Each one of the sections below details the meaning and use of a
particular attribute of this pwdPolicy
object class.
pwdAttribute
This attribute contains the name of the attribute to which the
password policy is applied. For example, the password policy may
be applied to the userPassword
attribute.
Note: in this implementation, the only value accepted for
pwdAttribute
is userPassword .
( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
pwdMinAge
This attribute contains the number of seconds that must elapse
between modifications allowed to the password. If this attribute
is not present, zero seconds is assumed (i.e. the password may be
modified whenever and however often is desired).
( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxAge
This attribute contains the number of seconds after which a
modified password will expire. If this attribute is not present,
or if its value is zero (0), then passwords will not expire.
( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdInHistory
This attribute is used to specify the maximum number of used
passwords that will be stored in the pwdHistory
attribute. If
the pwdInHistory
attribute is not present, or if its value is
zero (0), used passwords will not be stored in pwdHistory
and
thus any previously-used password may be reused. No history
checking occurs if the password is being modified by the rootdn
,
although the password is saved in the history.
( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdCheckQuality
This attribute indicates if and how password syntax will be
checked while a password is being modified or added. If this
attribute is not present, or its value is zero (0), no syntax
checking will be done. If its value is one (1), the server will
check the syntax, and if the server is unable to check the
syntax, whether due to a client-side hashed password or some
other reason, it will be accepted. If its value is two (2), the
server will check the syntax, and if the server is unable to
check the syntax it will return an error refusing the password.
( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMinLength
When syntax checking is enabled (see also the pwdCheckQuality
attribute), this attribute contains the minimum length in bytes
that will be accepted in a password. If this attribute is not
present, minimum password length is not enforced. If the server
is unable to check the length of the password, whether due to a
client-side hashed password or some other reason, the server
will, depending on the value of pwdCheckQuality
, either accept
the password without checking it (if pwdCheckQuality
is zero (0)
or one (1)) or refuse it (if pwdCheckQuality
is two (2)). If the
number of characters should be enforced with regards to a
particular encoding, the use of an appropriate
ppolicy_check_module
is required.
( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxLength
When syntax checking is enabled (see also the pwdCheckQuality
attribute), this attribute contains the maximum length in bytes
that will be accepted in a password. If this attribute is not
present, maximum password length is not enforced. If the server
is unable to check the length of the password, whether due to a
client-side hashed password or some other reason, the server
will, depending on the value of pwdCheckQuality
, either accept
the password without checking it (if pwdCheckQuality
is zero (0)
or one (1)) or refuse it (if pwdCheckQuality
is two (2)). If the
number of characters should be enforced with regards to a
particular encoding, the use of an appropriate
ppolicy_check_module
is required.
( 1.3.6.1.4.1.42.2.27.8.1.31
NAME 'pwdMaxLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdExpireWarning
This attribute contains the maximum number of seconds before a
password is due to expire that expiration warning messages will
be returned to a user who is authenticating to the directory. If
this attribute is not present, or if the value is zero (0), no
warnings will be sent.
( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdGraceAuthnLimit
This attribute contains the number of times that an expired
password may be used to authenticate a user to the directory. If
this attribute is not present or if its value is zero (0), users
with expired passwords will not be allowed to authenticate to the
directory.
( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdGraceExpiry
This attribute specifies the number of seconds the grace
authentications are valid. If this attribute is not present or
if the value is zero (0), there is no time limit on the grace
authentications.
( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpiry'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdLockout
This attribute specifies the action that should be taken by the
directory when a user has made a number of failed attempts to
authenticate to the directory. If pwdLockout
is set (its value
is "TRUE"), the user will not be allowed to attempt to
authenticate to the directory after there have been a specified
number of consecutive failed bind attempts. The maximum number
of consecutive failed bind attempts allowed is specified by the
pwdMaxFailure
attribute. If pwdLockout
is not present, or if its
value is "FALSE", the password may be used to authenticate no
matter how many consecutive failed bind attempts have been made.
( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdLockoutDuration
This attribute contains the number of seconds during which the
password cannot be used to authenticate the user to the directory
due to too many consecutive failed bind attempts. (See also
pwdLockout
and pwdMaxFailure
.) If pwdLockoutDuration
is not
present, or if its value is zero (0), the password cannot be used
to authenticate the user to the directory again until it is reset
by an administrator.
( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxFailure
This attribute contains the number of consecutive failed bind
attempts after which the password may not be used to authenticate
a user to the directory. If pwdMaxFailure
is not present, or its
value is zero (0), then a user will be allowed to continue to
attempt to authenticate to the directory, no matter how many
consecutive failed bind attempts have occurred with that user's
DN. (See also pwdLockout
and pwdLockoutDuration
.)
( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxRecordedFailure
This attribute contains the maximum number of failed bind
attempts to store in a user's entry. If pwdMaxRecordedFailure
is
not present, or its value is zero (0), then it defaults to the
value of pwdMaxFailure
. If that value is also 0, the default is
5.
( 1.3.6.1.4.1.42.2.27.8.1.32
NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdFailureCountInterval
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure
counter, even though no successful authentication has occurred.
If pwdFailureCountInterval
is not present, or its value is zero
(0), the failure counter will only be reset by a successful
authentication.
( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMustChange
This attribute specifies whether users must change their
passwords when they first bind to the directory after a password
is set or reset by the administrator, or not. If pwdMustChange
has a value of "TRUE", users must change their passwords when
they first bind to the directory after a password is set or reset
by the administrator. If pwdMustChange
is not present, or its
value is "FALSE", users are not required to change their password
upon binding after the administrator sets or resets the password.
( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdAllowUserChange
This attribute specifies whether users are allowed to change
their own passwords or not. If pwdAllowUserChange
is set to
"TRUE", or if the attribute is not present, users will be allowed
to change their own passwords. If its value is "FALSE", users
will not be allowed to change their own passwords.
Note: this implies that when pwdAllowUserChange
is set to "TRUE",
users will still be able to change the password of another user,
subjected to access control. This restriction only applies to
modifications of ones's own password. It should also be noted
that pwdAllowUserChange
was defined in the specification to
provide rough access control to the password attribute in
implementations that do not allow fine-grain access control.
Since OpenLDAP provides fine-grain access control, the use of
this attribute is discouraged; ACLs should be used instead (see
slapd.access(5) for details).
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdSafeModify
This attribute denotes whether the user's existing password must
be sent along with their new password when changing a password.
If pwdSafeModify
is set to "TRUE", the existing password must be
sent along with the new password. If the attribute is not
present, or its value is "FALSE", the existing password need not
be sent along with the new password.
( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdMinDelay
This attribute specifies the number of seconds to delay
responding to the first failed authentication attempt. If this
attribute is not set or is zero (0), no delays will be used.
pwdMaxDelay
must also be specified if pwdMinDelay
is set.
Note that this implementation uses a variable lockout instead of
delaying the bind response.
( 1.3.6.1.4.1.42.2.27.8.1.24
NAME 'pwdMinDelay'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxDelay
This attribute specifies the maximum number of seconds to delay
when responding to a failed authentication attempt. The time
specified in pwdMinDelay
is used as the starting time and is then
doubled on each failure until the delay time is greater than or
equal to pwdMaxDelay
(or a successful authentication occurs,
which resets the failure counter). pwdMinDelay
must also be
specified if pwdMaxDelay
is set.
Note that this implementation uses a variable lockout instead of
delaying the bind response.
( 1.3.6.1.4.1.42.2.27.8.1.25
NAME 'pwdMaxDelay'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxIdle
This attribute specifies the number of seconds an account may
remain unused before it becomes locked. If this attribute is not
set or is zero (0), no check is performed. For this to be
enforced, lastbind
functionality needs to be enabled on the
database, that is olcLastBind
is set to TRUE
.
( 1.3.6.1.4.1.42.2.27.8.1.26
NAME 'pwdMaxIdle'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdUseCheckModule
/pwdCheckModuleArg
The pwdUseCheckModule
attribute enables use of a loadable module
previously configured with ppolicy_check_module
for the current
policy. The module must instantiate the check_password()
function. This function will be called to further check a new
password if pwdCheckQuality
is set to one (1) or two (2), after
all of the built-in password compliance checks have been passed.
This function will be called according to this function
prototype:
int check_password (char *pPasswd, struct berval *pErrmsg,
Entry *pEntry, struct berval *pArg);
The pPasswd
parameter contains the clear-text user password, the
pErrmsg
parameter points to a struct berval
containing space to
return human-readable details about any error it encounters. The
bv_len
field must contain the size of the space provided by the
bv_val
field.
The pEntry
parameter is optional, if non-NULL, carries a pointer
to the entry whose password is being checked.
The optional pArg
parameter points to a struct berval
containing
the value of pwdCheckModuleArg
in the effective password policy,
if set, otherwise NULL.
If pErrmsg
is NULL, then funcName must NOT attempt to use it. A
return value of LDAP_SUCCESS from the called function indicates
that the password is ok, any other value indicates that the
password is unacceptable. If the password is unacceptable, the
server will return an error to the client, and pErrmsg
may be
used to return a human-readable textual explanation of the error.
If the space passed in by the caller is too small, the function
may replace it with a dynamically allocated buffer, which will be
free()'d by slapd.
The pwdCheckModule
attribute is now obsolete and is ignored.
( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
OBSOLETE
SINGLE-VALUE )
( 1.3.6.1.4.1.4754.1.99.2
NAME 'pwdCheckModuleArg'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
DESC 'Argument to pass to check_password() function'
SINGLE-VALUE )
( 1.3.6.1.4.1.4754.1.99.3
NAME 'pwdUseCheckModule'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )