MUST ( pwdAttribute )
MAY (
pwdMinAge $ pwdMaxAge $ pwdInHistory $
- pwdCheckQuality $ pwdMinLength $
+ pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
pwdExpireWarning $ pwdGraceAuthnLimit $
- pwdLockout $ pwdLockoutDuration $
+ pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
- pwdSafeModify $ pwdMaxRecordedFailure ) )
+ pwdSafeModify $ pwdMaxRecordedFailure $
+ pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
.RE
This implementation also provides an additional
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
- MAY ( pwdCheckModule ) )
+ MAY ( pwdCheckModule $ pwdCheckModuleArg ) )
.RE
.P
Every account that should be subject to password policy control should
SINGLE\-VALUE )
.RE
+.B pwdMaxLength
+.P
+When syntax checking is enabled
+(see also the
+.B pwdCheckQuality
+attribute), this attribute contains the maximum
+number of characters that will be accepted in a password. If this
+attribute is not present, maximum password length is not
+enforced. If the server is unable to check the length of the password,
+whether due to a client-side hashed password or some other reason,
+the server will, depending on the
+value of
+.BR pwdCheckQuality ,
+either accept the password
+without checking it (if
+.B pwdCheckQuality
+is zero (0) or one (1)) or refuse it (if
+.B pwdCheckQuality
+is two (2)).
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.31
+ NAME 'pwdMaxLength'
+ EQUALITY integerMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE\-VALUE )
+.RE
+
.B pwdExpireWarning
.P
This attribute contains the maximum number of seconds before a
SINGLE\-VALUE )
.RE
+.B pwdGraceExpiry
+.P
+This attribute specifies the number of seconds the grace
+authentications are valid. If this attribute is not present or if
+the value is zero (0), there is no time limit on the grace
+authentications.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.30
+ NAME 'pwdGraceExpiry'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE\-VALUE )
+.RE
+
.B pwdLockout
.P
This attribute specifies the action that should be taken
If that value is also 0, the default is 5.
.LP
.RS 4
-( 1.3.6.1.4.1.42.2.27.8.1.16
+( 1.3.6.1.4.1.42.2.27.8.1.32
NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE
-.B pwdCheckModule
+.B pwdMinDelay
+.P
+This attribute specifies the number of seconds to delay responding to
+the first failed authentication attempt. If this attribute is not
+set or is zero (0), no delays will be used.
+.B pwdMaxDelay
+must also be specified if
+.B pwdMinDelay
+is set.
+
+Note that this implementation uses a variable lockout instead of
+delaying the bind response.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.24
+ NAME 'pwdMinDelay'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE\-VALUE )
+.RE
+
+.B pwdMaxDelay
+.P
+This attribute specifies the maximum number of seconds to delay when
+responding to a failed authentication attempt. The time specified in
+.B pwdMinDelay
+is used as the starting time and is then doubled on each failure until
+the delay time is greater than or equal to
+.B pwdMaxDelay
+(or a successful authentication occurs, which resets the failure
+counter).
+.B pwdMinDelay
+must also be specified if
+.B pwdMaxDelay
+is set.
+
+Note that this implementation uses a variable lockout instead of
+delaying the bind response.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.25
+ NAME 'pwdMaxDelay'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE\-VALUE )
+.RE
+
+.B pwdMaxIdle
+.P
+This attribute specifies the number of seconds an account may remain
+unused before it becomes locked. If this attribute is not set or is
+zero (0), no check is performed. For this to be enforced,
+.B lastbind
+functionality needs to be enabled on the database, that is
+.B olcLastBind
+is set to
+.BR TRUE .
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.26
+ NAME 'pwdMaxIdle'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE\-VALUE )
+.RE
+
+.BR pwdCheckModule / pwdCheckModuleArg
.P
This attribute names a user-defined loadable module that must
instantiate the check_password() function. This function
.RS 4
int
.I check_password
-(char *pPasswd, char **ppErrStr, Entry *pEntry);
+(char *pPasswd, char **ppErrStr, Entry *pEntry, struct berval *pArg);
.RE
The
.B pPasswd
.B ppErrStr
parameter contains a double pointer that allows the function
to return human-readable details about any error it encounters.
-The optional
+
+The
.B pEntry
-parameter, if non-NULL, carries a pointer to the
+parameter is optional, if non-NULL, carries a pointer to the
entry whose password is being checked.
+
+The optional
+.B pArg
+parameter points to a
+.B struct berval
+containing the value of
+.B pwdCheckModuleArg
+in the effective password policy, if set, otherwise NULL.
+
If
.B ppErrStr
is NULL, then
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE\-VALUE )
+
+( 1.3.6.1.4.1.4754.1.99.2
+ NAME 'pwdCheckModuleArg'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+ DESC 'Argument to pass to check_password() function'
+ SINGLE\-VALUE )
.RE
.P
Note:
.RE
.B pwdGraceUseTime
+
This attribute contains the list of timestamps of logins made after
the user password in the DN has expired. These post-expiration
logins are known as "\fIgrace logins\fP".
USAGE directoryOperation)
.RE
+.B pwdStartTime
+
+This attribute specifies the time the entry's password becomes valid
+for authentication. Authentication attempts made before this time
+will fail. If this attribute does not exist, then no restriction
+applies.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.27
+ NAME 'pwdStartTime'
+ DESC 'The time the password becomes enabled'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
+ USAGE directoryOperation )
+.RE
+
+.B pwdEndTime
+
+This attribute specifies the time the entry's password becomes
+invalid for authentication. Authentication attempts made after this
+time will fail, regardless of expiration or grace settings. If this
+attribute does not exist, then this restriction does not apply.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.28
+ NAME 'pwdEndTime'
+ DESC 'The time the password becomes disabled'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
+ USAGE directoryOperation )
+.RE
+
+Note that pwdStartTime may be set to a time greater than or equal to
+pwdEndTime; this simply disables the account.
+
+.B pwdAccountTmpLockoutEnd
+.P
+This attribute that the user's password has been locked out temporarily
+according to the
+.B pwdMinDelay
+policy option and when the lockout ends.
+.LP
+.RS 4
+( 1.3.6.1.4.1.42.2.27.8.1.33
+ NAME 'pwdAccountTmpLockoutEnd'
+ DESC 'Temporary lockout end'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE\-VALUE
+ NO\-USER\-MODIFICATION
+ USAGE directoryOperation )
+.RE
+
.SH EXAMPLES
.LP
.RS
.LP
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document
-"draft-behera-ldap-password-policy-09.txt".
+"draft-behera-ldap-password-policy-10.txt".
.SH BUGS
The LDAP Password Policy specification is not yet an approved standard,
Poitou and J. Sermersheim.
The proposal is fully documented in
the
-IETF document named draft-behera-ldap-password-policy-09.txt,
-written in July of 2005.
+IETF document named draft-behera-ldap-password-policy-10.txt,
+written in August of 2009.
.P
.so ../Project
projects / thirdparty / openldap.git / commitdiff
