From 0c17e0ec89d989bb4a36550bc4f055bf9e67b095 Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Fri, 7 Aug 2020 21:39:19 +0000 Subject: [PATCH] ITS#9279 - Add draft for vchu-ldap-pwd-policy --- doc/drafts/draft-vchu-ldap-pwd-policy-xx.txt | 1020 ++++++++++++++++++ 1 file changed, 1020 insertions(+) create mode 100644 doc/drafts/draft-vchu-ldap-pwd-policy-xx.txt diff --git a/doc/drafts/draft-vchu-ldap-pwd-policy-xx.txt b/doc/drafts/draft-vchu-ldap-pwd-policy-xx.txt new file mode 100644 index 0000000000..d20bd403ab --- /dev/null +++ b/doc/drafts/draft-vchu-ldap-pwd-policy-xx.txt 
@@ -0,0 +1,1020 @@ + + + + + + +LDAP-EXT Working Group Valerie Chu +INTERNET-DRAFT Netscape Communications Corp. +Expires in six months +Intended Category: Informational + December 1998 + + + Password Policy for LDAP Directories + + + + +1. Status of this Memo + +This document is an Internet-Draft. Internet-Drafts are working docu- +ments of the Internet Engineering Task Force (IETF), its areas, and its +working groups. Note that other groups may also distribute working docu- +ments as Internet-Drafts. + +Internet-Drafts are draft documents valid for a maximum of six months +and may be updated, replaced, or obsoleted by other documents at any +time. It is inappropriate to use Internet- Drafts as reference material +or to cite them other than as ``work in progress.'' + +To view the entire list of current Internet-Drafts, please check the +"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow +Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), +ftp.nic.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org +(US East Coast), or ftp.isi.edu (US West Coast). + +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in RFC 2119. + +2. Abstract + +This document describes the implementation of password policy in +Netscape LDAP directories, and introduces two new object classes, +twenty-three new attribute types, and two new controls in support of +password policy. + +Password policy is a set of rules that control how passwords are used in +LDAP directories. In order to improve the security of LDAP directories +and make it difficult for password cracking programs to break into +directories, it is desirable to enforce a set of rules on password +usage. 
These rules are made to ensure that the users change their pass- +words periodically, the new password meets construction requirements, +the re-use of the old password is restricted, and lock out the users + + + +Chu [Page 1] + + + + + +Expires June 1999 INTERNET DRAFT + + +after a certain number of bad password attempts. + +3. Overview + +LDAP-based directory services currently are accepted by many organiza- +tions as the access protocol for directories. The ability to ensure the +secure read, update access to directory information throughout the net- +work is essential to the successful deployment. There are several secu- +rity mechanisms which are used in Netscape LDAP implementation to pro- +tect the directory data. For example, the access control is used to +prevent unauthorized access to information stored in directories; SASL +is used to negotiate for integrity and privacy services.[RFC-2251] The +most fundamental security mechanism in Netscape Directory is the simple +authentication using password. In many systems, in order to improve the +security of the system, the simple password-based authentication often +is used in conjunction with a set of password restrictions to control +how passwords are used in the system. For example, the passwd program +in UNIX systems, or the user account policy in WindowsNT, has a set of +rules that users need to follow to use password authentication. At the +moment, LDAP does not define a password policy model, but it is needed +to achieve greater security protection and it is critical to the suc- +cessful deployment of LDAP directories. + +Specifically, the password policy defines: + + + - The maximum length of time that a given password is valid. + + - The minimum length of time required between password changes. + + - The maximum length of time before a user's password is due to + expire that the user will be sent a warning message. + + - Whether users can reuse passwords. 
+ + - The minimum number of characters a password must contain. + + - Whether the password syntax is checked before a new password is + saved. + + - Whether users are allowed to change their own passwords. + + - Whether passwords must be changed after they are reset by the + administrator. + + - Whether users will be locked out of the directory after a given + number of failed bind attempts. + + + + +Chu [Page 2] + + + + + +Expires June 1999 INTERNET DRAFT + + + - How long users will be locked out of the directory after a given + number of failed bind attempts. + + - The length of time before the password failure counter which + keeps track of the number of failed password attempts is reset. + +The password policy defined in this document is applied to the LDAP sim- +ple authentication method [RFC-2251] and userPassword attribute values +only. + +In this document, the term "user" represents any application which is an +LDAP client using the directory to retrieve or store information. + +Directory administrators are not forced to comply with any of password +policies. + +4. New Attribute Types and Object Classes + +4.1. The passwordPolicy Object Class + +The passwordPolicy object class holds the password policy settings for a +set of user accounts. In the Netscape Directory implementation, they +are located in the "cn=config" entry. + +The description of passwordPolicy object class: + + ( 2.16.840.1.113730.3.2.13 + NAME 'passwordPolicy' + AUXILIARY + SUP top + DESC 'Password Policy object class to hold password policy information' + MAY ( + passwordMaxAge $ passwordExp $ passwordMinLength $ + passwordKeepHistory $ passwordInHistory $ passwordChange $ + passwordCheckSyntax $ passwordWarning $ passwordLockout $ + passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $ + passwordMustChange $ passwordStorageScheme $ passwordMinAge $ + passwordResetFailureCount + ) + ) + +4.2. 
The new attribute types used in the passwordPolicy Object Class: + + ( 2.16.840.1.113730.3.1.97 + NAME 'passwordMaxAge' + DESC 'the number of seconds after which user passwords will expire' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + + + +Chu [Page 3] + + + + + +Expires June 1999 INTERNET DRAFT + + + ) + ( 2.16.840.1.113730.3.1.98 + NAME 'passwordExp' + DESC 'a flag which indicates whether passwords will expire after a + given number of seconds' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.99 + NAME 'passwordMinLength' + DESC 'the minimum number of characters that must be used in a password' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.100 + NAME 'passwordKeepHistory' + DESC 'a flag which indicates whether passwords can be reused" + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.101 + NAME 'passwordInHistory' + DESC 'the number of passwords the directory server stores in history' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.102 + NAME 'passwordChange' + DESC 'a flag which indicates whether users can change their passwords' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.103 + NAME 'passwordCheckSyntax' + DESC 'a flag which indicates whether the password syntax will be checked + before the password is saved' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.104 + NAME 'passwordWarning' + DESC 'the number of seconds before a user's password is due to expire that + the user will be sent a warning message' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.105 + NAME 'passwordLockout' + + + +Chu [Page 4] + + + + + +Expires June 1999 INTERNET DRAFT + + + DESC 'a flag which indicates 
whether users will be locked out of the + directory after a given number of consecutive failed bind attempts' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.106 + NAME 'passwordMaxFailure' + DESC 'the number of consecutive failed bind attempts after which a user + will be locked out of the directory' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.108 + NAME 'passwordUnlock' + DESC 'a flag which indicates whether a user will be locked out of the + directory for a given number of seconds or until the administrator + resets the password after an account lockout' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.109 + NAME 'passwordLockoutDuration' + DESC 'the number of seconds that users will be locked out of the directory + after an account lockout + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.220 + NAME 'passwordMustChange' + DESC 'a flag which indicates whether users must change their passwords when + they first bind to the directory server' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + ( 2.16.840.1.113730.3.1.221 + NAME 'passwordStorageScheme' + DESC 'the type of hash algorithm used to store directory server passwords' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + The description of password storage scheme can be found in [RFC-2307]. 
+ ( 2.16.840.1.113730.3.1.222 + NAME 'passwordMinAge' + DESC 'the number of seconds that must elapse before a user can change their + password again' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + + + +Chu [Page 5] + + + + + +Expires June 1999 INTERNET DRAFT + + + ( 2.16.840.1.113730.3.1.223 + NAME 'passwordResetFailureCount' + DESC 'the number of seconds after which the password failure counter will + be reset' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + ) + + Currently in Netscape Directory password policy implementation, + passwordMaxAge, passwordMinLength, passwordInHistory, passwordWarn- + ing, passwordMaxFailure, passwordLockoutDuration, passwordMinAge, and + passwordResetFailureCount attributes are defined as + 1.3.6.1.4.1.1466.115.121.1.15 ('Directory String'). It is recom- + mented to change them to 1.3.6.1.4.1.1466.115.121.1.27 ('Integer') in + the future implementation. + + The attributes which are used as a flag have the syntax + '1.3.6.1.4.1.1466.115.121.1.15' ('Directory String'). A value of '1' + represents 'true', while '0' represents 'false'. It is recommented + to change them to 1.3.6.1.4.1.1466.115.121.1.7 ('Boolean') in the + future implementation. + +4.3. The passwordObject Object Class + +The passwordObject object class holds the password policy state informa- +tion for each user. For example, how many consecutive bad password +attempts an user made. The information is located in each user entries. +The description of passwordObject object class: + + ( 2.16.840.1.113730.3.2.12 + NAME 'passwordObject' + AUXILIARY + SUP top + DESC 'Password object class to hold password policy information for each + entry' + MAY ( + passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $ + retryCountResetTime $ accountUnlockTime $ passwordHistory $ + passwordAllowChangeTime + ) + ) + +4.4. 
The new attribute types used in the passwordObject Object Class: + ( 2.16.840.1.113730.3.1.91 + NAME 'passwordExpirationTime' + DESC 'the time the entry's password expires' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + EQUALITY generalizedTimeMatch + + + +Chu [Page 6] + + + + + +Expires June 1999 INTERNET DRAFT + + + ORDERING generalizedTimeOrderingMatch + SINGLE-VALUE + USAGE directoryOperation + ) + ( 2.16.840.1.113730.3.1.92 + NAME 'passwordExpWarned' + DESC 'a flag which indicates whether a password expiration warning is sent + to the client' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + SINGLE-VALUE + USAGE directoryOperation + ) + ( 2.16.840.1.113730.3.1.93 + NAME 'passwordRetryCount' + DESC 'the count of consecutive failed password attempts' + EQUALITY 'caseIgnoreMatch' + SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' + SINGLE-VALUE + USAGE directoryOperation + ) + ( 2.16.840.1.113730.3.1.94 + NAME 'retryCountResetTime' + DESC 'the time to reset the passwordRetryCount' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SINGLE-VALUE + USAGE directoryOperation + ) + ( 2.16.840.1.113730.3.1.95 + NAME 'accountUnlockTime' + DESC 'the time that the user can bind again after an account lockout' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SINGLE-VALUE + USAGE directoryOperation + ) + ( 2.16.840.1.113730.3.1.96 + NAME 'passwordHistory' + DESC 'the history of user's passwords' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 + EQUALITY bitStringMatch + USAGE directoryOperation + ) + ( 2.16.840.1.113730.3.1.214 + NAME 'passwordAllowChangeTime' + + + +Chu [Page 7] + + + + + +Expires June 1999 INTERNET DRAFT + + + DESC 'the time that the user is allowed change the password' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SINGLE-VALUE + USAGE directoryOperation + ) + +5. 
Password Expiration and Expiration Warning + +New attributes, passwordExp, passwordMaxAge, and passwordWarning are +defined to specify whether the password will expire, when the password +expires and when a warning message will be sent to the client respec- +tively. The actual expiration time for a password will be stored in a +new attribute, passwordExpirationTime attribute in the user entry. + +After bind operation succeed with authentication, the server should +check for password expiration. If the password expiration policy is on +and the account's password is expired, the server should send bin- +dResponse with the resultCode: LDAP_INVALID_CREDENTIALS along with an +error message to inform the client that the password has expired. If +the password is going to expire sooner than the password warning dura- +tion, the server should send bindResponse with the resultCode: +LDAP_SUCCESS, and should include the password expiring control in the +controls field of the bindResponse message: + + controlType: 2.16.840.1.113730.3.4.5, + + controlValue: an octet string to indicate the time in seconds until + the password expires. + + criticality: false + + +The server should send at least one warning message to the client before +expiring the client's password. + +6. Password Minimum Age + +This policy defines the number of seconds that must pass before a user +can change the password again. This policy can be used in conjunction +with the password history policy to prevent users from quickly cycling +through passwords in history so that they can reuse the old password. A +value of zero indicates that the user can change the password immedi- +ately. + +During the modify password operation, the server should check if the +user is allowed to change password at this time. 
If not, the server + + + +Chu [Page 8] + + + + + +Expires June 1999 INTERNET DRAFT + + +should send the LDAP_CONSTRAINT_VIOLATION result code back to the client +and an error message to indicate that the password cannot be changed +within password minimum age. + +7. Password History + +passwordHistory and passwordInHistory attributes control whether the +user can reuse passwords and how many passwords the directory server +stores in history. + +During the modify password operation, the server should check for pass- +word history. If password history is on and the new password matches +one of the old passwords in history, the server should send +modifyResponse back to the client with resultCode: +LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new +password is in history, choose another password. + +8. Password Syntax and Minimum length + +The passwordCheckSyntax attribute indicates whether the password syntax +will be checked before a new password is saved. If this policy is on, +the directory server should check that the new password meets the pass- +word minimum length requirement and that the string does not contain any +trivial words such as the user's name, user id and so on. + +The passwordMinLength attribute defines the minimum number of characters +that must be used in a password. + +During the modify or add password operation, the server should check for +password syntax. If password check syntax is on and the new password +fail the syntax checking, the server should send modifyResponse or +addResponse back to the client with resultCode: +LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new +password failed the syntax checking, the user should choose another +password. + +9. User Defined Passwords + +This policy defines whether the users can change their own passwords. +During the modify password operation, the server should check if the +user is allowed to change password. 
If not, the server should send to +the client the LDAP_UNWILLING_TO_PERFORM result code and an error mes- +sage to indicate that the user is not allowed to change password. + +10. Password Change After Reset + +This policy forces the user to select a new password on first bind or +after password reset. After bind operation succeed with authentication, + + + +Chu [Page 9] + + + + + +Expires June 1999 INTERNET DRAFT + + +the server should check if the password change after reset policy is on +and this is the first time logon. If so, the server should send bin- +dResponse with the resultCode: LDAP_SUCCESS, and should include the +password expired control in the controls field of the bindResponse mes- +sage: + + controlType: 2.16.840.1.113730.3.4.4, + + controlValue: an octet string: "0", + + criticality: false + +After that, for any operation issued by the user other than modify pass- +word, bind, unbind, abandon, or search, the server should send the +response message with the resultCode: LDAP_UNWILLING_TO_PERFORM, and +should include the password expired control in the controls field of the +response message: + + controlType: 2.16.840.1.113730.3.4.4, + + controlValue: an octet string: "0", + + criticality: false + +11. Password Guessing limit + +This policy enforces the limit of number of tries the client has to get +the password right. The user will be locked out of the directory after +a given number of consecutive failed attempts to bind to the directory. +This policy protects the directory from automated guessing attacks. + +The server should keep a failure counter in the passwordRetryCount +attribute for each entry. The server should increment the failure +counter when a bind operation fails with the LDAP_INVALID_CREDENTIALS +error code. The server should clear the failure counter when a bind +operation succeeds with authentication, the account password is reset by +administrator, or when the failure counter reset time is reached. 
+ +During the bind operation, the server should check for password guessing +limit. If password guessing limit policy is on and the password guess- +ing limit is reached, the server should send bindResponse back to the +client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error message +to indicate the password failure limit is reached. + +12. Server Implementation + + + + + + +Chu [Page 10] + + + + + +Expires June 1999 INTERNET DRAFT + + +12.1. Password policy initialization + +The passwordPolicy object class holds the password policy settings for a +set of user accounts. During the server initial startup, password pol- +icy should be assigned a set of initial values. The settings should be +modified only by the directory administrators and should be readable by +anyone. The server should preserve the settings over server restart. +Currently in the Netscape Directory implementation, the password policy +settings are stored in "cn=config" entry and an identical copy is kept +in a configuration file which is used as bootstrap. The Netscape Direc- +tory password default settings are listed below as an example. 
+ + - User may change password + + - Do not need to change password first time logon + + - Use SHA as the password hash algorithm + + - No password syntax check + + - Password minimum length: 6 + + - No password expiration + + - Expires in 100 days + + - No password minimum age + + - Send warning one day before password expires + + - Do not keep password history + + - Six passwords in history + + - No account lockout + + - Lockout after 3 bind failures + + - Do not lockout forever + + - Lock account for 60 minutes + + - Reset retry count after 10 minutes + + In ldif format: + + passwordchange: on + + + + +Chu [Page 11] + + + + + +Expires June 1999 INTERNET DRAFT + + + passwordmustchange: off + + passwordstoragescheme: SHA + + passwordchecksyntax: off + + passwordminlength: 6 + + passwordexp: off + + passwordmaxage: 8640000 + + passwordminage: 0 + + passwordwarning: 86400 + + passwordkeephistory: off + + passwordinhistory: 6 + + passwordlockout: off + + passwordmaxfailure: 3 + + passwordunlock: on + + passwordlockoutduration: 3600 + + passwordresetfailurecount: 600 + +12.2. Bind Operations + +12.2.1. During bind operations, the server should check for password +guessing limit. If password guessing limit policy is on and the pass- +word guessing limit is reached, the server should send bindResponse back +to the client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error +message to indicate the password failure limit is reached. Otherwise +the server should continue the bind operation. + +12.2.2. After Bind Operations succeed with authentication, the server +should + + 1. Clear the password failure counter. + + 2. Check if the password change after reset policy is on and this is + the first time logon. If so, the server should disallow all + operations issued by this user except modify password, bind , + unbind, abandon, or search. 
The server should send bindResponse + + + +Chu [Page 12] + + + + + +Expires June 1999 INTERNET DRAFT + + + with the resultCode: LDAP_SUCCESS, and should include the pass- + word expired control in the controls field of the bindResponse + message. + + controlType: 2.16.840.1.113730.3.4.4, + + controlValue: an octet string: "0", + + criticality: false + + 3. Check for password expiration. If the password expiration policy + is on and the account's password is expired, the server should + send bindResponse with the resultCode: LDAP_INVALID_CREDENTIALS + along with an error message to inform the client that the pass- + word has expired. + + 4. Check if the password is going to expire sooner than the password + warning duration, the server should send bindResponse with the + resultCode: LDAP_SUCCESS, and should include the password expir- + ing control in the controls field of the bindResponse message: + + controlType: 2.16.840.1.113730.3.4.5, + + controlValue: an octet string to indicate the time in seconds + until the password expires. + + criticality: false + + +12.2.3. After Bind Operations fail with LDAP_INVALID_CREDENTIALS, the +server should + + 1. Check if it is time to reset the password failure counter. If + so, set the failure counter to 1 and re-calculate the next + failure counter reset time. Otherwise, increment the failure + counter. + + 2. Check if failure counter exceeds the allowed maximum value. If + so, the server should lock the user account. + +12.3. Add Password Operations + +12.3.1. During the add password operation, the server should + + 1. Check for password syntax. If password check syntax is on and + the new password fail the syntax checking, the server should send + addResponse back to the client with resultCode: + LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the + + + +Chu [Page 13] + + + + + +Expires June 1999 INTERNET DRAFT + + + new password failed the syntax checking, the user should choose + another password. + + 2. 
Calculate and add passwordexpirationtime and passwordallowchange- + time attributes to the entry if password expiration policy and + password minimum age policy are on respectively. + +12.4. Modify Password Operations + +12.4.1. During the modify password operation, the server should + + 1. Check if the user is allowed to change password. If not, the + server should send to the client the LDAP_UNWILLING_TO_PERFORM + result code and an error message to indicate that the user is not + allowed to change password. + + 2. Check for password minimum age, password minimum length, password + history, and password syntax. If the checking fails, the server + should send modifyResponse back to the client with resultCode: + LDAP_CONSTRAINT_VIOLATION, and an appropriate error message. + + 3. If it is the first time logon and the user needs to change pass- + word the first time logon, the server should check if the user- + password attribute is in this modify request. If so, the server + should continue the modify operation. Otherwise, the server + should send the response message with the resultCode: + LDAP_UNWILLING_TO_PERFORM, and should include the password + expired control in the controls field of the response message: + + controlType: 2.16.840.1.113730.3.4.4, + + controlValue: an octet string: "0", + + criticality: false + +12.4.2. After modify password operations succeed, the server should + + 1. Update password history in the user's entry, if the password his- + tory policy is on. + + 2. Update passwordExpirationTime in the user's entry, if the pass- + word expiration policy is on. + + 3. Update passwordAllowChangeTime in the user's entry, if the pass- + word minimum age policy is on. + + 4. Clear the password failure counter, if the password is reset by a + directory administrator. + + + +Chu [Page 14] + + + + + +Expires June 1999 INTERNET DRAFT + + + 5. 
Set a flag to indicate the user is the first time logon, if the + password change after reset policy is on and the password is + reset by a directory administrator. + +13. Client Implementation + +13.1. Bind Response + +For every bind response received, the client needs to parse the bind +result code, error message, and controls to determine if any of the fol- +lowing conditions is true and prompt the user accordingly. + +1. The user needs to change password first time logon. The user + should be prompted to change the password immediately. + + resultCode: LDAP_SUCCESS, with the control + controlType: 2.16.840.1.113730.3.4.4, + controlValue: "0", + criticality: false + + +2. This is a warning message that the server sends to a user to indi- + cate the time in seconds until the user's password expires. + + resultCode: LDAP_SUCCESS, with the control + controlType: 2.16.840.1.113730.3.4.5, + controlValue: an octet string to indicate the time in seconds until + the password expires. + criticality: false + + +3. The password failure limit is reached. The user needs to retry + later or contact the directory administrator to reset the password. + + resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message. + For example: + errorMessage: "exceed password retry limit" + + +4. The password is expired. The user needs to contact the directory + administrator to reset the password. + + resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate error message. + For example: + errorMessage: "password expired" + + + + + + +Chu [Page 15] + + + + + +Expires June 1999 INTERNET DRAFT + + +13.2. Modify Responses + +For the modify response received for the change password request, the +client needs to check the result code and error message to determine if +it failed the password checking, and either let the user retry or quit. + +1. The user defined password policy is disabled. The user is not + allowed to change password. 
+ + resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate error message. + For example: + errorMessage: "user is not allowed to change password" + + +2. The new password failed the password syntax checking, or the + current password has not reached the minimum password age, or the + new password is in history. + + resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message. + For example: + errorMessage: "invalid password syntax" + errorMessage: "password in history" + errorMessage: "trivial password" + errorMessage: "within minimum password age" + +13.3. Add Responses + +For the add response received for the add entry request, the client +needs to check the result code and error message to determine if it +failed the password checking, and either let the user retry or quit. + +1. The new password failed the password syntax checking. + + resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message. + For example: + errorMessage: "invalid password syntax" + errorMessage: "trivial password" + +13.4. Other Responses + +For operations other than bind, unbind, abandon, or search, the client +needs to check the following result code and control to determine if the +user needs to change the password immediately. + +1. The user needs to change password first time logon. The user + should be prompted to change the password immediately. + + resultCode: LDAP_UNWILLING_TO_PERFORM, with the control + + + +Chu [Page 16] + + + + + +Expires June 1999 INTERNET DRAFT + + + controlType: 2.16.840.1.113730.3.4.4, + controlValue: "0", + criticality: false + +14. Security Considerations + +The password policy defined in this document is applied to the LDAP sim- +ple authentication method [RFC-2251] and userPassword attribute values +only. The simple authentication method provides minimal authentication +facilities, with the contents of the authentication field consisting +only of a cleartext password. 
Note that the simple authentication +method and password policy are designed for authentication where the +underlying transport service cannot guarantee confidentiality. Use of +simple authentication method and password policy may result in disclo- +sure of the password to unauthorized parties. SASL and TLS mechanisms +may be used with LDAP to provide integrity or confidentiality services. + + +15. Bibliography + + +[RFC-2251]Wahl, M., Howes, T., Kille, S., "Lightweight Directory Access + Protocol (v3)", RFC 2251, August 1997. + +[RFC-2307]L. Howard, "An Approach for Using LDAP as a Network Informa- + tion Service", RFC 2307, March 1998. + +[RFC-2119]S. Bradner, "Key Words for use in RFCs to Indicate Requirement + Levels", RFC 2119, March 1997. + +16. Author's Addresses + + Valerie Chu + Netscape Communications Corp. + 501 E. Middlefield Rd. + Mountain View, CA 94043 + USA + +1 650 937-3443 + vchu@netscape.com + + + + + + + + + + + + +Chu [Page 17] + + -- 2.47.2
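Review bot: The commit message says only "Add draft" and the file is named with the "-xx" placeholder, while the imported text carries no draft name or version line of its own (the header gives only "LDAP-EXT Working Group", "INTERNET-DRAFT", "Expires in six months", "December 1998"), so please record in the commit message where this copy was obtained and that it is imported verbatim. That matters because the text as added contains defects a later reader may be tempted to "fix" in tree: the passwordKeepHistory definition closes its DESC with a double quote (`DESC 'a flag which indicates whether passwords can be reused"`), the passwordLockoutDuration DESC (`... after an account lockout`) has no closing quote at all, several DESC strings contain unescaped apostrophes (`user's`, `entry's`), "recommented" appears twice in 4.2, and the Security Considerations sentence "the simple authentication method and password policy are designed for authentication where the underlying transport service cannot guarantee confidentiality" contradicts the sentence that follows it about password disclosure. If the intent is an archival copy (as the other doc/drafts files appear to be), a one-line note in the commit message that the content is reproduced unchanged from the original draft, typos included, will prevent well-meant edits to a document OpenLDAP does not own; if the intent is a usable schema reference, the two broken DESC quotes at least should be corrected here, since the passwordPolicy attribute definitions will not parse as written.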