LDAP-EXT Working Group                                       Valerie Chu
INTERNET-DRAFT                              Netscape Communications Corp.
Expires in six months
Intended Category: Informational                           December 1998

                  Password Policy for LDAP Directories

1. Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nic.it (Southern Europe), munnari.oz.au (Pacific Rim),
   ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

2. Abstract

   This document describes the implementation of password policy in
   Netscape LDAP directories, and introduces two new object classes,
   twenty-three new attribute types, and two new controls in support of
   password policy.

   Password policy is a set of rules that control how passwords are used
   in LDAP directories. In order to improve the security of LDAP
   directories and make it difficult for password cracking programs to
   break into directories, it is desirable to enforce a set of rules on
   password usage. These rules ensure that users change their passwords
   periodically, that a new password meets construction requirements,
   that re-use of old passwords is restricted, and that users are locked
   out after a certain number of bad password attempts.

Expires June 1999                                          INTERNET DRAFT

3. Overview

   LDAP-based directory services are now accepted by many organizations
   as the access protocol for directories. The ability to ensure secure
   read and update access to directory information throughout the
   network is essential to successful deployment. Several security
   mechanisms are used in the Netscape LDAP implementation to protect
   the directory data: access control prevents unauthorized access to
   information stored in directories, and SASL is used to negotiate
   integrity and privacy services [RFC-2251]. The most fundamental
   security mechanism in Netscape Directory is simple authentication
   using a password. In many systems, simple password-based
   authentication is used in conjunction with a set of password
   restrictions that control how passwords are used in the system.
   For example, the passwd program in UNIX systems, or the user account
   policy in Windows NT, has a set of rules that users need to follow to
   use password authentication. At the moment, LDAP does not define a
   password policy model, but one is needed to achieve greater security
   protection, and it is critical to the successful deployment of LDAP
   directories.

   Specifically, the password policy defines:

   - The maximum length of time that a given password is valid.

   - The minimum length of time required between password changes.

   - The maximum length of time before a user's password is due to
     expire that the user will be sent a warning message.

   - Whether users can reuse passwords.

   - The minimum number of characters a password must contain.

   - Whether the password syntax is checked before a new password is
     saved.

   - Whether users are allowed to change their own passwords.

   - Whether passwords must be changed after they are reset by the
     administrator.

   - Whether users will be locked out of the directory after a given
     number of failed bind attempts.

   - How long users will be locked out of the directory after a given
     number of failed bind attempts.

   - The length of time before the password failure counter, which
     keeps track of the number of failed password attempts, is reset.

   The password policy defined in this document applies to the LDAP
   simple authentication method [RFC-2251] and userPassword attribute
   values only.

   In this document, the term "user" represents any application which is
   an LDAP client using the directory to retrieve or store information.

   Directory administrators are not forced to comply with any of the
   password policies.

4. New Attribute Types and Object Classes

4.1. The passwordPolicy Object Class

   The passwordPolicy object class holds the password policy settings
   for a set of user accounts.
   In the Netscape Directory implementation, they are located in the
   "cn=config" entry.

   The description of the passwordPolicy object class:

   ( 2.16.840.1.113730.3.2.13
     NAME 'passwordPolicy'
     AUXILIARY
     SUP top
     DESC 'Password Policy object class to hold password policy information'
     MAY (
       passwordMaxAge $ passwordExp $ passwordMinLength $
       passwordKeepHistory $ passwordInHistory $ passwordChange $
       passwordCheckSyntax $ passwordWarning $ passwordLockout $
       passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $
       passwordMustChange $ passwordStorageScheme $ passwordMinAge $
       passwordResetFailureCount
     )
   )

4.2. The new attribute types used in the passwordPolicy Object Class:

   ( 2.16.840.1.113730.3.1.97
     NAME 'passwordMaxAge'
     DESC 'the number of seconds after which user passwords will expire'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.98
     NAME 'passwordExp'
     DESC 'a flag which indicates whether passwords will expire after a
       given number of seconds'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.99
     NAME 'passwordMinLength'
     DESC 'the minimum number of characters that must be used in a password'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.100
     NAME 'passwordKeepHistory'
     DESC 'a flag which indicates whether passwords can be reused'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.101
     NAME 'passwordInHistory'
     DESC 'the number of passwords the directory server stores in history'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.102
     NAME 'passwordChange'
     DESC 'a flag which indicates whether users can change their passwords'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.103
     NAME 'passwordCheckSyntax'
     DESC 'a flag which indicates whether the password syntax will be checked
       before the password is saved'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.104
     NAME 'passwordWarning'
     DESC 'the number of seconds before a user's password is due to expire that
       the user will be sent a warning message'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.105
     NAME 'passwordLockout'
     DESC 'a flag which indicates whether users will be locked out of the
       directory after a given number of consecutive failed bind attempts'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.106
     NAME 'passwordMaxFailure'
     DESC 'the number of consecutive failed bind attempts after which a user
       will be locked out of the directory'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.108
     NAME 'passwordUnlock'
     DESC 'a flag which indicates whether a user will be locked out of the
       directory for a given number of seconds or until the administrator
       resets the password after an account lockout'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.109
     NAME 'passwordLockoutDuration'
     DESC 'the number of seconds that users will be locked out of the directory
       after an account lockout'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.220
     NAME 'passwordMustChange'
     DESC 'a flag which indicates whether users must change their passwords when
       they first bind to the directory server'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX
       '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.221
     NAME 'passwordStorageScheme'
     DESC 'the type of hash algorithm used to store directory server passwords'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )

   The description of password storage schemes can be found in
   [RFC-2307].

   ( 2.16.840.1.113730.3.1.222
     NAME 'passwordMinAge'
     DESC 'the number of seconds that must elapse before a user can change their
       password again'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.223
     NAME 'passwordResetFailureCount'
     DESC 'the number of seconds after which the password failure counter will
       be reset'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )

   Currently, in the Netscape Directory password policy implementation,
   the passwordMaxAge, passwordMinLength, passwordInHistory,
   passwordWarning, passwordMaxFailure, passwordLockoutDuration,
   passwordMinAge, and passwordResetFailureCount attributes are defined
   with syntax 1.3.6.1.4.1.1466.115.121.1.15 ('Directory String'). It is
   recommended to change them to 1.3.6.1.4.1.1466.115.121.1.27
   ('Integer') in a future implementation.

   The attributes which are used as flags have the syntax
   '1.3.6.1.4.1.1466.115.121.1.15' ('Directory String'). A value of '1'
   represents 'true', while '0' represents 'false'. It is recommended to
   change them to 1.3.6.1.4.1.1466.115.121.1.7 ('Boolean') in a future
   implementation.

4.3. The passwordObject Object Class

   The passwordObject object class holds the password policy state
   information for each user, for example how many consecutive bad
   password attempts a user has made. The information is located in each
   user entry.
   The description of the passwordObject object class:

   ( 2.16.840.1.113730.3.2.12
     NAME 'passwordObject'
     AUXILIARY
     SUP top
     DESC 'Password object class to hold password policy information for each
       entry'
     MAY (
       passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $
       retryCountResetTime $ accountUnlockTime $ passwordHistory $
       passwordAllowChangeTime
     )
   )

4.4. The new attribute types used in the passwordObject Object Class:

   ( 2.16.840.1.113730.3.1.91
     NAME 'passwordExpirationTime'
     DESC 'the time the entry's password expires'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.92
     NAME 'passwordExpWarned'
     DESC 'a flag which indicates whether a password expiration warning is sent
       to the client'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.93
     NAME 'passwordRetryCount'
     DESC 'the count of consecutive failed password attempts'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.94
     NAME 'retryCountResetTime'
     DESC 'the time to reset the passwordRetryCount'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.95
     NAME 'accountUnlockTime'
     DESC 'the time that the user can bind again after an account lockout'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.96
     NAME 'passwordHistory'
     DESC 'the history
       of user's passwords'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
     EQUALITY bitStringMatch
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.214
     NAME 'passwordAllowChangeTime'
     DESC 'the time that the user is allowed to change the password'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )

5. Password Expiration and Expiration Warning

   New attributes, passwordExp, passwordMaxAge, and passwordWarning, are
   defined to specify whether the password will expire, when the
   password expires, and when a warning message will be sent to the
   client, respectively. The actual expiration time for a password is
   stored in a new attribute, passwordExpirationTime, in the user entry.

   After a bind operation succeeds with authentication, the server
   should check for password expiration. If the password expiration
   policy is on and the account's password has expired, the server
   should send a bindResponse with the resultCode
   LDAP_INVALID_CREDENTIALS along with an error message to inform the
   client that the password has expired. If the password is going to
   expire sooner than the password warning duration, the server should
   send a bindResponse with the resultCode LDAP_SUCCESS, and should
   include the password expiring control in the controls field of the
   bindResponse message:

      controlType: 2.16.840.1.113730.3.4.5,

      controlValue: an octet string to indicate the time in seconds
      until the password expires.

      criticality: false

   The server should send at least one warning message to the client
   before expiring the client's password.

6. Password Minimum Age

   This policy defines the number of seconds that must pass before a
   user can change the password again.
   This policy can be used in conjunction with the password history
   policy to prevent users from quickly cycling through the passwords in
   history so that they can reuse an old password. A value of zero
   indicates that the user can change the password immediately.

   During the modify password operation, the server should check if the
   user is allowed to change the password at this time. If not, the
   server should send the LDAP_CONSTRAINT_VIOLATION result code back to
   the client and an error message to indicate that the password cannot
   be changed within the password minimum age.

7. Password History

   The passwordHistory and passwordInHistory attributes control whether
   the user can reuse passwords and how many passwords the directory
   server stores in history.

   During the modify password operation, the server should check the
   password history. If password history is on and the new password
   matches one of the old passwords in history, the server should send a
   modifyResponse back to the client with resultCode
   LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that the
   new password is in history and another password must be chosen.

8. Password Syntax and Minimum Length

   The passwordCheckSyntax attribute indicates whether the password
   syntax will be checked before a new password is saved. If this policy
   is on, the directory server should check that the new password meets
   the password minimum length requirement and that the string does not
   contain any trivial words such as the user's name, user id, and so
   on.

   The passwordMinLength attribute defines the minimum number of
   characters that must be used in a password.

   During the modify or add password operation, the server should check
   the password syntax.
   If password syntax checking is on and the new password fails the
   syntax check, the server should send a modifyResponse or addResponse
   back to the client with resultCode LDAP_CONSTRAINT_VIOLATION, and an
   error message to indicate that the new password failed the syntax
   check and the user should choose another password.

9. User Defined Passwords

   This policy defines whether users can change their own passwords.
   During the modify password operation, the server should check if the
   user is allowed to change the password. If not, the server should
   send the client the LDAP_UNWILLING_TO_PERFORM result code and an
   error message to indicate that the user is not allowed to change the
   password.

10. Password Change After Reset

   This policy forces the user to select a new password on first bind or
   after a password reset. After a bind operation succeeds with
   authentication, the server should check if the password change after
   reset policy is on and this is the first time logon. If so, the
   server should send a bindResponse with the resultCode LDAP_SUCCESS,
   and should include the password expired control in the controls
   field of the bindResponse message:

      controlType: 2.16.840.1.113730.3.4.4,

      controlValue: an octet string: "0",

      criticality: false

   After that, for any operation issued by the user other than modify
   password, bind, unbind, abandon, or search, the server should send
   the response message with the resultCode LDAP_UNWILLING_TO_PERFORM,
   and should include the password expired control in the controls
   field of the response message:

      controlType: 2.16.840.1.113730.3.4.4,

      controlValue: an octet string: "0",

      criticality: false

11. Password Guessing Limit

   This policy enforces a limit on the number of tries the client has to
   get the password right.
   The user will be locked out of the directory after a given number of
   consecutive failed attempts to bind to the directory. This policy
   protects the directory from automated guessing attacks.

   The server should keep a failure counter in the passwordRetryCount
   attribute for each entry. The server should increment the failure
   counter when a bind operation fails with the LDAP_INVALID_CREDENTIALS
   error code. The server should clear the failure counter when a bind
   operation succeeds with authentication, when the account password is
   reset by an administrator, or when the failure counter reset time is
   reached.

   During the bind operation, the server should check the password
   guessing limit. If the password guessing limit policy is on and the
   password guessing limit has been reached, the server should send a
   bindResponse back to the client with resultCode
   LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that the
   password failure limit has been reached.

12. Server Implementation

12.1. Password policy initialization

   The passwordPolicy object class holds the password policy settings
   for a set of user accounts. During the server's initial startup, the
   password policy should be assigned a set of initial values. The
   settings should be modified only by the directory administrators and
   should be readable by anyone. The server should preserve the settings
   over server restarts. Currently, in the Netscape Directory
   implementation, the password policy settings are stored in the
   "cn=config" entry and an identical copy is kept in a configuration
   file which is used as bootstrap. The Netscape Directory password
   default settings are listed below as an example.
   - User may change password

   - Do not need to change password first time logon

   - Use SHA as the password hash algorithm

   - No password syntax check

   - Password minimum length: 6

   - No password expiration

   - Expires in 100 days

   - No password minimum age

   - Send warning one day before password expires

   - Do not keep password history

   - Six passwords in history

   - No account lockout

   - Lockout after 3 bind failures

   - Do not lockout forever

   - Lock account for 60 minutes

   - Reset retry count after 10 minutes

   In LDIF format:

      passwordchange: on
      passwordmustchange: off
      passwordstoragescheme: SHA
      passwordchecksyntax: off
      passwordminlength: 6
      passwordexp: off
      passwordmaxage: 8640000
      passwordminage: 0
      passwordwarning: 86400
      passwordkeephistory: off
      passwordinhistory: 6
      passwordlockout: off
      passwordmaxfailure: 3
      passwordunlock: on
      passwordlockoutduration: 3600
      passwordresetfailurecount: 600

12.2. Bind Operations

   12.2.1. During bind operations, the server should check the password
   guessing limit. If the password guessing limit policy is on and the
   password guessing limit has been reached, the server should send a
   bindResponse back to the client with resultCode
   LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that the
   password failure limit has been reached. Otherwise the server should
   continue the bind operation.

   12.2.2. After a bind operation succeeds with authentication, the
   server should

   1. Clear the password failure counter.

   2. Check if the password change after reset policy is on and this is
      the first time logon. If so, the server should disallow all
      operations issued by this user except modify password, bind,
      unbind, abandon, or search.
      The server should send a bindResponse with the resultCode
      LDAP_SUCCESS, and should include the password expired control in
      the controls field of the bindResponse message.

         controlType: 2.16.840.1.113730.3.4.4,

         controlValue: an octet string: "0",

         criticality: false

   3. Check for password expiration. If the password expiration policy
      is on and the account's password has expired, the server should
      send a bindResponse with the resultCode LDAP_INVALID_CREDENTIALS
      along with an error message to inform the client that the
      password has expired.

   4. Check if the password is going to expire sooner than the password
      warning duration. If so, the server should send a bindResponse
      with the resultCode LDAP_SUCCESS, and should include the password
      expiring control in the controls field of the bindResponse
      message:

         controlType: 2.16.840.1.113730.3.4.5,

         controlValue: an octet string to indicate the time in seconds
         until the password expires.

         criticality: false

   12.2.3. After a bind operation fails with LDAP_INVALID_CREDENTIALS,
   the server should

   1. Check if it is time to reset the password failure counter. If
      so, set the failure counter to 1 and re-calculate the next
      failure counter reset time. Otherwise, increment the failure
      counter.

   2. Check if the failure counter exceeds the allowed maximum value.
      If so, the server should lock the user account.

12.3. Add Password Operations

   12.3.1. During the add password operation, the server should

   1. Check the password syntax. If password syntax checking is on and
      the new password fails the syntax check, the server should send
      an addResponse back to the client with resultCode
      LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that
      the new password failed the syntax check and the user should
      choose another password.

   2.
      Calculate and add the passwordExpirationTime and
      passwordAllowChangeTime attributes to the entry if the password
      expiration policy and the password minimum age policy,
      respectively, are on.

12.4. Modify Password Operations

   12.4.1. During the modify password operation, the server should

   1. Check if the user is allowed to change the password. If not, the
      server should send the client the LDAP_UNWILLING_TO_PERFORM result
      code and an error message to indicate that the user is not
      allowed to change the password.

   2. Check the password minimum age, password minimum length, password
      history, and password syntax. If a check fails, the server should
      send a modifyResponse back to the client with resultCode
      LDAP_CONSTRAINT_VIOLATION, and an appropriate error message.

   3. If this is the first time logon and the user must change the
      password on first logon, the server should check if the
      userPassword attribute is in this modify request. If so, the
      server should continue the modify operation. Otherwise, the
      server should send the response message with the resultCode
      LDAP_UNWILLING_TO_PERFORM, and should include the password expired
      control in the controls field of the response message:

         controlType: 2.16.840.1.113730.3.4.4,

         controlValue: an octet string: "0",

         criticality: false

   12.4.2. After a modify password operation succeeds, the server
   should

   1. Update the password history in the user's entry, if the password
      history policy is on.

   2. Update passwordExpirationTime in the user's entry, if the password
      expiration policy is on.

   3. Update passwordAllowChangeTime in the user's entry, if the
      password minimum age policy is on.

   4. Clear the password failure counter, if the password is reset by a
      directory administrator.

   5.
      Set a flag to indicate that the user is at first time logon, if
      the password change after reset policy is on and the password is
      reset by a directory administrator.

13. Client Implementation

13.1. Bind Response

   For every bind response received, the client needs to parse the bind
   result code, error message, and controls to determine if any of the
   following conditions is true and prompt the user accordingly.

   1. The user needs to change the password at first time logon. The
      user should be prompted to change the password immediately.

         resultCode: LDAP_SUCCESS, with the control
         controlType: 2.16.840.1.113730.3.4.4,
         controlValue: "0",
         criticality: false

   2. This is a warning message that the server sends to a user to
      indicate the time in seconds until the user's password expires.

         resultCode: LDAP_SUCCESS, with the control
         controlType: 2.16.840.1.113730.3.4.5,
         controlValue: an octet string to indicate the time in seconds
         until the password expires.
         criticality: false

   3. The password failure limit is reached. The user needs to retry
      later or contact the directory administrator to reset the
      password.

         resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate
         error message. For example:
         errorMessage: "exceed password retry limit"

   4. The password is expired. The user needs to contact the directory
      administrator to reset the password.

         resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate
         error message. For example:
         errorMessage: "password expired"

13.2. Modify Responses

   For the modify response received for the change password request,
   the client needs to check the result code and error message to
   determine if it failed the password checking, and either let the
   user retry or quit.

   1. The user defined password policy is disabled. The user is not
      allowed to change the password.
         resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate
         error message. For example:
         errorMessage: "user is not allowed to change password"

   2. The new password failed the password syntax checking, or the
      current password has not reached the minimum password age, or the
      new password is in history.

         resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate
         error message. For example:
         errorMessage: "invalid password syntax"
         errorMessage: "password in history"
         errorMessage: "trivial password"
         errorMessage: "within minimum password age"

13.3. Add Responses

   For the add response received for the add entry request, the client
   needs to check the result code and error message to determine if it
   failed the password checking, and either let the user retry or quit.

   1. The new password failed the password syntax checking.

         resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate
         error message. For example:
         errorMessage: "invalid password syntax"
         errorMessage: "trivial password"

13.4. Other Responses

   For operations other than bind, unbind, abandon, or search, the
   client needs to check the following result code and control to
   determine if the user needs to change the password immediately.

   1. The user needs to change the password at first time logon. The
      user should be prompted to change the password immediately.

         resultCode: LDAP_UNWILLING_TO_PERFORM, with the control
         controlType: 2.16.840.1.113730.3.4.4,
         controlValue: "0",
         criticality: false

14. Security Considerations

   The password policy defined in this document applies to the LDAP
   simple authentication method [RFC-2251] and userPassword attribute
   values only. The simple authentication method provides minimal
   authentication facilities, with the contents of the authentication
   field consisting only of a cleartext password.
   Note that the simple authentication method and password policy are
   designed for authentication where the underlying transport service
   cannot guarantee confidentiality. Use of the simple authentication
   method and password policy may result in disclosure of the password
   to unauthorized parties. SASL and TLS mechanisms may be used with
   LDAP to provide integrity or confidentiality services.

15. Bibliography

   [RFC-2251] Wahl, M., Howes, T., Kille, S., "Lightweight Directory
              Access Protocol (v3)", RFC 2251, August 1997.

   [RFC-2307] Howard, L., "An Approach for Using LDAP as a Network
              Information Service", RFC 2307, March 1998.

   [RFC-2119] Bradner, S., "Key Words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

16. Author's Address

   Valerie Chu
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-3443
   vchu@netscape.com
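The bind-time processing of Sections 11 and 12.2 (guessing limit, failure-counter reset, lockout, first-logon and expiration controls), as an added worked example that is not part of the draft or of Netscape's implementation. It assumes Unix-second timestamps in place of GeneralizedTime, a constructed password_ok flag standing in for the userPassword comparison, and the Section 12.1 defaults with passwordlockout and passwordexp switched on for the demonstration.

```python
"""Bind-time password policy processing from Sections 11 and 12.2 of the draft.

Added example, not the draft's or Netscape's code. Policy settings are the
Section 12.1 LDIF defaults parsed by parse_policy(); per-entry state uses the
passwordObject attribute names from Section 4.4. Assumption: times are Unix
timestamps in seconds rather than GeneralizedTime values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INVALID_CREDENTIALS = 49
PASSWORD_EXPIRED_CONTROL = "2.16.840.1.113730.3.4.4"   # Section 10
PASSWORD_EXPIRING_CONTROL = "2.16.840.1.113730.3.4.5"  # Section 5

# Netscape default settings exactly as listed in Section 12.1.
DEFAULT_POLICY_LDIF = """
passwordchange: on
passwordmustchange: off
passwordstoragescheme: SHA
passwordchecksyntax: off
passwordminlength: 6
passwordexp: off
passwordmaxage: 8640000
passwordminage: 0
passwordwarning: 86400
passwordkeephistory: off
passwordinhistory: 6
passwordlockout: off
passwordmaxfailure: 3
passwordunlock: on
passwordlockoutduration: 3600
passwordresetfailurecount: 600
"""


def parse_policy(ldif: str) -> dict:
    """Parse the 'name: value' lines; 'on'/'off' flags become bools (the
    draft's '1'/'0' Directory String flags), digit strings become ints."""
    policy = {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if value in ("on", "off"):
            policy[name] = value == "on"
        elif value.isdigit():
            policy[name] = int(value)
        else:
            policy[name] = value
    return policy


@dataclass
class Entry:
    password_ok: bool  # constructed stand-in for the userPassword comparison
    passwordExpirationTime: Optional[int] = None
    passwordRetryCount: int = 0
    retryCountResetTime: int = 0
    accountUnlockTime: Optional[int] = None  # None: account is not locked
    first_logon: bool = False                # flag set by 12.4.2 step 5


@dataclass
class BindResponse:
    resultCode: int
    errorMessage: str = ""
    controls: List[Tuple[str, bytes, bool]] = field(default_factory=list)


def process_bind(policy: dict, entry: Entry, now: int) -> BindResponse:
    # 12.2.1: refuse the bind while the account is locked out.
    if policy["passwordlockout"] and entry.accountUnlockTime is not None:
        # passwordunlock off means locked until an administrator resets it.
        if not policy["passwordunlock"] or now < entry.accountUnlockTime:
            return BindResponse(LDAP_CONSTRAINT_VIOLATION, "exceed password retry limit")
        entry.accountUnlockTime = None  # lockout duration has elapsed
    if not entry.password_ok:
        # 12.2.3: failed bind; reset or increment the counter, then maybe lock.
        if now >= entry.retryCountResetTime:
            entry.passwordRetryCount = 1
            entry.retryCountResetTime = now + policy["passwordresetfailurecount"]
        else:
            entry.passwordRetryCount += 1
        if policy["passwordlockout"] and entry.passwordRetryCount >= policy["passwordmaxfailure"]:
            entry.accountUnlockTime = now + policy["passwordlockoutduration"]
        return BindResponse(LDAP_INVALID_CREDENTIALS, "invalid credentials")
    # 12.2.2: authenticated; clear the counter, then first-logon and expiry.
    entry.passwordRetryCount = 0
    if policy["passwordmustchange"] and entry.first_logon:
        return BindResponse(LDAP_SUCCESS, "", [(PASSWORD_EXPIRED_CONTROL, b"0", False)])
    if policy["passwordexp"] and entry.passwordExpirationTime is not None:
        remaining = entry.passwordExpirationTime - now
        if remaining <= 0:
            return BindResponse(LDAP_INVALID_CREDENTIALS, "password expired")
        if remaining < policy["passwordwarning"]:
            ctl = (PASSWORD_EXPIRING_CONTROL, str(remaining).encode(), False)
            return BindResponse(LDAP_SUCCESS, "", [ctl])
    return BindResponse(LDAP_SUCCESS)
```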
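The modify-password checks of Sections 6 to 9 and the 12.4 update sequence, as a second added example (again not the draft's or Netscape's code). It assumes the Section 12.1 attribute names in a plain dict with syntax, history, expiration and minimum age switched on, SHA-1 hex digests as the passwordHistory entries (the draft stores the attribute as a bit string), Unix-second timestamps, and, following Section 8, minimum length checked as part of syntax checking; the by_admin flag models the administrator reset of 12.4.2 steps 4 and 5.

```python
"""Modify-password checks from Sections 6 to 9 and 12.4 of the draft.

Added example, not the draft's or Netscape's code. Assumptions: policy is a
dict keyed by the Section 12.1 attribute names, passwordHistory holds SHA-1
hex digests, times are Unix seconds, and an administrator reset (by_admin)
skips the user-change and minimum-age checks, since Section 3 says the
policies do not bind directory administrators.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_UNWILLING_TO_PERFORM = 53

# Section 12.1 defaults with syntax, history, expiration and minimum age on.
POLICY = {
    "passwordchange": True, "passwordmustchange": True,
    "passwordchecksyntax": True, "passwordminlength": 6,
    "passwordexp": True, "passwordmaxage": 8640000, "passwordminage": 3600,
    "passwordkeephistory": True, "passwordinhistory": 6,
}


def sha_hash(password: str) -> str:
    """passwordStorageScheme 'SHA' from 12.1; hex digest for readability."""
    return hashlib.sha1(password.encode()).hexdigest()


@dataclass
class Entry:
    uid: str
    cn: str
    passwordHistory: List[str] = field(default_factory=list)
    passwordAllowChangeTime: int = 0
    passwordExpirationTime: Optional[int] = None
    passwordRetryCount: int = 0
    first_logon: bool = False  # flag from 12.4.2 step 5


def check_syntax(policy: dict, entry: Entry, new_pw: str) -> Optional[str]:
    """Section 8: minimum length, then trivial words (user's name, user id).
    Returns the 13.2 error message, or None when the password passes."""
    if len(new_pw) < policy["passwordminlength"]:
        return "invalid password syntax"
    lowered = new_pw.lower()
    for word in [entry.uid, *entry.cn.split()]:
        if len(word) >= 3 and word.lower() in lowered:  # skip initials
            return "trivial password"
    return None


def modify_password(policy: dict, entry: Entry, new_pw: str, now: int,
                    by_admin: bool = False) -> Tuple[int, str]:
    """12.4.1 checks in the draft's order; on success apply the 12.4.2
    updates to the entry and return (resultCode, errorMessage)."""
    if not by_admin:
        if not policy["passwordchange"]:  # Section 9
            return LDAP_UNWILLING_TO_PERFORM, "user is not allowed to change password"
        if policy["passwordminage"] and now < entry.passwordAllowChangeTime:  # Section 6
            return LDAP_CONSTRAINT_VIOLATION, "within minimum password age"
    if policy["passwordchecksyntax"]:
        err = check_syntax(policy, entry, new_pw)
        if err:
            return LDAP_CONSTRAINT_VIOLATION, err
    if policy["passwordkeephistory"] and sha_hash(new_pw) in entry.passwordHistory:
        return LDAP_CONSTRAINT_VIOLATION, "password in history"  # Section 7
    # 12.4.2: updates after a successful change.
    if policy["passwordkeephistory"]:
        history = entry.passwordHistory + [sha_hash(new_pw)]
        entry.passwordHistory = history[-policy["passwordinhistory"]:]
    if policy["passwordexp"]:
        entry.passwordExpirationTime = now + policy["passwordmaxage"]
    if policy["passwordminage"]:
        entry.passwordAllowChangeTime = now + policy["passwordminage"]
    if by_admin:
        entry.passwordRetryCount = 0                       # step 4
        entry.first_logon = policy["passwordmustchange"]   # step 5
    else:
        entry.first_logon = False  # the user has now chosen a password
    return LDAP_SUCCESS, ""
```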