-#
-# This attribute specifies the maximum number of used passwords stored
-# in the pwdHistory attribute.
-#
-# If this attribute is not present, or if the value is 0, used
-# passwords are not stored in the pwdHistory attribute and thus may be
-# reused.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
- NAME 'pwdInHistory'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.5 pwdCheckQuality
-#
-# {TODO: Consider changing the syntax to OID. Each OID will list a
-# quality rule (like min len, # of special characters, etc). These
-# rules can be specified outsid ethis document.}
-#
-# {TODO: Note that even though this is meant to be a check that happens
-# during password modification, it may also be allowed to happen during
-# authN. This is useful for situations where the password is encrypted
-# when modified, but decrypted when used to authN.}
-#
-# This attribute indicates how the password quality will be verified
-# while being modified or added. If this attribute is not present, or
-# if the value is '0', quality checking will not be enforced. A value
-# of '1' indicates that the server will check the quality, and if the
-# server is unable to check it (due to a hashed password or other
-# reasons) it will be accepted. 
A value of '2' indicates that the
-# server will check the quality, and if the server is unable to verify
-# it, it will return an error refusing the password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
- NAME 'pwdCheckQuality'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.6 pwdMinLength
-#
-# When quality checking is enabled, this attribute holds the minimum
-# number of characters that must be used in a password. If this
-# attribute is not present, no minimum password length will be
-# enforced. If the server is unable to check the length (due to a
-# hashed password or otherwise), the server will, depending on the
-# value of the pwdCheckQuality attribute, either accept the password
-# without checking it ('0' or '1') or refuse it ('2').
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
- NAME 'pwdMinLength'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.7 pwdExpireWarning
-#
-# This attribute specifies the maximum number of seconds before a
-# password is due to expire that expiration warning messages will be
-# returned to an authenticating user.
-#
-# If this attribute is not present, or if the value is 0 no warnings
-# will be returned. If not 0, the value must be smaller than the value
-# of the pwdMaxAge attribute.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
- NAME 'pwdExpireWarning'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.8 pwdGraceAuthNLimit
-#
-# This attribute specifies the number of times an expired password can
-# be used to authenticate. If this attribute is not present or if the
-# value is 0, authentication will fail. 
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
- NAME 'pwdGraceAuthNLimit'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.9 pwdLockout
-#
-# This attribute indicates, when its value is "TRUE", that the password
-# may not be used to authenticate after a specified number of
-# consecutive failed bind attempts. The maximum number of consecutive
-# failed bind attempts is specified in pwdMaxFailure.
-#
-# If this attribute is not present, or if the value is "FALSE", the
-# password may be used to authenticate when the number of failed bind
-# attempts has been reached.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
- NAME 'pwdLockout'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#5.2.10 pwdLockoutDuration
-#
-# This attribute holds the number of seconds that the password cannot
-# be used to authenticate due to too many failed bind attempts. If
-# this attribute is not present, or if the value is 0 the password
-# cannot be used to authenticate until reset by a password
-# administrator.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
- NAME 'pwdLockoutDuration'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.11 pwdMaxFailure
-#
-# This attribute specifies the number of consecutive failed bind
-# attempts after which the password may not be used to authenticate.
-# If this attribute is not present, or if the value is 0, this policy
-# is not checked, and the value of pwdLockout will be ignored.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
- NAME 'pwdMaxFailure'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.12 pwdFailureCountInterval
-#
-# This attribute holds the number of seconds after which the password
-# failures are purged from the failure counter, even though no
-# successful authentication occurred. 
-#
-# If this attribute is not present, or if its value is 0, the failure
-# counter is only reset by a successful authentication.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
- NAME 'pwdFailureCountInterval'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-#5.2.13 pwdMustChange
-#
-# This attribute specifies with a value of "TRUE" that users must
-# change their passwords when they first bind to the directory after a
-# password is set or reset by a password administrator. If this
-# attribute is not present, or if the value is "FALSE", users are not
-# required to change their password upon binding after the password
-# administrator sets or resets the password. This attribute is not set
-# due to any actions specified by this document, it is typically set by
-# a password administrator after resetting a user's password.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
- NAME 'pwdMustChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#5.2.14 pwdAllowUserChange
-#
-# This attribute indicates whether users can change their own
-# passwords, although the change operation is still subject to access
-# control. If this attribute is not present, a value of "TRUE" is
-# assumed. This attribute is intended to be used in the absence of an
-# access control mechanism.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
- NAME 'pwdAllowUserChange'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#5.2.15 pwdSafeModify
-#
-# This attribute specifies whether or not the existing password must be
-# sent along with the new password when being changed. If this
-# attribute is not present, a "FALSE" value is assumed. 
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
- NAME 'pwdSafeModify'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
- SINGLE-VALUE )
-
-#ITS#8185 pwdMaxRecordedFailure
-#
-# This attribute specifies the maximum number of consecutive failed bind
-# attempts to record. If this attribute is not present, or if the value
-# is 0, it defaults to the value of pwdMaxFailure. If that value is also
-# 0, this value defaults to 5.
-
-attributetype ( 1.3.6.1.4.1.42.2.27.8.1.30
- NAME 'pwdMaxRecordedFailure'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
- SINGLE-VALUE )
-
-# HP extensions
-#
-# pwdCheckModule
-#
-# This attribute names a user-defined loadable module that provides
-# a check_password() function. If pwdCheckQuality is set to '1' or '2'
-# this function will be called after all of the internal password
-# quality checks have been passed. The function has this prototype:
-#
-# int check_password( char *password, char **errormessage, void *arg )
-#
-# The function should return LDAP_SUCCESS for a valid password.
-
-attributetype ( 1.3.6.1.4.1.4754.1.99.1
- NAME 'pwdCheckModule'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
- DESC 'Loadable module that instantiates check_password() function'
- SINGLE-VALUE )
-
-objectclass ( 1.3.6.1.4.1.4754.2.99.1
- NAME 'pwdPolicyChecker'
- SUP top
- AUXILIARY
- MAY ( pwdCheckModule ) )
-
-#5.1 The pwdPolicy Object Class
-#
-# This object class contains the attributes defining a password policy
-# in effect for a set of users. Section 10 describes the
-# administration of this object, and the relationship between it and
-# particular objects. 
-#
-objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
- NAME 'pwdPolicy'
- SUP top
- AUXILIARY
- MUST ( pwdAttribute )
- MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
- pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
- $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
- pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
- pwdMaxRecordedFailure ) )
-
-#5.3 Attribute Types for Password Policy State Information
-#
-# Password policy state information must be maintained for each user.
-# The information is located in each user entry as a set of operational
-# attributes. These operational attributes are: pwdChangedTime,
-# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
-# pwdReset, pwdPolicySubEntry.
-#
-#5.3.1 Password Policy State Attribute Option
-#
-# Since the password policy could apply to several attributes used to
-# store passwords, each of the above operational attributes must have
-# an option to specify which pwdAttribute it applies to. The password
-# policy option is defined as the following:
-#
-# pwd-
-#
-# where passwordAttribute a string following the OID syntax
-# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
-# (short name) MUST be used.
-#
-# For example, if the pwdPolicy object has for pwdAttribute
-# "userPassword" then the pwdChangedTime operational attribute, in a
-# user entry, will be:
-#
-# pwdChangedTime;pwd-userPassword: 20000103121520Z
-#
-# This attribute option follows sub-typing semantics. If a client
-# requests a password policy state attribute to be returned in a search
-# operation, and does not specify an option, all subtypes of that
-# policy state attribute are returned.
-#
-#5.3.2 pwdChangedTime
-#
-# This attribute specifies the last time the entry's password was
-# changed. This is used by the password expiration policy. If this
-# attribute does not exist, the password will never expire. 
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.16
-# NAME 'pwdChangedTime'
-# DESC 'The time the password was last changed'
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#5.3.3 pwdAccountLockedTime
-#
-# This attribute holds the time that the user's account was locked. A
-# locked account means that the password may no longer be used to
-# authenticate. A 000001010000Z value means that the account has been
-# locked permanently, and that only a password administrator can unlock
-# the account.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.17
-# NAME 'pwdAccountLockedTime'
-# DESC 'The time an user account was locked'
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#5.3.4 pwdFailureTime
-#
-# This attribute holds the timestamps of the consecutive authentication
-# failures.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.19
-# NAME 'pwdFailureTime'
-# DESC 'The timestamps of the last consecutive authentication
-# failures'
-# EQUALITY generalizedTimeMatch
-# ORDERING generalizedTimeOrderingMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-# USAGE directoryOperation )
-#
-#5.3.5 pwdHistory
-#
-# This attribute holds a history of previously used passwords. Values
-# of this attribute are transmitted in string format as given by the
-# following ABNF:
-#
-# pwdHistory = time "#" syntaxOID "#" length "#" data
-#
-# time =
-#
-# syntaxOID = numericoid ; the string representation of the
-# ; dotted-decimal OID that defines the
-# ; syntax used to store the password.
-# ; numericoid is described in 4.1
-# ; of [RFC2252].
-#
-# length = numericstring ; the number of octets in data.
-# ; numericstring is described in 4.1
-# ; of [RFC2252].
-#
-# data = .
-#
-# This format allows the server to store, and transmit a history of
-# passwords that have been used. 
In order for equality matching to
-# function properly, the time field needs to adhere to a consistent
-# format. For this purpose, the time field MUST be in GMT format.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.20
-# NAME 'pwdHistory'
-# DESC 'The history of user s passwords'
-# EQUALITY octetStringMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
-# USAGE directoryOperation )
-#
-#5.3.6 pwdGraceUseTime
-#
-# This attribute holds the timestamps of grace authentications after a
-# password has expired.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.21
-# NAME 'pwdGraceUseTime'
-# DESC 'The timestamps of the grace authentication after the
-# password has expired'
-# EQUALITY generalizedTimeMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
-#
-#5.3.7 pwdReset
-#
-# This attribute holds a flag to indicate (when TRUE) that the password
-# has been updated by the password administrator and must be changed by
-# the user on first authentication.
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.22
-# NAME 'pwdReset'
-# DESC 'The indication that the password has been reset'
-# EQUALITY booleanMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#5.3.8 pwdPolicySubentry
-#
-# This attribute points to the pwdPolicy subentry in effect for this
-# object. 
-#
-# ( 1.3.6.1.4.1.42.2.27.8.1.23
-# NAME 'pwdPolicySubentry'
-# DESC 'The pwdPolicy subentry in effect for this object'
-# EQUALITY distinguishedNameMatch
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
-# SINGLE-VALUE
-# USAGE directoryOperation )
-#
-#
-#Disclaimer of Validity
-#
-# This document and the information contained herein are provided on an
-# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-#
-#
-#Copyright Statement
-#
-# Copyright (C) The Internet Society (2004). This document is subject
-# to the rights, licenses and restrictions contained in BCP 78, and
-# except as set forth therein, the authors retain all their rights.
-
diff --git a/tests/data/regressions/its4448/slapd-meta.conf b/tests/data/regressions/its4448/slapd-meta.conf
index ac86f68ecb..68ee6ffb82 100644
--- a/tests/data/regressions/its4448/slapd-meta.conf
+++ b/tests/data/regressions/its4448/slapd-meta.conf
@@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema
-include @SCHEMADIR@/ppolicy.schema
 pidfile @TESTDIR@/slapd.m.pid argsfile @TESTDIR@/slapd.m.args
diff --git a/tests/data/regressions/its8800/slapd-provider1.ldif b/tests/data/regressions/its8800/slapd-provider1.ldif
index 6bf0b843e7..3a6cd6c8a4 100644
--- a/tests/data/regressions/its8800/slapd-provider1.ldif
+++ b/tests/data/regressions/its8800/slapd-provider1.ldif
@@ -16,7 +16,6 @@ include: file://@TESTWD@/@SCHEMADIR@/cosine.ldif include: file://@TESTWD@/@SCHEMADIR@/inetorgperson.ldif include: file://@TESTWD@/@SCHEMADIR@/misc.ldif include: file://@TESTWD@/@SCHEMADIR@/nis.ldif -include: file://@TESTWD@/@SCHEMADIR@/ppolicy.ldif #mod#dn: cn=module{0},cn=config #mod#objectClass: olcModuleList diff --git a/tests/data/regressions/its8800/slapd-provider2.ldif b/tests/data/regressions/its8800/slapd-provider2.ldif index 3de1333763..c453cd4454 100644 --- a/tests/data/regressions/its8800/slapd-provider2.ldif +++ b/tests/data/regressions/its8800/slapd-provider2.ldif @@ -16,7 +16,6 @@ include: file://@TESTWD@/@SCHEMADIR@/cosine.ldif include: file://@TESTWD@/@SCHEMADIR@/inetorgperson.ldif include: file://@TESTWD@/@SCHEMADIR@/misc.ldif include: file://@TESTWD@/@SCHEMADIR@/nis.ldif -include: file://@TESTWD@/@SCHEMADIR@/ppolicy.ldif #mod#dn: cn=module{0},cn=config #mod#objectClass: olcModuleList diff --git a/tests/data/regressions/its8800/slapd-provider3.ldif b/tests/data/regressions/its8800/slapd-provider3.ldif index ceb90794f7..c29363a18e 100644 --- a/tests/data/regressions/its8800/slapd-provider3.ldif +++ b/tests/data/regressions/its8800/slapd-provider3.ldif @@ -16,7 +16,6 @@ include: file://@TESTWD@/@SCHEMADIR@/cosine.ldif include: file://@TESTWD@/@SCHEMADIR@/inetorgperson.ldif include: file://@TESTWD@/@SCHEMADIR@/misc.ldif include: file://@TESTWD@/@SCHEMADIR@/nis.ldif -include: file://@TESTWD@/@SCHEMADIR@/ppolicy.ldif #mod#dn: cn=module{0},cn=config #mod#objectClass: olcModuleList diff --git a/tests/data/regressions/its8800/slapd-provider4.ldif b/tests/data/regressions/its8800/slapd-provider4.ldif index 21baccdef9..c13d3c03ca 100644 --- a/tests/data/regressions/its8800/slapd-provider4.ldif +++ b/tests/data/regressions/its8800/slapd-provider4.ldif 
@@ -16,7 +16,6 @@ include: file://@TESTWD@/@SCHEMADIR@/cosine.ldif include: file://@TESTWD@/@SCHEMADIR@/inetorgperson.ldif include: file://@TESTWD@/@SCHEMADIR@/misc.ldif include: file://@TESTWD@/@SCHEMADIR@/nis.ldif -include: file://@TESTWD@/@SCHEMADIR@/ppolicy.ldif #mod#dn: cn=module{0},cn=config #mod#objectClass: olcModuleList diff --git a/tests/data/slapd-asyncmeta.conf b/tests/data/slapd-asyncmeta.conf index dbe03db2c2..802287295f 100644 --- a/tests/data/slapd-asyncmeta.conf +++ b/tests/data/slapd-asyncmeta.conf @@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema -include @SCHEMADIR@/ppolicy.schema pidfile @TESTDIR@/slapd.m.pid argsfile @TESTDIR@/slapd.m.args diff --git a/tests/data/slapd-glue-ldap.conf b/tests/data/slapd-glue-ldap.conf index 57f29c6803..613307690e 100644 --- a/tests/data/slapd-glue-ldap.conf +++ b/tests/data/slapd-glue-ldap.conf @@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema -include @SCHEMADIR@/ppolicy.schema pidfile @TESTDIR@/slapd.m.pid argsfile @TESTDIR@/slapd.m.args diff --git a/tests/data/slapd-meta-target2.conf b/tests/data/slapd-meta-target2.conf index d59f50455e..6a4aee4540 100644 --- a/tests/data/slapd-meta-target2.conf +++ b/tests/data/slapd-meta-target2.conf @@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema -include @SCHEMADIR@/ppolicy.schema pidfile @TESTDIR@/slapd.2.pid argsfile @TESTDIR@/slapd.2.args diff --git a/tests/data/slapd-meta.conf b/tests/data/slapd-meta.conf index 877136cf87..2348dc4456 100644 --- a/tests/data/slapd-meta.conf +++ b/tests/data/slapd-meta.conf 
@@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema -include @SCHEMADIR@/ppolicy.schema pidfile @TESTDIR@/slapd.m.pid argsfile @TESTDIR@/slapd.m.args diff --git a/tests/data/slapd-ppolicy.conf b/tests/data/slapd-ppolicy.conf index 163d2a2fc7..5895120b95 100644 --- a/tests/data/slapd-ppolicy.conf +++ b/tests/data/slapd-ppolicy.conf @@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema -include @SCHEMADIR@/ppolicy.schema #mod#modulepath ../servers/slapd/back-@BACKEND@/ #mod#moduleload back_@BACKEND@.la diff --git a/tests/data/slapd-relay.conf b/tests/data/slapd-relay.conf index 6c0504203b..213eab46b1 100644 --- a/tests/data/slapd-relay.conf +++ b/tests/data/slapd-relay.conf @@ -18,7 +18,6 @@ include @SCHEMADIR@/cosine.schema include @SCHEMADIR@/inetorgperson.schema include @SCHEMADIR@/openldap.schema include @SCHEMADIR@/nis.schema -include @SCHEMADIR@/ppolicy.schema pidfile @TESTDIR@/slapd.pid argsfile @TESTDIR@/slapd.args diff --git a/tests/data/slapd-schema.conf b/tests/data/slapd-schema.conf index eb0829b019..ccdd94dd1a 100644 --- a/tests/data/slapd-schema.conf +++ b/tests/data/slapd-schema.conf @@ -26,7 +26,6 @@ include @SCHEMADIR@/openldap.schema # include @SCHEMADIR@/duaconf.schema include @SCHEMADIR@/dyngroup.schema -include @SCHEMADIR@/ppolicy.schema # pidfile @TESTDIR@/slapd.1.pid diff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.conf index d3b5f416ee..92c72e7595 100644 --- a/tests/data/slapd-tls-sasl.conf +++ b/tests/data/slapd-tls-sasl.conf @@ -26,7 +26,6 @@ include @SCHEMADIR@/openldap.schema # include @SCHEMADIR@/duaconf.schema include @SCHEMADIR@/dyngroup.schema -include @SCHEMADIR@/ppolicy.schema # pidfile @TESTDIR@/slapd.1.pid 
diff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.conf index d4bb90b336..29658abca9 100644 --- a/tests/data/slapd-tls.conf +++ b/tests/data/slapd-tls.conf @@ -26,7 +26,6 @@ include @SCHEMADIR@/openldap.schema # include @SCHEMADIR@/duaconf.schema include @SCHEMADIR@/dyngroup.schema -include @SCHEMADIR@/ppolicy.schema # pidfile @TESTDIR@/slapd.1.pid