Network Working Group                                      J. Sermersheim
Internet-Draft                                               Novell, Inc
Intended status: Standards Track                               L. Poitou
Expires: 26 August 2022                                 Sun Microsystems
                                                             H. Chu, Ed.
                                                          O. Kuzník, Ed.
                                                             Symas Corp.
                                                           February 2022

                  Password Policy for LDAP Directories
                  draft-behera-ldap-password-policy-11

Abstract

   Password policy as described in this document is a set of rules that
   controls how passwords are used and administered in Lightweight
   Directory Access Protocol (LDAP) based directories.  In order to
   improve the security of LDAP directories and make it difficult for
   password cracking programs to break into directories, it is desirable
   to enforce a set of rules on password usage.  These rules are made to
   ensure that users change their passwords periodically, passwords meet
   construction requirements, the re-use of old passwords is restricted,
   and to deter password guessing attacks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 August 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Overview
   2.  Conventions
   3.  Application of Password Policy
   4.  Articles of Password Policy
     4.1.  Password Usage Policy
     4.2.  Password Modification Policy
     4.3.  Restriction of the Password Policy
   5.  Schema used for Password Policy
     5.1.  The pwdPolicy Object Class
     5.2.  Attribute Types used in the pwdPolicy ObjectClass
     5.3.  Attribute Types for Password Policy State Information
   6.  Controls used for Password Policy
     6.1.  Request Control
     6.2.  Response Control
   7.  Policy Decision Points
     7.1.  Locked Account Check
     7.2.  Password Must be Changed Now Check
     7.3.  Password Expiration Check
     7.4.  Remaining Grace AuthN Check
     7.5.  Time Before Expiration Check
     7.6.  Intruder Lockout Check
     7.7.  Intruder Delay Check
     7.8.  Password Too Young Check
   8.  Server Policy Enforcement Points
     8.1.  Password-based Authentication
     8.2.  Password Update Operations
     8.3.  Other Operations
   9.  Client Policy Enforcement Points
     9.1.  Bind Operation
     9.2.  Modify Operations
     9.3.  Add Operation
     9.4.  Compare Operation
     9.5.  Other Operations
   10. Administration of the Password Policy
   11. Password Policy and Replication
   12. Security Considerations
   13. IANA Considerations
     13.1.  Object Identifiers
     13.2.  LDAP Protocol Mechanisms
     13.3.  LDAP Descriptors
     13.4.  LDAP AttributeDescription Options
   14. Acknowledgement
   15. Normative References
   Authors' Addresses

1.  Overview

   LDAP-based directory services are currently accepted by many
   organizations as the access protocol for directories.  The ability to
   ensure secure read and update access to directory information
   throughout the network is essential to successful deployment.
   Most LDAP implementations support many authentication schemes; the
   most basic and widely used is simple authentication, i.e., user DN
   and password.  In this case, many LDAP servers have implemented some
   kind of policy related to the password used to authenticate.  Among
   other things, this policy includes:

   *  Whether and when passwords expire.

   *  Whether failed bind attempts cause the account to be locked.

   *  If and how users are able to change their passwords.

   In order to achieve greater security protection and ensure
   interoperability in a heterogeneous environment, LDAP needs to
   standardize on a common password policy model.  This is critical to
   the successful deployment of LDAP directories.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   All ASN.1 [X.680] Basic Encoding Rules (BER) [X.690] encodings follow
   the conventions found in Section 5.1 of [RFC4511].

   The term "password administrator" refers to a user that has
   sufficient access control privileges to modify users' passwords.  The
   term "password policy administrator" refers to a user that has
   sufficient access control privileges to modify the pwdPolicy object
   defined in this document.  The access control that is used to
   determine whether an identity is a password administrator or password
   policy administrator is beyond the scope of this document, but
   typically implies that the password administrator has 'write'
   privileges to the password attribute.

3.  Application of Password Policy

   The password policy defined in this document can be applied to any
   attribute holding a user's password used for an authenticated LDAP
   bind operation.
   In this document, the term "user" represents any LDAP client
   application that has an identity in the directory.

   This policy is typically applied to the userPassword attribute in the
   case of the LDAP simple authentication method [RFC4511] or the case
   of password based SASL [RFC4422] authentication such as PLAIN
   [RFC4616] and SCRAM-SHA-256 [RFC7677].

   The policy described in this document assumes that the password
   attribute holds a single value.  No considerations are made for
   directories or systems that allow a user to maintain multi-valued
   password attributes.

   Server implementations MAY institute internal policy whereby certain
   identities (such as directory administrators) are not forced to
   comply with any password policy.  In this case, the password for a
   directory administrator never expires, the account is never locked,
   etc.

4.  Articles of Password Policy

   The following sections explain in general terms each aspect of the
   password policy defined in this document as well as the need for
   each.  These policies are subdivided into the general groups of
   password usage and password modification.  Implementation details are
   presented in Section 8 and Section 9.

4.1.  Password Usage Policy

   This section describes policy enforced when a password is used to
   authenticate.  The general focus of this policy is to minimize the
   threat of intruders once a password is in use.

4.1.1.  Password Validity Policy

   These mechanisms allow account usage to be controlled independent of
   any password expiration policies.  The policy defines the absolute
   period of time for which an account may be used.  This allows an
   administrator to define an absolute starting time after which a
   password becomes valid, and an absolute ending time after which the
   password is disabled.
   A mechanism is also provided to define the period of time for which
   an account may remain unused before being disabled.

4.1.2.  Password Guessing Limit

   In order to prevent intruders from guessing a user's password, a
   mechanism exists to track the number of consecutive failed
   authentication attempts, and take action when a limit is reached.
   This policy consists of several parts:

   *  A counter to track the number of failed authentication attempts.

   *  The amount of time to delay on the first authentication failure.

   *  The maximum amount of time to delay on subsequent failures.

   *  A timeframe in which the limit of consecutive failed
      authentication attempts must happen before action is taken.

   *  A configurable limit on failed authentication attempts.

   *  The action to be taken when the limit is reached.  The action will
      either be nothing, or the account will be locked.

   *  An amount of time the account is locked (if it is to be locked).
      This can be indefinite.

   Note that using the account lock feature provides an easy avenue for
   Denial-of-Service (DoS) attacks on user accounts.  While some sites'
   policies require accounts to be locked, this feature is discouraged
   in favor of delaying each failed login attempt.

   The delay time will be doubled on each subsequent failure, until it
   reaches the maximum time configured.

   [TBD: we could also provide a syntax for configuring a backoff
   algorithm.  E.g. "+" for linearly incrementing delay, "x" for a
   constant multiplier, "^" for geometric.  But it's probably overkill
   to add a calculator language to the server.]

4.2.  Password Modification Policy

   This section describes policy enforced while users are modifying
   passwords.  The general focus of this policy is to ensure that when
   users add or change their passwords, the security and effectiveness
   of their passwords is maximized.
   In this document, the term "modify password operation" refers to any
   operation that is used to add or modify a password attribute.  Often
   this is done by updating the password attribute during an add or
   modify operation, but MAY be done by other means such as an extended
   operation.

4.2.1.  Password Expiration, Expiration Warning, and Grace
        Authentications

   One of the key properties of a password is the fact that it is not
   well known.  If a password is frequently changed, the chances of that
   user's account being broken into are minimized.

   Password policy administrators may deploy a password policy that
   causes passwords to expire after a given amount of time, thus
   forcing users to change their passwords periodically.

   As a side effect, there needs to be a way in which users are made
   aware of this need to change their password before actually being
   locked out of their accounts.  One or both of the following methods
   handle this:

   *  A warning may be returned to the user sometime before his password
      is due to expire.  If the user fails to heed this warning before
      the expiration time, his account will be locked.

   *  The user may bind to the directory a preset number of times after
      her password has expired.  If she fails to change her password
      during one of her 'grace' authentications, her account will be
      locked.

4.2.2.  Password History

   When the Password Expiration policy is used, an additional mechanism
   may be employed to prevent users from simply re-using a previous
   password (as this would effectively circumvent the expiration
   policy).

   In order to do this, a history of used passwords is kept.  The
   password policy administrator sets the number of passwords to be
   stored at any given time.  Passwords are stored in this history
   whenever the password is changed.
   Users aren't allowed to specify any passwords that are in the history
   list while changing passwords.

4.2.3.  Password Minimum Age

   Users may circumvent the Password History mechanism by quickly
   performing a series of password changes.  If they change their
   password enough times, their 'favorite' password will be pushed out
   of the history list.

   This process may be made less attractive to users by employing a
   minimum age for passwords.  If users are forced to wait 24 hours
   between password changes, they may be less likely to cycle through a
   history of 10 passwords.

4.2.4.  Password Quality and Length Constraints

   In order to prevent users from creating or updating passwords that
   are easy to guess, a password quality policy may be employed.  This
   policy consists of two general mechanisms: ensuring that passwords
   conform to a defined quality criterion and ensuring that they are of
   a minimum length.

   Forcing a password to comply with the quality policy may imply a
   variety of things including:

   *  Disallowing trivial or well-known words from making up the
      password.

   *  Forcing a certain number of digits to be used.

   *  Disallowing anagrams of the user's name.

   The implementation of this policy meets with the following problems:

   *  If the password to be added or updated is encrypted by the client
      before being sent, the server has no way of enforcing this policy.
      Therefore, the onus of enforcing this policy falls upon client
      implementations.

   *  There are no specific definitions of what 'quality checking'
      means.  This can lead to unexpected behavior in a heterogeneous
      environment.

4.2.5.  User Defined Passwords

   In some cases, it is desirable to disallow users from adding and
   updating their own passwords.  This policy makes this functionality
   possible.

4.2.6.  Password Change after Reset

   This policy forces the user to update her password after it has been
   set for the first time, or has been reset by a password
   administrator.

   This is needed in scenarios where a password administrator has set or
   reset the password to a well-known value.

4.2.7.  Safe Modification

   As directories become more commonly used, it will not be unusual for
   clients to connect to a directory and leave the connection open for
   an extended period.  This opens up the possibility for an intruder to
   make modifications to a user's password while that user's computer is
   connected but unattended.

   This policy forces the user to prove his identity by specifying the
   old password during a password modify operation.

   {TODO: This allows a dictionary attack unless we specify that this is
   also subject to intruder detection.  One solution is to require users
   to authN prior to changing password.  Another solution is to perform
   intruder detection checks when the password for a non-authenticated
   identity is being updated}

4.3.  Restriction of the Password Policy

   The password policy defined in this document can apply to any
   attribute containing a password.  Password policy state information
   is held in the user's entry, and applies to a password attribute, not
   a particular password attribute value.  Thus the server SHOULD
   enforce that the password attribute subject to password policy
   contains one and only one password value.

5.  Schema used for Password Policy

   The schema elements defined here fall into two general categories.  A
   password policy object class is defined which contains a set of
   administrative password policy attributes, and a set of operational
   attributes are defined that hold general password policy state
   information for each user.

5.1.  The pwdPolicy Object Class

   This object class contains the attributes defining a password policy
   in effect for a set of users.  Section 10 describes the
   administration of this object, and the relationship between it and
   particular objects.

      ( 1.3.6.1.4.1.42.2.27.8.2.1
         NAME 'pwdPolicy'
         SUP top
         AUXILIARY
         MUST ( pwdAttribute )
         MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
               pwdMinLength $ pwdMaxLength $ pwdExpireWarning $
               pwdGraceAuthNLimit $ pwdGraceExpiry $ pwdLockout $
               pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
               pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
               pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )

5.2.  Attribute Types used in the pwdPolicy ObjectClass

   Following are the attribute types used by the pwdPolicy object class.

5.2.1.  pwdAttribute

   This holds the name of the attribute to which the password policy is
   applied.  For example, the password policy may be applied to the
   userPassword attribute.

      ( 1.3.6.1.4.1.42.2.27.8.1.1
         NAME 'pwdAttribute'
         EQUALITY objectIdentifierMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

5.2.2.  pwdMinAge

   This attribute holds the number of seconds that must elapse between
   modifications to the password.  If this attribute is not present, 0
   seconds is assumed.

      ( 1.3.6.1.4.1.42.2.27.8.1.2
         NAME 'pwdMinAge'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.3.  pwdMaxAge

   This attribute holds the number of seconds after which a modified
   password will expire.

   If this attribute is not present, or if the value is 0, the password
   does not expire.  If not 0, the value must be greater than or equal
   to the value of pwdMinAge.
      ( 1.3.6.1.4.1.42.2.27.8.1.3
         NAME 'pwdMaxAge'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.4.  pwdInHistory

   This attribute specifies the maximum number of used passwords stored
   in the pwdHistory attribute.

   If this attribute is not present, or if the value is 0, used
   passwords are not stored in the pwdHistory attribute and thus may be
   reused.

      ( 1.3.6.1.4.1.42.2.27.8.1.4
         NAME 'pwdInHistory'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.5.  pwdCheckQuality

   {TODO: Consider changing the syntax to OID.  Each OID will list a
   quality rule (like min len, # of special characters, etc).  These
   rules can be specified outside this document.}

   {TODO: Note that even though this is meant to be a check that happens
   during password modification, it may also be allowed to happen during
   authN.  This is useful for situations where the password is encrypted
   when modified, but decrypted when used to authN.}

   This attribute indicates how the password quality will be verified
   while being modified or added.  If this attribute is not present, or
   if the value is '0', quality checking will not be enforced.  A value
   of '1' indicates that the server will check the quality, and if the
   server is unable to check it (due to a hashed password or other
   reasons) it will be accepted.  A value of '2' indicates that the
   server will check the quality, and if the server is unable to verify
   it, it will return an error refusing the password.

      ( 1.3.6.1.4.1.42.2.27.8.1.5
         NAME 'pwdCheckQuality'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.6.  pwdMinLength

   When quality checking is enabled, this attribute holds the minimum
   number of characters that must be used in a password.  If this
   attribute is not present, no minimum password length will be
   enforced.  If the server is unable to check the length (due to a
   hashed password or otherwise), the server will, depending on the
   value of the pwdCheckQuality attribute, either accept the password
   without checking it ('0' or '1') or refuse it ('2').

      ( 1.3.6.1.4.1.42.2.27.8.1.6
         NAME 'pwdMinLength'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.7.  pwdMaxLength

   When quality checking is enabled, this attribute holds the maximum
   number of characters that may be used in a password.  If this
   attribute is not present, no maximum password length will be
   enforced.  If the server is unable to check the length (due to a
   hashed password or otherwise), the server will, depending on the
   value of the pwdCheckQuality attribute, either accept the password
   without checking it ('0' or '1') or refuse it ('2').

      ( 1.3.6.1.4.1.42.2.27.8.1.31
         NAME 'pwdMaxLength'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.8.  pwdExpireWarning

   This attribute specifies the maximum number of seconds before a
   password is due to expire that expiration warning messages will be
   returned to an authenticating user.

   If this attribute is not present, or if the value is 0, no warnings
   will be returned.  If not 0, the value must be smaller than the value
   of the pwdMaxAge attribute.

      ( 1.3.6.1.4.1.42.2.27.8.1.7
         NAME 'pwdExpireWarning'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.9.  pwdGraceAuthNLimit

   This attribute specifies the number of times an expired password can
   be used to authenticate.  If this attribute is not present or if the
   value is 0, authentication will fail.

      ( 1.3.6.1.4.1.42.2.27.8.1.8
         NAME 'pwdGraceAuthNLimit'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.10.  pwdGraceExpiry

   This attribute specifies the number of seconds the grace
   authentications are valid.  If this attribute is not present or if
   the value is 0, there is no time limit on the grace authentications.

      ( 1.3.6.1.4.1.42.2.27.8.1.30
         NAME 'pwdGraceExpiry'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.11.  pwdLockout

   This attribute indicates, when its value is "TRUE", that the password
   may not be used to authenticate after a specified number of
   consecutive failed bind attempts.  The maximum number of consecutive
   failed bind attempts is specified in pwdMaxFailure.

   If this attribute is not present, or if the value is "FALSE", the
   password may be used to authenticate when the number of failed bind
   attempts has been reached.

      ( 1.3.6.1.4.1.42.2.27.8.1.9
         NAME 'pwdLockout'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.12.  pwdLockoutDuration

   This attribute holds the number of seconds that the password cannot
   be used to authenticate due to too many failed bind attempts.  If
   this attribute is not present, or if the value is 0, the password
   cannot be used to authenticate until reset by a password
   administrator.

      ( 1.3.6.1.4.1.42.2.27.8.1.10
         NAME 'pwdLockoutDuration'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.13.  pwdMaxFailure

   This attribute specifies the number of consecutive failed bind
   attempts after which the password may not be used to authenticate.
   If this attribute is not present, or if the value is 0, this policy
   is not checked, and the value of pwdLockout will be ignored.

      ( 1.3.6.1.4.1.42.2.27.8.1.11
         NAME 'pwdMaxFailure'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.14.  pwdFailureCountInterval

   This attribute holds the number of seconds after which the password
   failures are purged from the failure counter, even though no
   successful authentication occurred.

   If this attribute is not present, or if its value is 0, the failure
   counter is only reset by a successful authentication.

      ( 1.3.6.1.4.1.42.2.27.8.1.12
         NAME 'pwdFailureCountInterval'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.15.  pwdMustChange

   This attribute specifies with a value of "TRUE" that users must
   change their passwords when they first bind to the directory after a
   password is set or reset by a password administrator.  If this
   attribute is not present, or if the value is "FALSE", users are not
   required to change their password upon binding after the password
   administrator sets or resets the password.  This attribute is not set
   due to any actions specified by this document; it is typically set by
   a password administrator after resetting a user's password.

      ( 1.3.6.1.4.1.42.2.27.8.1.13
         NAME 'pwdMustChange'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.16.  pwdAllowUserChange

   This attribute indicates whether users can change their own
   passwords, although the change operation is still subject to access
   control.  If this attribute is not present, a value of "TRUE" is
   assumed.
   This attribute is intended to be used in the absence of an access
   control mechanism.

      ( 1.3.6.1.4.1.42.2.27.8.1.14
         NAME 'pwdAllowUserChange'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.17.  pwdSafeModify

   This attribute specifies whether or not the existing password must be
   sent along with the new password when being changed.  If this
   attribute is not present, a "FALSE" value is assumed.

      ( 1.3.6.1.4.1.42.2.27.8.1.15
         NAME 'pwdSafeModify'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.18.  pwdMinDelay

   This attribute specifies the number of seconds to delay responding to
   the first failed authentication attempt.  If this attribute is not
   set or is 0, no delays will be used.  pwdMaxDelay must also be
   specified if pwdMinDelay is set.

      ( 1.3.6.1.4.1.42.2.27.8.1.24
         NAME 'pwdMinDelay'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.19.  pwdMaxDelay

   This attribute specifies the maximum number of seconds to delay when
   responding to a failed authentication attempt.  The time specified in
   pwdMinDelay is used as the starting time and is then doubled on each
   failure until the delay time is greater than or equal to pwdMaxDelay
   (or a successful authentication occurs, which resets the failure
   counter).  pwdMinDelay must be specified if pwdMaxDelay is set.

      ( 1.3.6.1.4.1.42.2.27.8.1.25
         NAME 'pwdMaxDelay'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.20.  pwdMaxIdle

   This attribute specifies the number of seconds an account may remain
   unused before it becomes locked.  If this attribute is not set or is
   0, no check is performed.
      ( 1.3.6.1.4.1.42.2.27.8.1.26
         NAME 'pwdMaxIdle'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.21.  pwdMaxRecordedFailure

   This attribute specifies the number of failures kept on record for
   each user and should be equal to or higher than pwdMaxFailure.  If
   it is not set or is 0, it is deemed equal to pwdMaxFailure.

      ( 1.3.6.1.4.1.42.2.27.8.1.32
         NAME 'pwdMaxRecordedFailure'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.3.  Attribute Types for Password Policy State Information

   Password policy state information must be maintained for each user.
   The information is located in each user entry as a set of operational
   attributes.  These operational attributes are: pwdChangedTime,
   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
   pwdReset, pwdPolicySubentry, pwdStartTime, pwdEndTime, and
   pwdLastSuccess.

5.3.1.  Password Policy State Attribute Option

   Since the password policy could apply to several attributes used to
   store passwords, each of the above operational attributes must have
   an option to specify which pwdAttribute it applies to.  The password
   policy option is defined as the following:

      pwd-<passwordAttribute>

   where passwordAttribute is a string following the OID syntax
   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
   (short name) MUST be used.

   For example, if the pwdPolicy object has for pwdAttribute
   "userPassword" then the pwdChangedTime operational attribute, in a
   user entry, will be:

      pwdChangedTime;pwd-userPassword: 20000103121520Z

   This attribute option follows sub-typing semantics.  If a client
   requests a password policy state attribute to be returned in a search
   operation, and does not specify an option, all subtypes of that
   policy state attribute are returned.

5.3.2.  pwdChangedTime

   This attribute specifies the last time the entry's password was
   changed.  This is used by the password expiration policy.  If this
   attribute does not exist, the password will never expire.

      ( 1.3.6.1.4.1.42.2.27.8.1.16
         NAME 'pwdChangedTime'
         DESC 'The time the password was last changed'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.3.  pwdAccountLockedTime

   This attribute holds the time that the user's account was locked.  A
   locked account means that the password may no longer be used to
   authenticate.  A 000001010000Z value means that the account has been
   locked permanently, and that only a password administrator can unlock
   the account.

      ( 1.3.6.1.4.1.42.2.27.8.1.17
         NAME 'pwdAccountLockedTime'
         DESC 'The time a user account was locked'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.4.  pwdFailureTime

   This attribute holds the timestamps of the consecutive authentication
   failures.

      ( 1.3.6.1.4.1.42.2.27.8.1.19
         NAME 'pwdFailureTime'
         DESC 'The timestamps of the last consecutive authentication
               failures'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.5.  pwdHistory

   This attribute holds a history of previously used passwords.  Values
   of this attribute are transmitted in string format as given by the
   following ABNF:

      pwdHistory = time "#" syntaxOID "#" length "#" data

      time       = GeneralizedTime

      syntaxOID  = numericoid   ; the string representation of the
                                ; dotted-decimal OID that defines the
                                ; syntax used to store the password.

      length     = number       ; the number of octets in data.

      data       = <octets>

   GeneralizedTime is specified in Section 3.3.13 of [RFC4517].
   numericoid and number are specified in Section 1.4 of [RFC4512].

   This format allows the server to store and transmit a history of
   passwords that have been used.  In order for equality matching to
   function properly, the time field needs to adhere to a consistent
   format.  For this purpose, the time field MUST be in GMT format.

      ( 1.3.6.1.4.1.42.2.27.8.1.20
         NAME 'pwdHistory'
         DESC 'The history of user's passwords'
         EQUALITY octetStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.6.  pwdGraceUseTime

   This attribute holds the timestamps of grace authentications after a
   password has expired.

      ( 1.3.6.1.4.1.42.2.27.8.1.21
         NAME 'pwdGraceUseTime'
         DESC 'The timestamps of the grace authentication after the
               password has expired'
         EQUALITY generalizedTimeMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.7.  pwdReset

   This attribute holds a flag to indicate (when TRUE) that the password
   has been updated by the password administrator and must be changed by
   the user.

      ( 1.3.6.1.4.1.42.2.27.8.1.22
         NAME 'pwdReset'
         DESC 'The indication that the password has been reset'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE
         USAGE directoryOperation )

5.3.8.  pwdPolicySubentry

   This attribute points to the pwdPolicy subentry in effect for this
   object.

      ( 1.3.6.1.4.1.42.2.27.8.1.23
         NAME 'pwdPolicySubentry'
         DESC 'The pwdPolicy subentry in effect for this object'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.9.
pwdStartTime 874 This attribute specifies the time the entry's password becomes valid 875 for authentication. Authentication attempts made before this time 876 will fail. If this attribute does not exist, then no restriction 877 applies. 879 ( 1.3.6.1.4.1.42.2.27.8.1.27 880 NAME 'pwdStartTime' 881 DESC 'The time the password becomes enabled' 882 EQUALITY generalizedTimeMatch 883 ORDERING generalizedTimeOrderingMatch 884 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 885 SINGLE-VALUE 886 NO-USER-MODIFICATION 887 USAGE directoryOperation ) 889 5.3.10. pwdEndTime 891 This attribute specifies the time the entry's password becomes 892 invalid for authentication. Authentication attempts made after this 893 time will fail, regardless of expiration or grace settings. If this 894 attribute does not exist, then this restriction does not apply. 896 ( 1.3.6.1.4.1.42.2.27.8.1.28 897 NAME 'pwdEndTime' 898 DESC 'The time the password becomes disabled' 899 EQUALITY generalizedTimeMatch 900 ORDERING generalizedTimeOrderingMatch 901 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 902 SINGLE-VALUE 903 NO-USER-MODIFICATION 904 USAGE directoryOperation ) 906 Note that pwdStartTime may be set to a time greater than or equal to 907 pwdEndTime; this simply disables the account. 909 5.3.11. pwdLastSuccess 911 This attribute holds the timestamp of the last successful 912 authentication. 914 ( 1.3.6.1.4.1.42.2.27.8.1.29 915 NAME 'pwdLastSuccess' 916 DESC 'The timestamp of the last successful authentication' 917 EQUALITY generalizedTimeMatch 918 ORDERING generalizedTimeOrderingMatch 919 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 920 SINGLE-VALUE 921 NO-USER-MODIFICATION 922 USAGE directoryOperation ) 924 6. Controls used for Password Policy 926 This section details the controls used while enforcing password 927 policy. A request control is defined that is sent by a client with a 928 request operation in order to elicit a response control. 
The 929 response control contains various warnings and errors associated with 930 password policy. 932 {TODO: add a note about advertisement and discovery} 934 6.1. Request Control 936 This control MAY be sent with any LDAP request message in order to 937 convey to the server that this client is aware of, and can process 938 the response control described in this document. When a server 939 receives this control, it will return the response control when 940 appropriate and with the proper data. 942 The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may 943 be TRUE or FALSE. There is no controlValue. 945 6.2. Response Control 947 If the client has sent a passwordPolicyRequest control, the server 948 (when solicited by the inclusion of the request control) sends this 949 control with the following operation responses: bindResponse, 950 modifyResponse, addResponse, compareResponse and possibly 951 extendedResponse, to inform of various conditions, and MAY be sent 952 with other operations (in the case of the changeAfterReset error). 953 The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the controlValue is 954 the BER encoding of the following type: 956 PasswordPolicyResponseValue ::= SEQUENCE { 957 warning [0] CHOICE { 958 timeBeforeExpiration [0] INTEGER (0 .. maxInt), 959 graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL, 960 error [1] ENUMERATED { 961 passwordExpired (0), 962 accountLocked (1), 963 changeAfterReset (2), 964 passwordModNotAllowed (3), 965 mustSupplyOldPassword (4), 966 insufficientPasswordQuality (5), 967 passwordTooShort (6), 968 passwordTooYoung (7), 969 passwordInHistory (8), 970 passwordTooLong (9) } OPTIONAL } 972 The timeBeforeExpiration warning specifies the number of seconds 973 before a password will expire. The graceAuthNsRemaining warning 974 specifies the remaining number of times a user will be allowed to 975 authenticate with an expired password. 
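A BER encoder and decoder for the PasswordPolicyResponseValue above, as an added example that is not part of the draft and not any LDAP library's code. It assumes LDAP's IMPLICIT TAGS default (RFC 4511): the error field and the two CHOICE alternatives are implicitly tagged, while the [0] tag on warning is explicit (a tag on a CHOICE always is) and therefore wraps the chosen alternative in a constructed element.

```python
"""BER codec for the PasswordPolicyResponseValue of Section 6.2 (added example).

Assumes IMPLICIT TAGS as in LDAP: error -> [1] primitive, the CHOICE
alternatives -> [0]/[1] primitive, and warning -> [0] constructed wrapper.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CONTROL_TYPE = "1.3.6.1.4.1.42.2.27.8.5.1"  # same OID for request and response

WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory", 9: "passwordTooLong"}

TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0  # [0] constructed: explicit tag around the CHOICE
TAG_ERROR = 0x81    # [1] primitive: implicit tag on the ENUMERATED


@dataclass
class PasswordPolicyResponse:
    warning: Optional[Tuple[str, int]] = None  # (warning name, value)
    error: Optional[str] = None


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def _int_body(value: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    if value < 0:
        raise ValueError("policy values are (0 .. maxInt)")
    return value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)

def encode(resp: PasswordPolicyResponse) -> bytes:
    """Produce the controlValue for a passwordPolicyResponse control."""
    body = b""
    if resp.warning is not None:
        name, value = resp.warning
        alt = {v: k for k, v in WARNINGS.items()}[name]
        body += _tlv(TAG_WARNING, _tlv(0x80 | alt, _int_body(value)))
    if resp.error is not None:
        code = {v: k for k, v in ERRORS.items()}[resp.error]
        body += _tlv(TAG_ERROR, _int_body(code))
    return _tlv(TAG_SEQUENCE, body)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the TLV at pos; strict about lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _read_int(content: bytes) -> int:
    if not content:
        raise ValueError("empty INTEGER")
    value = int.from_bytes(content, "big", signed=True)
    if value < 0:
        raise ValueError("negative value outside (0 .. maxInt)")
    return value

def decode(buf: bytes) -> PasswordPolicyResponse:
    """Decode a controlValue; trailing bytes, unknown tags, a warning after
    the error, and out-of-range enumerations are rejected, not guessed at."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("controlValue is not a single SEQUENCE")
    resp, pos = PasswordPolicyResponse(), 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING and resp.warning is None and resp.error is None:
            alt, value, alt_end = _read_tlv(content, 0)
            if alt_end != len(content) or alt not in (0x80, 0x81):
                raise ValueError("malformed warning CHOICE")
            resp.warning = (WARNINGS[alt & 1], _read_int(value))
        elif tag == TAG_ERROR and resp.error is None:
            code = _read_int(content)
            if code not in ERRORS:
                raise ValueError(f"unknown error enumeration {code}")
            resp.error = ERRORS[code]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return resp
```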
The passwordExpired error signifies that the password has expired and must be reset. The changeAfterReset error signifies that the password must be changed before the user will be allowed to perform any operation other than bind and modify. The passwordModNotAllowed error is set when a user is restricted from changing her password. The insufficientPasswordQuality error is set when a password doesn't pass quality checking. The passwordTooYoung error is set if the age of the password to be modified is not yet old enough.

Typically, only either a warning or an error will be encoded, though there may be exceptions. For example, if the user is required to change a password after the password administrator set it, and the password will expire in a short amount of time, the control may include the timeBeforeExpiration warning and the changeAfterReset error.

7. Policy Decision Points

Following are a number of procedures used to make policy decisions. These procedures are typically performed by the server while processing an operation.

The following sections contain detailed instructions that refer to attributes of the pwdPolicy object class. When doing so, the attribute of the pwdPolicy object that governs the entry being discussed is implied.

7.1. Locked Account Check

A status of true is returned to indicate that the account is locked if any of these conditions are met:

* The value of the pwdAccountLockedTime attribute is 000001010000Z.

* The current time is less than the value of the pwdStartTime attribute.

* The current time is greater than or equal to the value of the pwdEndTime attribute.

* The current time is greater than or equal to the value of the pwdLastSuccess attribute added to the value of the pwdMaxIdle attribute. If the pwdLastSuccess attribute is not present, the pwdChangedTime value is used instead.

* The current time is less than the value of the pwdAccountLockedTime attribute added to the value of the pwdLockoutDuration.

Otherwise a status of false is returned.

7.2. Password Must be Changed Now Check

A status of true is returned to indicate that the password must be changed if all of these conditions are met:

* The pwdMustChange attribute is set to TRUE.

* The pwdReset attribute is set to TRUE.

Otherwise a status of false is returned.

7.3. Password Expiration Check

A status of true is returned indicating that the password has expired if the current time minus the value of pwdChangedTime is greater than the value of the pwdMaxAge.

Otherwise, a status of false is returned.

7.4. Remaining Grace AuthN Check

If the pwdGraceExpiry attribute is present, and the current time is greater than the password expiration time plus the pwdGraceExpiry value, zero is returned.

If the pwdGraceUseTime attribute is present, the number of values in that attribute subtracted from the value of pwdGraceAuthNLimit is returned. Otherwise zero is returned. A positive result specifies the number of remaining grace authentications.

7.5. Time Before Expiration Check

If the pwdExpireWarning attribute is not present a zero status is returned. Otherwise the following steps are followed:

Subtract the time stored in pwdChangedTime from the current time to arrive at the password's age. If the password's age is greater than the value of the pwdMaxAge attribute, a zero status is returned. Subtract the value of the pwdExpireWarning attribute from the value of the pwdMaxAge attribute to arrive at the warning age. If the password's age is equal to or greater than the warning age, the value of pwdMaxAge minus the password's age is returned.

7.6. Intruder Lockout Check

A status of true indicating that an intruder has been detected is returned if the following conditions are met:

* The pwdLockout attribute is TRUE.

* The number of values in the pwdFailureTime attribute that are younger than pwdFailureCountInterval is greater than or equal to the pwdMaxFailure attribute.

Otherwise a status of false is returned.

While performing this check, values of pwdFailureTime that are older than pwdFailureCountInterval are purged and not counted.

7.7. Intruder Delay Check

If the pwdMinDelay attribute is 0 or not set, zero is returned.

Otherwise, a delay time is computed based on the number of values in the pwdFailureTime attribute. If the computed value is greater than the pwdMaxDelay attribute, the pwdMaxDelay value is returned.

While performing this check, values of pwdFailureTime that are older than pwdFailureCountInterval are purged and not counted.

7.8. Password Too Young Check

If the Section 7.2 check returned true then this check will return false, to allow the password to be changed.

A status of true indicating that not enough time has passed since the password was last updated is returned if:

* The value of pwdMinAge is non-zero and pwdChangedTime is present.

* The value of pwdMinAge is greater than the current time minus the value of pwdChangedTime.

Otherwise a false status is returned.

8. Server Policy Enforcement Points

The server SHOULD enforce that the password attribute subject to a password policy as defined in this document contains one and only one password value.

Note: The case where a single password value is stored in multiple formats simultaneously is still considered to be only one password value.
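The decision points of Section 7 (locked account, time before expiration, intruder lockout with purging of stale failures, and the intruder delay using the doubling schedule of Section 5.2.19), worked as code. This is an added example, not the draft's text and not any directory server's code; it assumes an entry and its governing pwdPolicy are plain dicts keyed by the draft's attribute names, with times as RFC 4517 GeneralizedTime strings in GMT, and that pwdLockoutDuration 0 means locked until an administrator resets the account (that attribute is defined earlier in the draft, outside this excerpt).

```python
"""Section 7 policy decision points over an entry's state (added example)."""
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # Section 5.3.3: only an administrator unlocks


def parse_gt(value: str) -> datetime:
    """Parse 'YYYYMMDDHH[MM[SS]][.f]Z'; fractional seconds are dropped."""
    if not value.endswith("Z"):
        raise ValueError("password policy times MUST be in GMT form")
    digits = value[:-1].replace(",", ".").split(".")[0]
    digits += "0" * (14 - len(digits))  # missing minutes/seconds read as 00
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def _secs(policy: dict, name: str) -> int:
    """Integer policy attribute; absent is treated as 0, as the draft does."""
    return int(policy.get(name, 0))

def is_locked(entry: dict, policy: dict, now: datetime) -> bool:
    """Section 7.1 locked account check (any condition locks)."""
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at == PERMANENT_LOCK:
        return True
    if "pwdStartTime" in entry and now < parse_gt(entry["pwdStartTime"]):
        return True
    if "pwdEndTime" in entry and now >= parse_gt(entry["pwdEndTime"]):
        return True
    max_idle = _secs(policy, "pwdMaxIdle")
    last = entry.get("pwdLastSuccess") or entry.get("pwdChangedTime")
    if max_idle and last and now >= parse_gt(last) + timedelta(seconds=max_idle):
        return True
    if locked_at:
        duration = _secs(policy, "pwdLockoutDuration")
        # Assumption: duration 0 keeps the lock until an administrator resets it.
        if duration == 0 or now < parse_gt(locked_at) + timedelta(seconds=duration):
            return True
    return False

def time_before_expiration(entry: dict, policy: dict, now: datetime) -> int:
    """Section 7.5: seconds left once inside the warning window, else 0."""
    warn, max_age = _secs(policy, "pwdExpireWarning"), _secs(policy, "pwdMaxAge")
    if not warn or not max_age or "pwdChangedTime" not in entry:
        return 0  # no pwdChangedTime: the password never expires (Section 5.3.2)
    age = (now - parse_gt(entry["pwdChangedTime"])).total_seconds()
    if age > max_age or age < max_age - warn:
        return 0
    return int(max_age - age)

def live_failures(entry: dict, policy: dict, now: datetime) -> int:
    """Purge pwdFailureTime values older than pwdFailureCountInterval and return
    how many remain (shared by Sections 7.6 and 7.7). Interval 0 keeps all."""
    interval = _secs(policy, "pwdFailureCountInterval")
    kept = [t for t in entry.get("pwdFailureTime", [])
            if not interval or now - parse_gt(t) < timedelta(seconds=interval)]
    entry["pwdFailureTime"] = kept
    return len(kept)

def intruder_detected(entry: dict, policy: dict, now: datetime) -> bool:
    """Section 7.6 intruder lockout check."""
    if not policy.get("pwdLockout", False):
        return False
    limit = _secs(policy, "pwdMaxFailure")
    return limit > 0 and live_failures(entry, policy, now) >= limit

def intruder_delay(entry: dict, policy: dict, now: datetime) -> int:
    """Section 7.7 with the Section 5.2.19 schedule: the first live failure
    waits pwdMinDelay, each further failure doubles it, capped at pwdMaxDelay."""
    min_delay = _secs(policy, "pwdMinDelay")
    if min_delay == 0:
        return 0
    max_delay = _secs(policy, "pwdMaxDelay") or min_delay  # assumption if unset
    failures = live_failures(entry, policy, now)
    if failures == 0:
        return 0
    delay = min_delay
    for _ in range(failures - 1):
        delay *= 2
        if delay >= max_delay:
            return max_delay
    return min(delay, max_delay)


if __name__ == "__main__":
    # Constructed sample state: a 45-day-old password and four recent failures.
    now = parse_gt("20220215120000Z")
    policy = {"pwdMaxAge": 5184000, "pwdExpireWarning": 1728000, "pwdLockout": True,
              "pwdMaxFailure": 3, "pwdFailureCountInterval": 600,
              "pwdMinDelay": 1, "pwdMaxDelay": 8}
    entry = {"pwdChangedTime": "20220101120000Z",
             "pwdFailureTime": ["20220215114500Z", "20220215115800Z",
                                "20220215115900Z", "20220215115959.5Z"]}
    print("locked:", is_locked(entry, policy, now))
    print("seconds before expiration:", time_before_expiration(entry, policy, now))
    print("intruder:", intruder_detected(entry, policy, now),
          "delay:", intruder_delay(entry, policy, now), "s")
```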
The scenarios in the following operations assume that the client has attached a passwordPolicyRequest control to the request message of the operation. In the event that the passwordPolicyRequest control was not sent, no passwordPolicyResponse control is returned. All other instructions remain the same.

For successfully completed operations, unless otherwise stated, no passwordPolicyResponse control is returned.

8.1. Password-based Authentication

This section contains the policy enforcement rules and policy data updates used while validating a password. Operations that validate passwords include, but are not limited to, the Bind operation where the simple choice specifies a password, and the Compare operation where the attribute being compared holds a password. Note that while the Compare operation does not authenticate a user to the LDAP server, it may be used by an external application for purposes of authentication.

8.1.1. Fail if the account is locked

If the account is locked as specified in Section 7.1, the server fails the operation with an appropriate resultCode (i.e. invalidCredentials (49) in the case of a bind operation, compareFalse (5) in the case of a compare operation, etc.). The server MAY set the error: accountLocked (1) in the passwordPolicyResponse in the controls field of the message.

8.1.2. Validated Password Procedures

If the validation operation indicates that the password validated, these procedures are followed in order:

8.1.2.1. Policy state updates

Delete the pwdFailureTime and pwdAccountLockedTime attributes.

Set the value of the pwdLastSuccess attribute to the current time.

Note: setting pwdLastSuccess is optional, but it is required if the policy has pwdMaxIdle defined.

8.1.2.2. Password must be changed now

If the decision in Section 7.2 returns true, the server sends to the client a response with an appropriate successful resultCode (i.e. success (0), compareTrue (6), etc.), and includes the passwordPolicyResponse in the controls field of the bindResponse message with the warning: changeAfterReset specified.

For bind, the server MUST then disallow all operations issued by this user except modify password, bind, unbind, abandon and the StartTLS extended operation.

8.1.2.3. Expired password

If the password has expired as per Section 7.3, the server either returns a success or failure based on the state of grace authentications.

8.1.2.3.1. Remaining Grace Authentications

If there are remaining grace authentications as per Section 7.4, the server adds a new value with the current time in pwdGraceUseTime. Then it sends to the client a response with an appropriate successful resultCode (i.e. success (0), compareTrue (6), etc.), and includes the passwordPolicyResponse in the controls field of the response message with the warning: graceAuthNsRemaining choice set to the number of grace authentications left.

Implementor's note: The system time of the host machine may be more granular than is needed to ensure unique values of this attribute. It is recommended that a mechanism is used to ensure unique generalized time values. The fractional seconds field may be used for this purpose.

8.1.2.3.2. No Remaining Grace Authentications

If there are no remaining grace authentications, the server fails the operation with an appropriate resultCode (invalidCredentials (49), compareFalse (5), etc.), and includes the passwordPolicyResponse in the controls field of the bindResponse message with the error: passwordExpired (0) set.

8.1.2.4. Expiration Warning

If the result of Section 7.5 is a positive number, the server sends to the client a response with an appropriate successful resultCode (i.e. success (0), compareTrue (6), etc.), and includes the passwordPolicyResponse in the controls field of the bindResponse message with the warning: timeBeforeExpiration set to the value as described above. Otherwise, the server sends a successful response, and omits the passwordPolicyResponse.

8.1.3. AuthN Failed Procedures

If the authentication process indicates that the password failed validation due to invalid credentials, these procedures are followed:

8.1.3.1. Policy state update

Add the current time as a value of the pwdFailureTime attribute.

Implementor's note: The system time of the host machine may be more granular than is needed to ensure unique values of this attribute. It is recommended that a mechanism is used to ensure unique generalized time values. The fractional seconds field may be used for this purpose.

8.1.3.2. Handle Intruder Detection

If the check in Section 7.6 returns a true state, the server locks the account by setting the value of the pwdAccountLockedTime attribute to the current time. After locking the account, the server fails the operation with an appropriate resultCode (invalidCredentials (49), compareFalse (5), etc.), and includes the passwordPolicyResponse in the controls field of the message with the error: accountLocked (1).

If the check in Section 7.7 returns a non-zero value, the server waits that number of seconds before sending the authentication response back to the client.

8.2. Password Update Operations

Because the password is stored in an attribute, various operations (like add and modify) may be used to create or update a password. But some alternate mechanisms have been defined or may be defined, such as the LDAP Password Modify Extended Operation [RFC3062].

While processing a password update, the server performs the following steps:

8.2.1. Safe Modification

If pwdSafeModify is set to TRUE and if there is an existing password value, the server ensures that the password update operation includes the user's existing password.

When the LDAP modify operation is used to modify a password, this is done by specifying both a delete action and an add or replace action, where the delete action specifies the existing password, and the add or replace action specifies the new password. Other password update operations SHOULD employ a similar mechanism. Otherwise this policy will fail.

If the existing password is not specified, the server does not process the operation and sends the appropriate response message to the client with the resultCode: insufficientAccessRights (50), and includes the passwordPolicyResponse in the controls field of the response message with the error: mustSupplyOldPassword (4).

8.2.2. Change After Reset

If the decision in Section 7.2 returns true, the server ensures that the password update operation contains no modifications other than the modification of the password attribute. If other modifications exist, the server sends a response message to the client with the resultCode: insufficientAccessRights (50), and includes the passwordPolicyResponse in the controls field of the response message with the error: changeAfterReset (2).

8.2.3. Rights Check

Check to see whether the bound identity has sufficient rights to update the password. If the bound identity is a user changing its own password, this MAY be done by checking the pwdAllowUserChange attribute or using an access control mechanism. The determination of this is implementation specific. If the user is not allowed to update her password, the server sends a response message to the client with the resultCode: insufficientAccessRights (50), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordModNotAllowed (3).

8.2.4. Too Early to Update

If the check in Section 7.8 results in a true status, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooYoung (7).

8.2.5. Password Quality

Check the value of the pwdCheckQuality attribute. If the value is non-zero, the server:

* ensures that the password meets the quality criteria enforced by the server. This enforcement is implementation specific. If the server is unable to check the quality (due to a hashed password or otherwise), the value of pwdCheckQuality is evaluated. If the value is 1, operation continues. If the value is 2, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: insufficientPasswordQuality (5).

  If the server is able to check the password quality, and the check fails, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: insufficientPasswordQuality (5).

* checks the value of the pwdMinLength attribute. If the value is non-zero, it ensures that the new password is of at least the minimum length.

  If the server is unable to check the length (due to a hashed password or otherwise), the value of pwdCheckQuality is evaluated. If the value is 1, operation continues. If the value is 2, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooShort (6).

  If the server is able to check the password length, and the check fails, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooShort (6).

* checks the value of the pwdMaxLength attribute. If the value is non-zero, it ensures that the new password is of at most the maximum length.

  If the server is unable to check the length (due to a hashed password or otherwise), the value of pwdCheckQuality is evaluated. If the value is 1, operation continues. If the value is 2, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooLong (9).

  If the server is able to check the password length, and the check fails, the server sends a response message to the client with the resultCode: constraintViolation (19), and includes the passwordPolicyResponse in the controls field of the response message with the error: passwordTooLong (9).

8.2.6. Invalid Reuse

If pwdInHistory is present and its value is non-zero, the server checks whether this password exists in the entry's pwdHistory attribute or in the current password attribute.
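The pwdHistory value format of Section 5.3.5 and the reuse check above, as an added example that is neither the draft's text nor any server's code. The length field is what makes the format parseable when the stored data itself contains "#". The draft does not fix how stored passwords are compared; this example assumes RFC 2307 {SSHA}/{SHA} userPassword values or cleartext, and it also shows the pwdHistory trimming of Section 8.2.7.

```python
"""pwdHistory parsing (5.3.5), reuse check (8.2.6), trimming (8.2.7); added example."""
import base64
import hashlib
import hmac
from dataclasses import dataclass

OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"  # syntax OID of userPassword


@dataclass(frozen=True)
class HistoryEntry:
    time: str         # GeneralizedTime, GMT form
    syntax_oid: str   # numericoid of the syntax the password was stored in
    data: bytes       # the stored value, exactly `length` octets


def parse_history_value(raw: bytes) -> HistoryEntry:
    """time "#" syntaxOID "#" length "#" data. Only the first three '#' split
    fields; data is taken whole and must be exactly `length` octets long."""
    parts = raw.split(b"#", 3)
    if len(parts) != 4:
        raise ValueError("expected three '#' separators")
    time, oid, length, data = parts
    time, oid = time.decode("ascii"), oid.decode("ascii")
    if not time.endswith("Z"):
        raise ValueError("time field MUST be in GMT format")
    if not oid or not all(p.isdigit() for p in oid.split(".")):
        raise ValueError("syntaxOID is not a numericoid")
    n = int(length.decode("ascii"))
    if n != len(data):
        raise ValueError(f"length says {n} octets but data has {len(data)}")
    return HistoryEntry(time, oid, data)

def format_history_value(entry: HistoryEntry) -> bytes:
    return b"#".join([entry.time.encode("ascii"), entry.syntax_oid.encode("ascii"),
                      str(len(entry.data)).encode("ascii"), entry.data])

def ssha(password: bytes, salt: bytes) -> bytes:
    """Build an RFC 2307 {SSHA} value; used here to construct sample data."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def password_matches(candidate: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored value."""
    if stored.startswith(b"{SSHA}"):
        blob = base64.b64decode(stored[6:])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith(b"{SHA}"):
        return hmac.compare_digest(hashlib.sha1(candidate).digest(),
                                   base64.b64decode(stored[5:]))
    return hmac.compare_digest(candidate, stored)  # cleartext storage

def password_in_history(candidate: bytes, current_password: bytes,
                        history_values) -> bool:
    """Section 8.2.6: True if the candidate equals the current password or any
    pwdHistory value. Malformed history values raise rather than being skipped."""
    if password_matches(candidate, current_password):
        return True
    for raw in history_values:
        entry = parse_history_value(raw)
        if entry.syntax_oid != OCTET_STRING:
            continue  # stored under a syntax this example cannot compare
        if password_matches(candidate, entry.data):
            return True
    return False

def trim_history(history_values, pwd_in_history: int):
    """Section 8.2.7: keep only the newest pwdInHistory values. Ordering by
    the time string assumes the uniform 'YYYYMMDDHHMMSSZ' form."""
    entries = sorted((parse_history_value(v) for v in history_values),
                     key=lambda e: e.time)
    if pwd_in_history <= 0:
        return []
    return [format_history_value(e) for e in entries[-pwd_in_history:]]
```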
If the password does 1367 exist in the pwdHistory attribute or in the current password 1368 attribute, the server sends a response message to the client with the 1369 resultCode: constraintViolation (19), and includes the 1370 passwordPolicyResponse in the controls field of the response message 1371 with the error: passwordInHistory (8). 1373 8.2.7. Policy State Updates 1375 If the steps have completed without causing an error condition, the 1376 server performs the following steps in order to update the necessary 1377 password policy state attributes: 1379 If the value of either pwdMaxAge or pwdMinAge is non-zero and the 1380 change does not include a pwdChangedTime update already, the server 1381 updates the pwdChangedTime attribute on the entry to the current 1382 time. 1384 If the value of pwdInHistory is non-zero, the server adds the 1385 previous password (if one existed) to the pwdHistory attribute. If 1386 the number of attributes held in the pwdHistory attribute exceeds the 1387 value of pwdInHistory, the server removes the oldest excess 1388 passwords. 1390 If the value the pwdMustChange is TRUE and the modification is 1391 performed by a password administrator, then the pwdReset attribute is 1392 set to TRUE. Otherwise, the pwdReset is removed from the user's 1393 entry if it exists. 1395 The pwdFailureTime, pwdGraceUseTime, pwdLastSuccess attributes are 1396 removed from the user's entry if they exist. 1398 8.3. Other Operations 1400 For operations other than bind, password update, unbind, abandon or 1401 StartTLS, if the decision in Section 7.2 returns true, the server 1402 sends a response message to the client with the resultCode: 1403 insufficientAccessRights (50), and includes the 1404 passwordPolicyResponse in the controls field of the response message 1405 with the error: changeAfterReset (2). 1407 9. 
Client Policy Enforcement Points 1409 These sections illustrate possible scenarios for each LDAP operation 1410 and define the types of responses that identify those scenarios. 1412 The scenarios in the following operations assume that the client 1413 attached a passwordPolicyRequest control to the request message of 1414 the operation, and thus may receive a passwordPolicyResponse control 1415 in the response message. In the event that the passwordPolicyRequest 1416 control was not sent, no passwordPolicyResponse control is returned. 1417 All other instructions remain the same. 1419 9.1. Bind Operation 1421 For every bind response received, the client checks the resultCode of 1422 the bindResponse and checks for a passwordPolicyResponse control to 1423 determine if any of the following conditions are true and MAY prompt 1424 the user accordingly. 1426 * bindResponse.resultCode = insufficientAccessRights (50), 1427 passwordPolicyResponse.error = accountLocked (1): The password 1428 failure limit has been reached and the account is locked. The 1429 user needs to retry later or contact the password administrator to 1430 reset the password. 1432 * bindResponse.resultCode = success (0), 1433 passwordPolicyResponse.error = changeAfterReset (2): The user is 1434 binding for the first time after the password administrator set 1435 the password. In this scenario, the client SHOULD prompt the user 1436 to change his password immediately. 1438 * bindResponse.resultCode = success (0), 1439 passwordPolicyResponse.warning = graceAuthNsRemaining: The 1440 password has expired but there are remaining grace 1441 authentications. The user needs to change it. 1443 * bindResponse.resultCode = invalidCredentials (49), 1444 passwordPolicyResponse.error = passwordExpired (0): The password 1445 has expired and there are no more grace authentications. The user 1446 contacts the password administrator in order to have its password 1447 reset. 
1449 * bindResponse.resultCode = success (0), 1450 passwordPolicyResponse.warning = timeBeforeExpiration: The user's 1451 password will expire in n number of seconds. 1453 9.2. Modify Operations 1455 9.2.1. Modify Request 1457 If the application or client encrypts the password prior to sending 1458 it in a password modification operation (whether done through 1459 modifyRequest or another password modification mechanism), it SHOULD 1460 check the values of the pwdMinLength, and pwdCheckQuality attributes 1461 and SHOULD enforce these policies. 1463 9.2.2. Modify Response 1465 If the modifyRequest operation was used to change the password, or if 1466 another mechanism is used --such as an extendedRequest-- the 1467 modifyResponse or other appropriate response MAY contain information 1468 pertinent to password policy. The client checks the resultCode of 1469 the response and checks for a passwordPolicyResponse control to 1470 determine if any of the following conditions are true and optionally 1471 notify the user of the condition. 1473 * pwdModResponse.resultCode = insufficientAccessRights (50), 1474 passwordPolicyResponse.error = mustSupplyOldPassword (4): The user 1475 attempted to change her password without specifying the old 1476 password but the password policy requires this. 1478 * pwdModResponse.resultCode = insufficientAccessRights (50), 1479 passwordPolicyResponse.error = changeAfterReset (2): The user must 1480 change her password before submitting any other LDAP requests. 1482 * pwdModResponse.resultCode = insufficientAccessRights (50), 1483 passwordPolicyResponse.error = passwordModNotAllowed (3): The user 1484 doesn't have sufficient rights to change his password. 1486 * pwdModResponse.resultCode = constraintViolation (19), 1487 passwordPolicyResponse.error = passwordTooYoung (7): It is too 1488 soon after the last password modification to change the password. 
1490 * pwdModResponse.resultCode = constraintViolation (19), 1491 passwordPolicyResponse.error = insufficientPasswordQuality (5): 1492 The password failed quality checking. 1494 * pwdModResponse.resultCode = constraintViolation (19), 1495 passwordPolicyResponse.error = passwordTooShort (6): The length of 1496 the password is too short. 1498 * pwdModResponse.resultCode = constraintViolation (19), 1499 passwordPolicyResponse.error = passwordInHistory (8): The password 1500 has already been used; the user must choose a different one. 1502 * pwdModResponse.resultCode = constraintViolation (19), 1503 passwordPolicyResponse.error = passwordTooLong (9): The length of 1504 the password is too long. 1506 9.3. Add Operation 1508 If a password is specified in an addRequest, the client checks the 1509 resultCode of the addResponse and checks for a passwordPolicyResponse 1510 control to determine if any of the following conditions are true and 1511 may prompt the user accordingly. 1513 * addResponse.resultCode = insufficientAccessRights (50), 1514 passwordPolicyResponse.error = passwordModNotAllowed (3): The user 1515 doesn't have sufficient rights to add this password. 1517 * addResponse.resultCode = constraintViolation (19), 1518 passwordPolicyResponse.error = insufficientPasswordQuality (5): 1519 The password failed quality checking. 1521 * addResponse.resultCode = constraintViolation (19), 1522 passwordPolicyResponse.error = passwordTooShort (6): The length of 1523 the password is too short. 1525 * addResponse.resultCode = constraintViolation (19), 1526 passwordPolicyResponse.error = passwordTooLong (9): The length of 1527 the password is too long. 1529 9.4. Compare Operation 1531 When a compare operation is used to compare a password, the client 1532 checks the resultCode of the compareResponse and checks for a 1533 passwordPolicyResponse to determine if any of the following 1534 conditions are true and MAY prompt the user accordingly. 
   These conditions assume that the result of the comparison was true.

   *  compareResponse.resultCode = compareFalse (5),
      passwordPolicyResponse.error = accountLocked (1): The password
      failure limit has been reached and the account is locked.  The
      user needs to retry later or contact the password administrator to
      reset the password.

   *  compareResponse.resultCode = compareTrue (6),
      passwordPolicyResponse.warning = graceAuthNsRemaining: The
      password has expired but there are remaining grace
      authentications.  The user needs to change it.

   *  compareResponse.resultCode = compareFalse (5),
      passwordPolicyResponse.error = passwordExpired (0): The password
      has expired and there are no more grace authentications.  The user
      must contact the password administrator to reset the password.

   *  compareResponse.resultCode = compareTrue (6),
      passwordPolicyResponse.warning = timeBeforeExpiration: The user's
      password will expire in n number of seconds.

9.5.  Other Operations

   For operations other than bind, unbind, abandon or StartTLS, the
   client checks the result code and control to determine if the user
   needs to change the password immediately.

   *  .resultCode = insufficientAccessRights (50),
      passwordPolicyResponse.error = changeAfterReset (2): The user
      needs to change the password immediately.

10.  Administration of the Password Policy

   {TODO: Need to define an administrativeRole (need OID).  Need to
   describe whether pwdPolicy admin areas can overlap}

   A password policy is defined for a particular subtree of the DIT by
   adding the pwdPolicy auxiliary object class to an LDAP subentry whose
   immediate superior is the root of the subtree.  The scope of the
   password policy is defined by the SubtreeSpecification attribute of
   the LDAP subentry as specified in [RFC3672].
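   The client-side checks of sections 9.2 to 9.5 above, worked through as
   an added Python example that is not part of the draft or of any LDAP
   implementation it describes: a decoder for the passwordPolicyResponse
   control value followed by a lookup of the (operation, resultCode,
   error/warning) rows listed in those sections.  It assumes the BER
   layout and implicit tagging of the control as defined earlier in the
   draft (warning wrapped in constructed tag 0xA0, error in primitive tag
   0x81); the operation family names and the byte strings used in the
   comments are constructed for the example.

```python
from typing import Optional, Tuple

# PasswordPolicyResponseValue.error values from the draft's control definition.
PP_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
             3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
             5: "insufficientPasswordQuality", 6: "passwordTooShort",
             7: "passwordTooYoung", 8: "passwordInHistory", 9: "passwordTooLong"}
COMPARE_FALSE, COMPARE_TRUE, CONSTRAINT_VIOLATION, INSUFFICIENT_ACCESS = 5, 6, 19, 50

# The rows of sections 9.2 - 9.5: error/warning names a client acts on for a
# given (operation family, resultCode).  Any other pairing is not a condition.
RULES = {
    ("modify", INSUFFICIENT_ACCESS): {"mustSupplyOldPassword", "changeAfterReset", "passwordModNotAllowed"},
    ("modify", CONSTRAINT_VIOLATION): {"passwordTooYoung", "insufficientPasswordQuality",
                                       "passwordTooShort", "passwordInHistory", "passwordTooLong"},
    ("add", INSUFFICIENT_ACCESS): {"passwordModNotAllowed"},
    ("add", CONSTRAINT_VIOLATION): {"insufficientPasswordQuality", "passwordTooShort", "passwordTooLong"},
    ("compare", COMPARE_FALSE): {"accountLocked", "passwordExpired"},
    ("compare", COMPARE_TRUE): {"graceAuthNsRemaining", "timeBeforeExpiration"},
    ("other", INSUFFICIENT_ACCESS): {"changeAfterReset"},
}

def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV (short-form length only; the control is a few bytes)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("unsupported length or truncated control value")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_ppolicy_response(value: bytes) -> dict:
    """Decode SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
    graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }.
    With implicit tags the CHOICE wrapper is constructed 0xA0 and error is 0x81."""
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("control value is not a SEQUENCE")
    out, pos = {"warning": None, "error": None}, 0
    while pos < len(seq):
        tag, content, pos = _tlv(seq, pos)
        if tag == 0xA0:  # warning: the chosen alternative sits inside
            inner_tag, inner, _ = _tlv(content, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[inner_tag]
            out["warning"] = (name, int.from_bytes(inner, "big"))
        elif tag == 0x81:  # error: ENUMERATED
            out["error"] = PP_ERRORS[int.from_bytes(content, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in control value")
    return out

def interpret(op: str, result_code: int, control_value: bytes) -> Optional[str]:
    """Name the section 9 condition (warnings carry their value) when the
    resultCode and control match a listed row, otherwise None.
    Constructed sample: bytes.fromhex("3003810106") is error passwordTooShort."""
    pp = decode_ppolicy_response(control_value)
    allowed = RULES.get((op, result_code), set())
    if pp["error"] in allowed:
        return pp["error"]
    if pp["warning"] and pp["warning"][0] in allowed:
        return f"{pp['warning'][0]}={pp['warning'][1]}"
    return None
```

   A response that carries no passwordPolicyResponse control has no
   condition to report, so the caller skips interpret() in that case.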
   It is possible to define password policies for different password
   attributes within the same pwdPolicy entry by specifying multiple
   values of pwdAttribute.  Password policies could also be placed in
   separate subentries, as long as they are contained under the same
   LDAP subentry.

   Only one policy may be in effect for a given password attribute in
   any entry.  If multiple policies exist which overlap in the range of
   entries affected, the resulting behavior is undefined.

   Modifying the password policy MUST NOT result in any change in users'
   entries to which the policy applies.

   It SHOULD be possible to overwrite the password policy for one user
   by defining a new policy in a subentry of the user entry.

   Each object that is controlled by password policy advertises the
   subentry that is being used to control its policy in its
   pwdPolicySubentry attribute.  Clients wishing to examine or manage
   password policy for an object may interrogate the pwdPolicySubentry
   for that object in order to arrive at the proper pwdPolicy subentry.

11.  Password Policy and Replication

   {TODO: This section needs to be changed to highlight the pitfalls of
   replication, suggest some implementation choices to overcome those
   pitfalls, but remove prescriptive language relating to the update of
   state information}

   The pwdPolicy object defines the password policy for a portion of the
   DIT and MUST be replicated on all the replicas of this subtree, as
   any subentry would be, in order to have a consistent policy among all
   replicated servers.

   The elements of the password policy that are related to the users are
   stored in the entries themselves as operational attributes.  As these
   attributes are subject to modification even on a read-only replica,
   replicating them must be carefully considered.
   The pwdChangedTime attribute MUST be replicated on all replicas, to
   allow expiration of the password.

   The pwdReset attribute MUST be replicated on all replicas, to deny
   access to operations other than bind and modify password.

   The pwdHistory attribute MUST be replicated to writable replicas.  It
   doesn't have to be replicated to a read-only replica, since the
   password will never be directly modified on this server.

   The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
   pwdLastSuccess attributes SHOULD be replicated to writable replicas,
   making the password policy global for all servers.  When the user
   entry is replicated to a read-only replica, these attributes SHOULD
   NOT be replicated.  This means that the counting of failures and of
   grace authentications, and the locking, will take place on each
   replicated server.  For example, the effective number of failed
   attempts on a user password will be N x M (where N is the number of
   servers and M the value of the pwdMaxFailure attribute).  Replicating
   these attributes to a read-only replica MAY reduce the number of
   tries globally but MAY also introduce some inconsistencies in the way
   the password policy is applied.

   Note: there are some situations where global replication of these
   state attributes may not be desired.  For example, if two clusters of
   replicas are geographically remote and joined by a slow network link,
   and their users only log in from one of the two locations, it may be
   unnecessary to propagate all of the state changes from one cluster to
   the other.  Servers SHOULD allow administrators to control which
   attributes are replicated on a case-by-case basis.

   Servers participating in a loosely consistent multi-master
   replication agreement SHOULD employ a mechanism which ensures
   uniqueness of values when populating the attributes pwdFailureTime
   and pwdGraceUseTime.
   The method of achieving this is a local matter and may consist of
   using a single authoritative source for the generation of unique time
   values, or may consist of the use of the fractional seconds part to
   hold a replica identifier.

12.  Security Considerations

   This document defines a set of rules to implement in an LDAP server,
   in order to mitigate some of the security risks associated with the
   use of passwords and to make it difficult for password cracking
   programs to break into directories.

   Authentication with a password MUST follow the recommendations made
   in [RFC4513].

   Modifications of passwords SHOULD only occur when the connection is
   protected with confidentiality and secure authentication.

   Access controls SHOULD be used to restrict access to the password
   policy attributes.  The attributes defined to maintain the password
   policy state information SHOULD only be modifiable by the password
   administrator or higher authority.  The pwdHistory attribute MUST be
   subject to the same level of access control as the attribute holding
   the password.

   As it is possible to define a password policy for one specific user
   by adding a subentry immediately under the user's entry, access
   controls SHOULD be used to restrict the use of the pwdPolicy object
   class or the LDAP subentry object class.

   When the intruder detection password policy is enforced, the LDAP
   directory is subject to a denial of service attack.  A malicious user
   could deliberately lock out one specific user's account (or all of
   them) by sending bind requests with wrong passwords.  There is no way
   to protect against this kind of attack.  The LDAP directory server
   SHOULD log as much information as it can (such as the client IP
   address) whenever an account is locked, in order to be able to
   identify the origin of the attack.
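   The server-side bookkeeping behind the lockout discussion in this
   section, as an added Python example that is not part of the draft or
   of any directory server: it keeps the pwdFailureTime and
   pwdAccountLockedTime state per entry, logs the client address when an
   entry is locked, and reports the same accountLocked status for a
   client address that has exceeded its own failure threshold as for a
   locked entry, so the response does not tell a caller which check
   fired.  pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration
   are the draft's policy attributes (0 meaning locked until reset);
   sourceMaxFailure, the logger name and the DNs and addresses in the
   comments are assumptions made for the example.

```python
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Optional

log = logging.getLogger("ppolicy")  # assumed logger name

@dataclass
class Policy:
    pwdMaxFailure: int = 3               # failures before the entry is locked
    pwdFailureCountInterval: int = 300   # seconds after which old failures are purged
    pwdLockoutDuration: int = 600        # seconds locked; 0 = until an administrator resets
    sourceMaxFailure: int = 10           # assumed per-client-address threshold (not a draft attribute)

@dataclass
class AccountState:
    """The per-entry state attributes the draft keeps for intruder detection."""
    pwdFailureTime: List[float] = field(default_factory=list)
    pwdAccountLockedTime: Optional[float] = None

class IntruderDetector:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.source_failures: Dict[str, List[float]] = {}  # failures per client address

    def _recent(self, times: List[float], now: float) -> List[float]:
        """Keep only failures younger than pwdFailureCountInterval."""
        return [t for t in times if t > now - self.policy.pwdFailureCountInterval]

    def record_failure(self, dn: str, source: str, now: float) -> Optional[str]:
        """Bookkeeping after a bind with a wrong password; returns the
        passwordPolicyResponse.error name to send, or None."""
        acct = self.accounts.setdefault(dn, AccountState())
        acct.pwdFailureTime = self._recent(acct.pwdFailureTime, now) + [now]
        src = self.source_failures.setdefault(source, [])
        src[:] = self._recent(src, now) + [now]
        if (acct.pwdAccountLockedTime is None
                and len(acct.pwdFailureTime) >= self.policy.pwdMaxFailure):
            acct.pwdAccountLockedTime = now
            # Log as much as possible about the lockout, including the client address.
            log.warning("account %s locked after %d failures; last failure from %s",
                        dn, len(acct.pwdFailureTime), source)
        return self.error_for(dn, source, now)

    def error_for(self, dn: str, source: str, now: float) -> Optional[str]:
        """accountLocked is reported both for a locked entry and for a client
        address over its own threshold, so the answer does not reveal which
        check fired.  Example: three failures for uid=alice,dc=example,dc=com
        from 192.0.2.10 (constructed values) lock that entry."""
        acct = self.accounts.get(dn, AccountState())
        locked_at, duration = acct.pwdAccountLockedTime, self.policy.pwdLockoutDuration
        if locked_at is not None and (duration == 0 or now < locked_at + duration):
            return "accountLocked"
        src_recent = self._recent(self.source_failures.get(source, []), now)
        if len(src_recent) >= self.policy.sourceMaxFailure:
            return "accountLocked"
        return None
```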
   Denying anonymous access to the LDAP directory is also a way to
   restrict this kind of attack.  Using the login delay instead of the
   lockout mechanism will also help avoid this denial of service.

   Returning certain status codes (such as passwordPolicyResponse.error
   = accountLocked) allows a denial of service attacker to know that it
   has successfully denied service to an account.  Servers SHOULD
   implement additional checks which return the same status when it is
   sensed that some number of failed authentication requests has
   occurred on a single connection or from a client address.  Server
   implementors are encouraged to invent other checks similar to this in
   order to thwart this type of DoS attack.

13.  IANA Considerations

   In accordance with [RFC4520] the following registrations are
   requested.

13.1.  Object Identifiers

   The OIDs used in this specification are derived from iso(1)
   identified-organization(3) dod(6) internet(1) private(4)
   enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8).  These OIDs
   have been in use since at least July 2001, when version 04 of this
   draft was published.  No additional OID assignment is being
   requested.

13.2.  LDAP Protocol Mechanisms

   Registration of the protocol mechanisms specified in this document is
   requested.

   Subject: Request for LDAP Protocol Mechanism Registration

   Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

   Description: Password Policy Request and Response Control

   Person & email address to contact for further information:

      Howard Chu

   Usage: Control

   Specification: (I-D) draft-behera-ldap-password-policy

   Author/Change Controller: IESG

   Comments:

13.3.  LDAP Descriptors

   Registration of the descriptors specified in this document is
   requested.
   Subject: Request for LDAP Descriptor Registration

   Descriptor (short name): see table

   Object Identifier: see table

   Description: see table

   Person & email address to contact for further information:

      Howard Chu

   Specification: (I-D) draft-behera-ldap-password-policy

   Author/Change Controller: IESG

   Comments:

   Name                     Type  OID
   -----------------------  ----  ------------------------------
   pwdPolicy                O     1.3.6.1.4.1.42.2.27.8.2.1
   pwdAttribute             A     1.3.6.1.4.1.42.2.27.8.1.1
   pwdMinAge                A     1.3.6.1.4.1.42.2.27.8.1.2
   pwdMaxAge                A     1.3.6.1.4.1.42.2.27.8.1.3
   pwdInHistory             A     1.3.6.1.4.1.42.2.27.8.1.4
   pwdCheckQuality          A     1.3.6.1.4.1.42.2.27.8.1.5
   pwdMinLength             A     1.3.6.1.4.1.42.2.27.8.1.6
   pwdMaxLength             A     1.3.6.1.4.1.42.2.27.8.1.31
   pwdExpireWarning         A     1.3.6.1.4.1.42.2.27.8.1.7
   pwdGraceAuthNLimit       A     1.3.6.1.4.1.42.2.27.8.1.8
   pwdGraceExpiry           A     1.3.6.1.4.1.42.2.27.8.1.30
   pwdLockout               A     1.3.6.1.4.1.42.2.27.8.1.9
   pwdLockoutDuration       A     1.3.6.1.4.1.42.2.27.8.1.10
   pwdMaxFailure            A     1.3.6.1.4.1.42.2.27.8.1.11
   pwdFailureCountInterval  A     1.3.6.1.4.1.42.2.27.8.1.12
   pwdMustChange            A     1.3.6.1.4.1.42.2.27.8.1.13
   pwdAllowUserChange       A     1.3.6.1.4.1.42.2.27.8.1.14
   pwdSafeModify            A     1.3.6.1.4.1.42.2.27.8.1.15
   pwdMinDelay              A     1.3.6.1.4.1.42.2.27.8.1.24
   pwdMaxDelay              A     1.3.6.1.4.1.42.2.27.8.1.25
   pwdMaxIdle               A     1.3.6.1.4.1.42.2.27.8.1.26
   pwdChangedTime           A     1.3.6.1.4.1.42.2.27.8.1.16
   pwdAccountLockedTime     A     1.3.6.1.4.1.42.2.27.8.1.17
   pwdFailureTime           A     1.3.6.1.4.1.42.2.27.8.1.19
   pwdHistory               A     1.3.6.1.4.1.42.2.27.8.1.20
   pwdGraceUseTime          A     1.3.6.1.4.1.42.2.27.8.1.21
   pwdReset                 A     1.3.6.1.4.1.42.2.27.8.1.22
   pwdPolicySubEntry        A     1.3.6.1.4.1.42.2.27.8.1.23
   pwdStartTime             A     1.3.6.1.4.1.42.2.27.8.1.27
   pwdEndTime               A     1.3.6.1.4.1.42.2.27.8.1.28
   pwdLastSuccess           A     1.3.6.1.4.1.42.2.27.8.1.29

   Legend
   --------------------
   A => Attribute Type
   O => Object Class

13.4.  LDAP AttributeDescription Options

   Registration of the AttributeDescription option specified in this
   document is requested.

   Subject: Request for LDAP Attribute Description Option
   Registration

   Option Name: pwd-
   Family of Options: YES

   Person & email address to contact for further information:

      Howard Chu

   Specification: (I-D) draft-behera-ldap-password-policy

   Author/Change Controller: IESG

   Comments:

      Used with policy state attributes to specify to which password
      attribute the state belongs.

14.  Acknowledgement

   This document is based in part on prior work done by Valerie Chu from
   Netscape Communications Corp, published as
   draft-vchu-ldap-pwd-policy-00.txt (December 1998).  Prasanta Behera
   participated in early revisions of this document.

15.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3062]  Zeilenga, K., "LDAP Password Modify Extended Operation",
              RFC 3062, DOI 10.17487/RFC3062, February 2001.

   [RFC3672]  Zeilenga, K., "Subentries in the Lightweight Directory
              Access Protocol (LDAP)", RFC 3672, DOI 10.17487/RFC3672,
              December 2003.

   [RFC4422]  Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
              Authentication and Security Layer (SASL)", RFC 4422,
              DOI 10.17487/RFC4422, June 2006.

   [RFC4511]  Sermersheim, J., Ed., "Lightweight Directory Access
              Protocol (LDAP): The Protocol", RFC 4511,
              DOI 10.17487/RFC4511, June 2006.

   [RFC4512]  Zeilenga, K., Ed., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512,
              DOI 10.17487/RFC4512, June 2006.
   [RFC4513]  Harrison, R., Ed., "Lightweight Directory Access Protocol
              (LDAP): Authentication Methods and Security Mechanisms",
              RFC 4513, DOI 10.17487/RFC4513, June 2006.

   [RFC4517]  Legg, S., Ed., "Lightweight Directory Access Protocol
              (LDAP): Syntaxes and Matching Rules", RFC 4517,
              DOI 10.17487/RFC4517, June 2006.

   [RFC4520]  Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 4520, DOI 10.17487/RFC4520,
              June 2006.

   [RFC4616]  Zeilenga, K., Ed., "The PLAIN Simple Authentication and
              Security Layer (SASL) Mechanism", RFC 4616,
              DOI 10.17487/RFC4616, August 2006.

   [RFC7677]  Hansen, T., "SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple
              Authentication and Security Layer (SASL) Mechanisms",
              RFC 7677, DOI 10.17487/RFC7677, November 2015.

   [X.680]    International Telecommunications Union, "Abstract Syntax
              Notation One (ASN.1): Specification of basic notation",
              ITU-T Recommendation X.680, July 2002.

   [X.690]    International Telecommunications Union, "Information
              Technology - ASN.1 encoding rules: Specification of Basic
              Encoding Rules (BER), Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER)", ITU-T
              Recommendation X.690, July 2002.

Authors' Addresses

   Jim Sermersheim
   Novell, Inc
   1800 South Novell Place
   Provo, Utah 84606
   United States of America
   Phone: +1 801 861-3088
   Email: jimse@novell.com

   Ludovic Poitou
   Sun Microsystems
   180, Avenue de l'Europe
   38334 Zirst de Montbonnot
   France
   Phone: +33 476 188 212
   Email: ludovic.poitou@sun.com

   Howard Chu (editor)
   Symas Corp.
   18740 Oxnard Street, Suite 313A
   Tarzana, California 91356
   United States of America
   Phone: +1 818 757-7087
   Email: hyc@symas.com

   Ondřej Kuzník (editor)
   Symas Corp.
   Email: okuznik@symas.com