ppolicy.schema

来自「ldap服务器源码」· SCHEMA 代码 · 共 532 行 · 第 1/2 页

# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.2.2.4 2007/01/02 21:44:09 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.

# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
#	Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
#	pwdCheckModule etc.

# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!

#Network Working Group                                     J. Sermersheim
#Internet-Draft                                               Novell, Inc
#Expires: April 24, 2005                                        L. Poitou
#                                                        Sun Microsystems
#                                                        October 24, 2004
#
#
#                  Password Policy for LDAP Directories
#                draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
#   This document is an Internet-Draft and is subject to all provisions
#   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
#   author represents that any applicable patent or other IPR claims of
#   which he or she is aware have been or will be disclosed, and any of
#   which he or she become aware will be disclosed, in accordance with
#   RFC 3668.
#
#   Internet-Drafts are working documents of the Internet Engineering
#   Task Force (IETF), its areas, and its working groups.  Note that
#   other groups may also distribute working documents as
#   Internet-Drafts.
#
#   Internet-Drafts are draft documents valid for a maximum of six months
#   and may be updated, replaced, or obsoleted by other documents at any
#   time.  It is inappropriate to use Internet-Drafts as reference
#   material or to cite them other than as "work in progress."
#
#   The list of current Internet-Drafts can be accessed at
#   http://www.ietf.org/ietf/1id-abstracts.txt.
#
#   The list of Internet-Draft Shadow Directories can be accessed at
#   http://www.ietf.org/shadow.html.
#
#   This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
#   Copyright (C) The Internet Society (2004).
#
#Abstract
#
#   Password policy as described in this document is a set of rules that
#   controls how passwords are used and administered in Lightweight
#   Directory Access Protocol (LDAP) based directories.  In order to
#   improve the security of LDAP directories and make it difficult for
#   password cracking programs to break into directories, it is desirable
#   to enforce a set of rules on password usage.  These rules are made to
#
#  [trimmed]
#
#5.  Schema used for Password Policy
#
#   The schema elements defined here fall into two general categories.  A
#   password policy object class is defined which contains a set of
#   administrative password policy attributes, and a set of operational
#   attributes are defined that hold general password policy state
#   information for each user.
#
#5.2  Attribute Types used in the pwdPolicy ObjectClass
#
#   Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1  pwdAttribute
#
#   This holds the name of the attribute to which the password policy is
#   applied.  For example, the password policy may be applied to the
#   userPassword attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
      NAME 'pwdAttribute'
      EQUALITY objectIdentifierMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

#5.2.2  pwdMinAge
#
#   This attribute holds the number of seconds that must elapse between
#   modifications to the password.  If this attribute is not present, 0
#   seconds is assumed.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
      NAME 'pwdMinAge'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.3  pwdMaxAge
#
#   This attribute holds the number of seconds after which a modified
#   password will expire.
#
#   If this attribute is not present, or if the value is 0 the password
#   does not expire.  If not 0, the value must be greater than or equal
#   to the value of the pwdMinAge.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
      NAME 'pwdMaxAge'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.4  pwdInHistory
#
#   This attribute specifies the maximum number of used passwords stored
#   in the pwdHistory attribute.
#
#   If this attribute is not present, or if the value is 0, used
#   passwords are not stored in the pwdHistory attribute and thus may be
#   reused.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
      NAME 'pwdInHistory'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.5  pwdCheckQuality
#
#   {TODO: Consider changing the syntax to OID.  Each OID will list a
#   quality rule (like min len, # of special characters, etc).  These
#   rules can be specified outsid ethis document.}
#
#   {TODO: Note that even though this is meant to be a check that happens
#   during password modification, it may also be allowed to happen during
#   authN.  This is useful for situations where the password is encrypted
#   when modified, but decrypted when used to authN.}
#
#   This attribute indicates how the password quality will be verified
#   while being modified or added.  If this attribute is not present, or
#   if the value is '0', quality checking will not be enforced.  A value
#   of '1' indicates that the server will check the quality, and if the
#   server is unable to check it (due to a hashed password or other
#   reasons) it will be accepted.  A value of '2' indicates that the
#   server will check the quality, and if the server is unable to verify
#   it, it will return an error refusing the password.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
      NAME 'pwdCheckQuality'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.6  pwdMinLength
#
#   When quality checking is enabled, this attribute holds the minimum
#   number of characters that must be used in a password.  If this
#   attribute is not present, no minimum password length will be
#   enforced.  If the server is unable to check the length (due to a
#   hashed password or otherwise), the server will, depending on the
#   value of the pwdCheckQuality attribute, either accept the password
#   without checking it ('0' or '1') or refuse it ('2').

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
      NAME 'pwdMinLength'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.7  pwdExpireWarning
#
#   This attribute specifies the maximum number of seconds before a
#   password is due to expire that expiration warning messages will be
#   returned to an authenticating user.
#
#   If this attribute is not present, or if the value is 0 no warnings
#   will be returned.  If not 0, the value must be smaller than the value
#   of the pwdMaxAge attribute.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
      NAME 'pwdExpireWarning'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.8  pwdGraceAuthNLimit
#
#   This attribute specifies the number of times an expired password can
#   be used to authenticate.  If this attribute is not present or if the
#   value is 0, authentication will fail.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
      NAME 'pwdGraceAuthNLimit'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.9  pwdLockout
#
#   This attribute indicates, when its value is "TRUE", that the password
#   may not be used to authenticate after a specified number of
#   consecutive failed bind attempts.  The maximum number of consecutive
#   failed bind attempts is specified in pwdMaxFailure.
#
#   If this attribute is not present, or if the value is "FALSE", the
#   password may be used to authenticate when the number of failed bind
#   attempts has been reached.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
      NAME 'pwdLockout'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE )

#5.2.10  pwdLockoutDuration
#
#   This attribute holds the number of seconds that the password cannot
#   be used to authenticate due to too many failed bind attempts.  If
#   this attribute is not present, or if the value is 0 the password
#   cannot be used to authenticate until reset by a password
#   administrator.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
      NAME 'pwdLockoutDuration'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.11  pwdMaxFailure
#
#   This attribute specifies the number of consecutive failed bind
#   attempts after which the password may not be used to authenticate.
#   If this attribute is not present, or if the value is 0, this policy
#   is not checked, and the value of pwdLockout will be ignored.

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
      NAME 'pwdMaxFailure'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

#5.2.12  pwdFailureCountInterval
#
#   This attribute holds the number of seconds after which the password
#   failures are purged from the failure counter, even though no
#   successful authentication occurred.
#
#   If this attribute is not present, or if its value is 0, the failure