slapo-ppolicy.5

ldap服务器源码

.\" $OpenLDAP: pkg/ldap/doc/man/man5/slapo-ppolicy.5,v 1.4.2.7 2007/01/02 21:43:45 kurt Exp $
.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.SH NAME
slapo-ppolicy \- Password Policy overlay
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.LP
The 
.B ppolicy
overlay
is an implementation of the most recent IETF Password
Policy proposal for LDAP.   When instantiated, it intercepts,
decodes and applies specific password policy controls to overall
use of a backend database, changes to user password fields, etc.
.P
The overlay provides a variety of password control mechanisms.  They
include password aging--both minimum and maximum ages, password
reuse and duplication control, account time-outs, mandatory password
resets, acceptable password content, and even grace logins.
Different groups of users may be associated with different password
policies, and there is no limit to the number of password policies
that may be created.
.P
Note that some of the policies do not take effect when the operation
is performed with the
.B rootdn
identity; all the operations, when performed with any other identity,
may be subjected to constraints, like access control.

.SH CONFIGURATION
These 
.B slapd.conf
configuration options apply to the ppolicy overlay. They should appear
after the
.B overlay
directive.
.TP
.B ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
.B ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should
be hashed before being stored in the database. This violates the X.500/LDAP
information model, but may be needed to compensate for LDAP clients that
don't use the Password Modify extended operation to manage passwords.  It
is recommended that when this option is used that compare, search, and
read access be denied to all directory users. 
.TP
.B ppolicy_use_lockout
A client will always receive an LDAP
.B InvalidCredentials
response when
Binding to a locked account. By default, when a Password Policy control
was provided on the Bind request, a Password Policy response will be
included with no special error code set. This option changes the
Password Policy response to include the
.B AccountLocked
error code. Note
that sending the
.B AccountLocked
error code provides useful information
to an attacker; sites that are sensitive to security issues should not
enable this option.

.SH OBJECT CLASS
The 
.B ppolicy
overlay depends on the
.B pwdPolicy
object class.  The definition of that class is as follows:
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.2.1
    NAME 'pwdPolicy'
    AUXILIARY
    SUP top
    MUST ( pwdAttribute )
    MAY (
        pwdMinAge $ pwdMaxAge $ pwdInHistory $
        pwdCheckQuality $ pwdMinLength $
        pwdExpireWarning $ pwdGraceAuthnLimit $
        pwdLockout $ pwdLockoutDuration $
        pwdMaxFailure $ pwdFailureCountInterval $
        pwdMustChange $ pwdAllowUserChange $
        pwdSafeModify ) )
.RE

This implementation also provides an additional
.B pwdPolicyChecker
objectclass, used for password quality checking (see below).
.LP
.RS 4
(  1.3.6.1.4.1.4754.2.99.1
    NAME 'pwdPolicyChecker'
    AUXILIARY
    SUP top
    MAY ( pwdCheckModule ) )
.RE
.P
Every account that should be subject to password policy control should
have a
.B
pwdPolicySubentry
attribute containing the DN of a valid
.B pwdPolicy
entry, or they can simply use the configured default.
In this way different users may be managed according to
different policies.

.SH OBJECT CLASS ATTRIBUTES
.P
Each one of the sections below details the meaning and use of a particular
attribute of this
.B pwdPolicy
object class.
.P

.B pwdAttribute
.P
This attribute contains the name of the attribute to which the password
policy is applied. For example, the password policy may be applied
to the
.B userPassword
attribute.
.P
Note: in this implementation, the only
value accepted for
.B pwdAttribute
is
.IR " userPassword ".
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.1
   NAME 'pwdAttribute'
   EQUALITY objectIdentifierMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
.RE

.B pwdMinAge
.P
This attribute contains the number of seconds that must elapse
between modifications allowed to the password. If this attribute
is not present, zero seconds is assumed (i.e. the password may be
modified whenever and however often is desired).
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.2
   NAME 'pwdMinAge'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdMaxAge
.P
This attribute contains the number of seconds after which a modified
password will expire.  If this attribute is not present, or if its
value is zero (0), then passwords will not expire.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.3
   NAME 'pwdMaxAge'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdInHistory
.P
This attribute is used to specify the maximum number of used
passwords that will be stored in the
.B pwdHistory
attribute.  If the
.B pwdInHistory
attribute is not present, or if its value is
zero (0), used passwords will not be stored in
.B pwdHistory
and thus any previously-used password may be reused.
No history checking occurs if the password is being modified by the
.BR rootdn ,
although the password is saved in the history.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.4
   NAME 'pwdInHistory'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdCheckQuality
.P
This attribute indicates if and how password syntax will be checked
while a password is being modified or added. If this attribute is
not present, or its value is zero (0), no syntax checking will be
done. If its value is one (1), the server will check the syntax,
and if the server is unable to check the syntax,
whether due to a client-side hashed password or some other reason,
it will be
accepted. If its value is two (2), the server will check the syntax,
and if the server is unable to check the syntax it will return an
error refusing the password.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.5
   NAME 'pwdCheckQuality'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdMinLength
.P
When syntax checking is enabled
(see also the
.B pwdCheckQuality
attribute), this attribute contains the minimum
number of characters that will be accepted in a password. If this
attribute is not present, minimum password length is not
enforced. If the server is unable to check the length of the password,
whether due to a client-side hashed password or some other reason,
the server will, depending on the
value of
.BR pwdCheckQuality ,
either accept the password
without checking it (if
.B pwdCheckQuality
is zero (0) or one (1)) or refuse it (if
.B pwdCheckQuality
is two (2)).
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.6
   NAME 'pwdMinLength'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdExpireWarning
.P
This attribute contains the maximum number of seconds before a
password is due to expire that expiration warning messages will be
returned to a user who is authenticating to the directory.
If this attribute is not
present, or if the value is zero (0), no warnings will be sent.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.7
   NAME 'pwdExpireWarning'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdGraceAuthnLimit
.P
This attribute contains the number of times that an expired password
may be used to authenticate a user to the directory. If this
attribute is not present or if its value is zero (0), users with
expired passwords will not be allowed to authenticate to the
directory.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.8
   NAME 'pwdGraceAuthnLimit'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdLockout
.P
This attribute specifies the action that should be taken
by the directory when a user has made a number of failed attempts
to authenticate to the directory.  If
.B pwdLockout
is set (its value is "TRUE"), the user will not be allowed to
attempt to authenticate to the directory after there have been a
specified number of consecutive failed bind attempts.  The maximum
number of consecutive failed bind attempts allowed is specified by
the
.B pwdMaxFailure
attribute.  If
.B pwdLockout
is not present, or if its value is "FALSE", the password may be
used to authenticate no matter how many consecutive failed bind
attempts have been made.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.9
   NAME 'pwdLockout'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )
.RE

.B pwdLockoutDuration
.P
This attribute contains the number of seconds during
which the password cannot be used to authenticate the
user to the directory due to too many consecutive failed
bind attempts.
(See also
.B pwdLockout
and
.BR pwdMaxFailure .)
If
.B pwdLockoutDuration
is not present, or if its value is zero (0), the password
cannot be used to authenticate the user to the directory
again until it is reset by an administrator.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.10
   NAME 'pwdLockoutDuration'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdMaxFailure
.P
This attribute contains the number of consecutive failed bind
attempts after which the password may not be used to authenticate
a user to the directory.
If
.B pwdMaxFailure
is not present, or its value is zero (0), then a user will
be allowed to continue to attempt to authenticate to
the directory, no matter how many consecutive failed 
bind attempts have occurred with that user's DN.
(See also
.B pwdLockout
and
.BR pwdLockoutDuration .)
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.11
   NAME 'pwdMaxFailure'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdFailureCountInterval
.P
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure counter,
even though no successful authentication has occurred.
If
.B pwdFailureCountInterval
is not present, or its value is zero (0), the failure
counter will only be reset by a successful authentication.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.12
   NAME 'pwdFailureCountInterval'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
   SINGLE-VALUE )
.RE

.B pwdMustChange
.P
This attribute specifies whether users must change their passwords
when they first bind to the directory after a password is set or
reset by the administrator, or not.  If
.B pwdMustChange
has a value of "TRUE", users must change their passwords when they
first bind to the directory after a password is set or reset by
the administrator.  If
.B pwdMustChange
is not present, or its value is "FALSE",