                                                          P. Behera
Internet Draft                                              V. Chu
Expires in Six months                                     Netscape
Intended Category: Proposed Standard                     L. Poitou
Expires: 20 April 2000                            Sun Microsystems
                                                    J. Sermersheim
                                                            Novell
                                                   20 October 1999


                  Password Policy for LDAP Directories


1. Status of this Memo

   This document is an Internet-Draft and is in full conformance
   with all provisions of Section 10 of RFC2026.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

2. Abstract

   Password policy is a set of rules that controls how passwords are
   used in LDAP directories. In order to improve the security of LDAP
   directories and make it difficult for password cracking programs
   to break into directories, it is desirable to enforce a set of
   rules on password usage. These rules are made to ensure that users
   change their passwords periodically, passwords meet construction
   requirements, the re-use of old passwords is restricted, and users
   are locked out after a certain number of failed attempts.

3. Overview

   LDAP-based directory services are currently accepted by many
   organizations as the access protocol for directories. The ability
   to ensure secure read and update access to directory information
   throughout the network is essential to successful deployment. Most
   LDAP implementations support many authentication schemes; the most
   basic and widely used is simple authentication, i.e., user DN and
   password. In order to achieve greater security protection and
   ensure interoperability in a heterogeneous environment, LDAP needs
   to standardize on a password policy model; this is critical to the
   successful deployment of LDAP directories.

   Specifically, the password policy defines:

   1.  The maximum length of time that a given password is valid.
   2.  The minimum length of time required between password changes.
   3.  The amount of time before a user's password is due to expire
       that the user will be sent a warning message.
   4.  Whether users can reuse passwords.
   5.  The minimum number of characters a password must contain.
   6.  Whether the password syntax is checked before a new password
       is saved.
   7.  Whether users are allowed to change their own passwords.
   8.  Whether passwords must be changed after the administrator
       resets them.
   9.  Whether users will be locked out of the directory after a
       given number of failed bind attempts.
   10. How long users will be locked out of the directory after a
       given number of failed bind attempts.
   11. The length of time before the password failure counter, which
       keeps track of the number of failed password attempts, is
       reset.
   12. The number of times users are allowed to bind with an expired
       password in order to reset their password.
   13. Whether users can change their password without specifying
       the old password.

   The password policy defined in this document is applied to the
   userPassword attribute values only in the case of the LDAP simple
   authentication method [RFC-2251], the password based SASL
   mechanisms such as CRAM-MD5 [RFC-2195] and HTTP-Digest [RFC-2222],
   and the add, modify, and compare operations. In this document, the
   term "user" represents any application which is an LDAP client
   using the directory to retrieve or store information.

   Directory administrators are not forced to comply with any
   password policy.

4. New Attribute Types and Object Classes

4.1 The pwdPolicy Object Class

   (
     NAME 'pwdPolicy'
     AUXILIARY
     SUP top
     DESC 'Password Policy object class to hold password policy
           information'
     MAY ( pwdMaxAge $ pwdMinLength $ pwdInHistory $
           pwdAllowUserChange $ pwdCheckSyntax $ pwdExpireWarning $
           pwdLockout $ pwdMaxFailure $ pwdLockoutDuration $
           pwdMustChange $ pwdDefaultStorageScheme $ pwdMinAge $
           pwdFailureCountResetTime $ pwdGraceLoginLimit $
           pwdSafeModify ) )

4.2 Attribute types used by the pwdPolicy Object Class

   ( pwdSchema.1.0
     NAME 'pwdMaxAge'
     DESC 'the number of seconds after which user passwords will
           expire. A value of 0 means the password never expires.'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.1
     NAME 'pwdMinLength'
     DESC 'the minimum number of characters that must be used in a
           password'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.2
     NAME 'pwdInHistory'
     DESC 'the number of passwords the directory server stores in
           history.
           A value of 0 means passwords can be reused'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.3
     NAME 'pwdAllowUserChange'
     DESC 'a flag which indicates whether users can change their
           passwords'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.4
     NAME 'pwdCheckSyntax'
     DESC 'a flag which indicates whether the password syntax will be
           checked before the password is saved'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.5
     NAME 'pwdExpireWarning'
     DESC 'the maximum number of seconds before a password is due to
           expire that a warning message is sent to the user. A value
           of 0 means no warning will be sent'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.6
     NAME 'pwdLockout'
     DESC 'a flag which indicates whether users will be locked out of
           the directory after a given number of consecutive failed
           bind attempts'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.7
     NAME 'pwdMaxFailure'
     DESC 'the number of consecutive failed bind attempts after which
           a user will be locked out of the directory'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.8
     NAME 'pwdLockoutDuration'
     DESC 'the number of seconds that users will be locked out of the
           directory after an account lockout. A value of 0 means the
           account will be locked until reset'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.9
     NAME 'pwdMustChange'
     DESC 'a flag which indicates whether users must change their
           passwords when they first bind to the directory server'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.10
     NAME 'pwdDefaultStorageScheme'
     DESC 'the type of hash algorithm used to store directory server
           passwords'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
     USAGE directoryOperation )

   The description of password storage schemes can be found in
   [RFC-2307]. One additional storage scheme not mentioned there is
   "CLEARTEXT".

   ( pwdSchema.1.11
     NAME 'pwdMinAge'
     DESC 'the number of seconds that must elapse before a user can
           change their password again'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.12
     NAME 'pwdFailureCountResetTime'
     DESC 'the number of seconds after which the password failure
           counter will be reset.'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.13
     NAME 'pwdGraceLoginLimit'
     DESC 'the number of times an expired password can be used to
           access an account'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdSchema.1.14
     NAME 'pwdSafeModify'
     DESC 'whether the existing password must be sent when changing a
           password'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
     SINGLE-VALUE
     USAGE directoryOperation )

4.3 The pwdInfObject Object Class

   The pwdInfObject object class holds the password policy state
   information for each user, for example how many consecutive bad
   password attempts a user has made. The information is located in
   each user entry. The description of the pwdInfObject object class:

   (
     NAME 'pwdInfObject'
     AUXILIARY
     SUP top
     DESC 'Password object class to hold password policy information
           in each entry'
     MAY ( pwdExpirationTime $ pwdExpWarned $ pwdRetryCount $
           pwdRetryCountResetTime $ pwdAccountUnlockTime $
           pwdHistory $ pwdAllowChangeTime $ pwdGraceLeft ) )

4.4 Attribute types used by the pwdInfObject Object Class

   ( pwdInfObject.1.1
     NAME 'pwdExpirationTime'
     DESC 'the time the entry's password expires. A 0 means that the
           password has expired. If this attribute does not exist, the
           password will never expire'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdInfObject.1.2
     NAME 'pwdExpWarned'
     DESC 'a flag which indicates whether a password expiration
           warning has already been sent to the client. This prevents
           the server from sending multiple warning messages'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdInfObject.1.3
     NAME 'pwdRetryCount'
     DESC 'the count of consecutive failed login attempts'
     EQUALITY integerMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdInfObject.1.4
     NAME 'pwdRetryCountResetTime'
     DESC 'the time to reset the pwdRetryCount'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdInfObject.1.5
     NAME 'pwdAccountUnlockTime'
     DESC 'the time that the user can bind again after an account
           lockout. A 0 value means that an administrator must unlock
           the account. The absence of this attribute means that the
           account has not been locked'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation )

   ( pwdInfObject.1.6
     NAME 'pwdHistory'
     DESC 'the history of user's passwords'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     EQUALITY octetStringMatch
     USAGE directoryOperation )

   Values of this attribute are transmitted in string format as
   given by the following BNF:

   pwdHistory = time "{" hashMethod "}" data

   time       =
   hashMethod =
   data       =

   controlType: ,
   controlValue: A BER encoding of the following ASN.1:
                 pwdExpirationTimeInSecs ::= Integer
   criticality: false

   If the account's password is expired, and there are remaining
   grace logins, the server should send bindResponse with the
   resultCode: LDAP_SUCCESS, and should include the remaining grace
   logins control in the controls field of the bindResponse message:

   controlType: ,
   controlValue: A BER encoding of the following ASN.1:
                 graceLoginsLeft ::= Integer
   criticality: false
6. Password Minimum Age

   This policy defines the number of seconds that must pass before a
   user can change the password again. This policy can be used in
   conjunction with the password history policy to prevent users
   from quickly cycling through passwords in history so that they
   can reuse an old password. A value of zero indicates that the
   user can change the password immediately.

   During the modify password operation, the server should check if
   the user is allowed to change the password at this time. If not,
   the server should send the LDAP_CONSTRAINT_VIOLATION result code
   back to the client and an error message to indicate that the
   password cannot be changed before the password minimum age.

7. Password History

   The pwdInHistory attribute controls how many passwords the
   directory server stores in history. A value of zero indicates that
   no password history is maintained, in which case a user can reuse
   the same password. During the modify password operation, the
   server should check the password history. If the new password
   matches one of the old passwords in history, the server should
   send modifyResponse back to the client with resultCode:
   LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that
   the new password is in history and another password must be
   chosen.

8. Password Syntax and Minimum Length

   The pwdCheckSyntax attribute indicates whether the password syntax
   will be checked before a new password is saved. If this policy is
   on, the directory server should check that the new password meets
   the password minimum length requirement and that the string does
   not contain any trivial words such as the user's name, user id and
   so on. The mechanisms used to determine syntax are implementation
   dependent and not described in this document. The pwdMinLength
   attribute defines the minimum number of characters that must be
   used in a password.
   During the modify or add password operation, the server should
   check the password syntax. If the password syntax check is on and
   the new password fails the syntax check, the server should send
   modifyResponse or addResponse back to the client with resultCode:
   LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that
   the new password failed the syntax check and the user should
   choose another password.

   If the client is sending an encrypted password as the new
   password then it becomes the client's responsibility to make sure
   that the password meets the minimum length and other constraints.

9. User Defined Passwords

   This policy defines whether users can change their own passwords.

   During the modify password operation, the server should check if
   the user is allowed to change the password. If not, the server
   should send to the client the LDAP_UNWILLING_TO_PERFORM result
   code and an error message to indicate that the user is not allowed
   to change the password. Note that the userPassword attribute may
   also be protected via ACLs, and the user must have the necessary
   privilege to modify the userPassword attribute values.

10. Password Change After Reset

   This policy forces the user to select a new password on first bind
   or after a password reset. After a bind operation succeeds with
   authentication, the server should check if the password change
   after reset policy is on. If so, and this is the first login, the
   server should send bindResponse with the resultCode: LDAP_SUCCESS,
   and should include the password expired control in the controls
   field of the bindResponse message:

   controlType: ,
   criticality: false

   After that, for any operation issued by the user other than modify
   password, bind, unbind, or abandon, the server should send the
   response message with the resultCode: LDAP_UNWILLING_TO_PERFORM,
   and should include the password expired control in the controls
   field of the response message:

   controlType: ,
   criticality: false

11. Password Guessing Limit

   This policy enforces a limit on the number of tries the client has
   to get the password right. The user will be locked out of the
   directory after a given number of consecutive failed bind attempts
   to the directory. This policy protects the directory from
   automated guessing attacks.

   The server keeps a failure counter in the pwdRetryCount attribute
   in each entry. The server should increment the failure counter
   when a bind operation fails with the LDAP_INVALID_CREDENTIALS
   error code. The server should clear the failure counter when a
   bind operation succeeds with authentication, the account password
   is reset by an administrator, or the failure counter reset time
   is reached.

   During the bind operation, the server should check the password
   guessing limit. If the password guessing limit policy is on and
   the password guessing limit is reached, the server should send
   bindResponse back to the client with resultCode:
   LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that
   the password failure limit is reached.

12. Server Implementation

12.1 Password policy initialization

   The pwdPolicy object class holds the password policy settings for
   a set of user accounts. During the server's initial startup, the
   password policy should be assigned a set of initial values.
   Only the directory administrators should modify the settings. The
   server should preserve the settings over server restarts. An
   example of a password policy is shown below.

   - Users may change their password
   - No need to change the password at first logon
   - Use SHA as the password hash algorithm
   - No password syntax check
   - Password minimum length: 6
   - Password expires in 100 days
   - No password minimum age
   - Send a warning one day before the password expires
   - Six passwords in history
   - No account lockout
   - Lock account for 60 minutes
   - Reset retry count after 10 minutes
   - Allow 1 grace login
   - Force users to supply the old password when modifying the
     password

   In LDIF format:

   pwdAllowUserChange: TRUE
   pwdMustChange: FALSE
   pwdDefaultStorageScheme: SHA
   pwdCheckSyntax: FALSE
   pwdMinLength: 6
   pwdMaxAge: 8640000
   pwdMinAge: 0
   pwdExpireWarning: 86400
   pwdInHistory: 6
   pwdLockout: FALSE
   pwdMaxFailure: 3
   pwdLockoutDuration: 3600
   pwdFailureCountResetTime: 600
   pwdGraceLoginLimit: 1
   pwdSafeModify: TRUE

12.2 Bind Operations

12.2.1 During bind operations

   The server should check if the user account is locked or, if the
   password guessing limit policy is on, whether the guessing limit
   is reached. If so, the server should send bindResponse back to the
   client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error
   message to indicate that the password failure limit is reached.
   Otherwise the server should continue the bind operation.

12.2.2 After the bind operation succeeds with authentication

   The server should

   1. Clear the password failure counter.

   2. Check if the password change after reset policy is on and this
      is the first login. If so, the server should disallow all
      operations issued by this user except modify password, bind,
      unbind, and abandon. The server should send a bindResponse
      with the resultCode: LDAP_SUCCESS, and should include the
      password expired control in the controls field of the
      bindResponse message.

      controlType: ,
      criticality: false

   3. Check for password expiration. If the account's password has
      expired, the server should check the remaining grace logins.

      3.1. If there are remaining grace logins, the server should
           decrement the number of grace logins and send a
           bindResponse with the resultCode: LDAP_SUCCESS, and should
           include the remaining grace logins control in the controls
           field of the bindResponse message:

           controlType: ,
           controlValue: A BER encoding of the following ASN.1
                         graceLoginsLeft ::= Integer
           criticality: false

      3.2. If there are no remaining grace logins, the server should
           send bindResponse with the resultCode
           LDAP_INVALID_CREDENTIALS along with an error message to
           inform the client that the password has expired.

   4. Check if the password is going to expire sooner than the
      password warning duration. If so, the server should send
      bindResponse with the resultCode: LDAP_SUCCESS, and should
      include the password expiring control in the controls field of
      the bindResponse message:

      controlType: ,
      controlValue: A BER encoding of the following ASN.1
                    pwdExpirationTimeInSecs ::= Integer
      criticality: false

12.2.3 After the bind operation fails with LDAP_INVALID_CREDENTIALS

   The server should

   1. Check if it is time to reset the password failure counter. If
      so, set the failure counter to 1 and re-calculate the next
      failure counter reset time. Otherwise, increment the failure
      counter.

   2. Check if the failure counter exceeds the allowed maximum value.
      If so, the server should lock the user account.

12.3. Add Password Operation

   A password is added using the ldapModify request, either while
   creating a new entry or while modifying an existing entry that has
   no password.

12.3.1. During the add password operation

   The server should

   1. Check the password syntax. If the password syntax check is on
      and the new password fails the syntax check, the server should
      send addResponse back to the client with resultCode:
      LDAP_CONSTRAINT_VIOLATION, and an error message to indicate
      that the new password failed the syntax check and the user
      should choose another password.

   2. Evaluate the hash of the password value. If the password is
      cleartext, check the pwdDefaultStorageScheme attribute. If the
      scheme is other than "CLEARTEXT", hash the password with the
      appropriate mechanism prior to storing.

   3. Calculate and add the pwdExpirationTime and pwdAllowChangeTime
      attributes to the entry if the password expiration (pwdMaxAge)
      and password minimum age (pwdMinAge) policies, respectively,
      are on.

12.4. Modify Password Operations

   Passwords are changed using the ldapModify operation to modify the
   value of the userPassword attribute. If the pwdSafeModify password
   policy attribute is set, the server must require that the
   ldapModify request consist of both a delete action which specifies
   the existing password and an add action which specifies the new
   password.

12.4.1. During the modify password operation

   The server should

   1. Check if the user is allowed to change the password. If not,
      the server should send to the client the
      LDAP_UNWILLING_TO_PERFORM result code and an error message to
      indicate that the user is not allowed to change the password.

   2. Check the pwdSafeModify attribute. If set, make sure that the
      modify operation contains a delete action and that the delete
      action specifies the existing password.

   3. Check for password minimum age, password minimum length,
      password history, and password syntax. If the checking fails,
      the server should send modifyResponse back to the client with
      resultCode: LDAP_CONSTRAINT_VIOLATION, and an appropriate
      error message.

   4. Evaluate the hash of the password value. If the password is
      cleartext, check the pwdDefaultStorageScheme attribute. If the
      scheme is other than "CLEARTEXT", hash the password with the
      appropriate mechanism prior to storing.

   5. If this is the first login and there are any modifications
      being made other than to userPassword, the server should send
      the response message with the resultCode:
      LDAP_UNWILLING_TO_PERFORM, and should include the password
      expired control in the controls field of the response message:

      controlType: ,
      criticality: false

12.4.2. After the password modify operation succeeds

   The server should

   1. Update the password history in the user's entry, if
      pwdInHistory is a positive value.

   2. Update pwdExpirationTime in the user's entry, if pwdMaxAge is a
      positive value.

   3. Update pwdAllowChangeTime in the user's entry, if pwdMinAge is
      on.

   4. Reset the pwdGraceLeft attribute to the value held by the
      pwdGraceLoginLimit attribute in the pwdPolicy object in effect
      for this entry.

   5. Remove the pwdRetryCount and pwdRetryCountResetTime attributes
      from the user's entry if they exist.

12.5 Compare Operation

   The compare operation may be used to compare a userPassword. This
   might be performed when a client wishes to verify that a user's
   supplied password is correct. An example of this is an LDAP PAM
   redirector or an LDAP HTTP authentication redirector. It is
   desirable to use this rather than performing a bind operation in
   order to reduce the overhead involved in performing a bind. ACLs
   may be used to restrict this comparison from being made.
712 If a server supports this behavior, it MUST comply with the 713 following. Otherwise the password policy described in this 714 document may be circumvented. 716 12.5.1 During a compare operation on the userPassword attribute 718 The server should 720 1. Check the pwdAccountUnlockTime attribute. If it exists, return 721 LDAP_UNWILLING_TO_PERFORM to indicate that the account is 722 locked. 724 2. If ACLs permit, compare the password. 726 3. If the password compares true, the server should clear the 727 failure counter. If it compares false, it should check to see 728 if it's time to reset the failure counter, if so, set the 729 failure counter to 1, otherwise increment the failure counter. 730 If the failure counter exceeds the allowed maximum value, the 731 server MUST lock the user account. 733 13. Client Implementation 734 13.1. Bind Response 736 For every bind response received, the client needs to parse the 737 bind result code, error message, and controls to determine if any 738 of the following conditions are true and prompt the user 739 accordingly. 741 1. The user needs to change password first time logon. The user 742 should be prompted to change the password immediately. 744 resultCode: LDAP_SUCCESS, with the control 745 controlType: , 746 criticality: false 748 2. This is a warning message that the server sends to a user to 749 indicate the time in seconds before the user's password 750 expires. 752 resultCode: LDAP_SUCCESS, with the control 753 controlType: , 754 controlValue: A BER encoding of the following ASN.1 755 pwdExpirationTimeInSecs ::= Integer 756 criticality: false 758 3. The password failure limit has been reached. The user needs 759 to retry later or contact the directory administrator to reset 760 the password. 762 resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate 763 error message. 764 For example: errorMessage: "exceed password retry limit" 766 4. The password has expired but there are remaining grace logins. 
767 The user needs to change it. 769 resultCode: LDAP_SUCCESS, with the control 770 controlType: 771 controlValue: A BER encoding of the following ASN.1 772 graceLoginsLeft ::= Integer 773 criticality: false 775 5. The password has expired and there are no more grace logins. 776 The user needs to contact the directory administrator to reset 777 the password. 779 resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate 780 error message. 781 For example: errorMessage: "password expired" 783 13.2 Modify Responses 785 For the modify response received for the change password request, 786 the client needs to check the result code and error message to 787 determine if it failed the password checking, and either let the 788 user retry or quit. 790 1. The user defined password policy is disabled. Either the user 791 is not allowed to change passwords, or the user must specify 792 the old password when changing passwords. 794 resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate 795 error message. 796 For example: errorMessage: "user not allowed to change 797 password" 799 2. The new password failed the password syntax checking, or the 800 current password has not reached the minimum password age, or 801 the new password is in history. 803 resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate 804 error message. 805 For example: errorMessage: "invalid password syntax" 806 errorMessage: "password in history" 807 errorMessage: "trivial password" 808 errorMessage: "within minimum password age" 810 3. User must supply the old password if the pwdSafeModify is on. 811 The user must specify the old password when changing 812 passwords. 814 resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate 815 error message. 
      For example: errorMessage: "must specify old password"

13.3 Add Responses

   For the add response received for the add-entry request, the
   client needs to check the result code and error message to
   determine whether the request failed password checking, and either
   let the user retry or quit.

   1. The new password failed the password syntax checking.

      resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate
      error message.
      For example: errorMessage: "invalid password syntax"
                   errorMessage: "trivial password"

13.4 Other Responses

   For operations other than bind, unbind, abandon, or search, the
   client needs to check the following result code and control to
   determine whether the user needs to change the password
   immediately.

   1. The user needs to change the password. The user should be
      prompted to change the password immediately.

      resultCode: LDAP_UNWILLING_TO_PERFORM, with the control
         controlType:
         criticality: false

14. Association between Users and Password Policy

   We have so far described two new object classes: one contains the
   password policy and the other contains password-related
   information in a user's entry. We need an association between the
   password policy and users. Association via the DIT, via groups, or
   by any other method can be used. To make this policy work in a
   heterogeneous environment we need to describe a mechanism for the
   association. This work is still under investigation.

15. Password Policy and Replication

   The pwdPolicyObject defines the password policy for a set of
   users of the directory and must be replicated on all the
   replicas.

   The pwdInfObject class holds information related to password
   policy in the user's entry. Some of the attributes have to be
   replicated on all servers, for the consistency of passwords and
   the policy. This is the case for pwdHistory, pwdExpirationTime
   and pwdAllowChangeTime, which change along with the userPassword.
   The other attributes may change each time the user binds to a
   server. It is up to the administrator to decide whether to
   replicate them.

   If they are replicated, the retry counter, the grace login
   counter and the account lockout apply across the whole set of
   servers, but the volume of replication updates will be high and
   may lead to conflicts in a multi-master environment.

   If they are not replicated, the limits apply on each server
   individually, and therefore a user (or an attacker guessing
   passwords) can try to bind N times on each server. As long as
   the number of retries and the number of servers are both low,
   this can be an acceptable policy.

16. Security Considerations

   The password policy defined in this document is applied to the
   LDAP simple authentication method [RFC-2251] and to password-based
   SASL [RFC-2222] mechanisms such as CRAM-MD5 [RFC-2195] and
   DIGEST-MD5 (derived from HTTP Digest).

17. Bibliography

   [RFC-2251] Wahl, M., Howes, T., Kille, S., "Lightweight Directory
              Access Protocol (v3)", RFC 2251, August 1997.

   [RFC-2252] Wahl, M., Coulbeck, A., Howes, T., Kille, S.,
              "Lightweight Directory Access Protocol (v3): Attribute
              Syntax Definitions", RFC 2252, December 1997.

   [RFC-2307] Howard, L., "An Approach for Using LDAP as a Network
              Information Service", RFC 2307, March 1998.

   [RFC-2119] Bradner, S., "Key Words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC-2195] Klensin, J., Catoe, R., Krumviede, P., "IMAP/POP
              AUTHorize Extension for Simple Challenge/Response",
              RFC 2195, September 1997.

   [RFC-2222] Myers, J., "Simple Authentication and Security Layer
              (SASL)", RFC 2222, October 1997.

18. Authors' Addresses

   Prasanta Behera
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-4948
   prasanta@netscape.com

   Valerie Chu
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-3443
   vchu@netscape.com

   Ludovic Poitou
   Sun Microsystems Inc.
   32 Chemin du vieux chêne
   38240 Meylan
   France
   +33 476 414 212
   ludovic.poitou@france.sun.com

   Jim Sermersheim
   Novell, Inc.
   122 East 1700 South
   Provo, Utah 84606, USA
   +1 801 861-3088
   jimse@novell.com
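   The compare-operation logic of section 12.5.1 and the bind
   responses of section 13.1, worked through as an added example.
   This is not code from the draft or from any of the authors'
   products. It assumes the following, none of which the draft
   fixes: the control types are placeholder names, because the draft
   leaves controlType blank; the policy limits (maximum failures,
   failure-counter reset interval, lockout duration, expiry warning
   window) are named here rather than with the draft's attribute
   names; a lockout whose pwdAccountUnlockTime has passed is cleared
   on the next compare; time is passed in explicitly so the exchange
   is deterministic; and the error-message strings are the draft's
   examples, which a real client should not treat as normative.

```python
"""Toy LDAP password-policy exchange: server side per section 12.5.1,
client side per section 13.1. Added example; not code from the draft."""
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Result codes from RFC 2251
LDAP_SUCCESS, LDAP_COMPARE_FALSE, LDAP_COMPARE_TRUE = 0, 5, 6
LDAP_CONSTRAINT_VIOLATION, LDAP_INVALID_CREDENTIALS = 19, 49
LDAP_UNWILLING_TO_PERFORM = 53

# Placeholder control types (assumed): the draft leaves controlType blank.
CTRL_MUST_CHANGE, CTRL_EXPIRING, CTRL_GRACE = "ctrl-must-change", "ctrl-expiring", "ctrl-grace"


def ber_int_encode(n: int) -> bytes:
    """BER INTEGER (tag 0x02): minimal two's-complement body, short-form length."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    assert len(body) < 0x80
    return b"\x02" + bytes([len(body)]) + body


def ber_int_decode(data: bytes) -> int:
    """Strict decoder: rejects a wrong tag, an empty body, long-form length and trailing bytes."""
    if len(data) < 3 or data[0] != 0x02 or data[1] >= 0x80 or len(data) != 2 + data[1]:
        raise ValueError("malformed BER INTEGER")
    return int.from_bytes(data[2:], "big", signed=True)


@dataclass
class Policy:  # limits carried by the policy object; field names are assumed
    max_failures: int = 3            # failures tolerated before the account is locked
    failure_reset_secs: float = 60   # window after which the counter restarts at 1
    lockout_secs: float = 300        # how far pwdAccountUnlockTime is set into the future
    warn_secs: float = 3600          # warn about expiry this far in advance


@dataclass
class UserState:  # per-user operational attributes
    password: str
    failure_count: int = 0
    last_failure: float = 0.0
    unlock_time: Optional[float] = None      # pwdAccountUnlockTime; present => locked
    must_change: bool = False                # password change required at first logon
    expiration_time: Optional[float] = None  # pwdExpirationTime
    grace_left: int = 0                      # grace logins remaining


def compare_password(u: UserState, p: Policy, candidate: str, now: float) -> int:
    """Section 12.5.1. Returns an LDAP result code and updates the user's counters."""
    if u.unlock_time is not None:                      # step 1: account locked
        if now < u.unlock_time:
            return LDAP_UNWILLING_TO_PERFORM
        u.unlock_time = None                           # assumed: expired lockout is cleared
    # step 2 (ACL check assumed to have passed); constant-time comparison
    if hmac.compare_digest(candidate.encode(), u.password.encode()):
        u.failure_count = 0                            # step 3, success branch
        return LDAP_COMPARE_TRUE
    if now - u.last_failure > p.failure_reset_secs:    # step 3, failure branch
        u.failure_count = 1
    else:
        u.failure_count += 1
    u.last_failure = now
    if u.failure_count > p.max_failures:               # MUST lock the account
        u.unlock_time = now + p.lockout_secs
    return LDAP_COMPARE_FALSE


Controls = List[Tuple[str, bytes]]


def bind(u: UserState, p: Policy, candidate: str, now: float) -> Tuple[int, str, Controls]:
    """Server side of section 13.1: (resultCode, errorMessage, controls)."""
    rc = compare_password(u, p, candidate, now)
    if rc == LDAP_UNWILLING_TO_PERFORM or u.unlock_time is not None:          # item 3
        return LDAP_CONSTRAINT_VIOLATION, "exceed password retry limit", []
    if rc != LDAP_COMPARE_TRUE:
        return LDAP_INVALID_CREDENTIALS, "invalid credentials", []
    if u.must_change:                                                          # item 1
        return LDAP_SUCCESS, "", [(CTRL_MUST_CHANGE, b"")]
    if u.expiration_time is not None and now >= u.expiration_time:
        if u.grace_left <= 0:                                                  # item 5
            return LDAP_INVALID_CREDENTIALS, "password expired", []
        u.grace_left -= 1                                                      # item 4
        return LDAP_SUCCESS, "", [(CTRL_GRACE, ber_int_encode(u.grace_left))]
    if u.expiration_time is not None and u.expiration_time - now <= p.warn_secs:  # item 2
        return LDAP_SUCCESS, "", [(CTRL_EXPIRING, ber_int_encode(int(u.expiration_time - now)))]
    return LDAP_SUCCESS, "", []


def classify_bind_response(rc: int, message: str, controls: Controls) -> str:
    """Client side of section 13.1: decide what to tell the user."""
    ctrls = dict(controls)
    if rc == LDAP_SUCCESS:
        if CTRL_MUST_CHANGE in ctrls:
            return "change-password-now"
        if CTRL_GRACE in ctrls:
            return f"expired-grace-logins-left={ber_int_decode(ctrls[CTRL_GRACE])}"
        if CTRL_EXPIRING in ctrls:
            return f"expires-in-secs={ber_int_decode(ctrls[CTRL_EXPIRING])}"
        return "ok"
    if rc == LDAP_CONSTRAINT_VIOLATION:
        return "locked-retry-later"
    if rc == LDAP_INVALID_CREDENTIALS and message == "password expired":   # draft's example text
        return "expired-contact-admin"
    return "bad-credentials" if rc == LDAP_INVALID_CREDENTIALS else f"error-{rc}"


def run_exchange() -> List[str]:
    """Constructed scenario: four bad guesses, a lockout, then success once the lockout has passed."""
    p, u = Policy(), UserState(password="correct horse", expiration_time=1600.0)
    seen, t = [], 1000.0
    for guess in ["wrong", "wrong", "wrong", "wrong", "correct horse"]:
        seen.append(classify_bind_response(*bind(u, p, guess, t)))
        t += 1.0
    t += p.lockout_secs                    # lockout expired at 1303.0; now 1305.0
    seen.append(classify_bind_response(*bind(u, p, "correct horse", t)))
    return seen


if __name__ == "__main__":
    print(run_exchange())
```

   Two points the draft leaves implicit are visible here: the
   correct password is refused while the account is locked, because
   the lockout check runs before the comparison and so the server
   never reveals whether the guess was right; and the client decodes
   control values with a strict BER parser that rejects long-form
   lengths and trailing bytes rather than trusting the server's
   encoding.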