slapo-ppolicy.5

ldap服务器源码

users are not required to change their password upon binding after
the administrator sets or resets the password.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.13
  NAME 'pwdMustChange'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE )
.RE

.B pwdAllowUserChange
.P
This attribute specifies whether users are allowed to change their own
passwords or not.  If
.B pwdAllowUserChange
is set to "TRUE", or if the attribute is not present, users will be
allowed to change their own passwords.  If its value is "FALSE",
users will not be allowed to change their own passwords.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.14
   NAME 'pwdAllowUserChange'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )
.RE

.B pwdSafeModify
.P
This attribute denotes whether the user's existing password must be sent
along with their new password when changing a password.  If
.B pwdSafeModify
is set to "TRUE", the existing password must be sent
along with the new password.  If the attribute is not present, or
its value is "FALSE", the existing password need not be sent
along with the new password.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.15
   NAME 'pwdSafeModify'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE )
.RE

.B pwdCheckModule
.P
This attribute names a user-defined loadable module that must
instantiate the check_password() function.  This function
will be called to further check a new password if
.B pwdCheckQuality
is set to one (1) or two (2),
after all of the built-in password compliance checks have
been passed.  This function will be called according to this
function prototype:
.RS 4
int
.I check_password
(char *pPasswd, char **ppErrStr, Entry *pEntry);
.RE
The
.B pPasswd
parameter contains the clear-text user password, the
.B ppErrStr
parameter contains a double pointer that allows the function
to return human-readable details about any error it encounters.
The optional
.B pEntry
parameter, if non-NULL, carries a pointer to the
entry whose password is being checked.
If
.B ppErrStr
is NULL, then 
.I funcName
must NOT attempt to use it/them.
A return value of LDAP_SUCCESS from the called
function indicates that the password is ok, any other value
indicates that the password is unacceptable.  If the password is
unacceptable, the server will return an error to the client, and
.B ppErrStr
may be used to return a human-readable textual explanation of the
error. The error string must be dynamically allocated as it will
be free()'d by slapd.
.LP
.RS 4
(  1.3.6.1.4.1.4754.1.99.1
   NAME 'pwdCheckModule'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE )
.RE
.P
Note: 
The user-defined loadable module named by
.B pwdCheckModule     
must be in
.B slapd's
standard executable search PATH.
.P
Note:
.B pwdCheckModule
is a non-standard extension to the LDAP password
policy proposal.

.SH OPERATIONAL ATTRIBUTES
.P
The operational attributes used by the
.B passwd_policy
module are stored in the user's entry.  Most of these attributes
are not intended to be changed directly by users; they are there
to track user activity.  They have been detailed here so that
administrators and users can both understand the workings of
the
.B ppolicy
module.

.B userPassword
.P
The
.b userPassword
attribute is not strictly part of the
.B ppolicy
module.  It is, however, the attribute that is tracked and controlled
by the module.  Please refer to the standard OpenLDAP schema for
its definition.

.B pwdPolicySubentry
.P
This attribute refers directly to the
.B pwdPolicy
subentry that is to be used for this particular directory user.
If
.B pwdPolicySubentry
exists, it must contain the DN of a valid
.B pwdPolicy
object.  If it does not exist, the
.B ppolicy
module will enforce the default password policy rules on the
user associated with this authenticating DN. If there is no
default, or the referenced subentry does not exist, then no
policy rules will be enforced.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.23
   NAME 'pwdPolicySubentry'
   DESC 'The pwdPolicy subentry in effect for
       this object'
   EQUALITY distinguishedNameMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
   SINGLE-VALUE
   NO-USER-MODIFICATION
   USAGE directoryOperation)
.RE

.B pwdChangedTime
.P
This attribute denotes the last time that the entry's password was
changed.  This value is used by the password expiration policy to
determine whether the password is too old to be allowed to be used
for user authentication.  If
.B pwdChangedTime
does not exist, the user's password will not expire.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.16
   NAME 'pwdChangedTime'
   DESC 'The time the password was last changed'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SINGLE-VALUE
   NO-USER-MODIFICATION
   USAGE directoryOperation)
.RE

.B pwdAccountLockedTime
.P
This attribute contains the time that the user's account was locked.
If the account has been locked, the password may no longer be used to
authenticate the user to the directory.  If
.B pwdAccountLockedTime   
is set to zero (0), the user's account has been permanently locked
and may only be unlocked by an administrator.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.17
   NAME 'pwdAccountLockedTime'
   DESC 'The time an user account was locked'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SINGLE-VALUE
   NO-USER-MODIFICATION
   USAGE directoryOperation)
.RE

.B pwdFailureTime
.P
This attribute contains the timestamps of each of the consecutive
authentication failures made upon attempted authentication to this
DN (i.e. account).  If too many timestamps accumulate here (refer to
the
.B pwdMaxFailure
password policy attribute for details),
and the
.B pwdLockout
password policy attribute is set to "TRUE", the
account may be locked.
(Please also refer to the
.B pwdLockout
password policy attribute.)
Excess timestamps beyond those allowed by
.B pwdMaxFailure
may also be purged.  If a successful authentication is made to this
DN (i.e. to this user account), then
.B pwdFailureTime   
will be cleansed of entries.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.19
   NAME 'pwdFailureTime'
   DESC 'The timestamps of the last consecutive
       authentication failures'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   NO-USER-MODIFICATION
   USAGE directoryOperation )
.RE

.B pwdHistory
.P
This attribute contains the history of previously used passwords
for this DN (i.e. for this user account).
The values of this attribute are stored in string format as follows:

.RS 4

pwdHistory=
.RS 4
time "#" syntaxOID "#" length "#" data
.RE

time=
.RS 4
generalizedTimeString as specified in section 6.14 of [RFC2252]
.RE

.P
syntaxOID = numericoid
.RS 4
This is the string representation of the dotted-decimal OID that
defines the syntax used to store the password.  numericoid is
described in section 4.1 of [RFC2252].
.RE

length = numericstring
.RS 4
The number of octets in the data.  numericstring is described in
section 4.1 of [RFC2252].
.RE

data =
.RS 4
Octets representing the password in the format specified by syntaxOID.
.RE

.RE

This format allows the server to store and transmit a history of
passwords that have been used.  In order for equality matching
on the values in this attribute to function properly, the time
field is in GMT format.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.20
   NAME 'pwdHistory'
   DESC 'The history of user passwords'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
   EQUALITY octetStringMatch
   NO-USER-MODIFICATION
   USAGE directoryOperation)
.RE

.B pwdGraceUseTime
This attribute contains the list of timestamps of logins made after
the user password in the DN has expired.  These post-expiration
logins are known as "\fIgrace logins\fP".
If too many
.I grace logins
have been used (please refer to the
.B pwdGraceLoginLimit
password policy attribute), then the DN will no longer be allowed
to be used to authenticate the user to the directory until the
administrator changes the DN's
.B userPassword
attribute.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.21
   NAME 'pwdGraceUseTime'
   DESC 'The timestamps of the grace login once the password has expired'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   NO-USER-MODIFICATION
   USAGE directoryOperation)
.RE

.B pwdReset
.P
This attribute indicates whether the user's password has been reset
by the administrator and thus must be changed upon first use of this
DN for authentication to the directory.  If
.B pwdReset   
is set to "TRUE", then the password was reset and the user must change
it upon first authentication.  If the attribute does not exist, or
is set to "FALSE", the user need not change their password due to
administrative reset.
.LP
.RS 4
(  1.3.6.1.4.1.42.2.27.8.1.22
   NAME 'pwdReset'
   DESC 'The indication that the password has
       been reset'
   EQUALITY booleanMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
   SINGLE-VALUE
   USAGE directoryOperation)
.RE

.SH EXAMPLES
.LP
.RS
.nf
database bdb
suffix dc=example,dc=com
\...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
.fi
.RE

.SH SEE ALSO
.BR ldap (3),
.BR slapd.conf (5),
.LP
"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
.LP
IETF LDAP password policy proposal by P. Behera, L.  Poitou and J.
Sermersheim:  documented in IETF document
"draft-behera-ldap-password-policy-09.txt".

.SH BUGS
The LDAP Password Policy specification is not yet an approved standard,
and it is still evolving. This code will continue to be in flux until the
specification is finalized.

.SH ACKNOWLEDGEMENTS
.P
This module was written in 2004 by Howard Chu of Symas Corporation
with significant input from Neil Dunbar and Kartik Subbarao of Hewlett-Packard.
.P
This manual page borrows heavily and shamelessly from the specification
upon which the password policy module it describes is based.  This
source is the
IETF LDAP password policy proposal by P. Behera, L.
Poitou and J. Sermersheim.
The proposal is fully documented in
the
IETF document named draft-behera-ldap-password-policy-09.txt,
written in July of 2005.
.P
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.