Manual Pages for UNIX Darwin command on man slapo-ppolicy

SLAPOPPOLICY(5) SLAPOPPOLICY(5)

NAME

slapo-ppolicy - Password Policy overlay

SYNOPSIS

/etc/openldap/slapd.conf

DESCRIPTION

The ppppoolliiccyy overlay is an implementation of the most recent IETF Pass-

word Policy proposal for LDAP. When instantiated, it intercepts, decodes and applies specific password policy controls to overall use of a backend database, changes to user password fields, etc. The overlay provides a variety of password control mechanisms. They

include password aging-both minimum and maximum ages, password reuse

and duplication control, account time-outs, mandatory password resets,

acceptable password content, and even grace logins. Different groups of users may be associated with different password policies, and there is no limit to the number of password policies that may be created. Note that some of the policies do not take effect when the operation is performed with the rroooottddnn identity; all the operations, when performed with any other identity, may be subjected to constraints, like access control. CCOONNFFIIGGUURRAATTIIOONN These ssllaappdd..ccoonnff configuration options apply to the ppolicy overlay. They should appear after the oovveerrllaayy directive. ppppoolliiccyyddeeffaauulltt <> Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced. ppppoolliiccyyhhaasshhcclleeaarrtteexxtt Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500/LDAP information model, but may be

needed to compensate for LDAP clients that don't use the Pass-

word Modify extended operation to manage passwords. It is rec-

ommended that when this option is used that compare, search, and read access be denied to all directory users. ppppoolliiccyyuusseelloocckkoouutt A client will always receive an LDAP IInnvvaalliiddCCrreeddeennttiiaallss response when Binding to a locked account. By default, when a Password

Policy control was provided on the Bind request, a Password Pol-

icy response will be included with no special error code set. This option changes the Password Policy response to include the AAccccoouunnttLLoocckkeedd error code. Note that sending the AAccccoouunnttLLoocckkeedd error code provides useful information to an attacker; sites that are sensitive to security issues should not enable this option. OOBBJJEECCTT CCLLAASSSS

The ppppoolliiccyy overlay depends on the ppwwddPPoolliiccyy object class. The defini-

tion of that class is as follows: ( 1.3.6.1.4.1.42.2.27.8.2.1

NAME 'pwdPolicy'

AUXILIARY SUP top MUST ( pwdAttribute ) MAY (

pwdMinAge $ pwdMaxAge $ pwdInHistory $

pwdCheckQuality $ pwdMinLength $

pwdExpireWarning $ pwdGraceAuthnLimit $

pwdLockout $ pwdLockoutDuration $

pwdMaxFailure $ pwdFailureCountInterval $

pwdMustChange $ pwdAllowUserChange $

pwdSafeModify ) ) This implementation also provides an additional ppwwddPPoolliiccyyCChheecckkeerr objectclass, used for password quality checking (see below). ( 1.3.6.1.4.1.4754.2.99.1

NAME 'pwdPolicyChecker'

AUXILIARY SUP top MAY ( pwdCheckModule ) ) Every account that should be subject to password policy control should

have a ppwwddPPoolliiccyySSuubbeennttrryy attribute containing the DN of a valid ppwwddPPooll-

iiccyy entry, or they can simply use the configured default. In this way different users may be managed according to different policies. OOBBJJEECCTT CCLLAASSSS AATTTTRRIIBBUUTTEESS

Each one of the sections below details the meaning and use of a partic-

ular attribute of this ppwwddPPoolliiccyy object class. ppwwddAAttttrriibbuuttee This attribute contains the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the uusseerrPPaasssswwoorrdd attribute. Note: in this implementation, the only value accepted for ppwwddAAttttrriibbuuttee is userPassword . ( 1.3.6.1.4.1.42.2.27.8.1.1

NAME 'pwdAttribute'

EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) ppwwddMMiinnAAggee This attribute contains the number of seconds that must elapse between modifications allowed to the password. If this attribute is not present, zero seconds is assumed (i.e. the password may be modified whenever and however often is desired). ( 1.3.6.1.4.1.42.2.27.8.1.2

NAME 'pwdMinAge'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddMMaaxxAAggee This attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its value is zero (0), then passwords will not expire. ( 1.3.6.1.4.1.42.2.27.8.1.3

NAME 'pwdMaxAge'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddIInnHHiissttoorryy This attribute is used to specify the maximum number of used passwords that will be stored in the ppwwddHHiissttoorryy attribute. If the ppwwddIInnHHiissttoorryy attribute is not present, or if its value is zero (0), used passwords

will not be stored in ppwwddHHiissttoorryy and thus any previously-used password

may be reused. No history checking occurs if the password is being modified by the rroooottddnn, although the password is saved in the history. ( 1.3.6.1.4.1.42.2.27.8.1.4

NAME 'pwdInHistory'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddCChheecckkQQuuaalliittyy This attribute indicates if and how password syntax will be checked while a password is being modified or added. If this attribute is not present, or its value is zero (0), no syntax checking will be done. If its value is one (1), the server will check the syntax, and if the

server is unable to check the syntax, whether due to a client-side

hashed password or some other reason, it will be accepted. If its value is two (2), the server will check the syntax, and if the server is

unable to check the syntax it will return an error refusing the pass-

word. ( 1.3.6.1.4.1.42.2.27.8.1.5

NAME 'pwdCheckQuality'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddMMiinnLLeennggtthh When syntax checking is enabled (see also the ppwwddCChheecckkQQuuaalliittyy attribute), this attribute contains the minimum number of characters that will be accepted in a password. If this attribute is not present, minimum password length is not enforced. If the server is unable to

check the length of the password, whether due to a client-side hashed

password or some other reason, the server will, depending on the value of ppwwddCChheecckkQQuuaalliittyy, either accept the password without checking it (if

ppwwddCChheecckkQQuuaalliittyy is zero (0) or one (1)) or refuse it (if ppwwddCChheecckkQQuuaall-

iittyy is two (2)). ( 1.3.6.1.4.1.42.2.27.8.1.6

NAME 'pwdMinLength'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddEExxppiirreeWWaarrnniinngg This attribute contains the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to a user who is authenticating to the directory. If this attribute is not present, or if the value is zero (0), no warnings will be sent. ( 1.3.6.1.4.1.42.2.27.8.1.7

NAME 'pwdExpireWarning'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddGGrraacceeAAuutthhnnLLiimmiitt This attribute contains the number of times that an expired password may be used to authenticate a user to the directory. If this attribute

is not present or if its value is zero (0), users with expired pass-

words will not be allowed to authenticate to the directory. ( 1.3.6.1.4.1.42.2.27.8.1.8

NAME 'pwdGraceAuthnLimit'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddLLoocckkoouutt

This attribute specifies the action that should be taken by the direc-

tory when a user has made a number of failed attempts to authenticate to the directory. If ppwwddLLoocckkoouutt is set (its value is "TRUE"), the user will not be allowed to attempt to authenticate to the directory after there have been a specified number of consecutive failed bind attempts.

The maximum number of consecutive failed bind attempts allowed is spec-

ified by the ppwwddMMaaxxFFaaiilluurree attribute. If ppwwddLLoocckkoouutt is not present, or if its value is "FALSE", the password may be used to authenticate no matter how many consecutive failed bind attempts have been made. ( 1.3.6.1.4.1.42.2.27.8.1.9

NAME 'pwdLockout'

EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

SINGLE-VALUE )

ppwwddLLoocckkoouuttDDuurraattiioonn This attribute contains the number of seconds during which the password cannot be used to authenticate the user to the directory due to too

many consecutive failed bind attempts. (See also ppwwddLLoocckkoouutt and ppwwdd-

MMaaxxFFaaiilluurree.) If ppwwddLLoocckkoouuttDDuurraattiioonn is not present, or if its value is zero (0), the password cannot be used to authenticate the user to the directory again until it is reset by an administrator. ( 1.3.6.1.4.1.42.2.27.8.1.10

NAME 'pwdLockoutDuration'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddMMaaxxFFaaiilluurree This attribute contains the number of consecutive failed bind attempts after which the password may not be used to authenticate a user to the directory. If ppwwddMMaaxxFFaaiilluurree is not present, or its value is zero (0), then a user will be allowed to continue to attempt to authenticate to the directory, no matter how many consecutive failed bind attempts have

occurred with that user's DN. (See also ppwwddLLoocckkoouutt and ppwwddLLoocckkoouuttDDuurraa-

ttiioonn.) ( 1.3.6.1.4.1.42.2.27.8.1.11

NAME 'pwdMaxFailure'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddFFaaiilluurreeCCoouunnttIInntteerrvvaall

This attribute contains the number of seconds after which old consecu-

tive failed bind attempts are purged from the failure counter, even

though no successful authentication has occurred. If ppwwddFFaaiilluurree-

CCoouunnttIInntteerrvvaall is not present, or its value is zero (0), the failure counter will only be reset by a successful authentication. ( 1.3.6.1.4.1.42.2.27.8.1.12

NAME 'pwdFailureCountInterval'

EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

SINGLE-VALUE )

ppwwddMMuussttCChhaannggee This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If ppwwddMMuussttCChhaannggee has a value of "TRUE", users must change their passwords when they first bind to the directory

after a password is set or reset by the administrator. If ppwwdd-

MMuussttCChhaannggee is not present, or its value is "FALSE", users are not required to change their password upon binding after the administrator sets or resets the password. ( 1.3.6.1.4.1.42.2.27.8.1.13

NAME 'pwdMustChange'

EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

SINGLE-VALUE )

ppwwddAAlllloowwUUsseerrCChhaannggee This attribute specifies whether users are allowed to change their own passwords or not. If ppwwddAAlllloowwUUsseerrCChhaannggee is set to "TRUE", or if the attribute is not present, users will be allowed to change their own passwords. If its value is "FALSE", users will not be allowed to change their own passwords. ( 1.3.6.1.4.1.42.2.27.8.1.14

NAME 'pwdAllowUserChange'

EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

SINGLE-VALUE )

ppwwddSSaaffeeMMooddiiffyy This attribute denotes whether the user's existing password must be

sent along with their new password when changing a password. If ppwwdd-

SSaaffeeMMooddiiffyy is set to "TRUE", the existing password must be sent along with the new password. If the attribute is not present, or its value is "FALSE", the existing password need not be sent along with the new password. ( 1.3.6.1.4.1.42.2.27.8.1.15

NAME 'pwdSafeModify'

EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

SINGLE-VALUE )

ppwwddCChheecckkMMoodduullee

This attribute names a user-defined loadable module that must instanti-

ate the checkpassword() function. This function will be called to further check a new password if ppwwddCChheecckkQQuuaalliittyy is set to one (1) or

two (2), after all of the built-in password compliance checks have been

passed. This function will be called according to this function proto-

type: int checkpassword (char *pPasswd, char **ppErrStr, Entry *pEntry);

The ppPPaasssswwdd parameter contains the clear-text user password, the

ppppEErrrrSSttrr parameter contains a double pointer that allows the function

to return human-readable details about any error it encounters. The

optional ppEEnnttrryy parameter, if non-NULL, carries a pointer to the entry

whose password is being checked. If ppppEErrrrSSttrr is NULL, then funcName must NOT attempt to use it/them. A return value of LDAPSUCCESS from the called function indicates that the password is ok, any other value

indicates that the password is unacceptable. If the password is unac-

ceptable, the server will return an error to the client, and ppppEErrrrSSttrr

may be used to return a human-readable textual explanation of the

error. The error string must be dynamically allocated as it will be free()'d by slapd. ( 1.3.6.1.4.1.4754.1.99.1

NAME 'pwdCheckModule'

EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

SINGLE-VALUE )

Note: The user-defined loadable module named by ppwwddCChheecckkMMoodduullee must be

in ssllaappdd''ss standard executable search PATH.

Note: ppwwddCChheecckkMMoodduullee is a non-standard extension to the LDAP password

policy proposal. OOPPEERRAATTIIOONNAALL AATTTTRRIIBBUUTTEESS The operational attributes used by the ppaasssswwddppoolliiccyy module are stored in the user's entry. Most of these attributes are not intended to be changed directly by users; they are there to track user activity. They have been detailed here so that administrators and users can both understand the workings of the ppppoolliiccyy module. uusseerrPPaasssswwoorrdd

The attribute is not strictly part of the ppppoolliiccyy module. It is, how-

ever, the attribute that is tracked and controlled by the module. Please refer to the standard OpenLDAP schema for its definition. ppwwddPPoolliiccyySSuubbeennttrryy This attribute refers directly to the ppwwddPPoolliiccyy subentry that is to be used for this particular directory user. If ppwwddPPoolliiccyySSuubbeennttrryy exists, it must contain the DN of a valid ppwwddPPoolliiccyy object. If it does not exist, the ppppoolliiccyy module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no policy rules will be enforced. ( 1.3.6.1.4.1.42.2.27.8.1.23

NAME 'pwdPolicySubentry'

DESC 'The pwdPolicy subentry in effect for this object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12

SINGLE-VALUE

NO-USER-MODIFICATION

USAGE directoryOperation)

ppwwddCChhaannggeeddTTiimmee This attribute denotes the last time that the entry's password was changed. This value is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication. If ppwwddCChhaannggeeddTTiimmee does not exist, the user's password will not expire. ( 1.3.6.1.4.1.42.2.27.8.1.16

NAME 'pwdChangedTime'

DESC 'The time the password was last changed' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch

SINGLE-VALUE

NO-USER-MODIFICATION

USAGE directoryOperation)

ppwwddAAccccoouunnttLLoocckkeeddTTiimmee This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If ppwwddAAccccoouunnttLLoocckkeeddTTiimmee is set to zero (0), the user's account has been permanently locked and may only be unlocked by an administrator. ( 1.3.6.1.4.1.42.2.27.8.1.17

NAME 'pwdAccountLockedTime'

DESC 'The time an user account was locked' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch

SINGLE-VALUE

NO-USER-MODIFICATION

USAGE directoryOperation)

ppwwddFFaaiilluurreeTTiimmee This attribute contains the timestamps of each of the consecutive authentication failures made upon attempted authentication to this DN (i.e. account). If too many timestamps accumulate here (refer to the

ppwwddMMaaxxFFaaiilluurree password policy attribute for details), and the ppwwddLLoocckk-

oouutt password policy attribute is set to "TRUE", the account may be locked. (Please also refer to the ppwwddLLoocckkoouutt password policy attribute.) Excess timestamps beyond those allowed by ppwwddMMaaxxFFaaiilluurree may also be purged. If a successful authentication is made to this DN (i.e. to this user account), then ppwwddFFaaiilluurreeTTiimmee will be cleansed of entries. ( 1.3.6.1.4.1.42.2.27.8.1.19

NAME 'pwdFailureTime'

DESC 'The timestamps of the last consecutive authentication failures' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch

NO-USER-MODIFICATION

USAGE directoryOperation )

ppwwddHHiissttoorryy This attribute contains the history of previously used passwords for this DN (i.e. for this user account). The values of this attribute are stored in string format as follows: pwdHistory=

time "#" syntaxOID "#" length "#" data

time= generalizedTimeString as specified in section 6.14 of [RFC2252] syntaxOID = numericoid

This is the string representation of the dotted-decimal OID

that defines the syntax used to store the password. numericoid is described in section 4.1 of [RFC2252]. length = numericstring The number of octets in the data. numericstring is described in section 4.1 of [RFC2252]. data = Octets representing the password in the format specified by syntaxOID.

This format allows the server to store and transmit a history of pass-

words that have been used. In order for equality matching on the val-

ues in this attribute to function properly, the time field is in GMT format. ( 1.3.6.1.4.1.42.2.27.8.1.20

NAME 'pwdHistory'

DESC 'The history of user passwords' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 EQUALITY octetStringMatch

NO-USER-MODIFICATION

USAGE directoryOperation)

ppwwddGGrraacceeUUsseeTTiimmee This attribute contains the list of timestamps of

logins made after the user password in the DN has expired. These post-

expiration logins are known as "grace logins". If too many grace logins have been used (please refer to the ppwwddGGrraacceeLLooggiinnLLiimmiitt password policy attribute), then the DN will no longer be allowed to be used to authenticate the user to the directory until the administrator changes the DN's uusseerrPPaasssswwoorrdd attribute. ( 1.3.6.1.4.1.42.2.27.8.1.21

NAME 'pwdGraceUseTime'

DESC 'The timestamps of the grace login once the password has expired' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch

NO-USER-MODIFICATION

USAGE directoryOperation)

ppwwddRReesseett This attribute indicates whether the user's password has been reset by the administrator and thus must be changed upon first use of this DN for authentication to the directory. If ppwwddRReesseett is set to "TRUE", then the password was reset and the user must change it upon first authentication. If the attribute does not exist, or is set to "FALSE", the user need not change their password due to administrative reset. ( 1.3.6.1.4.1.42.2.27.8.1.22

NAME 'pwdReset'

DESC 'The indication that the password has been reset' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

SINGLE-VALUE

USAGE directoryOperation)

EEXXAAMMPPLLEESS database bdb suffix dc=example,dc=com overlay ppolicy ppolicydefault "cn=Standard,ou=Policies,dc=example,dc=com"

BUGS

The LDAP Password Policy specification is not yet an approved standard, and it is still evolving. This code will continue to be in flux until the specification is finalized. AACCKKNNOOWWLLEEDDGGEEMMEENNTTSS This module was written in 2004 by Howard Chu of Symas Corporation with

significant input from Neil Dunbar and Kartik Subbarao of Hewlett-

Packard. This manual page borrows heavily and shamelessly from the specification upon which the password policy module it describes is based. This source is the IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim. The proposal is fully documented in the

IETF document named draft-behera-ldap-password-policy-09.txt, written

in July of 2005. OOppeennLLDDAAPP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OOppeennLLDDAAPP is derived from University of Michigan LDAP 3.3 Release. OpenLDAP 2.3.27 2006/08/19 SLAPOPPOLICY(5)