1 # $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.7.2.3 2008/02/11 23:26:49 kurt Exp $
2 ## This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 ## Copyright 2004-2008 The OpenLDAP Foundation.
5 ## All rights reserved.
7 ## Redistribution and use in source and binary forms, with or without
8 ## modification, are permitted only as authorized by the OpenLDAP
11 ## A copy of this license is available in the file LICENSE in the
12 ## top-level directory of the distribution or, alternatively, at
13 ## <http://www.OpenLDAP.org/license.html>.
15 ## Portions Copyright (C) The Internet Society (2004).
16 ## Please see full copyright statement below.
18 # Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
19 # Password Policy for LDAP Directories
20 # With extensions from Hewlett-Packard:
23 # Contents of this file are subject to change (including deletion)
26 # Not recommended for production use!
27 # Use with extreme caution!
29 #Network Working Group J. Sermersheim
30 #Internet-Draft Novell, Inc
31 #Expires: April 24, 2005 L. Poitou
36 # Password Policy for LDAP Directories
37 # draft-behera-ldap-password-policy-08.txt
41 # This document is an Internet-Draft and is subject to all provisions
42 # of section 3 of RFC 3667. By submitting this Internet-Draft, each
43 # author represents that any applicable patent or other IPR claims of
44 # which he or she is aware have been or will be disclosed, and any of
45 # which he or she become aware will be disclosed, in accordance with
48 # Internet-Drafts are working documents of the Internet Engineering
49 # Task Force (IETF), its areas, and its working groups. Note that
50 # other groups may also distribute working documents as
53 # Internet-Drafts are draft documents valid for a maximum of six months
54 # and may be updated, replaced, or obsoleted by other documents at any
55 # time. It is inappropriate to use Internet-Drafts as reference
56 # material or to cite them other than as "work in progress."
58 # The list of current Internet-Drafts can be accessed at
59 # http://www.ietf.org/ietf/1id-abstracts.txt.
61 # The list of Internet-Draft Shadow Directories can be accessed at
62 # http://www.ietf.org/shadow.html.
64 # This Internet-Draft will expire on April 24, 2005.
68 # Copyright (C) The Internet Society (2004).
72 # Password policy as described in this document is a set of rules that
73 # controls how passwords are used and administered in Lightweight
74 # Directory Access Protocol (LDAP) based directories. In order to
75 # improve the security of LDAP directories and make it difficult for
76 # password cracking programs to break into directories, it is desirable
77 # to enforce a set of rules on password usage. These rules are made to
81 #5. Schema used for Password Policy
83 # The schema elements defined here fall into two general categories. A
84 # password policy object class is defined which contains a set of
85 # administrative password policy attributes, and a set of operational
86 # attributes are defined that hold general password policy state
87 # information for each user.
89 #5.2 Attribute Types used in the pwdPolicy ObjectClass
91 # Following are the attribute types used by the pwdPolicy object class.
95 # This holds the name of the attribute to which the password policy is
96 # applied. For example, the password policy may be applied to the
97 # userPassword attribute.
99 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
101 EQUALITY objectIdentifierMatch
102 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
106 # This attribute holds the number of seconds that must elapse between
107 # modifications to the password. If this attribute is not present, 0
108 # seconds is assumed.
110 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
112 EQUALITY integerMatch
113 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
118 # This attribute holds the number of seconds after which a modified
119 # password will expire.
121 # If this attribute is not present, or if the value is 0 the password
122 # does not expire. If not 0, the value must be greater than or equal
123 # to the value of the pwdMinAge.
125 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
127 EQUALITY integerMatch
128 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
133 # This attribute specifies the maximum number of used passwords stored
134 # in the pwdHistory attribute.
136 # If this attribute is not present, or if the value is 0, used
137 # passwords are not stored in the pwdHistory attribute and thus may be
140 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
142 EQUALITY integerMatch
143 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
146 #5.2.5 pwdCheckQuality
148 # {TODO: Consider changing the syntax to OID. Each OID will list a
149 # quality rule (like min len, # of special characters, etc). These
150 # rules can be specified outsid ethis document.}
152 # {TODO: Note that even though this is meant to be a check that happens
153 # during password modification, it may also be allowed to happen during
154 # authN. This is useful for situations where the password is encrypted
155 # when modified, but decrypted when used to authN.}
157 # This attribute indicates how the password quality will be verified
158 # while being modified or added. If this attribute is not present, or
159 # if the value is '0', quality checking will not be enforced. A value
160 # of '1' indicates that the server will check the quality, and if the
161 # server is unable to check it (due to a hashed password or other
162 # reasons) it will be accepted. A value of '2' indicates that the
163 # server will check the quality, and if the server is unable to verify
164 # it, it will return an error refusing the password.
166 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
167 NAME 'pwdCheckQuality'
168 EQUALITY integerMatch
169 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
174 # When quality checking is enabled, this attribute holds the minimum
175 # number of characters that must be used in a password. If this
176 # attribute is not present, no minimum password length will be
177 # enforced. If the server is unable to check the length (due to a
178 # hashed password or otherwise), the server will, depending on the
179 # value of the pwdCheckQuality attribute, either accept the password
180 # without checking it ('0' or '1') or refuse it ('2').
182 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
184 EQUALITY integerMatch
185 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
188 #5.2.7 pwdExpireWarning
190 # This attribute specifies the maximum number of seconds before a
191 # password is due to expire that expiration warning messages will be
192 # returned to an authenticating user.
194 # If this attribute is not present, or if the value is 0 no warnings
195 # will be returned. If not 0, the value must be smaller than the value
196 # of the pwdMaxAge attribute.
198 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
199 NAME 'pwdExpireWarning'
200 EQUALITY integerMatch
201 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
204 #5.2.8 pwdGraceAuthNLimit
206 # This attribute specifies the number of times an expired password can
207 # be used to authenticate. If this attribute is not present or if the
208 # value is 0, authentication will fail.
210 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
211 NAME 'pwdGraceAuthNLimit'
212 EQUALITY integerMatch
213 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
218 # This attribute indicates, when its value is "TRUE", that the password
219 # may not be used to authenticate after a specified number of
220 # consecutive failed bind attempts. The maximum number of consecutive
221 # failed bind attempts is specified in pwdMaxFailure.
223 # If this attribute is not present, or if the value is "FALSE", the
224 # password may be used to authenticate when the number of failed bind
225 # attempts has been reached.
227 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
229 EQUALITY booleanMatch
230 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
233 #5.2.10 pwdLockoutDuration
235 # This attribute holds the number of seconds that the password cannot
236 # be used to authenticate due to too many failed bind attempts. If
237 # this attribute is not present, or if the value is 0 the password
238 # cannot be used to authenticate until reset by a password
241 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
242 NAME 'pwdLockoutDuration'
243 EQUALITY integerMatch
244 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
247 #5.2.11 pwdMaxFailure
249 # This attribute specifies the number of consecutive failed bind
250 # attempts after which the password may not be used to authenticate.
251 # If this attribute is not present, or if the value is 0, this policy
252 # is not checked, and the value of pwdLockout will be ignored.
254 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
256 EQUALITY integerMatch
257 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
260 #5.2.12 pwdFailureCountInterval
262 # This attribute holds the number of seconds after which the password
263 # failures are purged from the failure counter, even though no
264 # successful authentication occurred.
266 # If this attribute is not present, or if its value is 0, the failure
267 # counter is only reset by a successful authentication.
269 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
270 NAME 'pwdFailureCountInterval'
271 EQUALITY integerMatch
272 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
275 #5.2.13 pwdMustChange
277 # This attribute specifies with a value of "TRUE" that users must
278 # change their passwords when they first bind to the directory after a
279 # password is set or reset by a password administrator. If this
280 # attribute is not present, or if the value is "FALSE", users are not
281 # required to change their password upon binding after the password
282 # administrator sets or resets the password. This attribute is not set
283 # due to any actions specified by this document, it is typically set by
284 # a password administrator after resetting a user's password.
286 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
288 EQUALITY booleanMatch
289 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
292 #5.2.14 pwdAllowUserChange
294 # This attribute indicates whether users can change their own
295 # passwords, although the change operation is still subject to access
296 # control. If this attribute is not present, a value of "TRUE" is
297 # assumed. This attribute is intended to be used in the absense of an
298 # access control mechanism.
300 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
301 NAME 'pwdAllowUserChange'
302 EQUALITY booleanMatch
303 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
306 #5.2.15 pwdSafeModify
308 # This attribute specifies whether or not the existing password must be
309 # sent along with the new password when being changed. If this
310 # attribute is not present, a "FALSE" value is assumed.
312 attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
314 EQUALITY booleanMatch
315 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
322 # This attribute names a user-defined loadable module that provides
323 # a check_password() function. If pwdCheckQuality is set to '1' or '2'
324 # this function will be called after all of the internal password
325 # quality checks have been passed. The function has this prototype:
327 # int check_password( char *password, char **errormessage, void *arg )
329 # The function should return LDAP_SUCCESS for a valid password.
331 attributetype ( 1.3.6.1.4.1.4754.1.99.1
332 NAME 'pwdCheckModule'
333 EQUALITY caseExactIA5Match
334 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
335 DESC 'Loadable module that instantiates "check_password() function'
338 objectclass ( 1.3.6.1.4.1.4754.2.99.1
339 NAME 'pwdPolicyChecker'
342 MAY ( pwdCheckModule ) )
344 #5.1 The pwdPolicy Object Class
346 # This object class contains the attributes defining a password policy
347 # in effect for a set of users. Section 10 describes the
348 # administration of this object, and the relationship between it and
349 # particular objects.
351 objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
355 MUST ( pwdAttribute )
356 MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
357 pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
358 $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
359 pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
361 #5.3 Attribute Types for Password Policy State Information
363 # Password policy state information must be maintained for each user.
364 # The information is located in each user entry as a set of operational
365 # attributes. These operational attributes are: pwdChangedTime,
366 # pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
367 # pwdReset, pwdPolicySubEntry.
369 #5.3.1 Password Policy State Attribute Option
371 # Since the password policy could apply to several attributes used to
372 # store passwords, each of the above operational attributes must have
373 # an option to specify which pwdAttribute it applies to. The password
374 # policy option is defined as the following:
376 # pwd-<passwordAttribute>
378 # where passwordAttribute a string following the OID syntax
379 # (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
380 # (short name) MUST be used.
382 # For example, if the pwdPolicy object has for pwdAttribute
383 # "userPassword" then the pwdChangedTime operational attribute, in a
384 # user entry, will be:
386 # pwdChangedTime;pwd-userPassword: 20000103121520Z
388 # This attribute option follows sub-typing semantics. If a client
389 # requests a password policy state attribute to be returned in a search
390 # operation, and does not specify an option, all subtypes of that
391 # policy state attribute are returned.
393 #5.3.2 pwdChangedTime
395 # This attribute specifies the last time the entry's password was
396 # changed. This is used by the password expiration policy. If this
397 # attribute does not exist, the password will never expire.
399 # ( 1.3.6.1.4.1.42.2.27.8.1.16
400 # NAME 'pwdChangedTime'
401 # DESC 'The time the password was last changed'
402 # EQUALITY generalizedTimeMatch
403 # ORDERING generalizedTimeOrderingMatch
404 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
406 # USAGE directoryOperation )
408 #5.3.3 pwdAccountLockedTime
410 # This attribute holds the time that the user's account was locked. A
411 # locked account means that the password may no longer be used to
412 # authenticate. A 000001010000Z value means that the account has been
413 # locked permanently, and that only a password administrator can unlock
416 # ( 1.3.6.1.4.1.42.2.27.8.1.17
417 # NAME 'pwdAccountLockedTime'
418 # DESC 'The time an user account was locked'
419 # EQUALITY generalizedTimeMatch
420 # ORDERING generalizedTimeOrderingMatch
421 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
423 # USAGE directoryOperation )
425 #5.3.4 pwdFailureTime
427 # This attribute holds the timestamps of the consecutive authentication
430 # ( 1.3.6.1.4.1.42.2.27.8.1.19
431 # NAME 'pwdFailureTime'
432 # DESC 'The timestamps of the last consecutive authentication
434 # EQUALITY generalizedTimeMatch
435 # ORDERING generalizedTimeOrderingMatch
436 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
437 # USAGE directoryOperation )
441 # This attribute holds a history of previously used passwords. Values
442 # of this attribute are transmitted in string format as given by the
445 # pwdHistory = time "#" syntaxOID "#" length "#" data
447 # time = <generalizedTimeString as specified in 6.14
450 # syntaxOID = numericoid ; the string representation of the
451 # ; dotted-decimal OID that defines the
452 # ; syntax used to store the password.
453 # ; numericoid is described in 4.1
456 # length = numericstring ; the number of octets in data.
457 # ; numericstring is described in 4.1
460 # data = <octets representing the password in the format
461 # specified by syntaxOID>.
463 # This format allows the server to store, and transmit a history of
464 # passwords that have been used. In order for equality matching to
465 # function properly, the time field needs to adhere to a consistent
466 # format. For this purpose, the time field MUST be in GMT format.
468 # ( 1.3.6.1.4.1.42.2.27.8.1.20
470 # DESC 'The history of user s passwords'
471 # EQUALITY octetStringMatch
472 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
473 # USAGE directoryOperation )
475 #5.3.6 pwdGraceUseTime
477 # This attribute holds the timestamps of grace authentications after a
478 # password has expired.
480 # ( 1.3.6.1.4.1.42.2.27.8.1.21
481 # NAME 'pwdGraceUseTime'
482 # DESC 'The timestamps of the grace authentication after the
483 # password has expired'
484 # EQUALITY generalizedTimeMatch
485 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
489 # This attribute holds a flag to indicate (when TRUE) that the password
490 # has been updated by the password administrator and must be changed by
491 # the user on first authentication.
493 # ( 1.3.6.1.4.1.42.2.27.8.1.22
495 # DESC 'The indication that the password has been reset'
496 # EQUALITY booleanMatch
497 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
499 # USAGE directoryOperation )
501 #5.3.8 pwdPolicySubentry
503 # This attribute points to the pwdPolicy subentry in effect for this
506 # ( 1.3.6.1.4.1.42.2.27.8.1.23
507 # NAME 'pwdPolicySubentry'
508 # DESC 'The pwdPolicy subentry in effect for this object'
509 # EQUALITY distinguishedNameMatch
510 # SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
512 # USAGE directoryOperation )
515 #Disclaimer of Validity
517 # This document and the information contained herein are provided on an
518 # "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
519 # OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
520 # ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
521 # INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
522 # INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
523 # WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
528 # Copyright (C) The Internet Society (2004). This document is subject
529 # to the rights, licenses and restrictions contained in BCP 78, and
530 # except as set forth therein, the authors retain all their rights.