SLAPO_PPOLICY(5)              File Formats Manual             SLAPO_PPOLICY(5)


NAME

       slapo-ppolicy - Password Policy overlay to slapd


SYNOPSIS

       /etc/openldap/slapd.conf


DESCRIPTION

       The ppolicy overlay is an implementation of the most recent IETF
       Password Policy proposal for LDAP.  When instantiated, it intercepts,
       decodes and applies specific password policy controls to overall use
       of a backend database, changes to user password fields, etc.

       The overlay provides a variety of password control mechanisms.  They
       include password aging -- both minimum and maximum ages, password
       reuse and duplication control, account time-outs, mandatory password
       resets, acceptable password content, and even grace logins.
       Different groups of users may be associated with different password
       policies, and there is no limit to the number of password policies
       that may be created.

       Note that some of the policies do not take effect when the operation
       is performed with the rootdn identity; all the operations, when
       performed with any other identity, may be subjected to constraints,
       like access control.

       Note that the IETF Password Policy proposal for LDAP makes sense when
       considering a single-valued password attribute, while the
       userPassword attribute allows multiple values.  This implementation
       enforces a single value for the userPassword attribute, despite its
       specification.


CONFIGURATION

       These slapd.conf configuration options apply to the ppolicy overlay.
       They should appear after the overlay directive.

       ppolicy_default <policyDN>
              Specify the DN of the pwdPolicy object to use when no specific
              policy is set on a given user's entry.  If there is no
              specific policy for an entry and no default is given, then no
              policies will be enforced.

       ppolicy_forward_updates
              Specify that policy state changes that result from Bind
              operations (such as recording failures, lockout, etc.) on a
              consumer should be forwarded to a master instead of being
              written directly into the consumer's local database.  This
              setting is only useful on a replication consumer, and also
              requires the updateref setting and chain overlay to be
              appropriately configured.

       ppolicy_hash_cleartext
              Specify that cleartext passwords present in Add and Modify
              requests should be hashed before being stored in the database.
              This violates the X.500/LDAP information model, but may be
              needed to compensate for LDAP clients that don't use the
              Password Modify extended operation to manage passwords.  It is
              recommended that, when this option is used, compare, search,
              and read access be denied to all directory users.

       ppolicy_use_lockout
              A client will always receive an LDAP InvalidCredentials
              response when Binding to a locked account.  By default, when a
              Password Policy control was provided on the Bind request, a
              Password Policy response will be included with no special
              error code set.  This option changes the Password Policy
              response to include the AccountLocked error code.  Note that
              sending the AccountLocked error code provides useful
              information to an attacker; sites that are sensitive to
              security issues should not enable this option.


OBJECT CLASS

       The ppolicy overlay depends on the pwdPolicy object class.  The
       definition of that class is as follows:

           (  1.3.6.1.4.1.42.2.27.8.2.1
               NAME 'pwdPolicy'
               AUXILIARY
               SUP top
               MUST ( pwdAttribute )
               MAY (
                   pwdMinAge $ pwdMaxAge $ pwdInHistory $
                   pwdCheckQuality $ pwdMinLength $
                   pwdExpireWarning $ pwdGraceAuthnLimit $
                   pwdLockout $ pwdLockoutDuration $
                   pwdMaxFailure $ pwdFailureCountInterval $
                   pwdMustChange $ pwdAllowUserChange $
                   pwdSafeModify ) )

       This implementation also provides an additional pwdPolicyChecker
       objectclass, used for password quality checking (see below).

           (  1.3.6.1.4.1.4754.2.99.1
               NAME 'pwdPolicyChecker'
               AUXILIARY
               SUP top
               MAY ( pwdCheckModule ) )

       Every account that should be subject to password policy control
       should have a pwdPolicySubentry attribute containing the DN of a
       valid pwdPolicy entry, or it can simply use the configured default.
       In this way different users may be managed according to different
       policies.


OBJECT CLASS ATTRIBUTES

       Each one of the sections below details the meaning and use of a
       particular attribute of this pwdPolicy object class.

       pwdAttribute

       This attribute contains the name of the attribute to which the
       password policy is applied.  For example, the password policy may be
       applied to the userPassword attribute.

       Note: in this implementation, the only value accepted for
       pwdAttribute is userPassword.

           (  1.3.6.1.4.1.42.2.27.8.1.1
              NAME 'pwdAttribute'
              EQUALITY objectIdentifierMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

       pwdMinAge

       This attribute contains the number of seconds that must elapse
       between modifications allowed to the password.  If this attribute is
       not present, zero seconds is assumed (i.e. the password may be
       modified whenever and however often is desired).

           (  1.3.6.1.4.1.42.2.27.8.1.2
              NAME 'pwdMinAge'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdMaxAge

       This attribute contains the number of seconds after which a modified
       password will expire.  If this attribute is not present, or if its
       value is zero (0), then passwords will not expire.

           (  1.3.6.1.4.1.42.2.27.8.1.3
              NAME 'pwdMaxAge'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdInHistory

       This attribute is used to specify the maximum number of used
       passwords that will be stored in the pwdHistory attribute.  If the
       pwdInHistory attribute is not present, or if its value is zero (0),
       used passwords will not be stored in pwdHistory and thus any
       previously-used password may be reused.  No history checking occurs
       if the password is being modified by the rootdn, although the
       password is saved in the history.

           (  1.3.6.1.4.1.42.2.27.8.1.4
              NAME 'pwdInHistory'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdCheckQuality

       This attribute indicates if and how password syntax will be checked
       while a password is being modified or added.  If this attribute is
       not present, or its value is zero (0), no syntax checking will be
       done.  If its value is one (1), the server will check the syntax,
       and if the server is unable to check the syntax, whether due to a
       client-side hashed password or some other reason, the password will
       be accepted.  If its value is two (2), the server will check the
       syntax, and if the server is unable to check the syntax it will
       return an error refusing the password.

           (  1.3.6.1.4.1.42.2.27.8.1.5
              NAME 'pwdCheckQuality'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdMinLength

       When syntax checking is enabled (see also the pwdCheckQuality
       attribute), this attribute contains the minimum number of characters
       that will be accepted in a password.  If this attribute is not
       present, minimum password length is not enforced.  If the server is
       unable to check the length of the password, whether due to a
       client-side hashed password or some other reason, the server will,
       depending on the value of pwdCheckQuality, either accept the password
       without checking it (if pwdCheckQuality is zero (0) or one (1)) or
       refuse it (if pwdCheckQuality is two (2)).

           (  1.3.6.1.4.1.42.2.27.8.1.6
              NAME 'pwdMinLength'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdExpireWarning

       This attribute contains the maximum number of seconds before a
       password is due to expire that expiration warning messages will be
       returned to a user who is authenticating to the directory.  If this
       attribute is not present, or if the value is zero (0), no warnings
       will be sent.

           (  1.3.6.1.4.1.42.2.27.8.1.7
              NAME 'pwdExpireWarning'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdGraceAuthnLimit

       This attribute contains the number of times that an expired password
       may be used to authenticate a user to the directory.  If this
       attribute is not present or if its value is zero (0), users with
       expired passwords will not be allowed to authenticate to the
       directory.

           (  1.3.6.1.4.1.42.2.27.8.1.8
              NAME 'pwdGraceAuthnLimit'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdLockout

       This attribute specifies the action that should be taken by the
       directory when a user has made a number of failed attempts to
       authenticate to the directory.  If pwdLockout is set (its value is
       "TRUE"), the user will not be allowed to attempt to authenticate to
       the directory after there have been a specified number of
       consecutive failed bind attempts.  The maximum number of consecutive
       failed bind attempts allowed is specified by the pwdMaxFailure
       attribute.  If pwdLockout is not present, or if its value is
       "FALSE", the password may be used to authenticate no matter how many
       consecutive failed bind attempts have been made.

           (  1.3.6.1.4.1.42.2.27.8.1.9
              NAME 'pwdLockout'
              EQUALITY booleanMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
              SINGLE-VALUE )

       pwdLockoutDuration

       This attribute contains the number of seconds during which the
       password cannot be used to authenticate the user to the directory
       due to too many consecutive failed bind attempts.  (See also
       pwdLockout and pwdMaxFailure.)  If pwdLockoutDuration is not
       present, or if its value is zero (0), the password cannot be used to
       authenticate the user to the directory again until it is reset by an
       administrator.

           (  1.3.6.1.4.1.42.2.27.8.1.10
              NAME 'pwdLockoutDuration'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdMaxFailure

       This attribute contains the number of consecutive failed bind
       attempts after which the password may not be used to authenticate a
       user to the directory.  If pwdMaxFailure is not present, or its
       value is zero (0), then a user will be allowed to continue to attempt
       to authenticate to the directory, no matter how many consecutive
       failed bind attempts have occurred with that user's DN.  (See also
       pwdLockout and pwdLockoutDuration.)

           (  1.3.6.1.4.1.42.2.27.8.1.11
              NAME 'pwdMaxFailure'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdFailureCountInterval

       This attribute contains the number of seconds after which old
       consecutive failed bind attempts are purged from the failure counter,
       even though no successful authentication has occurred.  If
       pwdFailureCountInterval is not present, or its value is zero (0),
       the failure counter will only be reset by a successful
       authentication.

           (  1.3.6.1.4.1.42.2.27.8.1.12
              NAME 'pwdFailureCountInterval'
              EQUALITY integerMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
              SINGLE-VALUE )

       pwdMustChange

       This attribute specifies whether or not users must change their
       passwords when they first bind to the directory after a password is
       set or reset by the administrator.  If pwdMustChange has a value of
       "TRUE", users must change their passwords when they first bind to
       the directory after a password is set or reset by the administrator.
       If pwdMustChange is not present, or its value is "FALSE", users are
       not required to change their password upon binding after the
       administrator sets or resets the password.

           (  1.3.6.1.4.1.42.2.27.8.1.13
              NAME 'pwdMustChange'
              EQUALITY booleanMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
              SINGLE-VALUE )

       pwdAllowUserChange

       This attribute specifies whether or not users are allowed to change
       their own passwords.  If pwdAllowUserChange is set to "TRUE", or if
       the attribute is not present, users will be allowed to change their
       own passwords.  If its value is "FALSE", users will not be allowed to
       change their own passwords.

       Note: this implies that when pwdAllowUserChange is set to "TRUE",
       users will still be able to change the password of another user,
       subject to access control.  This restriction only applies to
       modifications of one's own password.  It should also be noted that
       pwdAllowUserChange was defined in the specification to provide rough
       access control to the password attribute in implementations that do
       not allow fine-grain access control.  Since OpenLDAP provides
       fine-grain access control, the use of this attribute is discouraged;
       ACLs should be used instead (see slapd.access(5) for details).

           (  1.3.6.1.4.1.42.2.27.8.1.14
              NAME 'pwdAllowUserChange'
              EQUALITY booleanMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
              SINGLE-VALUE )

       pwdSafeModify

       This attribute denotes whether the user's existing password must be
       sent along with their new password when changing a password.  If
       pwdSafeModify is set to "TRUE", the existing password must be sent
       along with the new password.  If the attribute is not present, or
       its value is "FALSE", the existing password need not be sent along
       with the new password.

           (  1.3.6.1.4.1.42.2.27.8.1.15
              NAME 'pwdSafeModify'
              EQUALITY booleanMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
              SINGLE-VALUE )

       pwdCheckModule

       This attribute names a user-defined loadable module that must
       implement the check_password() function.  This function will be
       called to further check a new password if pwdCheckQuality is set to
       one (1) or two (2), after all of the built-in password compliance
       checks have been passed.  The function is called according to this
       prototype:

           int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

       The pPasswd parameter contains the clear-text user password; the
       ppErrStr parameter is a double pointer that allows the function to
       return human-readable details about any error it encounters.  The
       optional pEntry parameter, if non-NULL, carries a pointer to the
       entry whose password is being checked.  If ppErrStr is NULL, then
       check_password() must NOT attempt to use it.  A return value of
       LDAP_SUCCESS from the called function indicates that the password is
       ok; any other value indicates that the password is unacceptable.  If
       the password is unacceptable, the server will return an error to the
       client, and ppErrStr may be used to return a human-readable textual
       explanation of the error.  The error string must be dynamically
       allocated, as it will be free()'d by slapd.

           (  1.3.6.1.4.1.4754.1.99.1
              NAME 'pwdCheckModule'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
              SINGLE-VALUE )

       Note: The user-defined loadable module named by pwdCheckModule must
       be in slapd's standard executable search PATH.

       Note: pwdCheckModule is a non-standard extension to the LDAP
       password policy proposal.

OPERATIONAL ATTRIBUTES

       The operational attributes used by the ppolicy module are stored in
       the user's entry.  Most of these attributes are not intended to be
       changed directly by users; they are there to track user activity.
       They have been detailed here so that administrators and users can
       both understand the workings of the ppolicy module.

       Note that the current IETF Password Policy proposal does not define
       how these operational attributes are expected to behave in a
       replication environment.  In general, authentication attempts on a
       slave server only affect the copy of the operational attributes on
       that slave and will not affect any attributes for a user's entry on
       the master server.  Operational attribute changes resulting from
       authentication attempts on a master server will usually replicate to
       the slaves (and also overwrite any changes that originated on the
       slave).  These behaviors are not guaranteed and are subject to
       change when a formal specification emerges.

       userPassword

       The userPassword attribute is not strictly part of the ppolicy
       module.  It is, however, the attribute that is tracked and controlled
       by the module.  Please refer to the standard OpenLDAP schema for its
       definition.

       pwdPolicySubentry

       This attribute refers directly to the pwdPolicy subentry that is to
       be used for this particular directory user.  If pwdPolicySubentry
       exists, it must contain the DN of a valid pwdPolicy object.  If it
       does not exist, the ppolicy module will enforce the default password
       policy rules on the user associated with this authenticating DN.  If
       there is no default, or the referenced subentry does not exist, then
       no policy rules will be enforced.

           (  1.3.6.1.4.1.42.2.27.8.1.23
              NAME 'pwdPolicySubentry'
              DESC 'The pwdPolicy subentry in effect for
                  this object'
              EQUALITY distinguishedNameMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
              SINGLE-VALUE
              NO-USER-MODIFICATION
              USAGE directoryOperation)

       pwdChangedTime

       This attribute denotes the last time that the entry's password was
       changed.  This value is used by the password expiration policy to
       determine whether the password is too old to be allowed to be used
       for user authentication.  If pwdChangedTime does not exist, the
       user's password will not expire.

           (  1.3.6.1.4.1.42.2.27.8.1.16
              NAME 'pwdChangedTime'
              DESC 'The time the password was last changed'
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
              EQUALITY generalizedTimeMatch
              ORDERING generalizedTimeOrderingMatch
              SINGLE-VALUE
              NO-USER-MODIFICATION
              USAGE directoryOperation)

       pwdAccountLockedTime

       This attribute contains the time that the user's account was locked.
       If the account has been locked, the password may no longer be used
       to authenticate the user to the directory.  If pwdAccountLockedTime
       is set to 000001010000Z, the user's account has been permanently
       locked and may only be unlocked by an administrator.  Note that
       account locking only takes effect when the pwdLockout password
       policy attribute is set to "TRUE".

           (  1.3.6.1.4.1.42.2.27.8.1.17
              NAME 'pwdAccountLockedTime'
              DESC 'The time an user account was locked'
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
              EQUALITY generalizedTimeMatch
              ORDERING generalizedTimeOrderingMatch
              SINGLE-VALUE
              NO-USER-MODIFICATION
              USAGE directoryOperation)

       pwdFailureTime

       This attribute contains the timestamps of each of the consecutive
       authentication failures made upon attempted authentication to this
       DN (i.e. account).  If too many timestamps accumulate here (refer to
       the pwdMaxFailure password policy attribute for details), and the
       pwdLockout password policy attribute is set to "TRUE", the account
       may be locked.  (Please also refer to the pwdLockout password policy
       attribute.)  Excess timestamps beyond those allowed by pwdMaxFailure
       may also be purged.  If a successful authentication is made to this
       DN (i.e. to this user account), then pwdFailureTime will be cleansed
       of entries.
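
       The following added example (not slapd's implementation) evaluates
       an account's lockout state from its pwdFailureTime and
       pwdAccountLockedTime values together with the pwdLockout,
       pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration policy
       settings described above; it assumes the GeneralizedTime values have
       already been converted to time_t and uses a PERMANENT_LOCK sentinel
       in place of 000001010000Z.

```c
/* Lockout evaluation following the semantics of this manual page.
 * Assumption: timestamps are time_t values (seconds since the epoch) rather
 * than GeneralizedTime strings; PERMANENT_LOCK stands in for 000001010000Z. */
#include <stddef.h>
#include <time.h>

#define PERMANENT_LOCK ((time_t)-1)   /* pwdAccountLockedTime = 000001010000Z */
#define NOT_LOCKED     ((time_t)0)    /* pwdAccountLockedTime absent */

struct pwd_policy {
    int  lockout;                 /* pwdLockout: 1 = TRUE, 0 = FALSE/absent */
    int  max_failure;             /* pwdMaxFailure; 0 = never lock on failures */
    long failure_count_interval;  /* pwdFailureCountInterval in seconds; 0 = never purge */
    long lockout_duration;        /* pwdLockoutDuration in seconds; 0 = until admin reset */
};

struct account_state {
    const time_t *failure_time;   /* pwdFailureTime values */
    size_t        n_failures;
    time_t        locked_time;    /* pwdAccountLockedTime, NOT_LOCKED or PERMANENT_LOCK */
};

enum lock_status { LOCK_NONE, LOCK_TEMPORARY, LOCK_PERMANENT, LOCK_UNTIL_RESET };

/* Failures still counted at 'now': those younger than
 * pwdFailureCountInterval, or all of them when the interval is 0. */
size_t counted_failures(const struct pwd_policy *pol,
                        const struct account_state *acct, time_t now)
{
    size_t i, n = 0;
    for (i = 0; i < acct->n_failures; i++) {
        if (pol->failure_count_interval == 0 ||
            now - acct->failure_time[i] < pol->failure_count_interval)
            n++;
    }
    return n;
}

enum lock_status account_lock_status(const struct pwd_policy *pol,
                                     const struct account_state *acct,
                                     time_t now)
{
    /* Locking only takes effect when pwdLockout is TRUE. */
    if (!pol->lockout)
        return LOCK_NONE;
    /* 000001010000Z: locked until an administrator intervenes. */
    if (acct->locked_time == PERMANENT_LOCK)
        return LOCK_PERMANENT;
    /* A recorded lock time: still in force unless pwdLockoutDuration has
     * elapsed (a duration of 0 means the lock lasts until a reset). */
    if (acct->locked_time != NOT_LOCKED) {
        if (pol->lockout_duration == 0)
            return LOCK_UNTIL_RESET;
        if (now - acct->locked_time < pol->lockout_duration)
            return LOCK_TEMPORARY;
        return LOCK_NONE;
    }
    /* No recorded lock: would the counted failures trigger one now? */
    if (pol->max_failure > 0 &&
        counted_failures(pol, acct, now) >= (size_t)pol->max_failure)
        return pol->lockout_duration == 0 ? LOCK_UNTIL_RESET : LOCK_TEMPORARY;
    return LOCK_NONE;
}
```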

           (  1.3.6.1.4.1.42.2.27.8.1.19
              NAME 'pwdFailureTime'
              DESC 'The timestamps of the last consecutive
                  authentication failures'
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
              EQUALITY generalizedTimeMatch
              ORDERING generalizedTimeOrderingMatch
              NO-USER-MODIFICATION
              USAGE directoryOperation )

       pwdHistory

       This attribute contains the history of previously used passwords for
       this DN (i.e. for this user account).  The values of this attribute
       are stored in string format as follows:

           pwdHistory=
               time "#" syntaxOID "#" length "#" data

           time=
               GeneralizedTime as specified in section 3.3.13 of [RFC4517]

           syntaxOID = numericoid
               This is the string representation of the dotted-decimal OID
               that defines the syntax used to store the password.
               numericoid is described in section 1.4 of [RFC4512].

           length = NumericString
               The number of octets in the data.  NumericString is described
               in section 3.3.23 of [RFC4517].

           data =
               Octets representing the password in the format specified by
               syntaxOID.

       This format allows the server to store and transmit a history of
       passwords that have been used.  In order for equality matching on
       the values in this attribute to function properly, the time field is
       in GMT format.
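
       An added example (not OpenLDAP code) that builds and parses values in
       the pwdHistory format just described and checks the declared length
       against the octets actually present; the sample value in the test is
       constructed, and its data field is a placeholder rather than a real
       password hash.

```c
/* Encoder and parser for pwdHistory values:
 *     time "#" syntaxOID "#" length "#" data
 * The data field is taken as the raw remainder after the third '#', so a
 * '#' inside the stored password octets does not confuse the parser. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct pwd_history {
    char   time[32];             /* GeneralizedTime, e.g. 20240105093000Z */
    char   syntax_oid[64];       /* numericoid of the syntax used for data */
    size_t length;               /* octet count declared by the value */
    const unsigned char *data;   /* points into the caller's buffer */
};

/* Copy the field [start,end) into dst; -1 if it is empty or does not fit. */
static int copy_field(char *dst, size_t cap, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Build a value into buf.  Returns its length in octets, or -1 if buf is
 * too small.  dlen is written as the NumericString length field. */
int format_pwd_history(char *buf, size_t cap, const char *time,
                       const char *syntax_oid,
                       const unsigned char *data, size_t dlen)
{
    int n = snprintf(buf, cap, "%s#%s#%zu#", time, syntax_oid, dlen);
    if (n < 0 || (size_t)n + dlen > cap)
        return -1;
    memcpy(buf + n, data, dlen);
    return n + (int)dlen;
}

/* Parse value[0..vlen).  Returns 0 on success, -1 on a malformed value
 * (missing or empty fields, non-digit length) and -2 when the declared
 * length disagrees with the octets that follow the third '#'. */
int parse_pwd_history(const unsigned char *value, size_t vlen,
                      struct pwd_history *out)
{
    const char *v = (const char *)value;
    const char *end = v + vlen;
    const char *sep[3];
    const char *p = v;
    const char *q;
    int i;

    for (i = 0; i < 3; i++) {
        const char *h = memchr(p, '#', (size_t)(end - p));
        if (h == NULL)
            return -1;
        sep[i] = h;
        p = h + 1;
    }
    if (copy_field(out->time, sizeof out->time, v, sep[0]) != 0)
        return -1;
    if (copy_field(out->syntax_oid, sizeof out->syntax_oid,
                   sep[0] + 1, sep[1]) != 0)
        return -1;

    /* length is a NumericString: one or more decimal digits */
    if (sep[1] + 1 == sep[2])
        return -1;
    out->length = 0;
    for (q = sep[1] + 1; q < sep[2]; q++) {
        if (*q < '0' || *q > '9')
            return -1;
        out->length = out->length * 10 + (size_t)(*q - '0');
    }
    out->data = (const unsigned char *)(sep[2] + 1);
    if ((size_t)(end - (sep[2] + 1)) != out->length)
        return -2;
    return 0;
}
```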

           (  1.3.6.1.4.1.42.2.27.8.1.20
              NAME 'pwdHistory'
              DESC 'The history of user passwords'
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
              EQUALITY octetStringMatch
              NO-USER-MODIFICATION
              USAGE directoryOperation)

       pwdGraceUseTime

       This attribute contains the list of timestamps of logins made after
       the user password in the DN has expired.  These post-expiration
       logins are known as "grace logins".  If too many grace logins have
       been used (please refer to the pwdGraceAuthnLimit password policy
       attribute), then the DN will no longer be allowed to be used to
       authenticate the user to the directory until the administrator
       changes the DN's userPassword attribute.

           (  1.3.6.1.4.1.42.2.27.8.1.21
              NAME 'pwdGraceUseTime'
              DESC 'The timestamps of the grace login once the password has
                  expired'
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
              EQUALITY generalizedTimeMatch
              NO-USER-MODIFICATION
              USAGE directoryOperation)

       pwdReset

       This attribute indicates whether the user's password has been reset
       by the administrator and thus must be changed upon first use of this
       DN for authentication to the directory.  If pwdReset is set to
       "TRUE", then the password was reset and the user must change it upon
       first authentication.  If the attribute does not exist, or is set to
       "FALSE", the user need not change their password due to
       administrative reset.

           (  1.3.6.1.4.1.42.2.27.8.1.22
              NAME 'pwdReset'
              DESC 'The indication that the password has
                  been reset'
              EQUALITY booleanMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
              SINGLE-VALUE
              USAGE directoryOperation)


EXAMPLES

              database bdb
              suffix dc=example,dc=com
              ...
              overlay ppolicy
              ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"


SEE ALSO

       ldap(3), slapd.conf(5), slapd-config(5), slapo-chain(5).

       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)

       IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
       Sermersheim: documented in IETF document
       "draft-behera-ldap-password-policy-09.txt".


BUGS

       The LDAP Password Policy specification is not yet an approved
       standard, and it is still evolving.  This code will continue to be
       in flux until the specification is finalized.


ACKNOWLEDGEMENTS

       This module was written in 2004 by Howard Chu of Symas Corporation
       with significant input from Neil Dunbar and Kartik Subbarao of
       Hewlett-Packard.

       This manual page borrows heavily and shamelessly from the
       specification upon which the password policy module it describes is
       based.  This source is the IETF LDAP password policy proposal by P.
       Behera, L. Poitou and J. Sermersheim.  The proposal is fully
       documented in the IETF document named
       draft-behera-ldap-password-policy-09.txt, written in July of 2005.

       OpenLDAP Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from
       University of Michigan LDAP 3.3 Release.



OpenLDAP 2.4.40                   2014/09/20                  SLAPO_PPOLICY(5)