Provided by: slapd_2.5.13+dfsg-1ubuntu1_amd64 
NAME
slapo-ppolicy - Password Policy overlay to slapd
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The ppolicy overlay is an implementation of the most recent IETF Password Policy proposal
for LDAP. When instantiated, it intercepts, decodes and applies specific password policy
controls to overall use of a backend database, changes to user password fields, etc.
The overlay provides a variety of password control mechanisms. They include password
aging -- both minimum and maximum ages, password reuse and duplication control, account
time-outs, mandatory password resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password policies, and there is
no limit to the number of password policies that may be created.
Note that some of the policies do not take effect when the operation is performed with the
rootdn identity; all the operations, when performed with any other identity, may be
subjected to constraints, like access control. This overlay requires a rootdn to be
configured on the database.
During password update, an identity with manage access to the userPassword attribute is
considered a password administrator where relevant to the IETF Password Policy proposal.
Note that the IETF Password Policy proposal for LDAP makes sense when considering a
single-valued password attribute, while the userPassword attribute allows multiple values.
This implementation enforces a single value for the userPassword attribute, despite its
specification.
In addition to supporting the IETF Password Policy, this module supports the SunDS Account
Usability control (1.3.6.1.4.1.42.2.27.9.5.8) on search requests and can send the Netscape
Password validity controls when configured to do so.
CONFIGURATION
These slapd.conf configuration options apply to the ppolicy overlay. They should appear
after the overlay directive.
ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is set on a
given user's entry. If there is no specific policy for an entry and no default is
given, then no policies will be enforced.
ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such as
recording failures, lockout, etc.) on a consumer should be forwarded to a provider
instead of being written directly into the consumer's local database. This setting
is only useful on a replication consumer, and also requires the updateref setting
and chain overlay to be appropriately configured.
ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should be
hashed before being stored in the database. This violates the X.500/LDAP
information model, but may be needed to compensate for LDAP clients that don't use
the Password Modify extended operation to manage passwords. It is recommended that
when this option is used that compare, search, and read access be denied to all
directory users.
ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials response when Binding to a
locked account. By default, when a Password Policy control was provided on the Bind
request, a Password Policy response will be included with no special error code
set. This option changes the Password Policy response to include the AccountLocked
error code. Note that sending the AccountLocked error code provides useful
information to an attacker; sites that are sensitive to security issues should not
enable this option.
ppolicy_send_netscape_controls
If set, ppolicy will send the password policy expired (2.16.840.1.113730.3.4.4) and
password policy expiring (2.16.840.1.113730.3.4.5) controls when appropriate. The
controls are not sent for bind requests where the Password policy control has
already been requested. Default is not to send the controls.
OBJECT CLASS
The ppolicy overlay depends on the pwdPolicy object class. The definition of that class
is as follows:
( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
AUXILIARY
SUP top
MUST ( pwdAttribute )
MAY (
pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
pwdExpireWarning $ pwdGraceAuthnLimit $
pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
pwdSafeModify $ pwdMaxRecordedFailure $
pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
The pwdPolicy class is not structural, and so entries using it require another,
structural, object class. The namedPolicy object class is a good choice. namedPolicy
requires a cn attribute, suitable as the policy entry's rDN.
This implementation also provides an additional pwdPolicyChecker objectclass, used for
password quality checking (see below).
( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
MAY ( pwdCheckModule $ pwdCheckModuleArg ) )
Every account that should be subject to password policy control should have a
pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can
simply use the configured default. In this way different users may be managed according
to different policies.
OBJECT CLASS ATTRIBUTES
Each one of the sections below details the meaning and use of a particular attribute of
this pwdPolicy object class.
pwdAttribute
This attribute contains the name of the attribute to which the password policy is applied.
For example, the password policy may be applied to the userPassword attribute.
Note: in this implementation, the only value accepted for pwdAttribute is userPassword .
( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
pwdMinAge
This attribute contains the number of seconds that must elapse between modifications
allowed to the password. If this attribute is not present, zero seconds is assumed (i.e.
the password may be modified whenever and however often is desired).
( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxAge
This attribute contains the number of seconds after which a modified password will expire.
If this attribute is not present, or if its value is zero (0), then passwords will not
expire.
( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdInHistory
This attribute is used to specify the maximum number of used passwords that will be stored
in the pwdHistory attribute. If the pwdInHistory attribute is not present, or if its
value is zero (0), used passwords will not be stored in pwdHistory and thus any
previously-used password may be reused. No history checking occurs if the password is
being modified by the rootdn, although the password is saved in the history.
( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdCheckQuality
This attribute indicates if and how password syntax will be checked while a password is
being modified or added. If this attribute is not present, or its value is zero (0), no
syntax checking will be done. If its value is one (1), the server will check the syntax,
and if the server is unable to check the syntax, whether due to a client-side hashed
password or some other reason, it will be accepted. If its value is two (2), the server
will check the syntax, and if the server is unable to check the syntax it will return an
error refusing the password.
( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMinLength
When syntax checking is enabled (see also the pwdCheckQuality attribute), this attribute
contains the minimum length in bytes that will be accepted in a password. If this
attribute is not present, minimum password length is not enforced. If the server is unable
to check the length of the password, whether due to a client-side hashed password or some
other reason, the server will, depending on the value of pwdCheckQuality, either accept
the password without checking it (if pwdCheckQuality is zero (0) or one (1)) or refuse it
(if pwdCheckQuality is two (2)). If the number of characters should be enforced with
regards to a particular encoding, the use of an appropriate pwdCheckModule is required.
( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxLength
When syntax checking is enabled (see also the pwdCheckQuality attribute), this attribute
contains the maximum length in bytes that will be accepted in a password. If this
attribute is not present, maximum password length is not enforced. If the server is unable
to check the length of the password, whether due to a client-side hashed password or some
other reason, the server will, depending on the value of pwdCheckQuality, either accept
the password without checking it (if pwdCheckQuality is zero (0) or one (1)) or refuse it
(if pwdCheckQuality is two (2)). If the number of characters should be enforced with
regards to a particular encoding, the use of an appropriate pwdCheckModule is required.
( 1.3.6.1.4.1.42.2.27.8.1.31
NAME 'pwdMaxLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdExpireWarning
This attribute contains the maximum number of seconds before a password is due to expire
that expiration warning messages will be returned to a user who is authenticating to the
directory. If this attribute is not present, or if the value is zero (0), no warnings
will be sent.
( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdGraceAuthnLimit
This attribute contains the number of times that an expired password may be used to
authenticate a user to the directory. If this attribute is not present or if its value is
zero (0), users with expired passwords will not be allowed to authenticate to the
directory.
( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdGraceExpiry
This attribute specifies the number of seconds the grace authentications are valid. If
this attribute is not present or if the value is zero (0), there is no time limit on the
grace authentications.
( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpiry'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdLockout
This attribute specifies the action that should be taken by the directory when a user has
made a number of failed attempts to authenticate to the directory. If pwdLockout is set
(its value is "TRUE"), the user will not be allowed to attempt to authenticate to the
directory after there have been a specified number of consecutive failed bind attempts.
The maximum number of consecutive failed bind attempts allowed is specified by the
pwdMaxFailure attribute. If pwdLockout is not present, or if its value is "FALSE", the
password may be used to authenticate no matter how many consecutive failed bind attempts
have been made.
( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdLockoutDuration
This attribute contains the number of seconds during which the password cannot be used to
authenticate the user to the directory due to too many consecutive failed bind attempts.
(See also pwdLockout and pwdMaxFailure.) If pwdLockoutDuration is not present, or if its
value is zero (0), the password cannot be used to authenticate the user to the directory
again until it is reset by an administrator.
( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxFailure
This attribute contains the number of consecutive failed bind attempts after which the
password may not be used to authenticate a user to the directory. If pwdMaxFailure is not
present, or its value is zero (0), then a user will be allowed to continue to attempt to
authenticate to the directory, no matter how many consecutive failed bind attempts have
occurred with that user's DN. (See also pwdLockout and pwdLockoutDuration.)
( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxRecordedFailure
This attribute contains the maximum number of failed bind attempts to store in a user's
entry. If pwdMaxRecordedFailure is not present, or its value is zero (0), then it
defaults to the value of pwdMaxFailure. If that value is also 0, the default is 5.
( 1.3.6.1.4.1.42.2.27.8.1.32
NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdFailureCountInterval
This attribute contains the number of seconds after which old consecutive failed bind
attempts are purged from the failure counter, even though no successful authentication has
occurred. If pwdFailureCountInterval is not present, or its value is zero (0), the
failure counter will only be reset by a successful authentication.
( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMustChange
This attribute specifies whether users must change their passwords when they first bind to
the directory after a password is set or reset by the administrator, or not. If
pwdMustChange has a value of "TRUE", users must change their passwords when they first
bind to the directory after a password is set or reset by the administrator. If
pwdMustChange is not present, or its value is "FALSE", users are not required to change
their password upon binding after the administrator sets or resets the password.
( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdAllowUserChange
This attribute specifies whether users are allowed to change their own passwords or not.
If pwdAllowUserChange is set to "TRUE", or if the attribute is not present, users will be
allowed to change their own passwords. If its value is "FALSE", users will not be allowed
to change their own passwords.
Note: this implies that when pwdAllowUserChange is set to "TRUE", users will still be able
to change the password of another user, subjected to access control. This restriction
only applies to modifications of ones's own password. It should also be noted that
pwdAllowUserChange was defined in the specification to provide rough access control to the
password attribute in implementations that do not allow fine-grain access control. Since
OpenLDAP provides fine-grain access control, the use of this attribute is discouraged;
ACLs should be used instead (see slapd.access(5) for details).
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdSafeModify
This attribute denotes whether the user's existing password must be sent along with their
new password when changing a password. If pwdSafeModify is set to "TRUE", the existing
password must be sent along with the new password. If the attribute is not present, or
its value is "FALSE", the existing password need not be sent along with the new password.
( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdMinDelay
This attribute specifies the number of seconds to delay responding to the first failed
authentication attempt. If this attribute is not set or is zero (0), no delays will be
used. pwdMaxDelay must also be specified if pwdMinDelay is set.
Note that this implementation uses a variable lockout instead of delaying the bind
response.
( 1.3.6.1.4.1.42.2.27.8.1.24
NAME 'pwdMinDelay'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxDelay
This attribute specifies the maximum number of seconds to delay when responding to a
failed authentication attempt. The time specified in pwdMinDelay is used as the starting
time and is then doubled on each failure until the delay time is greater than or equal to
pwdMaxDelay (or a successful authentication occurs, which resets the failure counter).
pwdMinDelay must also be specified if pwdMaxDelay is set.
Note that this implementation uses a variable lockout instead of delaying the bind
response.
( 1.3.6.1.4.1.42.2.27.8.1.25
NAME 'pwdMaxDelay'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxIdle
This attribute specifies the number of seconds an account may remain unused before it
becomes locked. If this attribute is not set or is zero (0), no check is performed. For
this to be enforced, lastbind functionality needs to be enabled on the database, that is
olcLastBind is set to TRUE.
( 1.3.6.1.4.1.42.2.27.8.1.26
NAME 'pwdMaxIdle'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdCheckModule/pwdCheckModuleArg
This attribute names a user-defined loadable module that must instantiate the
check_password() function. This function will be called to further check a new password
if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password
compliance checks have been passed. This function will be called according to this
function prototype:
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry, struct berval
*pArg);
The pPasswd parameter contains the clear-text user password, the ppErrStr parameter
contains a double pointer that allows the function to return human-readable details about
any error it encounters.
The pEntry parameter is optional, if non-NULL, carries a pointer to the entry whose
password is being checked.
The optional pArg parameter points to a struct berval containing the value of
pwdCheckModuleArg in the effective password policy, if set, otherwise NULL.
If ppErrStr is NULL, then funcName must NOT attempt to use it/them. A return value of
LDAP_SUCCESS from the called function indicates that the password is ok, any other value
indicates that the password is unacceptable. If the password is unacceptable, the server
will return an error to the client, and ppErrStr may be used to return a human-readable
textual explanation of the error. The error string must be dynamically allocated as it
will be free()'d by slapd.
( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
( 1.3.6.1.4.1.4754.1.99.2
NAME 'pwdCheckModuleArg'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
DESC 'Argument to pass to check_password() function'
SINGLE-VALUE )
Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard
executable search PATH.
Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal.
OPERATIONAL ATTRIBUTES
The operational attributes used by the ppolicy module are stored in the user's entry.
Most of these attributes are not intended to be changed directly by users; they are there
to track user activity. They have been detailed here so that administrators and users can
both understand the workings of the ppolicy module.
Note that the current IETF Password Policy proposal does not define how these operational
attributes are expected to behave in a replication environment. In general, authentication
attempts on a replica server only affect the copy of the operational attributes on that
replica and will not affect any attributes for a user's entry on the provider. Operational
attribute changes resulting from authentication attempts on a provider will usually
replicate to the replicas (and also overwrite any changes that originated on the replica).
These behaviors are not guaranteed and are subject to change when a formal specification
emerges.
userPassword
The userPassword attribute is not strictly part of the ppolicy module. It is, however,
the attribute that is tracked and controlled by the module. Please refer to the standard
OpenLDAP schema for its definition.
pwdPolicySubentry
This attribute refers directly to the pwdPolicy subentry that is to be used for this
particular directory user. If pwdPolicySubentry exists, it must contain the DN of a valid
pwdPolicy object. If it does not exist, the ppolicy module will enforce the default
password policy rules on the user associated with this authenticating DN. If there is no
default, or the referenced subentry does not exist, then no policy rules will be enforced.
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation)
pwdChangedTime
This attribute denotes the last time that the entry's password was changed. This value is
used by the password expiration policy to determine whether the password is too old to be
allowed to be used for user authentication. If pwdChangedTime does not exist, the user's
password will not expire.
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdAccountLockedTime
This attribute contains the time that the user's account was locked. If the account has
been locked, the password may no longer be used to authenticate the user to the directory.
If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently
locked and may only be unlocked by an administrator. Note that account locking only takes
effect when the pwdLockout password policy attribute is set to "TRUE".
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation)
pwdFailureTime
This attribute contains the timestamps of each of the consecutive authentication failures
made upon attempted authentication to this DN (i.e. account). If too many timestamps
accumulate here (refer to the pwdMaxFailure password policy attribute for details), and
the pwdLockout password policy attribute is set to "TRUE", the account may be locked.
(Please also refer to the pwdLockout password policy attribute.) Excess timestamps beyond
those allowed by pwdMaxFailure or pwdMaxRecordedFailure may also be purged. If a
successful authentication is made to this DN (i.e. to this user account), then
pwdFailureTime will be cleansed of entries.
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive
authentication failures'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
NO-USER-MODIFICATION
USAGE directoryOperation )
pwdHistory
This attribute contains the history of previously used passwords for this DN (i.e. for
this user account). The values of this attribute are stored in string format as follows:
pwdHistory=
time "#" syntaxOID "#" length "#" data
time=
GeneralizedTime as specified in section 3.3.13 of [RFC4517]
syntaxOID = numericoid
This is the string representation of the dotted-decimal OID that defines the
syntax used to store the password. numericoid is described in section 1.4 of
[RFC4512].
length = NumericString
The number of octets in the data. NumericString is described in section 3.3.23 of
[RFC4517].
data =
Octets representing the password in the format specified by syntaxOID.
This format allows the server to store and transmit a history of passwords that have been
used. In order for equality matching on the values in this attribute to function
properly, the time field is in GMT format.
( 1.3.6.1.4.1.42.2.27.8.1.20
NAME 'pwdHistory'
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdGraceUseTime
This attribute contains the list of timestamps of logins made after the user password in
the DN has expired. These post-expiration logins are known as "grace logins". If too
many grace logins have been used (please refer to the pwdGraceAuthnLimit password policy
attribute), then the DN will no longer be allowed to be used to authenticate the user to
the directory until the administrator changes the DN's userPassword attribute.
( 1.3.6.1.4.1.42.2.27.8.1.21
NAME 'pwdGraceUseTime'
DESC 'The timestamps of the grace login once the password has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdReset
This attribute indicates whether the user's password has been reset by the administrator
and thus must be changed upon first use of this DN for authentication to the directory.
If pwdReset is set to "TRUE", then the password was reset and the user must change it upon
first authentication. If the attribute does not exist, or is set to "FALSE", the user
need not change their password due to administrative reset.
( 1.3.6.1.4.1.42.2.27.8.1.22
NAME 'pwdReset'
DESC 'The indication that the password has
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE directoryOperation)
pwdStartTime
This attribute specifies the time the entry's password becomes valid for authentication.
Authentication attempts made before this time will fail. If this attribute does not
exist, then no restriction applies.
( 1.3.6.1.4.1.42.2.27.8.1.27
NAME 'pwdStartTime'
DESC 'The time the password becomes enabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE directoryOperation )
pwdEndTime
This attribute specifies the time the entry's password becomes invalid for authentication.
Authentication attempts made after this time will fail, regardless of expiration or grace
settings. If this attribute does not exist, then this restriction does not apply.
( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC 'The time the password becomes disabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE directoryOperation )
Note that pwdStartTime may be set to a time greater than or equal to pwdEndTime; this
simply disables the account.
pwdAccountTmpLockoutEnd
This attribute that the user's password has been locked out temporarily according to the
pwdMinDelay policy option and when the lockout ends.
( 1.3.6.1.4.1.42.2.27.8.1.33
NAME 'pwdAccountTmpLockoutEnd'
DESC 'Temporary lockout end'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation )
SUNDS ACCOUNT USABILITY CONTROL
If the SunDS Account Usability control is used with a search request, the overlay will
attach validity information to each entry provided all of the following are met:
• There is a password policy that applies to the entry
• The user has compare access to the entry's password attribute.
• The configured password attribute is present in the entry
EXAMPLES
database mdb
suffix dc=example,dc=com
...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
SEE ALSO
ldap(3), slapd.conf(5), slapd-config(5), slapo-chain(5).
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim:
documented in IETF document "draft-behera-ldap-password-policy-10.txt".
BUGS
The LDAP Password Policy specification is not yet an approved standard, and it is still
evolving. This code will continue to be in flux until the specification is finalized.
ACKNOWLEDGEMENTS
This module was written in 2004 by Howard Chu of Symas Corporation with significant input
from Neil Dunbar and Kartik Subbarao of Hewlett-Packard.
This manual page borrows heavily and shamelessly from the specification upon which the
password policy module it describes is based. This source is the IETF LDAP password
policy proposal by P. Behera, L. Poitou and J. Sermersheim. The proposal is fully
documented in the IETF document named draft-behera-ldap-password-policy-10.txt, written in
August of 2009.
OpenLDAP Software is developed and maintained by The OpenLDAP Project
<http://www.openldap.org/>. OpenLDAP Software is derived from the University of Michigan
LDAP 3.3 Release.