Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   slapo-ppolicy    ( 5 )

наложение политики паролей на slapd (Password Policy overlay to slapd)

OBJECT CLASS ATTRIBUTES

Each one of the sections below details the meaning and use of a particular attribute of this pwdPolicy object class.

pwdAttribute

This attribute contains the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute.

Note: in this implementation, the only value accepted for pwdAttribute is userPassword .

( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

pwdMinAge

This attribute contains the number of seconds that must elapse between modifications allowed to the password. If this attribute is not present, zero seconds is assumed (i.e. the password may be modified whenever and however often is desired).

( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMaxAge

This attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its value is zero (0), then passwords will not expire.

( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdInHistory

This attribute is used to specify the maximum number of used passwords that will be stored in the pwdHistory attribute. If the pwdInHistory attribute is not present, or if its value is zero (0), used passwords will not be stored in pwdHistory and thus any previously-used password may be reused. No history checking occurs if the password is being modified by the rootdn, although the password is saved in the history.

( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdCheckQuality

This attribute indicates if and how password syntax will be checked while a password is being modified or added. If this attribute is not present, or its value is zero (0), no syntax checking will be done. If its value is one (1), the server will check the syntax, and if the server is unable to check the syntax, whether due to a client-side hashed password or some other reason, it will be accepted. If its value is two (2), the server will check the syntax, and if the server is unable to check the syntax it will return an error refusing the password.

( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMinLength

When syntax checking is enabled (see also the pwdCheckQuality attribute), this attribute contains the minimum length in bytes that will be accepted in a password. If this attribute is not present, minimum password length is not enforced. If the server is unable to check the length of the password, whether due to a client-side hashed password or some other reason, the server will, depending on the value of pwdCheckQuality, either accept the password without checking it (if pwdCheckQuality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two (2)). If the number of characters should be enforced with regards to a particular encoding, the use of an appropriate ppolicy_check_module is required.

( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMaxLength

When syntax checking is enabled (see also the pwdCheckQuality attribute), this attribute contains the maximum length in bytes that will be accepted in a password. If this attribute is not present, maximum password length is not enforced. If the server is unable to check the length of the password, whether due to a client-side hashed password or some other reason, the server will, depending on the value of pwdCheckQuality, either accept the password without checking it (if pwdCheckQuality is zero (0) or one (1)) or refuse it (if pwdCheckQuality is two (2)). If the number of characters should be enforced with regards to a particular encoding, the use of an appropriate ppolicy_check_module is required.

( 1.3.6.1.4.1.42.2.27.8.1.31 NAME 'pwdMaxLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdExpireWarning

This attribute contains the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to a user who is authenticating to the directory. If this attribute is not present, or if the value is zero (0), no warnings will be sent.

( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdGraceAuthnLimit

This attribute contains the number of times that an expired password may be used to authenticate a user to the directory. If this attribute is not present or if its value is zero (0), users with expired passwords will not be allowed to authenticate to the directory.

( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthnLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdGraceExpiry

This attribute specifies the number of seconds the grace authentications are valid. If this attribute is not present or if the value is zero (0), there is no time limit on the grace authentications.

( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdGraceExpiry' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdLockout

This attribute specifies the action that should be taken by the directory when a user has made a number of failed attempts to authenticate to the directory. If pwdLockout is set (its value is "TRUE"), the user will not be allowed to attempt to authenticate to the directory after there have been a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts allowed is specified by the pwdMaxFailure attribute. If pwdLockout is not present, or if its value is "FALSE", the password may be used to authenticate no matter how many consecutive failed bind attempts have been made.

( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

pwdLockoutDuration

This attribute contains the number of seconds during which the password cannot be used to authenticate the user to the directory due to too many consecutive failed bind attempts. (See also pwdLockout and pwdMaxFailure.) If pwdLockoutDuration is not present, or if its value is zero (0), the password cannot be used to authenticate the user to the directory again until it is reset by an administrator.

( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMaxFailure

This attribute contains the number of consecutive failed bind attempts after which the password may not be used to authenticate a user to the directory. If pwdMaxFailure is not present, or its value is zero (0), then a user will be allowed to continue to attempt to authenticate to the directory, no matter how many consecutive failed bind attempts have occurred with that user's DN. (See also pwdLockout and pwdLockoutDuration.)

( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMaxRecordedFailure

This attribute contains the maximum number of failed bind attempts to store in a user's entry. If pwdMaxRecordedFailure is not present, or its value is zero (0), then it defaults to the value of pwdMaxFailure. If that value is also 0, the default is 5.

( 1.3.6.1.4.1.42.2.27.8.1.32 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdFailureCountInterval

This attribute contains the number of seconds after which old consecutive failed bind attempts are purged from the failure counter, even though no successful authentication has occurred. If pwdFailureCountInterval is not present, or its value is zero (0), the failure counter will only be reset by a successful authentication.

( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMustChange

This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If pwdMustChange has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator. If pwdMustChange is not present, or its value is "FALSE", users are not required to change their password upon binding after the administrator sets or resets the password.

( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

pwdAllowUserChange

This attribute specifies whether users are allowed to change their own passwords or not. If pwdAllowUserChange is set to "TRUE", or if the attribute is not present, users will be allowed to change their own passwords. If its value is "FALSE", users will not be allowed to change their own passwords.

Note: this implies that when pwdAllowUserChange is set to "TRUE", users will still be able to change the password of another user, subjected to access control. This restriction only applies to modifications of ones's own password. It should also be noted that pwdAllowUserChange was defined in the specification to provide rough access control to the password attribute in implementations that do not allow fine-grain access control. Since OpenLDAP provides fine-grain access control, the use of this attribute is discouraged; ACLs should be used instead (see slapd.access(5) for details).

( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

pwdSafeModify

This attribute denotes whether the user's existing password must be sent along with their new password when changing a password. If pwdSafeModify is set to "TRUE", the existing password must be sent along with the new password. If the attribute is not present, or its value is "FALSE", the existing password need not be sent along with the new password.

( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

pwdMinDelay

This attribute specifies the number of seconds to delay responding to the first failed authentication attempt. If this attribute is not set or is zero (0), no delays will be used. pwdMaxDelay must also be specified if pwdMinDelay is set.

Note that this implementation uses a variable lockout instead of delaying the bind response.

( 1.3.6.1.4.1.42.2.27.8.1.24 NAME 'pwdMinDelay' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMaxDelay

This attribute specifies the maximum number of seconds to delay when responding to a failed authentication attempt. The time specified in pwdMinDelay is used as the starting time and is then doubled on each failure until the delay time is greater than or equal to pwdMaxDelay (or a successful authentication occurs, which resets the failure counter). pwdMinDelay must also be specified if pwdMaxDelay is set.

Note that this implementation uses a variable lockout instead of delaying the bind response.

( 1.3.6.1.4.1.42.2.27.8.1.25 NAME 'pwdMaxDelay' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdMaxIdle

This attribute specifies the number of seconds an account may remain unused before it becomes locked. If this attribute is not set or is zero (0), no check is performed. For this to be enforced, lastbind functionality needs to be enabled on the database, that is olcLastBind is set to TRUE.

( 1.3.6.1.4.1.42.2.27.8.1.26 NAME 'pwdMaxIdle' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

pwdUseCheckModule/pwdCheckModuleArg

The pwdUseCheckModule attribute enables use of a loadable module previously configured with ppolicy_check_module for the current policy. The module must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype: int check_password (char *pPasswd, struct berval *pErrmsg, Entry *pEntry, struct berval *pArg); The pPasswd parameter contains the clear-text user password, the pErrmsg parameter points to a struct berval containing space to return human-readable details about any error it encounters. The bv_len field must contain the size of the space provided by the bv_val field.

The pEntry parameter is optional, if non-NULL, carries a pointer to the entry whose password is being checked.

The optional pArg parameter points to a struct berval containing the value of pwdCheckModuleArg in the effective password policy, if set, otherwise NULL.

If pErrmsg is NULL, then funcName must NOT attempt to use it. A return value of LDAP_SUCCESS from the called function indicates that the password is ok, any other value indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and pErrmsg may be used to return a human-readable textual explanation of the error. If the space passed in by the caller is too small, the function may replace it with a dynamically allocated buffer, which will be free()'d by slapd.

The pwdCheckModule attribute is now obsolete and is ignored.

( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 OBSOLETE SINGLE-VALUE )

( 1.3.6.1.4.1.4754.1.99.2 NAME 'pwdCheckModuleArg' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Argument to pass to check_password() function' SINGLE-VALUE )

( 1.3.6.1.4.1.4754.1.99.3 NAME 'pwdUseCheckModule' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )