The operational attributes used by the ppolicy module are stored in the user's entry. Most of these attributes are not intended to be changed directly by users; they are there to track user activity. They have been detailed here so that administrators and users can both understand the workings of the ppolicy module.
Note that the current IETF Password Policy proposal does not
define how these operational attributes are expected to behave in
a replication environment. In general, authentication attempts on
a replica server only affect the copy of the operational
attributes on that replica and will not affect any attributes for
a user's entry on the provider. Operational attribute changes
resulting from authentication attempts on a provider will usually
replicate to the replicas (and also overwrite any changes that
originated on the replica). These behaviors are not guaranteed
and are subject to change when a formal specification emerges.
userPassword
The userPassword attribute is not strictly part of the ppolicy module. It is, however, the attribute that is tracked and controlled by the module. Please refer to the standard OpenLDAP schema for its definition.
pwdPolicySubentry
This attribute refers directly to the pwdPolicy subentry that is to be used for this particular directory user. If pwdPolicySubentry exists, it must contain the DN of a valid pwdPolicy object. If it does not exist, the ppolicy module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no policy rules will be enforced.
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdChangedTime
This attribute denotes the last time that the entry's password was changed. This value is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication. If pwdChangedTime does not exist, the user's password will not expire.
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to "TRUE".
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdFailureTime
This attribute contains the timestamps of each of the consecutive authentication failures made upon attempted authentication to this DN (i.e. account). If too many timestamps accumulate here (refer to the pwdMaxFailure password policy attribute for details), and the pwdLockout password policy attribute is set to "TRUE", the account may be locked. (Please also refer to the pwdLockout password policy attribute.) Excess timestamps beyond those allowed by pwdMaxFailure or pwdMaxRecordedFailure may also be purged. If a successful authentication is made to this DN (i.e. to this user account), then pwdFailureTime will be cleansed of entries.
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive
authentication failures'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
NO-USER-MODIFICATION
USAGE directoryOperation )
pwdHistory
This attribute contains the history of previously used passwords for this DN (i.e. for this user account). The values of this attribute are stored in string format as follows:

pwdHistory = time "#" syntaxOID "#" length "#" data

time = GeneralizedTime as specified in section 3.3.13 of [RFC4517]

syntaxOID = numericoid
    This is the string representation of the dotted-decimal OID that defines the syntax used to store the password. numericoid is described in section 1.4 of [RFC4512].

length = NumericString
    The number of octets in the data. NumericString is described in section 3.3.23 of [RFC4517].

data = Octets representing the password in the format specified by syntaxOID.

This format allows the server to store and transmit a history of passwords that have been used. In order for equality matching on the values in this attribute to function properly, the time field is in GMT format.
( 1.3.6.1.4.1.42.2.27.8.1.20
NAME 'pwdHistory'
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
NO-USER-MODIFICATION
USAGE directoryOperation)
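As an added example (not part of slapo-ppolicy or OpenLDAP), the following Python encodes and parses values in the pwdHistory format described above, splitting on the first three "#" only and checking the length field so that stored octets containing "#" are handled correctly; the sample values and hashes are constructed.

```python
import re
from datetime import datetime, timezone

# Added example (not slapo-ppolicy code): encode, parse and validate
# values in the pwdHistory format  time "#" syntaxOID "#" length "#" data.
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"
NUMERICOID = re.compile(r"^\d+(\.\d+)*$")   # numericoid, RFC 4512 section 1.4
GMT_TIME = re.compile(r"^\d{14}Z$")          # GeneralizedTime in the GMT form ppolicy writes


def encode_history_value(changed: datetime, data: bytes, syntax_oid: str = OCTET_STRING_SYNTAX) -> str:
    """Build one pwdHistory value; the length field is the octet count of data."""
    stamp = changed.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return f"{stamp}#{syntax_oid}#{len(data)}#{data.decode('latin-1')}"


def parse_history_value(value: str) -> dict:
    """Split one value into its four fields and validate each.
    maxsplit=3 matters: data is raw octets and may itself contain '#', so only
    the first three '#' are separators; the length field confirms the rest is data."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError("expected time#syntaxOID#length#data")
    stamp, syntax_oid, length, data = parts
    if not GMT_TIME.match(stamp):
        raise ValueError(f"time {stamp!r} is not a GMT GeneralizedTime")
    if not NUMERICOID.match(syntax_oid):
        raise ValueError(f"syntaxOID {syntax_oid!r} is not a numericoid")
    octets = data.encode("latin-1")
    if not length.isdigit() or int(length) != len(octets):
        raise ValueError(f"length {length!r} does not match {len(octets)} data octets")
    when = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "syntaxOID": syntax_oid, "length": len(octets), "data": octets}


def load_history(values: list) -> tuple:
    """Parse every value of a pwdHistory attribute: (entries oldest first, malformed values)."""
    entries, errors = [], []
    for value in values:
        try:
            entries.append(parse_history_value(value))
        except ValueError as exc:
            errors.append((value, str(exc)))
    return sorted(entries, key=lambda e: e["time"]), errors


# Constructed sample: two well-formed values (hashes are made up) and one
# whose length field does not match its data.
SAMPLE_HISTORY = [
    encode_history_value(datetime(2024, 2, 20, 17, 30, 12, tzinfo=timezone.utc), b"{SSHA}c2FtcGxlMg=="),
    encode_history_value(datetime(2023, 1, 5, 8, 30, 0, tzinfo=timezone.utc), b"{SSHA}c2FtcGxlMQ=="),
    "20220101000000Z#1.3.6.1.4.1.1466.115.121.1.40#99#{SSHA}short",
]
```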
pwdGraceUseTime
This attribute contains the list of timestamps of logins made after the user password in the DN has expired. These post-expiration logins are known as "grace logins". If too many grace logins have been used (please refer to the pwdGraceAuthnLimit password policy attribute), then the DN will no longer be allowed to be used to authenticate the user to the directory until the administrator changes the DN's userPassword attribute.
( 1.3.6.1.4.1.42.2.27.8.1.21
NAME 'pwdGraceUseTime'
DESC 'The timestamps of the grace login once the password
has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdReset
This attribute indicates whether the user's password has been reset by the administrator and thus must be changed upon first use of this DN for authentication to the directory. If pwdReset is set to "TRUE", then the password was reset and the user must change it upon first authentication. If the attribute does not exist, or is set to "FALSE", the user need not change their password due to administrative reset.
( 1.3.6.1.4.1.42.2.27.8.1.22
NAME 'pwdReset'
DESC 'The indication that the password has
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE directoryOperation)
pwdStartTime
This attribute specifies the time the entry's password becomes
valid for authentication. Authentication attempts made before
this time will fail. If this attribute does not exist, then no
restriction applies.
( 1.3.6.1.4.1.42.2.27.8.1.27
NAME 'pwdStartTime'
DESC 'The time the password becomes enabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation )
pwdEndTime
This attribute specifies the time the entry's password becomes
invalid for authentication. Authentication attempts made after
this time will fail, regardless of expiration or grace settings.
If this attribute does not exist, then this restriction does not
apply.
( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC 'The time the password becomes disabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation )
Note that pwdStartTime may be set to a time greater than or equal
to pwdEndTime; this simply disables the account.
pwdAccountTmpLockoutEnd
This attribute indicates that the user's password has been locked out temporarily according to the pwdMinDelay policy option, and when the lockout ends.
( 1.3.6.1.4.1.42.2.27.8.1.33
NAME 'pwdAccountTmpLockoutEnd'
DESC 'Temporary lockout end'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation )
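As an added example (not OpenLDAP code), this Python applies the rules stated above for pwdAccountLockedTime, pwdAccountTmpLockoutEnd, pwdStartTime/pwdEndTime, pwdFailureTime and pwdReset to one user entry; the entry, the pwdLockout and pwdMaxFailure policy values and the current time are assumed and passed in.

```python
from datetime import datetime, timezone

# Added example (not slapo-ppolicy code): apply the rules described above to
# one entry, given as attribute -> list of string values (the shape a search
# result has).  pwdLockout and pwdMaxFailure come from the policy, so they are
# passed in; pwdMinDelay and expiration (pwdMaxAge) handling are out of scope.
PERMANENT_LOCK = "000001010000Z"   # pwdAccountLockedTime value meaning admin-only unlock


def gentime(value: str) -> datetime:
    """Parse the GMT GeneralizedTime form the ppolicy attributes use."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def first(entry: dict, attr: str):
    values = entry.get(attr) or []
    return values[0] if values else None


def account_status(entry: dict, now: datetime, pwd_lockout: bool, pwd_max_failure: int) -> tuple:
    """Return (reasons a bind is refused, must_change_password).
    An empty reasons list means the operational attributes allow a bind."""
    reasons = []
    locked = first(entry, "pwdAccountLockedTime")
    if locked is not None and pwd_lockout:            # a lock only counts when pwdLockout is TRUE
        reasons.append("locked permanently (administrator must unlock)"
                       if locked == PERMANENT_LOCK else f"locked since {locked}")
    tmp_end = first(entry, "pwdAccountTmpLockoutEnd")
    if tmp_end is not None and gentime(tmp_end) > now:
        reasons.append(f"temporarily locked until {tmp_end}")
    start, end = first(entry, "pwdStartTime"), first(entry, "pwdEndTime")
    if start is not None and gentime(start) > now:
        reasons.append("password not yet valid (pwdStartTime)")
    if end is not None and gentime(end) <= now:       # with the check above, start >= end is always refused
        reasons.append("password disabled (pwdEndTime)")
    failures = entry.get("pwdFailureTime") or []
    if pwd_lockout and len(failures) >= pwd_max_failure:
        reasons.append(f"{len(failures)} consecutive failures reach pwdMaxFailure")
    must_change = (first(entry, "pwdReset") or "FALSE").upper() == "TRUE"
    return reasons, must_change


# Constructed sample entry: two recent failures, a short temporary lockout
# from pwdMinDelay, and a password that an administrator reset.
SAMPLE_ENTRY = {
    "pwdChangedTime": ["20240301120000Z"],
    "pwdFailureTime": ["20240410090000Z", "20240410090130Z"],
    "pwdAccountTmpLockoutEnd": ["20240410090500Z"],
    "pwdReset": ["TRUE"],
}
```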