.\" slapo-ppolicy.5 revision 1.4.12.1
.TH SLAPO_PPOLICY 5 "2014/01/26" "OpenLDAP 2.4.39"
.\" Copyright 2004-2014 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-ppolicy \- Password Policy overlay to slapd
.SH SYNOPSIS
/etc/openldap/slapd.conf
.SH DESCRIPTION
.LP
The
.B ppolicy
overlay
is an implementation of the most recent IETF Password
Policy proposal for LDAP. When instantiated, it intercepts,
decodes and applies specific password policy controls to overall
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms. They
include password aging -- both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
policies, and there is no limit to the number of password policies
that may be created.
.P
Note that some of the policies do not take effect when the operation
is performed with the
.B rootdn
identity; all the operations, when performed with any other identity,
may be subjected to constraints, like access control.
.P
Note that the IETF Password Policy proposal for LDAP makes sense
when considering a single-valued password attribute, while
the userPassword attribute allows multiple values. This implementation
enforces a single value for the userPassword attribute, despite
its specification.

.SH CONFIGURATION
These
.B slapd.conf
configuration options apply to the ppolicy overlay. They should appear
after the
.B overlay
directive.
.TP
.B ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
.B ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such
as recording failures, lockout, etc.) on a consumer should be forwarded
to a master instead of being written directly into the consumer's local
database. This setting is only useful on a replication consumer, and
also requires the
.B updateref
setting and
.B chain
overlay to be appropriately configured.
.TP
.B ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should
be hashed before being stored in the database. This violates the X.500/LDAP
information model, but may be needed to compensate for LDAP clients that
don't use the Password Modify extended operation to manage passwords. It
is recommended that, when this option is used, compare, search, and
read access be denied to all directory users.
.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
.B InvalidCredentials
response when
Binding to a locked account. By default, when a Password Policy control
was provided on the Bind request, a Password Policy response will be
included with no special error code set. This option changes the
Password Policy response to include the
.B AccountLocked
error code. Note
that sending the
.B AccountLocked
error code provides useful information
to an attacker; sites that are sensitive to security issues should not
enable this option.

.SH OBJECT CLASS
The
.B ppolicy
overlay depends on the
.B pwdPolicy
object class. The definition of that class is as follows:
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
AUXILIARY
SUP top
MUST ( pwdAttribute )
MAY (
pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckQuality $ pwdMinLength $
pwdExpireWarning $ pwdGraceAuthnLimit $
pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
pwdSafeModify ) )
.RE

This implementation also provides an additional
.B pwdPolicyChecker
objectclass, used for password quality checking (see below).
.LP
.RS 4
( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
MAY ( pwdCheckModule ) )
.RE
.P
Every account that should be subject to password policy control should
have a
.B pwdPolicySubentry
attribute containing the DN of a valid
.B pwdPolicy
entry; accounts without one are governed by the configured default policy.
In this way different users may be managed according to
different policies.

.SH OBJECT CLASS ATTRIBUTES
.P
Each one of the sections below details the meaning and use of a particular
attribute of this
.B pwdPolicy
object class.
.P

.B pwdAttribute
.P
This attribute contains the name of the attribute to which the password
policy is applied. For example, the password policy may be applied
to the
.B userPassword
attribute.
.P
Note: in this implementation, the only
value accepted for
.B pwdAttribute
is
.IR userPassword .
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
.RE

.B pwdMinAge
.P
This attribute contains the number of seconds that must elapse
between modifications allowed to the password. If this attribute
is not present, zero seconds is assumed (i.e. the password may be
modified whenever and however often is desired).
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdMaxAge
.P
This attribute contains the number of seconds after which a modified
password will expire. If this attribute is not present, or if its
value is zero (0), then passwords will not expire.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdInHistory
.P
This attribute is used to specify the maximum number of used
passwords that will be stored in the
.B pwdHistory
attribute. If the
.B pwdInHistory
attribute is not present, or if its value is
zero (0), used passwords will not be stored in
.B pwdHistory
and thus any previously-used password may be reused.
No history checking occurs if the password is being modified by the
.BR rootdn ,
although the password is saved in the history.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdCheckQuality
.P
This attribute indicates if and how password syntax will be checked
while a password is being modified or added. If this attribute is
not present, or its value is zero (0), no syntax checking will be
done. If its value is one (1), the server will check the syntax,
and if the server is unable to check the syntax,
whether due to a client-side hashed password or some other reason,
it will be
accepted. If its value is two (2), the server will check the syntax,
and if the server is unable to check the syntax it will return an
error refusing the password.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdMinLength
.P
When syntax checking is enabled
(see also the
.B pwdCheckQuality
attribute), this attribute contains the minimum
number of characters that will be accepted in a password. If this
attribute is not present, minimum password length is not
enforced. If the server is unable to check the length of the password,
whether due to a client-side hashed password or some other reason,
the server will, depending on the
value of
.BR pwdCheckQuality ,
either accept the password
without checking it (if
.B pwdCheckQuality
is zero (0) or one (1)) or refuse it (if
.B pwdCheckQuality
is two (2)).
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE
.B pwdExpireWarning
.P
This attribute contains the maximum number of seconds before a
password is due to expire that expiration warning messages will be
returned to a user who is authenticating to the directory.
If this attribute is not
present, or if the value is zero (0), no warnings will be sent.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdGraceAuthnLimit
.P
This attribute contains the number of times that an expired password
may be used to authenticate a user to the directory. If this
attribute is not present or if its value is zero (0), users with
expired passwords will not be allowed to authenticate to the
directory.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdLockout
.P
This attribute specifies the action that should be taken
by the directory when a user has made a number of failed attempts
to authenticate to the directory. If
.B pwdLockout
is set (its value is "TRUE"), the user will not be allowed to
attempt to authenticate to the directory after there have been a
specified number of consecutive failed bind attempts. The maximum
number of consecutive failed bind attempts allowed is specified by
the
.B pwdMaxFailure
attribute. If
.B pwdLockout
is not present, or if its value is "FALSE", the password may be
used to authenticate no matter how many consecutive failed bind
attempts have been made.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE\-VALUE )
.RE

.B pwdLockoutDuration
.P
This attribute contains the number of seconds during
which the password cannot be used to authenticate the
user to the directory due to too many consecutive failed
bind attempts.
(See also
.B pwdLockout
and
.BR pwdMaxFailure .)
If
.B pwdLockoutDuration
is not present, or if its value is zero (0), the password
cannot be used to authenticate the user to the directory
again until it is reset by an administrator.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdMaxFailure
.P
This attribute contains the number of consecutive failed bind
attempts after which the password may not be used to authenticate
a user to the directory.
If
.B pwdMaxFailure
is not present, or its value is zero (0), then a user will
be allowed to continue to attempt to authenticate to
the directory, no matter how many consecutive failed
bind attempts have occurred with that user's DN.
(See also
.B pwdLockout
and
.BR pwdLockoutDuration .)
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdFailureCountInterval
.P
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure counter,
even though no successful authentication has occurred.
If
.B pwdFailureCountInterval
is not present, or its value is zero (0), the failure
counter will only be reset by a successful authentication.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE\-VALUE )
.RE

.B pwdMustChange
.P
This attribute specifies whether users must change their passwords
when they first bind to the directory after a password is set or
reset by the administrator, or not. If
.B pwdMustChange
has a value of "TRUE", users must change their passwords when they
first bind to the directory after a password is set or reset by
the administrator. If
.B pwdMustChange
is not present, or its value is "FALSE",
users are not required to change their password upon binding after
the administrator sets or resets the password.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE\-VALUE )
.RE

.B pwdAllowUserChange
.P
This attribute specifies whether users are allowed to change their own
passwords or not. If
.B pwdAllowUserChange
is set to "TRUE", or if the attribute is not present, users will be
allowed to change their own passwords. If its value is "FALSE",
users will not be allowed to change their own passwords.
.LP
Note: this implies that when
.B pwdAllowUserChange
is set to "TRUE",
users will still be able to change the password of another user,
subject to access control.
This restriction only applies to modifications of one's own password.
It should also be noted that
.B pwdAllowUserChange
was defined in the specification to provide rough access control
to the password attribute in implementations that do not allow fine-grain
access control.
Since OpenLDAP provides fine-grain access control, the use of this attribute
is discouraged; ACLs should be used instead
(see
.BR slapd.access (5)
for details).
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE\-VALUE )
.RE

.B pwdSafeModify
.P
This attribute denotes whether the user's existing password must be sent
along with their new password when changing a password. If
.B pwdSafeModify
is set to "TRUE", the existing password must be sent
along with the new password. If the attribute is not present, or
its value is "FALSE", the existing password need not be sent
along with the new password.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE\-VALUE )
.RE

.B pwdCheckModule
.P
This attribute names a user-defined loadable module that must
instantiate the check_password() function. This function
will be called to further check a new password if
.B pwdCheckQuality
is set to one (1) or two (2),
after all of the built-in password compliance checks have
been passed. This function will be called according to this
function prototype:
.RS 4
int
.I check_password
(char *pPasswd, char **ppErrStr, Entry *pEntry);
.RE
The
.B pPasswd
parameter contains the clear-text user password, the
.B ppErrStr
parameter contains a double pointer that allows the function
to return human-readable details about any error it encounters.
The optional
.B pEntry
parameter, if non-NULL, carries a pointer to the
entry whose password is being checked.
If
.B ppErrStr
is NULL, then
.I check_password
must NOT attempt to use it.
A return value of LDAP_SUCCESS from the called
function indicates that the password is ok, any other value
indicates that the password is unacceptable. If the password is
unacceptable, the server will return an error to the client, and
.B ppErrStr
may be used to return a human-readable textual explanation of the
error. The error string must be dynamically allocated as it will
be free()'d by slapd.
.LP
.RS 4
( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE\-VALUE )
.RE
.P
Note:
The user-defined loadable module named by
.B pwdCheckModule
must be in
.B slapd's
standard executable search PATH.
.P
Note:
.B pwdCheckModule
is a non-standard extension to the LDAP password
policy proposal.
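.P
The following is an added example, not OpenLDAP's own code, of a module
implementing the check_password() prototype above. The Entry type is
declared opaque here (a real module would get it from slapd's headers), the
LDAP result codes are those of ldap.h, and the rule enforced (at least three
of four character classes, no run of more than three identical characters)
is constructed for illustration.

```c
/* Added example of a pwdCheckModule-style checker; not OpenLDAP code. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0                 /* value from <ldap.h>: password ok */
#endif
#ifndef LDAP_CONSTRAINT_VIOLATION
#define LDAP_CONSTRAINT_VIOLATION 0x13 /* value from <ldap.h>; any non-zero rejects */
#endif

typedef struct Entry Entry;            /* assumption: opaque stand-in for slapd's Entry */

/* Copy msg into malloc'd storage, but only when a ppErrStr was supplied;
 * slapd free()s the string, so it must come from malloc. */
static void set_err(char **ppErrStr, const char *msg)
{
    if (ppErrStr == NULL)
        return;
    size_t n = strlen(msg) + 1;
    *ppErrStr = malloc(n);
    if (*ppErrStr != NULL)
        memcpy(*ppErrStr, msg, n);
}

/* Rule constructed for this example: three of four character classes and
 * no character repeated more than three times in a row. Minimum length is
 * left to the built-in pwdMinLength check, which runs before this module. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0, run = 0;
    (void)pEntry;                      /* the entry is not needed by this rule */

    if (pPasswd == NULL) {
        set_err(ppErrStr, "no password supplied");
        return LDAP_CONSTRAINT_VIOLATION;
    }
    for (const unsigned char *p = (const unsigned char *)pPasswd; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
        run = (p > (const unsigned char *)pPasswd && p[0] == p[-1]) ? run + 1 : 1;
        if (run > 3) {
            set_err(ppErrStr, "password repeats one character more than three times in a row");
            return LDAP_CONSTRAINT_VIOLATION;
        }
    }
    if (lower + upper + digit + other < 3) {
        set_err(ppErrStr, "password must mix at least three of: lower, upper, digits, other");
        return LDAP_CONSTRAINT_VIOLATION;
    }
    return LDAP_SUCCESS;
}

/* Stand-alone helper: run the check on a copy of pw, release the error
 * string the way slapd would, and return the result code. */
int check_result(const char *pw)
{
    char buf[256];
    char *err = NULL;
    strncpy(buf, pw, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    int rc = check_password(buf, &err, NULL);
    free(err);
    return rc;
}
```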

.SH OPERATIONAL ATTRIBUTES
.P
The operational attributes used by the
.B ppolicy
module are stored in the user's entry. Most of these attributes
are not intended to be changed directly by users; they are there
to track user activity. They have been detailed here so that
administrators and users can both understand the workings of
the
.B ppolicy
module.

.P
Note that the current IETF Password Policy proposal does not define
how these operational attributes are expected to behave in a
replication environment. In general, authentication attempts on
a slave server only affect the copy of the operational attributes
on that slave and will not affect any attributes for
a user's entry on the master server. Operational attribute changes
resulting from authentication attempts on a master server
will usually replicate to the slaves (and also overwrite
any changes that originated on the slave).
These behaviors are not guaranteed and are subject to change
when a formal specification emerges.

.B userPassword
.P
The
.B userPassword
attribute is not strictly part of the
.B ppolicy
module. It is, however, the attribute that is tracked and controlled
by the module. Please refer to the standard OpenLDAP schema for
its definition.

.B pwdPolicySubentry
.P
This attribute refers directly to the
.B pwdPolicy
subentry that is to be used for this particular directory user.
If
.B pwdPolicySubentry
exists, it must contain the DN of a valid
.B pwdPolicy
object. If it does not exist, the
.B ppolicy
module will enforce the default password policy rules on the
user associated with this authenticating DN. If there is no
default, or the referenced subentry does not exist, then no
policy rules will be enforced.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE\-VALUE
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE

.B pwdChangedTime
.P
This attribute denotes the last time that the entry's password was
changed. This value is used by the password expiration policy to
determine whether the password is too old to be allowed to be used
for user authentication. If
.B pwdChangedTime
does not exist, the user's password will not expire.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE\-VALUE
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE

.B pwdAccountLockedTime
.P
This attribute contains the time that the user's account was locked.
If the account has been locked, the password may no longer be used to
authenticate the user to the directory. If
.B pwdAccountLockedTime
is set to 000001010000Z, the user's account has been permanently locked
and may only be unlocked by an administrator. Note that account locking
only takes effect when the
.B pwdLockout
password policy attribute is set to "TRUE".
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE\-VALUE
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE

.B pwdFailureTime
.P
This attribute contains the timestamps of each of the consecutive
authentication failures made upon attempted authentication to this
DN (i.e. account). If too many timestamps accumulate here (refer to
the
.B pwdMaxFailure
password policy attribute for details),
and the
.B pwdLockout
password policy attribute is set to "TRUE", the
account may be locked.
(Please also refer to the
.B pwdLockout
password policy attribute.)
Excess timestamps beyond those allowed by
.B pwdMaxFailure
may also be purged. If a successful authentication is made to this
DN (i.e. to this user account), then
.B pwdFailureTime
will be cleansed of entries.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive
authentication failures'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
NO\-USER\-MODIFICATION
USAGE directoryOperation )
.RE
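.P
The following added example, not OpenLDAP's own code, shows how the
lockout attributes described on this page fit together: it evaluates an
account's pwdFailureTime and pwdAccountLockedTime values against the
pwdLockout, pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration
policy attributes. The GeneralizedTime values are assumed to be in the
"YYYYMMDDHHMMSSZ" form, and the sample timestamps are constructed.

```c
/* Added example of lockout evaluation; not OpenLDAP code. */
#include <stdio.h>
#include <string.h>

#define PERMANENT_LOCK "000001010000Z"   /* sentinel documented for pwdAccountLockedTime */

struct lock_policy {
    int  lockout;            /* pwdLockout: 1 for TRUE */
    int  max_failure;        /* pwdMaxFailure; 0 means never lock */
    long failure_interval;   /* pwdFailureCountInterval (s); 0 = reset only on success */
    long lockout_duration;   /* pwdLockoutDuration (s); 0 = locked until admin reset */
};

enum lock_state { UNLOCKED = 0, LOCKED_TEMP = 1, LOCKED_UNTIL_RESET = 2 };

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2) ? 1 : 0;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2) / 5 + (unsigned)d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

/* GeneralizedTime "YYYYMMDDHHMMSSZ" to Unix seconds; -1 if malformed. */
long gt_to_epoch(const char *gt)
{
    int y, mo, d, h, mi, s;
    if (strlen(gt) != 15 || gt[14] != 'Z') return -1;
    if (sscanf(gt, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &s) != 6) return -1;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || s > 60) return -1;
    return days_from_civil(y, mo, d) * 86400L + h * 3600L + mi * 60L + s;
}

/* Failures that still count: with a non-zero pwdFailureCountInterval,
 * timestamps older than the interval are purged from the counter. */
int live_failures(const struct lock_policy *pol, const char *const *failure_times,
                  int n, long now)
{
    int live = 0;
    for (int i = 0; i < n; i++) {
        long t = gt_to_epoch(failure_times[i]);
        if (t < 0) continue;                                   /* skip unparsable value */
        if (pol->failure_interval > 0 && now - t >= pol->failure_interval) continue;
        live++;
    }
    return live;
}

/* locked_time is the pwdAccountLockedTime value, or NULL when absent. */
enum lock_state lock_state(const struct lock_policy *pol, const char *locked_time,
                           const char *const *failure_times, int n, long now)
{
    if (!pol->lockout) return UNLOCKED;                        /* pwdLockout FALSE or absent */
    if (locked_time != NULL) {
        if (strcmp(locked_time, PERMANENT_LOCK) == 0) return LOCKED_UNTIL_RESET;
        if (pol->lockout_duration == 0) return LOCKED_UNTIL_RESET;
        long since = gt_to_epoch(locked_time);
        if (since >= 0 && now - since < pol->lockout_duration) return LOCKED_TEMP;
        return UNLOCKED;                                       /* lockout has expired */
    }
    /* No lock time recorded yet: the live failure count alone decides. */
    if (pol->max_failure > 0 && live_failures(pol, failure_times, n, now) >= pol->max_failure)
        return pol->lockout_duration == 0 ? LOCKED_UNTIL_RESET : LOCKED_TEMP;
    return UNLOCKED;
}
```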

.B pwdHistory
.P
This attribute contains the history of previously used passwords
for this DN (i.e. for this user account).
The values of this attribute are stored in string format as follows:

.RS 4

pwdHistory=
.RS 4
time "#" syntaxOID "#" length "#" data
.RE

time=
.RS 4
GeneralizedTime as specified in section 3.3.13 of [RFC4517]
.RE

.P
syntaxOID = numericoid
.RS 4
This is the string representation of the dotted-decimal OID that
defines the syntax used to store the password. numericoid is
described in section 1.4 of [RFC4512].
.RE

length = NumericString
.RS 4
The number of octets in the data. NumericString is described in
section 3.3.23 of [RFC4517].
.RE

data =
.RS 4
Octets representing the password in the format specified by syntaxOID.
.RE

.RE

This format allows the server to store and transmit a history of
passwords that have been used. In order for equality matching
on the values in this attribute to function properly, the time
field is in GMT format.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.20
NAME 'pwdHistory'
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE
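.P
The following added example, not OpenLDAP's own code, parses one
pwdHistory value in the time "#" syntaxOID "#" length "#" data format
described above. The declared length, rather than a search for "#",
bounds the data field, since the stored password octets may themselves
contain "#". The sample value is constructed.

```c
/* Added example: parser for a single pwdHistory value; not OpenLDAP code. */
#include <stdlib.h>
#include <string.h>

struct pwd_history {
    char time[32];          /* GeneralizedTime, e.g. 20140126120000Z */
    char syntax_oid[64];    /* dotted-decimal OID of the stored password syntax */
    size_t length;          /* declared number of octets in data */
    const char *data;       /* points into the caller's value buffer */
};

/* Returns 0 on success, -1 when the value is malformed. */
int parse_pwd_history(const char *value, size_t value_len, struct pwd_history *out)
{
    const char *p = value, *end = value + value_len, *sep;
    char lenbuf[16], *endptr;
    size_t n;

    /* field 1: time, which must look like a GeneralizedTime ending in 'Z' */
    sep = memchr(p, '#', (size_t)(end - p));
    if (sep == NULL) return -1;
    n = (size_t)(sep - p);
    if (n < 11 || n >= sizeof out->time || p[n - 1] != 'Z') return -1;
    memcpy(out->time, p, n); out->time[n] = '\0';
    p = sep + 1;

    /* field 2: syntaxOID, a numericoid of digits and dots */
    sep = memchr(p, '#', (size_t)(end - p));
    if (sep == NULL) return -1;
    n = (size_t)(sep - p);
    if (n == 0 || n >= sizeof out->syntax_oid) return -1;
    for (size_t i = 0; i < n; i++)
        if (!((p[i] >= '0' && p[i] <= '9') || p[i] == '.')) return -1;
    memcpy(out->syntax_oid, p, n); out->syntax_oid[n] = '\0';
    p = sep + 1;

    /* field 3: length, a NumericString of decimal digits */
    sep = memchr(p, '#', (size_t)(end - p));
    if (sep == NULL) return -1;
    n = (size_t)(sep - p);
    if (n == 0 || n >= sizeof lenbuf || p[0] < '0' || p[0] > '9') return -1;
    memcpy(lenbuf, p, n); lenbuf[n] = '\0';
    out->length = strtoul(lenbuf, &endptr, 10);
    if (*endptr != '\0') return -1;
    p = sep + 1;

    /* field 4: data; exactly `length` octets must remain, '#' included */
    if ((size_t)(end - p) != out->length) return -1;
    out->data = p;
    return 0;
}

/* Stand-alone helper: parse a NUL-terminated value and return the declared
 * data length, or 0 when the value does not parse. */
size_t history_data_len(const char *value)
{
    struct pwd_history h;
    if (parse_pwd_history(value, strlen(value), &h) != 0) return 0;
    return h.length;
}
```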

.B pwdGraceUseTime
.P
This attribute contains the list of timestamps of logins made after
the user password in the DN has expired. These post-expiration
logins are known as "\fIgrace logins\fP".
If too many
.I grace logins
have been used (please refer to the
.B pwdGraceAuthnLimit
password policy attribute), then the DN will no longer be allowed
to be used to authenticate the user to the directory until the
administrator changes the DN's
.B userPassword
attribute.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.21
NAME 'pwdGraceUseTime'
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
NO\-USER\-MODIFICATION
USAGE directoryOperation)
.RE

.B pwdReset
.P
This attribute indicates whether the user's password has been reset
by the administrator and thus must be changed upon first use of this
DN for authentication to the directory. If
.B pwdReset
is set to "TRUE", then the password was reset and the user must change
it upon first authentication. If the attribute does not exist, or
is set to "FALSE", the user need not change their password due to
administrative reset.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.22
NAME 'pwdReset'
DESC 'The indication that the password has
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE\-VALUE
USAGE directoryOperation)
.RE

.SH EXAMPLES
.LP
.RS
.nf
database bdb
suffix dc=example,dc=com
\|...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi
.RE

.SH SEE ALSO
.BR ldap (3),
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapo\-chain (5).
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document
"draft-behera-ldap-password-policy-09.txt".

.SH BUGS
The LDAP Password Policy specification is not yet an approved standard,
and it is still evolving. This code will continue to be in flux until the
specification is finalized.

.SH ACKNOWLEDGEMENTS
.P
This module was written in 2004 by Howard Chu of Symas Corporation
with significant input from Neil Dunbar and Kartik Subbarao of Hewlett-Packard.
.P
This manual page borrows heavily and shamelessly from the specification
upon which the password policy module it describes is based. This
source is the
IETF LDAP password policy proposal by P. Behera, L.
Poitou and J. Sermersheim.
The proposal is fully documented in
the
IETF document named draft-behera-ldap-password-policy-09.txt,
written in July of 2005.
.P
.\" Shared Project Acknowledgement Text
.B "OpenLDAP Software"
is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
.B "OpenLDAP Software"
is derived from University of Michigan LDAP 3.3 Release.