1SLAPO_PPOLICY(5) File Formats Manual SLAPO_PPOLICY(5)
2
3
4
6 slapo-ppolicy - Password Policy overlay to slapd
7
9 /etc/openldap/slapd.conf
10
12 The ppolicy overlay is an implementation of the most recent IETF Pass‐
13 word Policy proposal for LDAP. When instantiated, it intercepts, de‐
14 codes and applies specific password policy controls to overall use of a
15 backend database, changes to user password fields, etc.
16
17 The overlay provides a variety of password control mechanisms. They
18 include password aging -- both minimum and maximum ages, password reuse
19 and duplication control, account time-outs, mandatory password resets,
20 acceptable password content, and even grace logins. Different groups
21 of users may be associated with different password policies, and there
22 is no limit to the number of password policies that may be created.
23
24 Note that some of the policies do not take effect when the operation is
25 performed with the rootdn identity; all the operations, when performed
26 with any other identity, may be subjected to constraints, like access
27 control. This overlay requires a rootdn to be configured on the data‐
28 base.
29
30 During password update, an identity with manage access to the userPass‐
31 word attribute is considered a password administrator where relevant to
32 the IETF Password Policy proposal.
33
34 Note that the IETF Password Policy proposal for LDAP makes sense when
35 considering a single-valued password attribute, while the userPassword
36 attribute allows multiple values. This implementation enforces a sin‐
37 gle value for the userPassword attribute, despite its specification.
38
39 In addition to supporting the IETF Password Policy, this module sup‐
40 ports the SunDS Account Usability control (1.3.6.1.4.1.42.2.27.9.5.8)
41 on search requests and can send the Netscape Password validity controls
42 when configured to do so.
43
44
46 These slapd.conf configuration options apply to the ppolicy overlay.
47 They should appear after the overlay directive.
48
49 ppolicy_default <policyDN>
50 Specify the DN of the pwdPolicy object to use when no specific
51 policy is set on a given user's entry. If there is no specific
52 policy for an entry and no default is given, then no policies
53 will be enforced.
54
55 ppolicy_forward_updates
56 Specify that policy state changes that result from Bind opera‐
57 tions (such as recording failures, lockout, etc.) on a consumer
58 should be forwarded to a provider instead of being written di‐
59 rectly into the consumer's local database. This setting is only
60 useful on a replication consumer, and also requires the up‐
61 dateref setting and chain overlay to be appropriately config‐
62 ured.
63
64 ppolicy_hash_cleartext
65 Specify that cleartext passwords present in Add and Modify re‐
66 quests should be hashed before being stored in the database.
67 This violates the X.500/LDAP information model, but may be
68 needed to compensate for LDAP clients that don't use the Pass‐
69 word Modify extended operation to manage passwords. It is rec‐
70 ommended that when this option is used that compare, search, and
71 read access be denied to all directory users.
72
73 ppolicy_use_lockout
74 A client will always receive an LDAP InvalidCredentials response
75 when Binding to a locked account. By default, when a Password
76 Policy control was provided on the Bind request, a Password Pol‐
77 icy response will be included with no special error code set.
78 This option changes the Password Policy response to include the
79 AccountLocked error code. Note that sending the AccountLocked
80 error code provides useful information to an attacker; sites
81 that are sensitive to security issues should not enable this op‐
82 tion.
83
84 ppolicy_send_netscape_controls
85 If set, ppolicy will send the password policy expired
86 (2.16.840.1.113730.3.4.4) and password policy expiring
87 (2.16.840.1.113730.3.4.5) controls when appropriate. The con‐
88 trols are not sent for bind requests where the Password policy
89 control has already been requested. Default is not to send the
90 controls.
91
92 ppolicy_check_module <path>
93 Specify the path of a loadable module containing a check_pass‐
94 word() function for additional password quality checks. The use
95 of this module is described further below in the description of
96 the pwdPolicyChecker objectclass.
97
98 Note: The user-defined loadable module must be in slapd's stan‐
99 dard executable search PATH, or an absolute path must be pro‐
100 vided.
101
102 Note: Use of a ppolicy_check_module is a non-standard extension
103 to the LDAP password policy proposal.
104
105
106
108 The ppolicy overlay depends on the pwdPolicy object class. The defini‐
109 tion of that class is as follows:
110
111 ( 1.3.6.1.4.1.42.2.27.8.2.1
112 NAME 'pwdPolicy'
113 AUXILIARY
114 SUP top
115 MUST ( pwdAttribute )
116 MAY (
117 pwdMinAge $ pwdMaxAge $ pwdInHistory $
118 pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
119 pwdExpireWarning $ pwdGraceAuthnLimit $
120 pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
121 pwdMaxFailure $ pwdFailureCountInterval $
122 pwdMustChange $ pwdAllowUserChange $
123 pwdSafeModify $ pwdMaxRecordedFailure $
124 pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
125
126 The pwdPolicy class is not structural, and so entries using it require
127 another, structural, object class. The namedPolicy object class is a
128 good choice. namedPolicy requires a cn attribute, suitable as the pol‐
129 icy entry's rDN.
130
131 This implementation also provides an additional pwdPolicyChecker ob‐
132 jectclass, used for password quality checking (see below).
133
134 ( 1.3.6.1.4.1.4754.2.99.1
135 NAME 'pwdPolicyChecker'
136 AUXILIARY
137 SUP top
138 MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule )
139 )
140
141 Every account that should be subject to password policy control should
142 have a pwdPolicySubentry attribute containing the DN of a valid pwdPol‐
143 icy entry, or they can simply use the configured default. In this way
144 different users may be managed according to different policies.
145
146
148 Each one of the sections below details the meaning and use of a partic‐
149 ular attribute of this pwdPolicy object class.
150
151 pwdAttribute
152
153 This attribute contains the name of the attribute to which the password
154 policy is applied. For example, the password policy may be applied to
155 the userPassword attribute.
156
157 Note: in this implementation, the only value accepted for pwdAttribute
158 is userPassword .
159
160 ( 1.3.6.1.4.1.42.2.27.8.1.1
161 NAME 'pwdAttribute'
162 EQUALITY objectIdentifierMatch
163 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
164
165 pwdMinAge
166
167 This attribute contains the number of seconds that must elapse between
168 modifications allowed to the password. If this attribute is not
169 present, zero seconds is assumed (i.e. the password may be modified
170 whenever and however often is desired).
171
172 ( 1.3.6.1.4.1.42.2.27.8.1.2
173 NAME 'pwdMinAge'
174 EQUALITY integerMatch
175 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
176 SINGLE-VALUE )
177
178 pwdMaxAge
179
180 This attribute contains the number of seconds after which a modified
181 password will expire. If this attribute is not present, or if its
182 value is zero (0), then passwords will not expire.
183
184 ( 1.3.6.1.4.1.42.2.27.8.1.3
185 NAME 'pwdMaxAge'
186 EQUALITY integerMatch
187 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
188 SINGLE-VALUE )
189
190 pwdInHistory
191
192 This attribute is used to specify the maximum number of used passwords
193 that will be stored in the pwdHistory attribute. If the pwdInHistory
194 attribute is not present, or if its value is zero (0), used passwords
195 will not be stored in pwdHistory and thus any previously-used password
196 may be reused. No history checking occurs if the password is being
197 modified by the rootdn, although the password is saved in the history.
198
199 ( 1.3.6.1.4.1.42.2.27.8.1.4
200 NAME 'pwdInHistory'
201 EQUALITY integerMatch
202 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
203 SINGLE-VALUE )
204
205 pwdCheckQuality
206
207 This attribute indicates if and how password syntax will be checked
208 while a password is being modified or added. If this attribute is not
209 present, or its value is zero (0), no syntax checking will be done. If
210 its value is one (1), the server will check the syntax, and if the
211 server is unable to check the syntax, whether due to a client-side
212 hashed password or some other reason, it will be accepted. If its value
213 is two (2), the server will check the syntax, and if the server is un‐
214 able to check the syntax it will return an error refusing the password.
215
216 ( 1.3.6.1.4.1.42.2.27.8.1.5
217 NAME 'pwdCheckQuality'
218 EQUALITY integerMatch
219 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
220 SINGLE-VALUE )
221
222 pwdMinLength
223
224 When syntax checking is enabled (see also the pwdCheckQuality attri‐
225 bute), this attribute contains the minimum length in bytes that will be
226 accepted in a password. If this attribute is not present, minimum pass‐
227 word length is not enforced. If the server is unable to check the
228 length of the password, whether due to a client-side hashed password or
229 some other reason, the server will, depending on the value of pwdCheck‐
230 Quality, either accept the password without checking it (if pwdCheck‐
231 Quality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two
232 (2)). If the number of characters should be enforced with regards to a
233 particular encoding, the use of an appropriate ppolicy_check_module is
234 required.
235
236 ( 1.3.6.1.4.1.42.2.27.8.1.6
237 NAME 'pwdMinLength'
238 EQUALITY integerMatch
239 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
240 SINGLE-VALUE )
241
242 pwdMaxLength
243
244 When syntax checking is enabled (see also the pwdCheckQuality attri‐
245 bute), this attribute contains the maximum length in bytes that will be
246 accepted in a password. If this attribute is not present, maximum pass‐
247 word length is not enforced. If the server is unable to check the
248 length of the password, whether due to a client-side hashed password or
249 some other reason, the server will, depending on the value of pwdCheck‐
250 Quality, either accept the password without checking it (if pwdCheck‐
251 Quality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two
252 (2)). If the number of characters should be enforced with regards to a
253 particular encoding, the use of an appropriate ppolicy_check_module is
254 required.
255
256 ( 1.3.6.1.4.1.42.2.27.8.1.31
257 NAME 'pwdMaxLength'
258 EQUALITY integerMatch
259 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
260 SINGLE-VALUE )
261
262 pwdExpireWarning
263
264 This attribute contains the maximum number of seconds before a password
265 is due to expire that expiration warning messages will be returned to a
266 user who is authenticating to the directory. If this attribute is not
267 present, or if the value is zero (0), no warnings will be sent.
268
269 ( 1.3.6.1.4.1.42.2.27.8.1.7
270 NAME 'pwdExpireWarning'
271 EQUALITY integerMatch
272 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
273 SINGLE-VALUE )
274
275 pwdGraceAuthnLimit
276
277 This attribute contains the number of times that an expired password
278 may be used to authenticate a user to the directory. If this attribute
279 is not present or if its value is zero (0), users with expired pass‐
280 words will not be allowed to authenticate to the directory.
281
282 ( 1.3.6.1.4.1.42.2.27.8.1.8
283 NAME 'pwdGraceAuthnLimit'
284 EQUALITY integerMatch
285 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
286 SINGLE-VALUE )
287
288 pwdGraceExpiry
289
290 This attribute specifies the number of seconds the grace authentica‐
291 tions are valid. If this attribute is not present or if the value is
292 zero (0), there is no time limit on the grace authentications.
293
294 ( 1.3.6.1.4.1.42.2.27.8.1.30
295 NAME 'pwdGraceExpiry'
296 EQUALITY integerMatch
297 ORDERING integerOrderingMatch
298 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
299 SINGLE-VALUE )
300
301 pwdLockout
302
303 This attribute specifies the action that should be taken by the direc‐
304 tory when a user has made a number of failed attempts to authenticate
305 to the directory. If pwdLockout is set (its value is "TRUE"), the user
306 will not be allowed to attempt to authenticate to the directory after
307 there have been a specified number of consecutive failed bind attempts.
308 The maximum number of consecutive failed bind attempts allowed is spec‐
309 ified by the pwdMaxFailure attribute. If pwdLockout is not present, or
310 if its value is "FALSE", the password may be used to authenticate no
311 matter how many consecutive failed bind attempts have been made.
312
313 ( 1.3.6.1.4.1.42.2.27.8.1.9
314 NAME 'pwdLockout'
315 EQUALITY booleanMatch
316 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
317 SINGLE-VALUE )
318
319 pwdLockoutDuration
320
321 This attribute contains the number of seconds during which the password
322 cannot be used to authenticate the user to the directory due to too
323 many consecutive failed bind attempts. (See also pwdLockout and pwd‐
324 MaxFailure.) If pwdLockoutDuration is not present, or if its value is
325 zero (0), the password cannot be used to authenticate the user to the
326 directory again until it is reset by an administrator.
327
328 ( 1.3.6.1.4.1.42.2.27.8.1.10
329 NAME 'pwdLockoutDuration'
330 EQUALITY integerMatch
331 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
332 SINGLE-VALUE )
333
334 pwdMaxFailure
335
336 This attribute contains the number of consecutive failed bind attempts
337 after which the password may not be used to authenticate a user to the
338 directory. If pwdMaxFailure is not present, or its value is zero (0),
339 then a user will be allowed to continue to attempt to authenticate to
340 the directory, no matter how many consecutive failed bind attempts have
341 occurred with that user's DN. (See also pwdLockout and pwdLockoutDura‐
342 tion.)
343
344 ( 1.3.6.1.4.1.42.2.27.8.1.11
345 NAME 'pwdMaxFailure'
346 EQUALITY integerMatch
347 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
348 SINGLE-VALUE )
349
350 pwdMaxRecordedFailure
351
352 This attribute contains the maximum number of failed bind attempts to
353 store in a user's entry. If pwdMaxRecordedFailure is not present, or
354 its value is zero (0), then it defaults to the value of pwdMaxFailure.
355 If that value is also 0, the default is 5.
356
357 ( 1.3.6.1.4.1.42.2.27.8.1.32
358 NAME 'pwdMaxRecordedFailure'
359 EQUALITY integerMatch
360 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
361 SINGLE-VALUE )
362
363 pwdFailureCountInterval
364
365 This attribute contains the number of seconds after which old consecu‐
366 tive failed bind attempts are purged from the failure counter, even
367 though no successful authentication has occurred. If pwdFailure‐
368 CountInterval is not present, or its value is zero (0), the failure
369 counter will only be reset by a successful authentication.
370
371 ( 1.3.6.1.4.1.42.2.27.8.1.12
372 NAME 'pwdFailureCountInterval'
373 EQUALITY integerMatch
374 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
375 SINGLE-VALUE )
376
377 pwdMustChange
378
379 This attribute specifies whether users must change their passwords when
380 they first bind to the directory after a password is set or reset by
381 the administrator, or not. If pwdMustChange has a value of "TRUE",
382 users must change their passwords when they first bind to the directory
383 after a password is set or reset by the administrator. If pwd‐
384 MustChange is not present, or its value is "FALSE", users are not re‐
385 quired to change their password upon binding after the administrator
386 sets or resets the password.
387
388 ( 1.3.6.1.4.1.42.2.27.8.1.13
389 NAME 'pwdMustChange'
390 EQUALITY booleanMatch
391 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
392 SINGLE-VALUE )
393
394 pwdAllowUserChange
395
396 This attribute specifies whether users are allowed to change their own
397 passwords or not. If pwdAllowUserChange is set to "TRUE", or if the
398 attribute is not present, users will be allowed to change their own
399 passwords. If its value is "FALSE", users will not be allowed to
400 change their own passwords.
401
402 Note: this implies that when pwdAllowUserChange is set to "TRUE", users
403 will still be able to change the password of another user, subjected to
404 access control. This restriction only applies to modifications of
405 ones's own password. It should also be noted that pwdAllowUserChange
406 was defined in the specification to provide rough access control to the
407 password attribute in implementations that do not allow fine-grain ac‐
408 cess control. Since OpenLDAP provides fine-grain access control, the
409 use of this attribute is discouraged; ACLs should be used instead (see
410 slapd.access(5) for details).
411
412 ( 1.3.6.1.4.1.42.2.27.8.1.14
413 NAME 'pwdAllowUserChange'
414 EQUALITY booleanMatch
415 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
416 SINGLE-VALUE )
417
418 pwdSafeModify
419
420 This attribute denotes whether the user's existing password must be
421 sent along with their new password when changing a password. If pwd‐
422 SafeModify is set to "TRUE", the existing password must be sent along
423 with the new password. If the attribute is not present, or its value
424 is "FALSE", the existing password need not be sent along with the new
425 password.
426
427 ( 1.3.6.1.4.1.42.2.27.8.1.15
428 NAME 'pwdSafeModify'
429 EQUALITY booleanMatch
430 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
431 SINGLE-VALUE )
432
433 pwdMinDelay
434
435 This attribute specifies the number of seconds to delay responding to
436 the first failed authentication attempt. If this attribute is not set
437 or is zero (0), no delays will be used. pwdMaxDelay must also be spec‐
438 ified if pwdMinDelay is set.
439
440 Note that this implementation uses a variable lockout instead of delay‐
441 ing the bind response.
442
443 ( 1.3.6.1.4.1.42.2.27.8.1.24
444 NAME 'pwdMinDelay'
445 EQUALITY integerMatch
446 ORDERING integerOrderingMatch
447 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
448 SINGLE-VALUE )
449
450 pwdMaxDelay
451
452 This attribute specifies the maximum number of seconds to delay when
453 responding to a failed authentication attempt. The time specified in
454 pwdMinDelay is used as the starting time and is then doubled on each
455 failure until the delay time is greater than or equal to pwdMaxDelay
456 (or a successful authentication occurs, which resets the failure
457 counter). pwdMinDelay must also be specified if pwdMaxDelay is set.
458
459 Note that this implementation uses a variable lockout instead of delay‐
460 ing the bind response.
461
462 ( 1.3.6.1.4.1.42.2.27.8.1.25
463 NAME 'pwdMaxDelay'
464 EQUALITY integerMatch
465 ORDERING integerOrderingMatch
466 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
467 SINGLE-VALUE )
468
469 pwdMaxIdle
470
471 This attribute specifies the number of seconds an account may remain
472 unused before it becomes locked. If this attribute is not set or is
473 zero (0), no check is performed. For this to be enforced, lastbind
474 functionality needs to be enabled on the database, that is olcLastBind
475 is set to TRUE.
476
477 ( 1.3.6.1.4.1.42.2.27.8.1.26
478 NAME 'pwdMaxIdle'
479 EQUALITY integerMatch
480 ORDERING integerOrderingMatch
481 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
482 SINGLE-VALUE )
483
484 pwdUseCheckModule/pwdCheckModuleArg
485
486 The pwdUseCheckModule attribute enables use of a loadable module previ‐
487 ously configured with ppolicy_check_module for the current policy. The
488 module must instantiate the check_password() function. This function
489 will be called to further check a new password if pwdCheckQuality is
490 set to one (1) or two (2), after all of the built-in password compli‐
491 ance checks have been passed. This function will be called according
492 to this function prototype:
493 int check_password (char *pPasswd, struct berval *pErrmsg, Entry
494 *pEntry, struct berval *pArg);
495 The pPasswd parameter contains the clear-text user password, the pEr‐
496 rmsg parameter points to a struct berval containing space to return hu‐
497 man-readable details about any error it encounters. The bv_len field
498 must contain the size of the space provided by the bv_val field.
499
500 The pEntry parameter is optional, if non-NULL, carries a pointer to the
501 entry whose password is being checked.
502
503 The optional pArg parameter points to a struct berval containing the
504 value of pwdCheckModuleArg in the effective password policy, if set,
505 otherwise NULL.
506
507 If pErrmsg is NULL, then funcName must NOT attempt to use it. A return
508 value of LDAP_SUCCESS from the called function indicates that the pass‐
509 word is ok, any other value indicates that the password is unaccept‐
510 able. If the password is unacceptable, the server will return an error
511 to the client, and pErrmsg may be used to return a human-readable tex‐
512 tual explanation of the error. If the space passed in by the caller is
513 too small, the function may replace it with a dynamically allocated
514 buffer, which will be free()'d by slapd.
515
516 The pwdCheckModule attribute is now obsolete and is ignored.
517
518
519 ( 1.3.6.1.4.1.4754.1.99.1
520 NAME 'pwdCheckModule'
521 EQUALITY caseExactIA5Match
522 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
523 OBSOLETE
524 SINGLE-VALUE )
525
526 ( 1.3.6.1.4.1.4754.1.99.2
527 NAME 'pwdCheckModuleArg'
528 EQUALITY octetStringMatch
529 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
530 DESC 'Argument to pass to check_password() function'
531 SINGLE-VALUE )
532
533 ( 1.3.6.1.4.1.4754.1.99.3
534 NAME 'pwdUseCheckModule'
535 EQUALITY booleanMatch
536 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
537 SINGLE-VALUE )
538
539
541 The operational attributes used by the ppolicy module are stored in the
542 user's entry. Most of these attributes are not intended to be changed
543 directly by users; they are there to track user activity. They have
544 been detailed here so that administrators and users can both understand
545 the workings of the ppolicy module.
546
547
548 Note that the current IETF Password Policy proposal does not define how
549 these operational attributes are expected to behave in a replication
550 environment. In general, authentication attempts on a replica server
551 only affect the copy of the operational attributes on that replica and
552 will not affect any attributes for a user's entry on the provider. Op‐
553 erational attribute changes resulting from authentication attempts on a
554 provider will usually replicate to the replicas (and also overwrite any
555 changes that originated on the replica). These behaviors are not guar‐
556 anteed and are subject to change when a formal specification emerges.
557
558 userPassword
559
560 The userPassword attribute is not strictly part of the ppolicy module.
561 It is, however, the attribute that is tracked and controlled by the
562 module. Please refer to the standard OpenLDAP schema for its defini‐
563 tion.
564
565 pwdPolicySubentry
566
567 This attribute refers directly to the pwdPolicy subentry that is to be
568 used for this particular directory user. If pwdPolicySubentry exists,
569 it must contain the DN of a valid pwdPolicy object. If it does not ex‐
570 ist, the ppolicy module will enforce the default password policy rules
571 on the user associated with this authenticating DN. If there is no de‐
572 fault, or the referenced subentry does not exist, then no policy rules
573 will be enforced.
574
575 ( 1.3.6.1.4.1.42.2.27.8.1.23
576 NAME 'pwdPolicySubentry'
577 DESC 'The pwdPolicy subentry in effect for
578 this object'
579 EQUALITY distinguishedNameMatch
580 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
581 SINGLE-VALUE
582 USAGE directoryOperation)
583
584 pwdChangedTime
585
586 This attribute denotes the last time that the entry's password was
587 changed. This value is used by the password expiration policy to de‐
588 termine whether the password is too old to be allowed to be used for
589 user authentication. If pwdChangedTime does not exist, the user's
590 password will not expire.
591
592 ( 1.3.6.1.4.1.42.2.27.8.1.16
593 NAME 'pwdChangedTime'
594 DESC 'The time the password was last changed'
595 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
596 EQUALITY generalizedTimeMatch
597 ORDERING generalizedTimeOrderingMatch
598 SINGLE-VALUE
599 NO-USER-MODIFICATION
600 USAGE directoryOperation)
601
602 pwdAccountLockedTime
603
604 This attribute contains the time that the user's account was locked.
605 If the account has been locked, the password may no longer be used to
606 authenticate the user to the directory. If pwdAccountLockedTime is set
607 to 000001010000Z, the user's account has been permanently locked and
608 may only be unlocked by an administrator. Note that account locking
609 only takes effect when the pwdLockout password policy attribute is set
610 to "TRUE".
611
612 ( 1.3.6.1.4.1.42.2.27.8.1.17
613 NAME 'pwdAccountLockedTime'
614 DESC 'The time an user account was locked'
615 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
616 EQUALITY generalizedTimeMatch
617 ORDERING generalizedTimeOrderingMatch
618 SINGLE-VALUE
619 USAGE directoryOperation)
620
621 pwdFailureTime
622
623 This attribute contains the timestamps of each of the consecutive au‐
624 thentication failures made upon attempted authentication to this DN
625 (i.e. account). If too many timestamps accumulate here (refer to the
626 pwdMaxFailure password policy attribute for details), and the pwdLock‐
627 out password policy attribute is set to "TRUE", the account may be
628 locked. (Please also refer to the pwdLockout password policy attri‐
629 bute.) Excess timestamps beyond those allowed by pwdMaxFailure or pwd‐
630 MaxRecordedFailure may also be purged. If a successful authentication
631 is made to this DN (i.e. to this user account), then pwdFailureTime
632 will be cleansed of entries.
633
634 ( 1.3.6.1.4.1.42.2.27.8.1.19
635 NAME 'pwdFailureTime'
636 DESC 'The timestamps of the last consecutive
637 authentication failures'
638 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
639 EQUALITY generalizedTimeMatch
640 ORDERING generalizedTimeOrderingMatch
641 NO-USER-MODIFICATION
642 USAGE directoryOperation )
643
644 pwdHistory
645
646 This attribute contains the history of previously used passwords for
647 this DN (i.e. for this user account). The values of this attribute are
648 stored in string format as follows:
649
650
651 pwdHistory=
652 time "#" syntaxOID "#" length "#" data
653
654 time=
655 GeneralizedTime as specified in section 3.3.13 of [RFC4517]
656
657
658 syntaxOID = numericoid
659 This is the string representation of the dotted-decimal OID
660 that defines the syntax used to store the password. numericoid
661 is described in section 1.4 of [RFC4512].
662
663 length = NumericString
664 The number of octets in the data. NumericString is described
665 in section 3.3.23 of [RFC4517].
666
667 data =
668 Octets representing the password in the format specified by
669 syntaxOID.
670
671
672 This format allows the server to store and transmit a history of pass‐
673 words that have been used. In order for equality matching on the val‐
674 ues in this attribute to function properly, the time field is in GMT
675 format.
676
677 ( 1.3.6.1.4.1.42.2.27.8.1.20
678 NAME 'pwdHistory'
679 DESC 'The history of user passwords'
680 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
681 EQUALITY octetStringMatch
682 NO-USER-MODIFICATION
683 USAGE directoryOperation)
684
685 pwdGraceUseTime
686
687 This attribute contains the list of timestamps of logins made after the
688 user password in the DN has expired. These post-expiration logins are
689 known as "grace logins". If too many grace logins have been used
690 (please refer to the pwdGraceAuthnLimit password policy attribute),
691 then the DN will no longer be allowed to be used to authenticate the
692 user to the directory until the administrator changes the DN's user‐
693 Password attribute.
694
695 ( 1.3.6.1.4.1.42.2.27.8.1.21
696 NAME 'pwdGraceUseTime'
697 DESC 'The timestamps of the grace login once the password has
698 expired'
699 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
700 EQUALITY generalizedTimeMatch
701 NO-USER-MODIFICATION
702 USAGE directoryOperation)
703
704 pwdReset
705
706 This attribute indicates whether the user's password has been reset by
707 the administrator and thus must be changed upon first use of this DN
708 for authentication to the directory. If pwdReset is set to "TRUE",
709 then the password was reset and the user must change it upon first au‐
710 thentication. If the attribute does not exist, or is set to "FALSE",
711 the user need not change their password due to administrative reset.
712
713 ( 1.3.6.1.4.1.42.2.27.8.1.22
714 NAME 'pwdReset'
715 DESC 'The indication that the password has
716 been reset'
717 EQUALITY booleanMatch
718 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
719 SINGLE-VALUE
720 USAGE directoryOperation)
721
722 pwdStartTime
723
724 This attribute specifies the time the entry's password becomes valid
725 for authentication. Authentication attempts made before this time will
726 fail. If this attribute does not exist, then no restriction applies.
727
728 ( 1.3.6.1.4.1.42.2.27.8.1.27
729 NAME 'pwdStartTime'
730 DESC 'The time the password becomes enabled'
731 EQUALITY generalizedTimeMatch
732 ORDERING generalizedTimeOrderingMatch
733 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
734 SINGLE-VALUE
735 USAGE directoryOperation )
736
737 pwdEndTime
738
739 This attribute specifies the time the entry's password becomes invalid
740 for authentication. Authentication attempts made after this time will
741 fail, regardless of expiration or grace settings. If this attribute
742 does not exist, then this restriction does not apply.
743
744 ( 1.3.6.1.4.1.42.2.27.8.1.28
745 NAME 'pwdEndTime'
746 DESC 'The time the password becomes disabled'
747 EQUALITY generalizedTimeMatch
748 ORDERING generalizedTimeOrderingMatch
749 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
750 SINGLE-VALUE
751 USAGE directoryOperation )
752
753 Note that pwdStartTime may be set to a time greater than or equal to
754 pwdEndTime; this simply disables the account.
755
756 pwdAccountTmpLockoutEnd
757
758 This attribute that the user's password has been locked out temporarily
759 according to the pwdMinDelay policy option and when the lockout ends.
760
761 ( 1.3.6.1.4.1.42.2.27.8.1.33
762 NAME 'pwdAccountTmpLockoutEnd'
763 DESC 'Temporary lockout end'
764 EQUALITY generalizedTimeMatch
765 ORDERING generalizedTimeOrderingMatch
766 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
767 SINGLE-VALUE
768 NO-USER-MODIFICATION
769 USAGE directoryOperation )
770
771
773 If the SunDS Account Usability control is used with a search request,
774 the overlay will attach validity information to each entry provided all
775 of the following are met:
776
777 • There is a password policy that applies to the entry
778
779 • The user has compare access to the entry's password attribute.
780
781 • The configured password attribute is present in the entry
782
783
785 database mdb
786 suffix dc=example,dc=com
787 ...
788 overlay ppolicy
789 ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
790
791
793 ldap(3), slapd.conf(5), slapd-config(5), slapo-chain(5).
794
795 "OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
796
797 IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
798 Sermersheim: documented in IETF document "draft-behera-ldap-password-
799 policy-10.txt".
800
801
803 The LDAP Password Policy specification is not yet an approved standard,
804 and it is still evolving. This code will continue to be in flux until
805 the specification is finalized.
806
807
809 This module was written in 2004 by Howard Chu of Symas Corporation with
810 significant input from Neil Dunbar and Kartik Subbarao of Hewlett-
811 Packard.
812
813 This manual page borrows heavily and shamelessly from the specification
814 upon which the password policy module it describes is based. This
815 source is the IETF LDAP password policy proposal by P. Behera, L.
816 Poitou and J. Sermersheim. The proposal is fully documented in the
817 IETF document named draft-behera-ldap-password-policy-10.txt, written
818 in August of 2009.
819
820 OpenLDAP Software is developed and maintained by The OpenLDAP Project
821 <http://www.openldap.org/>. OpenLDAP Software is derived from the Uni‐
822 versity of Michigan LDAP 3.3 Release.
823
824
825
826OpenLDAP 2.6.2 2022/05/04 SLAPO_PPOLICY(5)