MAN page from StartCom 5 openldap-servers-overlays-2.3.43-12.SEL5_5.i386.rpm

SLAPO_PPOLICY

Section: File Formats (5)
Updated: 2008/07/16

NAME

slapo-ppolicy - Password Policy overlay 

SYNOPSIS

/etc/openldap/slapd.conf 

DESCRIPTION

The ppolicy overlay is an implementation of the most recent IETF Password Policy proposal for LDAP. When instantiated, it intercepts, decodes and applies specific password policy controls to overall use of a backend database, changes to user password fields, etc. The overlay provides a variety of password control mechanisms. They include password aging (both minimum and maximum ages), password reuse and duplication control, account time-outs, mandatory password resets, acceptable password content, and even grace logins. Different groups of users may be associated with different password policies, and there is no limit to the number of password policies that may be created. Note that some of the policies do not take effect when the operation is performed with the rootdn identity; all the operations, when performed with any other identity, may be subjected to constraints, like access control.

 

CONFIGURATION

These slapd.conf configuration options apply to the ppolicy overlay. They should appear after the overlay directive.

ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced.

ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500/LDAP information model, but may be needed to compensate for LDAP clients that don't use the Password Modify extended operation to manage passwords. It is recommended that when this option is used that compare, search, and read access be denied to all directory users.

ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials response when Binding to a locked account. By default, when a Password Policy control was provided on the Bind request, a Password Policy response will be included with no special error code set. This option changes the Password Policy response to include the AccountLocked error code. Note that sending the AccountLocked error code provides useful information to an attacker; sites that are sensitive to security issues should not enable this option.

 

OBJECT CLASS

The ppolicy overlay depends on the pwdPolicy object class. The definition of that class is as follows:

( 1.3.6.1.4.1.42.2.27.8.2.1
    NAME 'pwdPolicy'
    AUXILIARY
    SUP top
    MUST ( pwdAttribute )
    MAY (
        pwdMinAge $ pwdMaxAge $ pwdInHistory $
        pwdCheckQuality $ pwdMinLength $
        pwdExpireWarning $ pwdGraceAuthnLimit $
        pwdLockout $ pwdLockoutDuration $
        pwdMaxFailure $ pwdFailureCountInterval $
        pwdMustChange $ pwdAllowUserChange $
        pwdSafeModify ) )

This implementation also provides an additional pwdPolicyChecker object class, used for password quality checking (see below).

( 1.3.6.1.4.1.4754.2.99.1
    NAME 'pwdPolicyChecker'
    AUXILIARY
    SUP top
    MAY ( pwdCheckModule ) )

Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies.

 

OBJECT CLASS ATTRIBUTES

Each one of the sections below details the meaning and use of a particular attribute of this pwdPolicy object class.

pwdAttribute
This attribute contains the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute. Note: in this implementation, the only value accepted for pwdAttribute is userPassword.

( 1.3.6.1.4.1.42.2.27.8.1.1
   NAME 'pwdAttribute'
   EQUALITY objectIdentifierMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

pwdMinAge
This attribute contains the number of seconds that must elapse between modifications allowed to the password. If this attribute is not present, zero seconds is assumed (i.e. the password may be modified whenever and however often is desired).

( 1.3.6.1.4.1.42.2.27.8.1.2
   NAME 'pwdMinAge'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdMaxAge
This attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its value is zero (0), then passwords will not expire.

( 1.3.6.1.4.1.42.2.27.8.1.3
   NAME 'pwdMaxAge'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdInHistory
This attribute is used to specify the maximum number of used passwords that will be stored in the pwdHistory attribute. If the pwdInHistory attribute is not present, or if its value is zero (0), used passwords will not be stored in pwdHistory and thus any previously-used password may be reused. No history checking occurs if the password is being modified by the rootdn, although the password is saved in the history.

( 1.3.6.1.4.1.42.2.27.8.1.4
   NAME 'pwdInHistory'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdCheckQuality
This attribute indicates if and how password syntax will be checked while a password is being modified or added. If this attribute is not present, or its value is zero (0), no syntax checking will be done. If its value is one (1), the server will check the syntax, and if the server is unable to check the syntax, whether due to a client-side hashed password or some other reason, it will be accepted. If its value is two (2), the server will check the syntax, and if the server is unable to check the syntax it will return an error refusing the password.

( 1.3.6.1.4.1.42.2.27.8.1.5
   NAME 'pwdCheckQuality'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdMinLength
When syntax checking is enabled (see also the pwdCheckQuality attribute), this attribute contains the minimum number of characters that will be accepted in a password. If this attribute is not present, minimum password length is not enforced. If the server is unable to check the length of the password, whether due to a client-side hashed password or some other reason, the server will, depending on the value of pwdCheckQuality, either accept the password without checking it (if pwdCheckQuality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two (2)).

( 1.3.6.1.4.1.42.2.27.8.1.6
   NAME 'pwdMinLength'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdExpireWarning
This attribute contains the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to a user who is authenticating to the directory. If this attribute is not present, or if the value is zero (0), no warnings will be sent.

( 1.3.6.1.4.1.42.2.27.8.1.7
   NAME 'pwdExpireWarning'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdGraceAuthnLimit
This attribute contains the number of times that an expired password may be used to authenticate a user to the directory. If this attribute is not present or if its value is zero (0), users with expired passwords will not be allowed to authenticate to the directory.

( 1.3.6.1.4.1.42.2.27.8.1.8
   NAME 'pwdGraceAuthnLimit'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdLockout
This attribute specifies the action that should be taken by the directory when a user has made a number of failed attempts to authenticate to the directory. If pwdLockout is set (its value is "TRUE"), the user will not be allowed to attempt to authenticate to the directory after there have been a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts allowed is specified by the pwdMaxFailure attribute. If pwdLockout is not present, or if its value is "FALSE", the password may be used to authenticate no matter how many consecutive failed bind attempts have been made.

( 1.3.6.1.4.1.42.2.27.8.1.9
   NAME 'pwdLockout'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )

pwdLockoutDuration
This attribute contains the number of seconds during which the password cannot be used to authenticate the user to the directory due to too many consecutive failed bind attempts. (See also pwdLockout and pwdMaxFailure.) If pwdLockoutDuration is not present, or if its value is zero (0), the password cannot be used to authenticate the user to the directory again until it is reset by an administrator.

( 1.3.6.1.4.1.42.2.27.8.1.10
   NAME 'pwdLockoutDuration'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdMaxFailure
This attribute contains the number of consecutive failed bind attempts after which the password may not be used to authenticate a user to the directory. If pwdMaxFailure is not present, or its value is zero (0), then a user will be allowed to continue to attempt to authenticate to the directory, no matter how many consecutive failed bind attempts have occurred with that user's DN. (See also pwdLockout and pwdLockoutDuration.)

( 1.3.6.1.4.1.42.2.27.8.1.11
   NAME 'pwdMaxFailure'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )

pwdFailureCountInterval
This attribute contains the number of seconds after which old consecutive failed bind attempts are purged from the failure counter, even though no successful authentication has occurred. If pwdFailureCountInterval is not present, or its value is zero (0), the failure counter will only be reset by a successful authentication.

( 1.3.6.1.4.1.42.2.27.8.1.12
   NAME 'pwdFailureCountInterval'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
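The lockout rules that pwdLockout, pwdLockoutDuration, pwdMaxFailure and pwdFailureCountInterval describe above, modelled as an added C example (not code from this man page or from OpenLDAP's slapd; pwd_policy, live_failures and bind_locked_out are names chosen here, and timestamps are Unix epoch seconds standing in for generalizedTime values):

```c
/* Added example, not OpenLDAP code: a model of the ppolicy lockout rules.
 * Timestamps are Unix epoch seconds instead of generalizedTime strings. */
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

#define PERMANENT_LOCK ((time_t)1)   /* stands in for 000001010000Z */

struct pwd_policy {
    bool lockout;                 /* pwdLockout */
    int  max_failure;             /* pwdMaxFailure, 0 = unlimited attempts */
    long failure_count_interval;  /* pwdFailureCountInterval, 0 = never purge */
    long lockout_duration;        /* pwdLockoutDuration, 0 = until admin reset */
};

/* Count the pwdFailureTime values still "live": those younger than
 * pwdFailureCountInterval, or all of them when the interval is zero. */
int live_failures(const struct pwd_policy *p, const time_t *failures,
                  size_t n, time_t now)
{
    int live = 0;
    for (size_t i = 0; i < n; i++) {
        if (p->failure_count_interval == 0 ||
            now - failures[i] < p->failure_count_interval)
            live++;
    }
    return live;
}

/* True when a bind must be refused: either an existing pwdAccountLockedTime
 * (locked_time, 0 = not locked) is still in force, or the live failure count
 * has reached pwdMaxFailure. Lockout never applies when pwdLockout is FALSE. */
bool bind_locked_out(const struct pwd_policy *p, time_t locked_time,
                     const time_t *failures, size_t n, time_t now)
{
    if (!p->lockout)
        return false;
    if (locked_time == PERMANENT_LOCK)
        return true;                      /* only an administrator can unlock */
    if (locked_time != 0) {
        if (p->lockout_duration == 0)
            return true;                  /* locked until reset by an admin */
        return now < locked_time + p->lockout_duration;
    }
    return p->max_failure > 0 &&
           live_failures(p, failures, n, now) >= p->max_failure;
}
```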

pwdMustChange
This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If pwdMustChange has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator. If pwdMustChange is not present, or its value is "FALSE", users are not required to change their password upon binding after the administrator sets or resets the password.

( 1.3.6.1.4.1.42.2.27.8.1.13
  NAME 'pwdMustChange'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE )

pwdAllowUserChange
This attribute specifies whether users are allowed to change their own passwords or not. If pwdAllowUserChange is set to "TRUE", or if the attribute is not present, users will be allowed to change their own passwords. If its value is "FALSE", users will not be allowed to change their own passwords.

( 1.3.6.1.4.1.42.2.27.8.1.14
   NAME 'pwdAllowUserChange'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )

pwdSafeModify
This attribute denotes whether the user's existing password must be sent along with their new password when changing a password. If pwdSafeModify is set to "TRUE", the existing password must be sent along with the new password. If the attribute is not present, or its value is "FALSE", the existing password need not be sent along with the new password.

( 1.3.6.1.4.1.42.2.27.8.1.15
   NAME 'pwdSafeModify'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )

pwdCheckModule
This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry);

The pPasswd parameter contains the clear-text user password, the ppErrStr parameter contains a double pointer that allows the function to return human-readable details about any error it encounters. The optional pEntry parameter, if non-NULL, carries a pointer to the entry whose password is being checked. If ppErrStr is NULL, then funcName must NOT attempt to use it/them. A return value of LDAP_SUCCESS from the called function indicates that the password is ok, any other value indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and ppErrStr may be used to return a human-readable textual explanation of the error. The error string must be dynamically allocated as it will be free()'d by slapd.

( 1.3.6.1.4.1.4754.1.99.1
   NAME 'pwdCheckModule'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE )

Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH. Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal.
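A minimal pwdCheckModule that follows the check_password() contract above, written as an added example rather than taken from OpenLDAP: it requires three character classes and rejects a hypothetical forbidden word, returns its diagnostic through ppErrStr as a malloc()'d string because slapd free()s it, tolerates a NULL ppErrStr, and treats slapd's Entry type as opaque (the fail() helper and the LDAP_* fallback macros are assumptions of this example).

```c
/* Added example, not OpenLDAP code: a pwdCheckModule for slapo-ppolicy.
 * Build it as a shared object and name it in pwdCheckModule. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00   /* same values as <ldap.h>, for stand-alone builds */
#define LDAP_OTHER   0x50
#endif

typedef struct Entry Entry; /* opaque here; a real module includes slap.h */

/* Report a rejection. The message is heap-allocated because slapd free()s
 * *ppErrStr; when ppErrStr is NULL it must not be touched at all. */
static int fail(char **ppErrStr, const char *msg)
{
    if (ppErrStr != NULL) {
        *ppErrStr = malloc(strlen(msg) + 1);
        if (*ppErrStr != NULL)
            strcpy(*ppErrStr, msg);
    }
    return LDAP_OTHER;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    (void)pEntry; /* a fuller module could compare against uid/cn here */

    if (pPasswd == NULL)
        return fail(ppErrStr, "no password supplied");

    for (const unsigned char *c = (const unsigned char *)pPasswd; *c; c++) {
        if (islower(*c))      lower = 1;
        else if (isupper(*c)) upper = 1;
        else if (isdigit(*c)) digit = 1;
        else                  other = 1;
    }
    if (lower + upper + digit + other < 3)
        return fail(ppErrStr,
                    "password must mix at least three character classes");
    /* case-sensitive substring check against a single constructed word */
    if (strstr(pPasswd, "password") != NULL)
        return fail(ppErrStr, "password contains a forbidden word");
    return LDAP_SUCCESS;
}
```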

 

OPERATIONAL ATTRIBUTES

The operational attributes used by the passwd_policy module are stored in the user's entry. Most of these attributes are not intended to be changed directly by users; they are there to track user activity. They have been detailed here so that administrators and users can both understand the workings of the ppolicy module.

userPassword
The userPassword attribute is not strictly part of the ppolicy module. It is, however, the attribute that is tracked and controlled by the module. Please refer to the standard OpenLDAP schema for its definition.

pwdPolicySubentry
This attribute refers directly to the pwdPolicy subentry that is to be used for this particular directory user. If pwdPolicySubentry exists, it must contain the DN of a valid pwdPolicy object. If it does not exist, the ppolicy module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no policy rules will be enforced.

( 1.3.6.1.4.1.42.2.27.8.1.23
   NAME 'pwdPolicySubentry'
   DESC 'The pwdPolicy subentry in effect for
       this object'
   EQUALITY distinguishedNameMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   SINGLE-VALUE
   NO-USER-MODIFICATION
   USAGE directoryOperation)

pwdChangedTime
This attribute denotes the last time that the entry's password was changed. This value is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication. If pwdChangedTime does not exist, the user's password will not expire.

( 1.3.6.1.4.1.42.2.27.8.1.16
   NAME 'pwdChangedTime'
   DESC 'The time the password was last changed'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SINGLE-VALUE
   NO-USER-MODIFICATION
   USAGE directoryOperation)

pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator.

( 1.3.6.1.4.1.42.2.27.8.1.17
   NAME 'pwdAccountLockedTime'
   DESC 'The time an user account was locked'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SINGLE-VALUE
   NO-USER-MODIFICATION
   USAGE directoryOperation)

pwdFailureTime
This attribute contains the timestamps of each of the consecutive authentication failures made upon attempted authentication to this DN (i.e. account). If too many timestamps accumulate here (refer to the pwdMaxFailure password policy attribute for details), and the pwdLockout password policy attribute is set to "TRUE", the account may be locked. (Please also refer to the pwdLockout password policy attribute.) Excess timestamps beyond those allowed by pwdMaxFailure may also be purged. If a successful authentication is made to this DN (i.e. to this user account), then pwdFailureTime will be cleansed of entries.

( 1.3.6.1.4.1.42.2.27.8.1.19
   NAME 'pwdFailureTime'
   DESC 'The timestamps of the last consecutive
       authentication failures'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   NO-USER-MODIFICATION
   USAGE directoryOperation )

pwdHistory
This attribute contains the history of previously used passwords for this DN (i.e. for this user account). The values of this attribute are stored in string format as follows:

pwdHistory = time "#" syntaxOID "#" length "#" data

time = generalizedTimeString as specified in section 6.14 of [RFC2252]

syntaxOID = numericoid
    This is the string representation of the dotted-decimal OID that defines the syntax used to store the password. numericoid is described in section 4.1 of [RFC2252].

length = numericstring
    The number of octets in the data. numericstring is described in section 4.1 of [RFC2252].

data = Octets representing the password in the format specified by syntaxOID.

This format allows the server to store and transmit a history of passwords that have been used. In order for equality matching on the values in this attribute to function properly, the time field is in GMT format.

( 1.3.6.1.4.1.42.2.27.8.1.20
   NAME 'pwdHistory'
   DESC 'The history of user passwords'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   EQUALITY octetStringMatch
   NO-USER-MODIFICATION
   USAGE directoryOperation)
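A parser for the pwdHistory value format described above, added here as an example (it is not code from the man page or from OpenLDAP; struct pwd_history, copy_field and parse_pwd_history are names chosen for this example). Values are treated as (pointer, length) octet strings rather than C strings because the data field is an octet string that may itself contain '#', so only the first three separators are significant, and a declared length that disagrees with the octets actually present is rejected.

```c
/* Added example, not OpenLDAP code: parse time "#" syntaxOID "#" length "#" data. */
#include <stddef.h>
#include <string.h>

struct pwd_history {
    char   changed_time[32]; /* generalizedTime in GMT, e.g. 20080716120000Z */
    char   syntax_oid[64];   /* numericoid of the syntax the password is stored in */
    size_t length;           /* declared number of octets in data */
    const char *data;        /* points into the original value, not NUL-terminated */
};

/* Copy the field [start, end) into dst as a C string; -1 if empty or too long. */
static int copy_field(char *dst, size_t cap, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Parse one pwdHistory value of vlen octets into *out. Returns 0 on success,
 * -1 when a separator is missing, the length is not a numericstring, or the
 * declared length does not match the number of data octets present. */
int parse_pwd_history(const char *value, size_t vlen, struct pwd_history *out)
{
    const char *end = value + vlen;
    const char *sep1 = memchr(value, '#', vlen);
    if (sep1 == NULL) return -1;
    const char *sep2 = memchr(sep1 + 1, '#', (size_t)(end - sep1 - 1));
    if (sep2 == NULL) return -1;
    const char *sep3 = memchr(sep2 + 1, '#', (size_t)(end - sep2 - 1));
    if (sep3 == NULL) return -1;

    if (copy_field(out->changed_time, sizeof out->changed_time, value, sep1) != 0)
        return -1;
    if (copy_field(out->syntax_oid, sizeof out->syntax_oid, sep1 + 1, sep2) != 0)
        return -1;

    /* length must be a non-empty run of digits (RFC 2252 numericstring) */
    if (sep2 + 1 == sep3) return -1;
    size_t len = 0;
    for (const char *c = sep2 + 1; c < sep3; c++) {
        if (*c < '0' || *c > '9') return -1;
        len = len * 10 + (size_t)(*c - '0');
    }
    out->length = len;
    out->data = sep3 + 1;
    /* every remaining octet belongs to data, so the counts must agree */
    return (size_t)(end - out->data) == len ? 0 : -1;
}
```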

pwdGraceUseTime
This attribute contains the list of timestamps of logins made after the user password in the DN has expired. These post-expiration logins are known as "grace logins". If too many grace logins have been used (please refer to the pwdGraceAuthnLimit password policy attribute), then the DN will no longer be allowed to be used to authenticate the user to the directory until the administrator changes the DN's userPassword attribute.

( 1.3.6.1.4.1.42.2.27.8.1.21
   NAME 'pwdGraceUseTime'
   DESC 'The timestamps of the grace login once the password has expired'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   NO-USER-MODIFICATION
   USAGE directoryOperation)

pwdReset
This attribute indicates whether the user's password has been reset by the administrator and thus must be changed upon first use of this DN for authentication to the directory. If pwdReset is set to "TRUE", then the password was reset and the user must change it upon first authentication. If the attribute does not exist, or is set to "FALSE", the user need not change their password due to administrative reset.

( 1.3.6.1.4.1.42.2.27.8.1.22
   NAME 'pwdReset'
   DESC 'The indication that the password has
       been reset'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE
   USAGE directoryOperation)

 

EXAMPLES

database bdb
suffix dc=example,dc=com
...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"

 

SEE ALSO

ldap(3),slapd.conf(5),

"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim: documented in IETF document "draft-behera-ldap-password-policy-09.txt".

 

BUGS

The LDAP Password Policy specification is not yet an approved standard, and it is still evolving. This code will continue to be in flux until the specification is finalized.

 

ACKNOWLEDGEMENTS

This module was written in 2004 by Howard Chu of Symas Corporation with significant input from Neil Dunbar and Kartik Subbarao of Hewlett-Packard. This manual page borrows heavily and shamelessly from the specification upon which the password policy module it describes is based. This source is the IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim. The proposal is fully documented in the IETF document named draft-behera-ldap-password-policy-09.txt, written in July of 2005. OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan LDAP 3.3 Release.


 


This document was created by man2html, using the manual pages.