1 .lf 1 stdin 2 .TH SLAPO_PPOLICY 5 "2025/05/22" "OpenLDAP 2.6.10" 3 .\" Copyright 2004-2024 The OpenLDAP Foundation All Rights Reserved. 4 .\" Copying restrictions apply. See COPYRIGHT/LICENSE. 5 .\" $OpenLDAP$ 6 .SH NAME 7 slapo\-ppolicy \- Password Policy overlay to slapd 8 .SH SYNOPSIS 9 /etc/openldap/slapd.conf 10 .SH DESCRIPTION 11 .LP 12 The 13 .B ppolicy 14 overlay 15 is an implementation of the most recent IETF Password 16 Policy proposal for LDAP. When instantiated, it intercepts, 17 decodes and applies specific password policy controls to overall 18 use of a backend database, changes to user password fields, etc. 19 .P 20 The overlay provides a variety of password control mechanisms. They 21 include password aging -- both minimum and maximum ages, password 22 reuse and duplication control, account time-outs, mandatory password 23 resets, acceptable password content, and even grace logins. 24 Different groups of users may be associated with different password 25 policies, and there is no limit to the number of password policies 26 that may be created. 27 .P 28 Note that some of the policies do not take effect when the operation 29 is performed with the 30 .B rootdn 31 identity; all the operations, when performed with any other identity, 32 may be subjected to constraints, like access control. This overlay 33 requires a rootdn to be configured on the database. 34 .P 35 During password update, an identity with 36 .B manage 37 access to the userPassword attribute is considered a password 38 administrator where relevant to the IETF Password Policy proposal. 39 .P 40 Note that the IETF Password Policy proposal for LDAP makes sense 41 when considering a single-valued password attribute, while 42 the userPassword attribute allows multiple values. This implementation 43 enforces a single value for the userPassword attribute, despite 44 its specification. 45 .P 46 In addition to supporting the IETF Password Policy, this module 47 supports the SunDS Account Usability control (1.3.6.1.4.1.42.2.27.9.5.8) 48 on search requests and can send the Netscape Password validity controls 49 when configured to do so. 50 51 .SH CONFIGURATION 52 These 53 .B slapd.conf 54 configuration options apply to the ppolicy overlay. They should appear 55 after the 56 .B overlay 57 directive. 58 .TP 59 .B ppolicy_default <policyDN> 60 Specify the DN of the pwdPolicy object to use when no specific policy is 61 set on a given user's entry. If there is no specific policy for an entry 62 and no default is given, then no policies will be enforced. 63 .TP 64 .B ppolicy_forward_updates 65 Specify that policy state changes that result from Bind operations (such 66 as recording failures, lockout, etc.) on a consumer should be forwarded 67 to a provider instead of being written directly into the consumer's local 68 database. This setting is only useful on a replication consumer, and 69 also requires the 70 .B updateref 71 setting and 72 .B chain 73 overlay to be appropriately configured. 74 .TP 75 .B ppolicy_hash_cleartext 76 Specify that cleartext passwords present in Add and Modify requests should 77 be hashed before being stored in the database. This violates the X.500/LDAP 78 information model, but may be needed to compensate for LDAP clients that 79 don't use the Password Modify extended operation to manage passwords. It 80 is recommended that when this option is used that compare, search, and 81 read access be denied to all directory users. 82 .TP 83 .B ppolicy_use_lockout 84 A client will always receive an LDAP 85 .B InvalidCredentials 86 response when 87 Binding to a locked account. By default, when a Password Policy control 88 was provided on the Bind request, a Password Policy response will be 89 included with no special error code set. This option changes the 90 Password Policy response to include the 91 .B AccountLocked 92 error code. Note 93 that sending the 94 .B AccountLocked 95 error code provides useful information 96 to an attacker; sites that are sensitive to security issues should not 97 enable this option. 98 .TP 99 .B ppolicy_send_netscape_controls 100 If set, ppolicy will send the password policy expired (2.16.840.1.113730.3.4.4) 101 and password policy expiring (2.16.840.1.113730.3.4.5) controls when 102 appropriate. The controls are not sent for bind requests where the Password 103 policy control has already been requested. Default is not to send the controls. 104 .TP 105 .B ppolicy_check_module <path> 106 Specify the path of a loadable module containing a 107 .B check_password() 108 function for additional password quality checks. The use of this module 109 is described further below in the description of the 110 .B pwdPolicyChecker 111 objectclass. 112 113 Note: The user-defined loadable module must be in 114 .B slapd's 115 standard executable search PATH, or an absolute path must be provided. 116 117 Note: Use of a 118 .B ppolicy_check_module 119 is a non-standard extension to the LDAP password 120 policy proposal. 121 122 123 .SH OBJECT CLASS 124 The 125 .B ppolicy 126 overlay depends on the 127 .B pwdPolicy 128 object class. The definition of that class is as follows: 129 .LP 130 .RS 4 131 ( 1.3.6.1.4.1.42.2.27.8.2.1 132 NAME 'pwdPolicy' 133 AUXILIARY 134 SUP top 135 MUST ( pwdAttribute ) 136 MAY ( 137 pwdMinAge $ pwdMaxAge $ pwdInHistory $ 138 pwdCheckQuality $ pwdMinLength $ pwdMaxLength $ 139 pwdExpireWarning $ pwdGraceAuthnLimit $ 140 pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $ 141 pwdMaxFailure $ pwdFailureCountInterval $ 142 pwdMustChange $ pwdAllowUserChange $ 143 pwdSafeModify $ pwdMaxRecordedFailure $ 144 pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) ) 145 .RE 146 147 The 148 .B pwdPolicy 149 class is not structural, and so entries using it require another, 150 structural, object class. The 151 .B namedPolicy 152 object class is a good choice. 153 .B namedPolicy 154 requires a 155 .B cn 156 attribute, suitable as the policy entry's rDN. 157 158 This implementation also provides an additional 159 .B pwdPolicyChecker 160 objectclass, used for password quality checking (see below). 161 .LP 162 .RS 4 163 ( 1.3.6.1.4.1.4754.2.99.1 164 NAME 'pwdPolicyChecker' 165 AUXILIARY 166 SUP top 167 MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) ) 168 .RE 169 .P 170 Every account that should be subject to password policy control should 171 have a 172 .B 173 pwdPolicySubentry 174 attribute containing the DN of a valid 175 .B pwdPolicy 176 entry, or they can simply use the configured default. 177 In this way different users may be managed according to 178 different policies. 179 180 .SH OBJECT CLASS ATTRIBUTES 181 .P 182 Each one of the sections below details the meaning and use of a particular 183 attribute of this 184 .B pwdPolicy 185 object class. 186 .P 187 188 .B pwdAttribute 189 .P 190 This attribute contains the name of the attribute to which the password 191 policy is applied. For example, the password policy may be applied 192 to the 193 .B userPassword 194 attribute. 195 .P 196 Note: in this implementation, the only 197 value accepted for 198 .B pwdAttribute 199 is 200 .IR " userPassword ". 201 .LP 202 .RS 4 203 ( 1.3.6.1.4.1.42.2.27.8.1.1 204 NAME 'pwdAttribute' 205 EQUALITY objectIdentifierMatch 206 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) 207 .RE 208 209 .B pwdMinAge 210 .P 211 This attribute contains the number of seconds that must elapse 212 between modifications allowed to the password. If this attribute 213 is not present, zero seconds is assumed (i.e. the password may be 214 modified whenever and however often is desired). 215 .LP 216 .RS 4 217 ( 1.3.6.1.4.1.42.2.27.8.1.2 218 NAME 'pwdMinAge' 219 EQUALITY integerMatch 220 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 221 SINGLE\-VALUE ) 222 .RE 223 224 .B pwdMaxAge 225 .P 226 This attribute contains the number of seconds after which a modified 227 password will expire. If this attribute is not present, or if its 228 value is zero (0), then passwords will not expire. 229 .LP 230 .RS 4 231 ( 1.3.6.1.4.1.42.2.27.8.1.3 232 NAME 'pwdMaxAge' 233 EQUALITY integerMatch 234 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 235 SINGLE\-VALUE ) 236 .RE 237 238 .B pwdInHistory 239 .P 240 This attribute is used to specify the maximum number of used 241 passwords that will be stored in the 242 .B pwdHistory 243 attribute. If the 244 .B pwdInHistory 245 attribute is not present, or if its value is 246 zero (0), used passwords will not be stored in 247 .B pwdHistory 248 and thus any previously-used password may be reused. 249 No history checking occurs if the password is being modified by the 250 .BR rootdn , 251 although the password is saved in the history. 252 .LP 253 .RS 4 254 ( 1.3.6.1.4.1.42.2.27.8.1.4 255 NAME 'pwdInHistory' 256 EQUALITY integerMatch 257 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 258 SINGLE\-VALUE ) 259 .RE 260 261 .B pwdCheckQuality 262 .P 263 This attribute indicates if and how password syntax will be checked 264 while a password is being modified or added. If this attribute is 265 not present, or its value is zero (0), no syntax checking will be 266 done. If its value is one (1), the server will check the syntax, 267 and if the server is unable to check the syntax, 268 whether due to a client-side hashed password or some other reason, 269 it will be 270 accepted. If its value is two (2), the server will check the syntax, 271 and if the server is unable to check the syntax it will return an 272 error refusing the password. 273 .LP 274 .RS 4 275 ( 1.3.6.1.4.1.42.2.27.8.1.5 276 NAME 'pwdCheckQuality' 277 EQUALITY integerMatch 278 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 279 SINGLE\-VALUE ) 280 .RE 281 282 .B pwdMinLength 283 .P 284 When syntax checking is enabled 285 (see also the 286 .B pwdCheckQuality 287 attribute), this attribute contains the minimum 288 length in bytes that will be accepted in a password. If this 289 attribute is not present, minimum password length is not 290 enforced. If the server is unable to check the length of the password, 291 whether due to a client-side hashed password or some other reason, 292 the server will, depending on the 293 value of 294 .BR pwdCheckQuality , 295 either accept the password 296 without checking it (if 297 .B pwdCheckQuality 298 is zero (0) or one (1)) or refuse it (if 299 .B pwdCheckQuality 300 is two (2)). If the number of characters should be enforced with regards 301 to a particular encoding, the use of an appropriate 302 .B ppolicy_check_module 303 is required. 304 .LP 305 .RS 4 306 ( 1.3.6.1.4.1.42.2.27.8.1.6 307 NAME 'pwdMinLength' 308 EQUALITY integerMatch 309 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 310 SINGLE\-VALUE ) 311 .RE 312 313 .B pwdMaxLength 314 .P 315 When syntax checking is enabled 316 (see also the 317 .B pwdCheckQuality 318 attribute), this attribute contains the maximum 319 length in bytes that will be accepted in a password. If this 320 attribute is not present, maximum password length is not 321 enforced. If the server is unable to check the length of the password, 322 whether due to a client-side hashed password or some other reason, 323 the server will, depending on the 324 value of 325 .BR pwdCheckQuality , 326 either accept the password 327 without checking it (if 328 .B pwdCheckQuality 329 is zero (0) or one (1)) or refuse it (if 330 .B pwdCheckQuality 331 is two (2)). If the number of characters should be enforced with regards 332 to a particular encoding, the use of an appropriate 333 .B ppolicy_check_module 334 is required. 335 .LP 336 .RS 4 337 ( 1.3.6.1.4.1.42.2.27.8.1.31 338 NAME 'pwdMaxLength' 339 EQUALITY integerMatch 340 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 341 SINGLE\-VALUE ) 342 .RE 343 344 .B pwdExpireWarning 345 .P 346 This attribute contains the maximum number of seconds before a 347 password is due to expire that expiration warning messages will be 348 returned to a user who is authenticating to the directory. 349 If this attribute is not 350 present, or if the value is zero (0), no warnings will be sent. 351 .LP 352 .RS 4 353 ( 1.3.6.1.4.1.42.2.27.8.1.7 354 NAME 'pwdExpireWarning' 355 EQUALITY integerMatch 356 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 357 SINGLE\-VALUE ) 358 .RE 359 360 .B pwdGraceAuthnLimit 361 .P 362 This attribute contains the number of times that an expired password 363 may be used to authenticate a user to the directory. If this 364 attribute is not present or if its value is zero (0), users with 365 expired passwords will not be allowed to authenticate to the 366 directory. 367 .LP 368 .RS 4 369 ( 1.3.6.1.4.1.42.2.27.8.1.8 370 NAME 'pwdGraceAuthnLimit' 371 EQUALITY integerMatch 372 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 373 SINGLE\-VALUE ) 374 .RE 375 376 .B pwdGraceExpiry 377 .P 378 This attribute specifies the number of seconds the grace 379 authentications are valid. If this attribute is not present or if 380 the value is zero (0), there is no time limit on the grace 381 authentications. 382 .LP 383 .RS 4 384 ( 1.3.6.1.4.1.42.2.27.8.1.30 385 NAME 'pwdGraceExpiry' 386 EQUALITY integerMatch 387 ORDERING integerOrderingMatch 388 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 389 SINGLE\-VALUE ) 390 .RE 391 392 .B pwdLockout 393 .P 394 This attribute specifies the action that should be taken 395 by the directory when a user has made a number of failed attempts 396 to authenticate to the directory. If 397 .B pwdLockout 398 is set (its value is "TRUE"), the user will not be allowed to 399 attempt to authenticate to the directory after there have been a 400 specified number of consecutive failed bind attempts. The maximum 401 number of consecutive failed bind attempts allowed is specified by 402 the 403 .B pwdMaxFailure 404 attribute. If 405 .B pwdLockout 406 is not present, or if its value is "FALSE", the password may be 407 used to authenticate no matter how many consecutive failed bind 408 attempts have been made. 409 .LP 410 .RS 4 411 ( 1.3.6.1.4.1.42.2.27.8.1.9 412 NAME 'pwdLockout' 413 EQUALITY booleanMatch 414 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 415 SINGLE\-VALUE ) 416 .RE 417 418 .B pwdLockoutDuration 419 .P 420 This attribute contains the number of seconds during 421 which the password cannot be used to authenticate the 422 user to the directory due to too many consecutive failed 423 bind attempts. 424 (See also 425 .B pwdLockout 426 and 427 .BR pwdMaxFailure .) 428 If 429 .B pwdLockoutDuration 430 is not present, or if its value is zero (0), the password 431 cannot be used to authenticate the user to the directory 432 again until it is reset by an administrator. 433 .LP 434 .RS 4 435 ( 1.3.6.1.4.1.42.2.27.8.1.10 436 NAME 'pwdLockoutDuration' 437 EQUALITY integerMatch 438 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 439 SINGLE\-VALUE ) 440 .RE 441 442 .B pwdMaxFailure 443 .P 444 This attribute contains the number of consecutive failed bind 445 attempts after which the password may not be used to authenticate 446 a user to the directory. 447 If 448 .B pwdMaxFailure 449 is not present, or its value is zero (0), then a user will 450 be allowed to continue to attempt to authenticate to 451 the directory, no matter how many consecutive failed 452 bind attempts have occurred with that user's DN. 453 (See also 454 .B pwdLockout 455 and 456 .BR pwdLockoutDuration .) 457 .LP 458 .RS 4 459 ( 1.3.6.1.4.1.42.2.27.8.1.11 460 NAME 'pwdMaxFailure' 461 EQUALITY integerMatch 462 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 463 SINGLE\-VALUE ) 464 .RE 465 466 .B pwdMaxRecordedFailure 467 .P 468 This attribute contains the maximum number of failed bind 469 attempts to store in a user's entry. 470 If 471 .B pwdMaxRecordedFailure 472 is not present, or its value is zero (0), then it defaults 473 to the value of 474 .BR pwdMaxFailure . 475 If that value is also 0, the default is 5. 476 .LP 477 .RS 4 478 ( 1.3.6.1.4.1.42.2.27.8.1.32 479 NAME 'pwdMaxRecordedFailure' 480 EQUALITY integerMatch 481 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 482 SINGLE\-VALUE ) 483 .RE 484 485 .B pwdFailureCountInterval 486 .P 487 This attribute contains the number of seconds after which old 488 consecutive failed bind attempts are purged from the failure counter, 489 even though no successful authentication has occurred. 490 If 491 .B pwdFailureCountInterval 492 is not present, or its value is zero (0), the failure 493 counter will only be reset by a successful authentication. 494 .LP 495 .RS 4 496 ( 1.3.6.1.4.1.42.2.27.8.1.12 497 NAME 'pwdFailureCountInterval' 498 EQUALITY integerMatch 499 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 500 SINGLE\-VALUE ) 501 .RE 502 503 .B pwdMustChange 504 .P 505 This attribute specifies whether users must change their passwords 506 when they first bind to the directory after a password is set or 507 reset by the administrator, or not. If 508 .B pwdMustChange 509 has a value of "TRUE", users must change their passwords when they 510 first bind to the directory after a password is set or reset by 511 the administrator. If 512 .B pwdMustChange 513 is not present, or its value is "FALSE", 514 users are not required to change their password upon binding after 515 the administrator sets or resets the password. 516 .LP 517 .RS 4 518 ( 1.3.6.1.4.1.42.2.27.8.1.13 519 NAME 'pwdMustChange' 520 EQUALITY booleanMatch 521 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 522 SINGLE\-VALUE ) 523 .RE 524 525 .B pwdAllowUserChange 526 .P 527 This attribute specifies whether users are allowed to change their own 528 passwords or not. If 529 .B pwdAllowUserChange 530 is set to "TRUE", or if the attribute is not present, users will be 531 allowed to change their own passwords. If its value is "FALSE", 532 users will not be allowed to change their own passwords. 533 .LP 534 Note: this implies that when 535 .B pwdAllowUserChange 536 is set to "TRUE", 537 users will still be able to change the password of another user, 538 subjected to access control. 539 This restriction only applies to modifications of ones's own password. 540 It should also be noted that 541 .B pwdAllowUserChange 542 was defined in the specification to provide rough access control 543 to the password attribute in implementations that do not allow fine-grain 544 access control. 545 Since OpenLDAP provides fine-grain access control, the use of this attribute 546 is discouraged; ACLs should be used instead 547 (see 548 .BR slapd.access (5) 549 for details). 550 .LP 551 .RS 4 552 ( 1.3.6.1.4.1.42.2.27.8.1.14 553 NAME 'pwdAllowUserChange' 554 EQUALITY booleanMatch 555 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 556 SINGLE\-VALUE ) 557 .RE 558 559 .B pwdSafeModify 560 .P 561 This attribute denotes whether the user's existing password must be sent 562 along with their new password when changing a password. If 563 .B pwdSafeModify 564 is set to "TRUE", the existing password must be sent 565 along with the new password. If the attribute is not present, or 566 its value is "FALSE", the existing password need not be sent 567 along with the new password. 568 .LP 569 .RS 4 570 ( 1.3.6.1.4.1.42.2.27.8.1.15 571 NAME 'pwdSafeModify' 572 EQUALITY booleanMatch 573 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 574 SINGLE\-VALUE ) 575 .RE 576 577 .B pwdMinDelay 578 .P 579 This attribute specifies the number of seconds to delay responding to 580 the first failed authentication attempt. If this attribute is not 581 set or is zero (0), no delays will be used. 582 .B pwdMaxDelay 583 must also be specified if 584 .B pwdMinDelay 585 is set. 586 587 Note that this implementation uses a variable lockout instead of 588 delaying the bind response. 589 .LP 590 .RS 4 591 ( 1.3.6.1.4.1.42.2.27.8.1.24 592 NAME 'pwdMinDelay' 593 EQUALITY integerMatch 594 ORDERING integerOrderingMatch 595 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 596 SINGLE\-VALUE ) 597 .RE 598 599 .B pwdMaxDelay 600 .P 601 This attribute specifies the maximum number of seconds to delay when 602 responding to a failed authentication attempt. The time specified in 603 .B pwdMinDelay 604 is used as the starting time and is then doubled on each failure until 605 the delay time is greater than or equal to 606 .B pwdMaxDelay 607 (or a successful authentication occurs, which resets the failure 608 counter). 609 .B pwdMinDelay 610 must also be specified if 611 .B pwdMaxDelay 612 is set. 613 614 Note that this implementation uses a variable lockout instead of 615 delaying the bind response. 616 .LP 617 .RS 4 618 ( 1.3.6.1.4.1.42.2.27.8.1.25 619 NAME 'pwdMaxDelay' 620 EQUALITY integerMatch 621 ORDERING integerOrderingMatch 622 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 623 SINGLE\-VALUE ) 624 .RE 625 626 .B pwdMaxIdle 627 .P 628 This attribute specifies the number of seconds an account may remain 629 unused before it becomes locked. If this attribute is not set or is 630 zero (0), no check is performed. For this to be enforced, 631 .B lastbind 632 functionality needs to be enabled on the database, that is 633 .B olcLastBind 634 is set to 635 .BR TRUE . 636 .LP 637 .RS 4 638 ( 1.3.6.1.4.1.42.2.27.8.1.26 639 NAME 'pwdMaxIdle' 640 EQUALITY integerMatch 641 ORDERING integerOrderingMatch 642 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 643 SINGLE\-VALUE ) 644 .RE 645 646 .BR pwdUseCheckModule / pwdCheckModuleArg 647 .P 648 The 649 .B pwdUseCheckModule 650 attribute enables use of a loadable module previously configured with 651 .B ppolicy_check_module 652 for the current policy. The module must 653 instantiate the check_password() function. This function 654 will be called to further check a new password if 655 .B pwdCheckQuality 656 is set to one (1) or two (2), 657 after all of the built-in password compliance checks have 658 been passed. This function will be called according to this 659 function prototype: 660 .RS 4 661 int 662 .I check_password 663 (char *pPasswd, struct berval *pErrmsg, Entry *pEntry, struct berval *pArg); 664 .RE 665 The 666 .B pPasswd 667 parameter contains the clear-text user password, the 668 .B pErrmsg 669 parameter points to a 670 .B struct berval 671 containing space 672 to return human-readable details about any error it encounters. 673 The 674 .B bv_len 675 field must contain the size of the space provided 676 by the 677 .B bv_val 678 field. 679 680 The 681 .B pEntry 682 parameter is optional, if non-NULL, carries a pointer to the 683 entry whose password is being checked. 684 685 The optional 686 .B pArg 687 parameter points to a 688 .B struct berval 689 containing the value of 690 .B pwdCheckModuleArg 691 in the effective password policy, if set, otherwise NULL. 692 693 If 694 .B pErrmsg 695 is NULL, then 696 .I funcName 697 must NOT attempt to use it. 698 A return value of LDAP_SUCCESS from the called 699 function indicates that the password is ok, any other value 700 indicates that the password is unacceptable. If the password is 701 unacceptable, the server will return an error to the client, and 702 .B pErrmsg 703 may be used to return a human-readable textual explanation of the 704 error. If the space passed in by the caller is too small, the function 705 may replace it with a dynamically allocated buffer, which will 706 be free()'d by slapd. 707 708 The 709 .B pwdCheckModule 710 attribute is now obsolete and is ignored. 711 712 .LP 713 .RS 4 714 ( 1.3.6.1.4.1.4754.1.99.1 715 NAME 'pwdCheckModule' 716 EQUALITY caseExactIA5Match 717 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 718 OBSOLETE 719 SINGLE\-VALUE ) 720 721 ( 1.3.6.1.4.1.4754.1.99.2 722 NAME 'pwdCheckModuleArg' 723 EQUALITY octetStringMatch 724 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 725 DESC 'Argument to pass to check_password() function' 726 SINGLE\-VALUE ) 727 728 ( 1.3.6.1.4.1.4754.1.99.3 729 NAME 'pwdUseCheckModule' 730 EQUALITY booleanMatch 731 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 732 SINGLE\-VALUE ) 733 .RE 734 735 .SH OPERATIONAL ATTRIBUTES 736 .P 737 The operational attributes used by the 738 .B ppolicy 739 module are stored in the user's entry. Most of these attributes 740 are not intended to be changed directly by users; they are there 741 to track user activity. They have been detailed here so that 742 administrators and users can both understand the workings of 743 the 744 .B ppolicy 745 module. 746 747 .P 748 Note that the current IETF Password Policy proposal does not define 749 how these operational attributes are expected to behave in a 750 replication environment. In general, authentication attempts on 751 a replica server only affect the copy of the operational attributes 752 on that replica and will not affect any attributes for 753 a user's entry on the provider. Operational attribute changes 754 resulting from authentication attempts on a provider 755 will usually replicate to the replicas (and also overwrite 756 any changes that originated on the replica). 757 These behaviors are not guaranteed and are subject to change 758 when a formal specification emerges. 759 760 .B userPassword 761 .P 762 The 763 .B userPassword 764 attribute is not strictly part of the 765 .B ppolicy 766 module. It is, however, the attribute that is tracked and controlled 767 by the module. Please refer to the standard OpenLDAP schema for 768 its definition. 769 770 .B pwdPolicySubentry 771 .P 772 This attribute refers directly to the 773 .B pwdPolicy 774 subentry that is to be used for this particular directory user. 775 If 776 .B pwdPolicySubentry 777 exists, it must contain the DN of a valid 778 .B pwdPolicy 779 object. If it does not exist, the 780 .B ppolicy 781 module will enforce the default password policy rules on the 782 user associated with this authenticating DN. If there is no 783 default, or the referenced subentry does not exist, then no 784 policy rules will be enforced. 785 .LP 786 .RS 4 787 ( 1.3.6.1.4.1.42.2.27.8.1.23 788 NAME 'pwdPolicySubentry' 789 DESC 'The pwdPolicy subentry in effect for 790 this object' 791 EQUALITY distinguishedNameMatch 792 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 793 SINGLE\-VALUE 794 USAGE directoryOperation) 795 .RE 796 797 .B pwdChangedTime 798 .P 799 This attribute denotes the last time that the entry's password was 800 changed. This value is used by the password expiration policy to 801 determine whether the password is too old to be allowed to be used 802 for user authentication. If 803 .B pwdChangedTime 804 does not exist, the user's password will not expire. 805 .LP 806 .RS 4 807 ( 1.3.6.1.4.1.42.2.27.8.1.16 808 NAME 'pwdChangedTime' 809 DESC 'The time the password was last changed' 810 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 811 EQUALITY generalizedTimeMatch 812 ORDERING generalizedTimeOrderingMatch 813 SINGLE\-VALUE 814 NO\-USER\-MODIFICATION 815 USAGE directoryOperation) 816 .RE 817 818 .B pwdAccountLockedTime 819 .P 820 This attribute contains the time that the user's account was locked. 821 If the account has been locked, the password may no longer be used to 822 authenticate the user to the directory. If 823 .B pwdAccountLockedTime 824 is set to 000001010000Z, the user's account has been permanently locked 825 and may only be unlocked by an administrator. Note that account locking 826 only takes effect when the 827 .B pwdLockout 828 password policy attribute is set to "TRUE". 829 .LP 830 .RS 4 831 ( 1.3.6.1.4.1.42.2.27.8.1.17 832 NAME 'pwdAccountLockedTime' 833 DESC 'The time an user account was locked' 834 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 835 EQUALITY generalizedTimeMatch 836 ORDERING generalizedTimeOrderingMatch 837 SINGLE\-VALUE 838 USAGE directoryOperation) 839 .RE 840 841 .B pwdFailureTime 842 .P 843 This attribute contains the timestamps of each of the consecutive 844 authentication failures made upon attempted authentication to this 845 DN (i.e. account). If too many timestamps accumulate here (refer to 846 the 847 .B pwdMaxFailure 848 password policy attribute for details), 849 and the 850 .B pwdLockout 851 password policy attribute is set to "TRUE", the 852 account may be locked. 853 (Please also refer to the 854 .B pwdLockout 855 password policy attribute.) 856 Excess timestamps beyond those allowed by 857 .B pwdMaxFailure 858 or 859 .B pwdMaxRecordedFailure 860 may also be purged. If a successful authentication is made to this 861 DN (i.e. to this user account), then 862 .B pwdFailureTime 863 will be cleansed of entries. 864 .LP 865 .RS 4 866 ( 1.3.6.1.4.1.42.2.27.8.1.19 867 NAME 'pwdFailureTime' 868 DESC 'The timestamps of the last consecutive 869 authentication failures' 870 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 871 EQUALITY generalizedTimeMatch 872 ORDERING generalizedTimeOrderingMatch 873 NO\-USER\-MODIFICATION 874 USAGE directoryOperation ) 875 .RE 876 877 .B pwdHistory 878 .P 879 This attribute contains the history of previously used passwords 880 for this DN (i.e. for this user account). 881 The values of this attribute are stored in string format as follows: 882 883 .RS 4 884 885 pwdHistory= 886 .RS 4 887 time "#" syntaxOID "#" length "#" data 888 .RE 889 890 time= 891 .RS 4 892 GeneralizedTime as specified in section 3.3.13 of [RFC4517] 893 .RE 894 895 .P 896 syntaxOID = numericoid 897 .RS 4 898 This is the string representation of the dotted-decimal OID that 899 defines the syntax used to store the password. numericoid is 900 described in section 1.4 of [RFC4512]. 901 .RE 902 903 length = NumericString 904 .RS 4 905 The number of octets in the data. NumericString is described in 906 section 3.3.23 of [RFC4517]. 907 .RE 908 909 data = 910 .RS 4 911 Octets representing the password in the format specified by syntaxOID. 912 .RE 913 914 .RE 915 916 This format allows the server to store and transmit a history of 917 passwords that have been used. In order for equality matching 918 on the values in this attribute to function properly, the time 919 field is in GMT format. 920 .LP 921 .RS 4 922 ( 1.3.6.1.4.1.42.2.27.8.1.20 923 NAME 'pwdHistory' 924 DESC 'The history of user passwords' 925 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 926 EQUALITY octetStringMatch 927 NO\-USER\-MODIFICATION 928 USAGE directoryOperation) 929 .RE 930 931 .B pwdGraceUseTime 932 933 This attribute contains the list of timestamps of logins made after 934 the user password in the DN has expired. These post-expiration 935 logins are known as "\fIgrace logins\fP". 936 If too many 937 .I grace logins 938 have been used (please refer to the 939 .B pwdGraceAuthnLimit 940 password policy attribute), then the DN will no longer be allowed 941 to be used to authenticate the user to the directory until the 942 administrator changes the DN's 943 .B userPassword 944 attribute. 945 .LP 946 .RS 4 947 ( 1.3.6.1.4.1.42.2.27.8.1.21 948 NAME 'pwdGraceUseTime' 949 DESC 'The timestamps of the grace login once the password has expired' 950 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 951 EQUALITY generalizedTimeMatch 952 NO\-USER\-MODIFICATION 953 USAGE directoryOperation) 954 .RE 955 956 .B pwdReset 957 .P 958 This attribute indicates whether the user's password has been reset 959 by the administrator and thus must be changed upon first use of this 960 DN for authentication to the directory. If 961 .B pwdReset 962 is set to "TRUE", then the password was reset and the user must change 963 it upon first authentication. If the attribute does not exist, or 964 is set to "FALSE", the user need not change their password due to 965 administrative reset. 966 .LP 967 .RS 4 968 ( 1.3.6.1.4.1.42.2.27.8.1.22 969 NAME 'pwdReset' 970 DESC 'The indication that the password has 971 been reset' 972 EQUALITY booleanMatch 973 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 974 SINGLE\-VALUE 975 USAGE directoryOperation) 976 .RE 977 978 .B pwdStartTime 979 980 This attribute specifies the time the entry's password becomes valid 981 for authentication. Authentication attempts made before this time 982 will fail. If this attribute does not exist, then no restriction 983 applies. 984 .LP 985 .RS 4 986 ( 1.3.6.1.4.1.42.2.27.8.1.27 987 NAME 'pwdStartTime' 988 DESC 'The time the password becomes enabled' 989 EQUALITY generalizedTimeMatch 990 ORDERING generalizedTimeOrderingMatch 991 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 992 SINGLE\-VALUE 993 USAGE directoryOperation ) 994 .RE 995 996 .B pwdEndTime 997 998 This attribute specifies the time the entry's password becomes 999 invalid for authentication. Authentication attempts made after this 1000 time will fail, regardless of expiration or grace settings. If this 1001 attribute does not exist, then this restriction does not apply. 1002 .LP 1003 .RS 4 1004 ( 1.3.6.1.4.1.42.2.27.8.1.28 1005 NAME 'pwdEndTime' 1006 DESC 'The time the password becomes disabled' 1007 EQUALITY generalizedTimeMatch 1008 ORDERING generalizedTimeOrderingMatch 1009 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 1010 SINGLE\-VALUE 1011 USAGE directoryOperation ) 1012 .RE 1013 1014 Note that pwdStartTime may be set to a time greater than or equal to 1015 pwdEndTime; this simply disables the account. 1016 1017 .B pwdAccountTmpLockoutEnd 1018 .P 1019 This attribute that the user's password has been locked out temporarily 1020 according to the 1021 .B pwdMinDelay 1022 policy option and when the lockout ends. 1023 .LP 1024 .RS 4 1025 ( 1.3.6.1.4.1.42.2.27.8.1.33 1026 NAME 'pwdAccountTmpLockoutEnd' 1027 DESC 'Temporary lockout end' 1028 EQUALITY generalizedTimeMatch 1029 ORDERING generalizedTimeOrderingMatch 1030 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 1031 SINGLE\-VALUE 1032 NO\-USER\-MODIFICATION 1033 USAGE directoryOperation ) 1034 .RE 1035 1036 .SH SUNDS ACCOUNT USABILITY CONTROL 1037 .LP 1038 If the SunDS Account Usability control is used with a search request, the 1039 overlay will attach validity information to each entry provided all of the 1040 following are met: 1041 .IP \[bu] 2 1042 There is a password policy that applies to the entry 1043 .IP \[bu] 1044 The user has 1045 .B compare 1046 access to the entry's password attribute. 1047 .IP \[bu] 1048 The configured password attribute is present in the entry 1049 1050 .SH EXAMPLES 1051 .LP 1052 .RS 1053 .nf 1054 database mdb 1055 suffix dc=example,dc=com 1056 \|... 1057 overlay ppolicy 1058 ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com" 1059 .fi 1060 .RE 1061 1062 .SH SEE ALSO 1063 .BR ldap (3), 1064 .BR slapd.conf (5), 1065 .BR slapd\-config (5), 1066 .BR slapo\-chain (5). 1067 .LP 1068 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) 1069 .LP 1070 IETF LDAP password policy proposal by P. Behera, L. Poitou and J. 1071 Sermersheim: documented in IETF document 1072 "draft-behera-ldap-password-policy-10.txt". 1073 1074 .SH BUGS 1075 The LDAP Password Policy specification is not yet an approved standard, 1076 and it is still evolving. This code will continue to be in flux until the 1077 specification is finalized. 1078 1079 .SH ACKNOWLEDGEMENTS 1080 .P 1081 This module was written in 2004 by Howard Chu of Symas Corporation 1082 with significant input from Neil Dunbar and Kartik Subbarao of Hewlett-Packard. 1083 .P 1084 This manual page borrows heavily and shamelessly from the specification 1085 upon which the password policy module it describes is based. This 1086 source is the 1087 IETF LDAP password policy proposal by P. Behera, L. 1088 Poitou and J. Sermersheim. 1089 The proposal is fully documented in 1090 the 1091 IETF document named draft-behera-ldap-password-policy-10.txt, 1092 written in August of 2009. 1093 .P 1094 .lf 1 ./../Project 1095 .\" Shared Project Acknowledgement Text 1096 .B "OpenLDAP Software" 1097 is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. 1098 .B "OpenLDAP Software" 1099 is derived from the University of Michigan LDAP 3.3 Release. 1100 .lf 1094 stdin 1101
Indexes created Tue May 05 00:25:04 UTC 2026