1SLAPO_PPOLICY(5)              File Formats Manual             SLAPO_PPOLICY(5)
2
3
4

NAME

6       slapo-ppolicy - Password Policy overlay to slapd
7

SYNOPSIS

9       /etc/openldap/slapd.conf
10

DESCRIPTION

12       The  ppolicy overlay is an implementation of the most recent IETF Pass‐
13       word Policy proposal for LDAP.   When instantiated, it intercepts,  de‐
14       codes and applies specific password policy controls to overall use of a
15       backend database, changes to user password fields, etc.
16
17       The overlay provides a variety of password  control  mechanisms.   They
18       include password aging -- both minimum and maximum ages, password reuse
19       and duplication control, account time-outs, mandatory password  resets,
20       acceptable  password  content, and even grace logins.  Different groups
21       of users may be associated with different password policies, and  there
22       is no limit to the number of password policies that may be created.
23
24       Note that some of the policies do not take effect when the operation is
25       performed with the rootdn identity; all the operations, when  performed
26       with  any  other identity, may be subjected to constraints, like access
27       control.  This overlay requires a rootdn to be configured on the  data‐
28       base.
29
30       During password update, an identity with manage access to the userPass‐
31       word attribute is considered a password administrator where relevant to
32       the IETF Password Policy proposal.
33
34       Note  that  the IETF Password Policy proposal for LDAP makes sense when
35       considering a single-valued password attribute, while the  userPassword
36       attribute  allows multiple values.  This implementation enforces a sin‐
37       gle value for the userPassword attribute, despite its specification.
38
39       In addition to supporting the IETF Password Policy,  this  module  sup‐
40       ports  the  SunDS Account Usability control (1.3.6.1.4.1.42.2.27.9.5.8)
41       on search requests and can send the Netscape Password validity controls
42       when configured to do so.
43
44

CONFIGURATION

46       These  slapd.conf  configuration  options apply to the ppolicy overlay.
47       They should appear after the overlay directive.
48
49       ppolicy_default <policyDN>
50              Specify the DN of the pwdPolicy object to use when  no  specific
51              policy  is  set on a given user's entry. If there is no specific
52              policy for an entry and no default is given,  then  no  policies
53              will be enforced.
54
55       ppolicy_forward_updates
56              Specify  that  policy state changes that result from Bind opera‐
57              tions (such as recording failures, lockout, etc.) on a  consumer
58              should  be  forwarded to a provider instead of being written di‐
59              rectly into the consumer's local database. This setting is  only
60              useful  on  a  replication  consumer,  and also requires the up‐
61              dateref setting and chain overlay to  be  appropriately  config‐
62              ured.
63
64       ppolicy_hash_cleartext
65              Specify  that  cleartext passwords present in Add and Modify re‐
66              quests should be hashed before being  stored  in  the  database.
67              This  violates  the  X.500/LDAP  information  model,  but may be
68              needed to compensate for LDAP clients that don't use  the  Pass‐
69              word  Modify extended operation to manage passwords.  It is rec‐
70              ommended that when this option is used that compare, search, and
71              read access be denied to all directory users.
72
73       ppolicy_use_lockout
74              A client will always receive an LDAP InvalidCredentials response
75              when Binding to a locked account. By default,  when  a  Password
76              Policy control was provided on the Bind request, a Password Pol‐
77              icy response will be included with no special  error  code  set.
78              This  option changes the Password Policy response to include the
79              AccountLocked error code. Note that  sending  the  AccountLocked
80              error  code  provides  useful  information to an attacker; sites
81              that are sensitive to security issues should not enable this op‐
82              tion.
83
84       ppolicy_send_netscape_controls
85              If   set,   ppolicy   will  send  the  password  policy  expired
86              (2.16.840.1.113730.3.4.4)   and   password    policy    expiring
87              (2.16.840.1.113730.3.4.5)  controls  when  appropriate. The con‐
88              trols are not sent for bind requests where the  Password  policy
89              control  has  already been requested. Default is not to send the
90              controls.
91
92       ppolicy_check_module <path>
93              Specify the path of a loadable module containing  a  check_pass‐
94              word()  function for additional password quality checks. The use
95              of this module is described further below in the description  of
96              the pwdPolicyChecker objectclass.
97
98              Note:  The user-defined loadable module must be in slapd's stan‐
99              dard executable search PATH, or an absolute path  must  be  pro‐
100              vided.
101
102              Note:  Use of a ppolicy_check_module is a non-standard extension
103              to the LDAP password policy proposal.
104
105
106

OBJECT CLASS

108       The ppolicy overlay depends on the pwdPolicy object class.  The defini‐
109       tion of that class is as follows:
110
111           (  1.3.6.1.4.1.42.2.27.8.2.1
112               NAME 'pwdPolicy'
113               AUXILIARY
114               SUP top
115               MUST ( pwdAttribute )
116               MAY (
117                   pwdMinAge $ pwdMaxAge $ pwdInHistory $
118                   pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
119                   pwdExpireWarning $ pwdGraceAuthnLimit $
120                   pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
121                   pwdMaxFailure $ pwdFailureCountInterval $
122                   pwdMustChange $ pwdAllowUserChange $
123                   pwdSafeModify $ pwdMaxRecordedFailure $
124                   pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
125
126       The  pwdPolicy class is not structural, and so entries using it require
127       another, structural, object class.  The namedPolicy object class  is  a
128       good choice.  namedPolicy requires a cn attribute, suitable as the pol‐
129       icy entry's rDN.
130
131       This implementation also provides an  additional  pwdPolicyChecker  ob‐
132       jectclass, used for password quality checking (see below).
133
134           (  1.3.6.1.4.1.4754.2.99.1
135               NAME 'pwdPolicyChecker'
136               AUXILIARY
137               SUP top
138               MAY  ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule )
139           )
140
141       Every account that should be subject to password policy control  should
142       have a pwdPolicySubentry attribute containing the DN of a valid pwdPol‐
143       icy entry, or they can simply use the configured default.  In this  way
144       different users may be managed according to different policies.
145
146

OBJECT CLASS ATTRIBUTES

148       Each one of the sections below details the meaning and use of a partic‐
149       ular attribute of this pwdPolicy object class.
150
151       pwdAttribute
152
153       This attribute contains the name of the attribute to which the password
154       policy  is  applied. For example, the password policy may be applied to
155       the userPassword attribute.
156
157       Note: in this implementation, the only value accepted for  pwdAttribute
158       is  userPassword .
159
160           (  1.3.6.1.4.1.42.2.27.8.1.1
161              NAME 'pwdAttribute'
162              EQUALITY objectIdentifierMatch
163              SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
164
165       pwdMinAge
166
167       This  attribute contains the number of seconds that must elapse between
168       modifications allowed  to  the  password.  If  this  attribute  is  not
169       present,  zero  seconds  is  assumed (i.e. the password may be modified
170       whenever and however often is desired).
171
172           (  1.3.6.1.4.1.42.2.27.8.1.2
173              NAME 'pwdMinAge'
174              EQUALITY integerMatch
175              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
176              SINGLE-VALUE )
177
178       pwdMaxAge
179
180       This attribute contains the number of seconds after  which  a  modified
181       password  will  expire.   If  this  attribute is not present, or if its
182       value is zero (0), then passwords will not expire.
183
184           (  1.3.6.1.4.1.42.2.27.8.1.3
185              NAME 'pwdMaxAge'
186              EQUALITY integerMatch
187              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
188              SINGLE-VALUE )
189
190       pwdInHistory
191
192       This attribute is used to specify the maximum number of used  passwords
193       that  will  be stored in the pwdHistory attribute.  If the pwdInHistory
194       attribute is not present, or if its value is zero (0),  used  passwords
195       will  not be stored in pwdHistory and thus any previously-used password
196       may be reused.  No history checking occurs if  the  password  is  being
197       modified by the rootdn, although the password is saved in the history.
198
199           (  1.3.6.1.4.1.42.2.27.8.1.4
200              NAME 'pwdInHistory'
201              EQUALITY integerMatch
202              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
203              SINGLE-VALUE )
204
205       pwdCheckQuality
206
207       This  attribute  indicates  if  and how password syntax will be checked
208       while a password is being modified or added. If this attribute  is  not
209       present,  or its value is zero (0), no syntax checking will be done. If
210       its value is one (1), the server will check  the  syntax,  and  if  the
211       server  is  unable  to  check  the syntax, whether due to a client-side
212       hashed password or some other reason, it will be accepted. If its value
213       is  two (2), the server will check the syntax, and if the server is un‐
214       able to check the syntax it will return an error refusing the password.
215
216           (  1.3.6.1.4.1.42.2.27.8.1.5
217              NAME 'pwdCheckQuality'
218              EQUALITY integerMatch
219              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
220              SINGLE-VALUE )
221
222       pwdMinLength
223
224       When syntax checking is enabled (see also  the  pwdCheckQuality  attri‐
225       bute), this attribute contains the minimum length in bytes that will be
226       accepted in a password. If this attribute is not present, minimum pass‐
227       word  length  is  not  enforced.  If  the server is unable to check the
228       length of the password, whether due to a client-side hashed password or
229       some other reason, the server will, depending on the value of pwdCheck‐
230       Quality, either accept the password without checking it  (if  pwdCheck‐
231       Quality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two
232       (2)). If the number of characters should be enforced with regards to  a
233       particular  encoding, the use of an appropriate ppolicy_check_module is
234       required.
235
236           (  1.3.6.1.4.1.42.2.27.8.1.6
237              NAME 'pwdMinLength'
238              EQUALITY integerMatch
239              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
240              SINGLE-VALUE )
241
242       pwdMaxLength
243
244       When syntax checking is enabled (see also  the  pwdCheckQuality  attri‐
245       bute), this attribute contains the maximum length in bytes that will be
246       accepted in a password. If this attribute is not present, maximum pass‐
247       word  length  is  not  enforced.  If  the server is unable to check the
248       length of the password, whether due to a client-side hashed password or
249       some other reason, the server will, depending on the value of pwdCheck‐
250       Quality, either accept the password without checking it  (if  pwdCheck‐
251       Quality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two
252       (2)). If the number of characters should be enforced with regards to  a
253       particular  encoding, the use of an appropriate ppolicy_check_module is
254       required.
255
256           (  1.3.6.1.4.1.42.2.27.8.1.31
257              NAME 'pwdMaxLength'
258              EQUALITY integerMatch
259              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
260              SINGLE-VALUE )
261
262       pwdExpireWarning
263
264       This attribute contains the maximum number of seconds before a password
265       is due to expire that expiration warning messages will be returned to a
266       user who is authenticating to the directory.  If this attribute is  not
267       present, or if the value is zero (0), no warnings will be sent.
268
269           (  1.3.6.1.4.1.42.2.27.8.1.7
270              NAME 'pwdExpireWarning'
271              EQUALITY integerMatch
272              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
273              SINGLE-VALUE )
274
275       pwdGraceAuthnLimit
276
277       This  attribute  contains  the number of times that an expired password
278       may be used to authenticate a user to the directory. If this  attribute
279       is  not  present  or if its value is zero (0), users with expired pass‐
280       words will not be allowed to authenticate to the directory.
281
282           (  1.3.6.1.4.1.42.2.27.8.1.8
283              NAME 'pwdGraceAuthnLimit'
284              EQUALITY integerMatch
285              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
286              SINGLE-VALUE )
287
288       pwdGraceExpiry
289
290       This attribute specifies the number of seconds  the  grace  authentica‐
291       tions  are  valid.  If this attribute is not present or if the value is
292       zero (0), there is no time limit on the grace authentications.
293
294           (  1.3.6.1.4.1.42.2.27.8.1.30
295              NAME 'pwdGraceExpiry'
296              EQUALITY integerMatch
297              ORDERING integerOrderingMatch
298              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
299              SINGLE-VALUE )
300
301       pwdLockout
302
303       This attribute specifies the action that should be taken by the  direc‐
304       tory  when  a user has made a number of failed attempts to authenticate
305       to the directory.  If pwdLockout is set (its value is "TRUE"), the user
306       will  not  be allowed to attempt to authenticate to the directory after
307       there have been a specified number of consecutive failed bind attempts.
308       The maximum number of consecutive failed bind attempts allowed is spec‐
309       ified by the pwdMaxFailure attribute.  If pwdLockout is not present, or
310       if  its  value  is "FALSE", the password may be used to authenticate no
311       matter how many consecutive failed bind attempts have been made.
312
313           (  1.3.6.1.4.1.42.2.27.8.1.9
314              NAME 'pwdLockout'
315              EQUALITY booleanMatch
316              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
317              SINGLE-VALUE )
318
319       pwdLockoutDuration
320
321       This attribute contains the number of seconds during which the password
322       cannot  be  used  to  authenticate the user to the directory due to too
323       many consecutive failed bind attempts.  (See also pwdLockout  and  pwd‐
324       MaxFailure.)   If pwdLockoutDuration is not present, or if its value is
325       zero (0), the password cannot be used to authenticate the user  to  the
326       directory again until it is reset by an administrator.
327
328           (  1.3.6.1.4.1.42.2.27.8.1.10
329              NAME 'pwdLockoutDuration'
330              EQUALITY integerMatch
331              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
332              SINGLE-VALUE )
333
334       pwdMaxFailure
335
336       This  attribute contains the number of consecutive failed bind attempts
337       after which the password may not be used to authenticate a user to  the
338       directory.   If pwdMaxFailure is not present, or its value is zero (0),
339       then a user will be allowed to continue to attempt to  authenticate  to
340       the directory, no matter how many consecutive failed bind attempts have
341       occurred with that user's DN.  (See also pwdLockout and pwdLockoutDura‐
342       tion.)
343
344           (  1.3.6.1.4.1.42.2.27.8.1.11
345              NAME 'pwdMaxFailure'
346              EQUALITY integerMatch
347              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
348              SINGLE-VALUE )
349
350       pwdMaxRecordedFailure
351
352       This  attribute  contains the maximum number of failed bind attempts to
353       store in a user's entry.  If pwdMaxRecordedFailure is not  present,  or
354       its  value is zero (0), then it defaults to the value of pwdMaxFailure.
355       If that value is also 0, the default is 5.
356
357           (  1.3.6.1.4.1.42.2.27.8.1.32
358              NAME 'pwdMaxRecordedFailure'
359              EQUALITY integerMatch
360              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
361              SINGLE-VALUE )
362
363       pwdFailureCountInterval
364
365       This attribute contains the number of seconds after which old  consecu‐
366       tive  failed  bind  attempts  are purged from the failure counter, even
367       though no  successful  authentication  has  occurred.   If  pwdFailure‐
368       CountInterval  is  not  present,  or its value is zero (0), the failure
369       counter will only be reset by a successful authentication.
370
371           (  1.3.6.1.4.1.42.2.27.8.1.12
372              NAME 'pwdFailureCountInterval'
373              EQUALITY integerMatch
374              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
375              SINGLE-VALUE )
376
377       pwdMustChange
378
379       This attribute specifies whether users must change their passwords when
380       they  first  bind  to the directory after a password is set or reset by
381       the administrator, or not.  If pwdMustChange has  a  value  of  "TRUE",
382       users must change their passwords when they first bind to the directory
383       after a password is  set  or  reset  by  the  administrator.   If  pwd‐
384       MustChange  is  not present, or its value is "FALSE", users are not re‐
385       quired to change their password upon binding  after  the  administrator
386       sets or resets the password.
387
388           (  1.3.6.1.4.1.42.2.27.8.1.13
389             NAME 'pwdMustChange'
390             EQUALITY booleanMatch
391             SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
392             SINGLE-VALUE )
393
394       pwdAllowUserChange
395
396       This  attribute specifies whether users are allowed to change their own
397       passwords or not.  If pwdAllowUserChange is set to "TRUE",  or  if  the
398       attribute  is  not  present,  users will be allowed to change their own
399       passwords.  If its value is "FALSE",  users  will  not  be  allowed  to
400       change their own passwords.
401
402       Note: this implies that when pwdAllowUserChange is set to "TRUE", users
403       will still be able to change the password of another user, subjected to
404       access  control.   This  restriction  only  applies to modifications of
405       ones's own password.  It should also be noted  that  pwdAllowUserChange
406       was defined in the specification to provide rough access control to the
407       password attribute in implementations that do not allow fine-grain  ac‐
408       cess  control.   Since OpenLDAP provides fine-grain access control, the
409       use of this attribute is discouraged; ACLs should be used instead  (see
410       slapd.access(5) for details).
411
412           (  1.3.6.1.4.1.42.2.27.8.1.14
413              NAME 'pwdAllowUserChange'
414              EQUALITY booleanMatch
415              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
416              SINGLE-VALUE )
417
418       pwdSafeModify
419
420       This  attribute  denotes  whether  the user's existing password must be
421       sent along with their new password when changing a password.   If  pwd‐
422       SafeModify  is  set to "TRUE", the existing password must be sent along
423       with the new password.  If the attribute is not present, or  its  value
424       is  "FALSE",  the existing password need not be sent along with the new
425       password.
426
427           (  1.3.6.1.4.1.42.2.27.8.1.15
428              NAME 'pwdSafeModify'
429              EQUALITY booleanMatch
430              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
431              SINGLE-VALUE )
432
433       pwdMinDelay
434
435       This attribute specifies the number of seconds to delay  responding  to
436       the  first failed authentication attempt.  If this attribute is not set
437       or is zero (0), no delays will be used.  pwdMaxDelay must also be spec‐
438       ified if pwdMinDelay is set.
439
440       Note that this implementation uses a variable lockout instead of delay‐
441       ing the bind response.
442
443           (  1.3.6.1.4.1.42.2.27.8.1.24
444              NAME 'pwdMinDelay'
445              EQUALITY integerMatch
446              ORDERING integerOrderingMatch
447              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
448              SINGLE-VALUE )
449
450       pwdMaxDelay
451
452       This attribute specifies the maximum number of seconds  to  delay  when
453       responding  to  a failed authentication attempt.  The time specified in
454       pwdMinDelay is used as the starting time and is then  doubled  on  each
455       failure  until  the  delay time is greater than or equal to pwdMaxDelay
456       (or a  successful  authentication  occurs,  which  resets  the  failure
457       counter).  pwdMinDelay must also be specified if pwdMaxDelay is set.
458
459       Note that this implementation uses a variable lockout instead of delay‐
460       ing the bind response.
461
462           (  1.3.6.1.4.1.42.2.27.8.1.25
463              NAME 'pwdMaxDelay'
464              EQUALITY integerMatch
465              ORDERING integerOrderingMatch
466              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
467              SINGLE-VALUE )
468
469       pwdMaxIdle
470
471       This attribute specifies the number of seconds an  account  may  remain
472       unused  before  it  becomes locked.  If this attribute is not set or is
473       zero (0), no check is performed. For  this  to  be  enforced,  lastbind
474       functionality  needs to be enabled on the database, that is olcLastBind
475       is set to TRUE.
476
477           (  1.3.6.1.4.1.42.2.27.8.1.26
478              NAME 'pwdMaxIdle'
479              EQUALITY integerMatch
480              ORDERING integerOrderingMatch
481              SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
482              SINGLE-VALUE )
483
484       pwdUseCheckModule/pwdCheckModuleArg
485
486       The pwdUseCheckModule attribute enables use of a loadable module previ‐
487       ously  configured with ppolicy_check_module for the current policy. The
488       module must instantiate the check_password() function.   This  function
489       will  be  called  to further check a new password if pwdCheckQuality is
490       set to one (1) or two (2), after all of the built-in  password  compli‐
491       ance  checks  have been passed.  This function will be called according
492       to this function prototype:
493           int check_password (char *pPasswd, struct  berval  *pErrmsg,  Entry
494           *pEntry, struct berval *pArg);
495       The  pPasswd  parameter contains the clear-text user password, the pEr‐
496       rmsg parameter points to a struct berval containing space to return hu‐
497       man-readable  details  about any error it encounters.  The bv_len field
498       must contain the size of the space provided by the bv_val field.
499
500       The pEntry parameter is optional, if non-NULL, carries a pointer to the
501       entry whose password is being checked.
502
503       The  optional  pArg  parameter points to a struct berval containing the
504       value of pwdCheckModuleArg in the effective password  policy,  if  set,
505       otherwise NULL.
506
507       If pErrmsg is NULL, then funcName must NOT attempt to use it.  A return
508       value of LDAP_SUCCESS from the called function indicates that the pass‐
509       word  is  ok,  any other value indicates that the password is unaccept‐
510       able.  If the password is unacceptable, the server will return an error
511       to  the client, and pErrmsg may be used to return a human-readable tex‐
512       tual explanation of the error. If the space passed in by the caller  is
513       too  small,  the  function  may replace it with a dynamically allocated
514       buffer, which will be free()'d by slapd.
515
516       The pwdCheckModule attribute is now obsolete and is ignored.
517
518
519           (  1.3.6.1.4.1.4754.1.99.1
520              NAME 'pwdCheckModule'
521              EQUALITY caseExactIA5Match
522              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
523              OBSOLETE
524              SINGLE-VALUE )
525
526           ( 1.3.6.1.4.1.4754.1.99.2
527              NAME 'pwdCheckModuleArg'
528              EQUALITY octetStringMatch
529              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
530              DESC 'Argument to pass to check_password() function'
531              SINGLE-VALUE )
532
533           (  1.3.6.1.4.1.4754.1.99.3
534              NAME 'pwdUseCheckModule'
535              EQUALITY booleanMatch
536              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
537              SINGLE-VALUE )
538
539

OPERATIONAL ATTRIBUTES

541       The operational attributes used by the ppolicy module are stored in the
542       user's  entry.  Most of these attributes are not intended to be changed
543       directly by users; they are there to track user  activity.   They  have
544       been detailed here so that administrators and users can both understand
545       the workings of the ppolicy module.
546
547
548       Note that the current IETF Password Policy proposal does not define how
549       these  operational  attributes  are expected to behave in a replication
550       environment. In general, authentication attempts on  a  replica  server
551       only  affect the copy of the operational attributes on that replica and
552       will not affect any attributes for a user's entry on the provider.  Op‐
553       erational attribute changes resulting from authentication attempts on a
554       provider will usually replicate to the replicas (and also overwrite any
555       changes that originated on the replica).  These behaviors are not guar‐
556       anteed and are subject to change when a formal specification emerges.
557
558       userPassword
559
560       The userPassword attribute is not strictly part of the ppolicy  module.
561       It  is,  however,  the  attribute that is tracked and controlled by the
562       module.  Please refer to the standard OpenLDAP schema for  its  defini‐
563       tion.
564
565       pwdPolicySubentry
566
567       This  attribute refers directly to the pwdPolicy subentry that is to be
568       used for this particular directory user.  If pwdPolicySubentry  exists,
569       it must contain the DN of a valid pwdPolicy object.  If it does not ex‐
570       ist, the ppolicy module will enforce the default password policy  rules
571       on  the user associated with this authenticating DN. If there is no de‐
572       fault, or the referenced subentry does not exist, then no policy  rules
573       will be enforced.
574
575           (  1.3.6.1.4.1.42.2.27.8.1.23
576              NAME 'pwdPolicySubentry'
577              DESC 'The pwdPolicy subentry in effect for
578                  this object'
579              EQUALITY distinguishedNameMatch
580              SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
581              SINGLE-VALUE
582              USAGE directoryOperation)
583
584       pwdChangedTime
585
586       This  attribute  denotes  the  last  time that the entry's password was
587       changed.  This value is used by the password expiration policy  to  de‐
588       termine  whether  the  password is too old to be allowed to be used for
589       user authentication.  If pwdChangedTime  does  not  exist,  the  user's
590       password will not expire.
591
592           (  1.3.6.1.4.1.42.2.27.8.1.16
593              NAME 'pwdChangedTime'
594              DESC 'The time the password was last changed'
595              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
596              EQUALITY generalizedTimeMatch
597              ORDERING generalizedTimeOrderingMatch
598              SINGLE-VALUE
599              NO-USER-MODIFICATION
600              USAGE directoryOperation)
601
602       pwdAccountLockedTime
603
604       This  attribute  contains  the time that the user's account was locked.
605       If the account has been locked, the password may no longer be  used  to
606       authenticate the user to the directory.  If pwdAccountLockedTime is set
607       to 000001010000Z, the user's account has been  permanently  locked  and
608       may  only  be  unlocked  by an administrator. Note that account locking
609       only takes effect when the pwdLockout password policy attribute is  set
610       to "TRUE".
611
612           (  1.3.6.1.4.1.42.2.27.8.1.17
613              NAME 'pwdAccountLockedTime'
614              DESC 'The time an user account was locked'
615              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
616              EQUALITY generalizedTimeMatch
617              ORDERING generalizedTimeOrderingMatch
618              SINGLE-VALUE
619              USAGE directoryOperation)
620
621       pwdFailureTime
622
623       This  attribute  contains the timestamps of each of the consecutive au‐
624       thentication failures made upon attempted  authentication  to  this  DN
625       (i.e.  account).   If too many timestamps accumulate here (refer to the
626       pwdMaxFailure password policy attribute for details), and the  pwdLock‐
627       out  password  policy  attribute  is  set to "TRUE", the account may be
628       locked.  (Please also refer to the pwdLockout  password  policy  attri‐
629       bute.)  Excess timestamps beyond those allowed by pwdMaxFailure or pwd‐
630       MaxRecordedFailure may also be purged.  If a successful  authentication
631       is  made  to  this  DN (i.e. to this user account), then pwdFailureTime
632       will be cleansed of entries.
633
634           (  1.3.6.1.4.1.42.2.27.8.1.19
635              NAME 'pwdFailureTime'
636              DESC 'The timestamps of the last consecutive
637                  authentication failures'
638              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
639              EQUALITY generalizedTimeMatch
640              ORDERING generalizedTimeOrderingMatch
641              NO-USER-MODIFICATION
642              USAGE directoryOperation )
643
644       pwdHistory
645
646       This attribute contains the history of previously  used  passwords  for
647       this DN (i.e. for this user account).  The values of this attribute are
648       stored in string format as follows:
649
650
651           pwdHistory=
652               time "#" syntaxOID "#" length "#" data
653
654           time=
655               GeneralizedTime as specified in section 3.3.13 of [RFC4517]
656
657
658           syntaxOID = numericoid
659               This is the string representation  of  the  dotted-decimal  OID
660               that defines the syntax used to store the password.  numericoid
661               is described in section 1.4 of [RFC4512].
662
663           length = NumericString
664               The number of octets in the data.  NumericString  is  described
665               in section 3.3.23 of [RFC4517].
666
667           data =
668               Octets  representing  the  password  in the format specified by
669               syntaxOID.
670
671
672       This format allows the server to store and transmit a history of  pass‐
673       words  that have been used.  In order for equality matching on the val‐
674       ues in this attribute to function properly, the time field  is  in  GMT
675       format.
676
677           (  1.3.6.1.4.1.42.2.27.8.1.20
678              NAME 'pwdHistory'
679              DESC 'The history of user passwords'
680              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
681              EQUALITY octetStringMatch
682              NO-USER-MODIFICATION
683              USAGE directoryOperation)
684
685       pwdGraceUseTime
686
687       This attribute contains the list of timestamps of logins made after the
688       user password in the DN has expired.  These post-expiration logins  are
689       known  as  "grace  logins".   If  too  many grace logins have been used
690       (please refer to the  pwdGraceAuthnLimit  password  policy  attribute),
691       then  the  DN  will no longer be allowed to be used to authenticate the
692       user to the directory until the administrator changes  the  DN's  user‐
693       Password attribute.
694
695           (  1.3.6.1.4.1.42.2.27.8.1.21
696              NAME 'pwdGraceUseTime'
697              DESC  'The  timestamps  of the grace login once the password has
698           expired'
699              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
700              EQUALITY generalizedTimeMatch
701              NO-USER-MODIFICATION
702              USAGE directoryOperation)
703
704       pwdReset
705
706       This attribute indicates whether the user's password has been reset  by
707       the  administrator  and  thus must be changed upon first use of this DN
708       for authentication to the directory.  If pwdReset  is  set  to  "TRUE",
709       then  the password was reset and the user must change it upon first au‐
710       thentication.  If the attribute does not exist, or is set  to  "FALSE",
711       the user need not change their password due to administrative reset.
712
713           (  1.3.6.1.4.1.42.2.27.8.1.22
714              NAME 'pwdReset'
715              DESC 'The indication that the password has
716                  been reset'
717              EQUALITY booleanMatch
718              SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
719              SINGLE-VALUE
720              USAGE directoryOperation)
721
722       pwdStartTime
723
724       This  attribute  specifies  the time the entry's password becomes valid
725       for authentication.  Authentication attempts made before this time will
726       fail.  If this attribute does not exist, then no restriction applies.
727
728           (  1.3.6.1.4.1.42.2.27.8.1.27
729              NAME 'pwdStartTime'
730              DESC 'The time the password becomes enabled'
731              EQUALITY generalizedTimeMatch
732              ORDERING generalizedTimeOrderingMatch
733              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
734              SINGLE-VALUE
735              USAGE directoryOperation )
736
737       pwdEndTime
738
739       This  attribute specifies the time the entry's password becomes invalid
740       for authentication.  Authentication attempts made after this time  will
741       fail,  regardless  of  expiration or grace settings.  If this attribute
742       does not exist, then this restriction does not apply.
743
744           (  1.3.6.1.4.1.42.2.27.8.1.28
745              NAME 'pwdEndTime'
746              DESC 'The time the password becomes disabled'
747              EQUALITY generalizedTimeMatch
748              ORDERING generalizedTimeOrderingMatch
749              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
750              SINGLE-VALUE
751              USAGE directoryOperation )
752
753       Note that pwdStartTime may be set to a time greater than  or  equal  to
754       pwdEndTime; this simply disables the account.
755
756       pwdAccountTmpLockoutEnd
757
758       This attribute that the user's password has been locked out temporarily
759       according to the pwdMinDelay policy option and when the lockout ends.
760
761           (  1.3.6.1.4.1.42.2.27.8.1.33
762              NAME 'pwdAccountTmpLockoutEnd'
763              DESC 'Temporary lockout end'
764              EQUALITY generalizedTimeMatch
765              ORDERING generalizedTimeOrderingMatch
766              SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
767              SINGLE-VALUE
768              NO-USER-MODIFICATION
769              USAGE directoryOperation )
770
771

SUNDS ACCOUNT USABILITY CONTROL

773       If the SunDS Account Usability control is used with a  search  request,
774       the overlay will attach validity information to each entry provided all
775       of the following are met:
776
777       • There is a password policy that applies to the entry
778
779       • The user has compare access to the entry's password attribute.
780
781       • The configured password attribute is present in the entry
782
783

EXAMPLES

785              database mdb
786              suffix dc=example,dc=com
787              ...
788              overlay ppolicy
789              ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
790
791

SEE ALSO

793       ldap(3), slapd.conf(5), slapd-config(5), slapo-chain(5).
794
795       "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
796
797       IETF LDAP password policy proposal by P.  Behera,  L.   Poitou  and  J.
798       Sermersheim:   documented in IETF document "draft-behera-ldap-password-
799       policy-10.txt".
800
801

BUGS

803       The LDAP Password Policy specification is not yet an approved standard,
804       and  it  is still evolving. This code will continue to be in flux until
805       the specification is finalized.
806
807

ACKNOWLEDGEMENTS

809       This module was written in 2004 by Howard Chu of Symas Corporation with
810       significant  input  from  Neil  Dunbar  and Kartik Subbarao of Hewlett-
811       Packard.
812
813       This manual page borrows heavily and shamelessly from the specification
814       upon  which  the  password  policy  module it describes is based.  This
815       source is the IETF LDAP password  policy  proposal  by  P.  Behera,  L.
816       Poitou  and  J.  Sermersheim.   The proposal is fully documented in the
817       IETF document named  draft-behera-ldap-password-policy-10.txt,  written
818       in August of 2009.
819
820       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
821       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni‐
822       versity of Michigan LDAP 3.3 Release.
823
824
825
826OpenLDAP 2.6.2                    2022/05/04                  SLAPO_PPOLICY(5)
Impressum