LDAP-EXT Working Group Valerie Chu
INTERNET-DRAFT Netscape Communications Corp.
Expires in six months
Intended Category: Informational
December 1998
Password Policy for LDAP Directories
<draft-vchu-ldap-pwd-policy-00.txt>
1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working docu-
ments as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as ``work in progress.''
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
ftp.nic.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org
(US East Coast), or ftp.isi.edu (US West Coast).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
2. Abstract
This document describes the implementation of password policy in
Netscape LDAP directories, and introduces two new object classes,
twenty-three new attribute types, and two new controls in support of
password policy.
Password policy is a set of rules that control how passwords are used in
LDAP directories. In order to improve the security of LDAP directories
and make it difficult for password cracking programs to break into
directories, it is desirable to enforce a set of rules on password
usage. These rules are made to ensure that the users change their pass-
words periodically, the new password meets construction requirements,
the re-use of the old password is restricted, and lock out the users
Chu [Page 1]
Expires June 1999 INTERNET DRAFT
after a certain number of bad password attempts.
3. Overview
LDAP-based directory services currently are accepted by many organiza-
tions as the access protocol for directories. The ability to ensure the
secure read, update access to directory information throughout the net-
work is essential to the successful deployment. There are several secu-
rity mechanisms which are used in Netscape LDAP implementation to pro-
tect the directory data. For example, the access control is used to
prevent unauthorized access to information stored in directories; SASL
is used to negotiate for integrity and privacy services.[RFC-2251] The
most fundamental security mechanism in Netscape Directory is the simple
authentication using password. In many systems, in order to improve the
security of the system, the simple password-based authentication often
is used in conjunction with a set of password restrictions to control
how passwords are used in the system. For example, the passwd program
in UNIX systems, or the user account policy in WindowsNT, has a set of
rules that users need to follow to use password authentication. At the
moment, LDAP does not define a password policy model, but it is needed
to achieve greater security protection and it is critical to the suc-
cessful deployment of LDAP directories.
Specifically, the password policy defines:
- The maximum length of time that a given password is valid.
- The minimum length of time required between password changes.
- The maximum length of time before a user's password is due to
expire that the user will be sent a warning message.
- Whether users can reuse passwords.
- The minimum number of characters a password must contain.
- Whether the password syntax is checked before a new password is
saved.
- Whether users are allowed to change their own passwords.
- Whether passwords must be changed after they are reset by the
administrator.
- Whether users will be locked out of the directory after a given
number of failed bind attempts.
Chu [Page 2]
Expires June 1999 INTERNET DRAFT
- How long users will be locked out of the directory after a given
number of failed bind attempts.
- The length of time before the password failure counter which
keeps track of the number of failed password attempts is reset.
The password policy defined in this document is applied to the LDAP sim-
ple authentication method [RFC-2251] and userPassword attribute values
only.
In this document, the term "user" represents any application which is an
LDAP client using the directory to retrieve or store information.
Directory administrators are not forced to comply with any of password
policies.
4. New Attribute Types and Object Classes
4.1. The passwordPolicy Object Class
The passwordPolicy object class holds the password policy settings for a
set of user accounts. In the Netscape Directory implementation, they
are located in the "cn=config" entry.
The description of passwordPolicy object class:
( 2.16.840.1.113730.3.2.13
NAME 'passwordPolicy'
AUXILIARY
SUP top
DESC 'Password Policy object class to hold password policy information'
MAY (
passwordMaxAge $ passwordExp $ passwordMinLength $
passwordKeepHistory $ passwordInHistory $ passwordChange $
passwordCheckSyntax $ passwordWarning $ passwordLockout $
passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $
passwordMustChange $ passwordStorageScheme $ passwordMinAge $
passwordResetFailureCount
)
)
4.2. The new attribute types used in the passwordPolicy Object Class:
( 2.16.840.1.113730.3.1.97
NAME 'passwordMaxAge'
DESC 'the number of seconds after which user passwords will expire'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
Chu [Page 3]
Expires June 1999 INTERNET DRAFT
)
( 2.16.840.1.113730.3.1.98
NAME 'passwordExp'
DESC 'a flag which indicates whether passwords will expire after a
given number of seconds'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.99
NAME 'passwordMinLength'
DESC 'the minimum number of characters that must be used in a password'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.100
NAME 'passwordKeepHistory'
DESC 'a flag which indicates whether passwords can be reused"
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.101
NAME 'passwordInHistory'
DESC 'the number of passwords the directory server stores in history'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.102
NAME 'passwordChange'
DESC 'a flag which indicates whether users can change their passwords'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.103
NAME 'passwordCheckSyntax'
DESC 'a flag which indicates whether the password syntax will be checked
before the password is saved'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.104
NAME 'passwordWarning'
DESC 'the number of seconds before a user's password is due to expire that
the user will be sent a warning message'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.105
NAME 'passwordLockout'
Chu [Page 4]
Expires June 1999 INTERNET DRAFT
DESC 'a flag which indicates whether users will be locked out of the
directory after a given number of consecutive failed bind attempts'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.106
NAME 'passwordMaxFailure'
DESC 'the number of consecutive failed bind attempts after which a user
will be locked out of the directory'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.108
NAME 'passwordUnlock'
DESC 'a flag which indicates whether a user will be locked out of the
directory for a given number of seconds or until the administrator
resets the password after an account lockout'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.109
NAME 'passwordLockoutDuration'
DESC 'the number of seconds that users will be locked out of the directory
after an account lockout
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.220
NAME 'passwordMustChange'
DESC 'a flag which indicates whether users must change their passwords when
they first bind to the directory server'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.221
NAME 'passwordStorageScheme'
DESC 'the type of hash algorithm used to store directory server passwords'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
The description of password storage scheme can be found in [RFC-2307].
( 2.16.840.1.113730.3.1.222
NAME 'passwordMinAge'
DESC 'the number of seconds that must elapse before a user can change their
password again'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
Chu [Page 5]
Expires June 1999 INTERNET DRAFT
( 2.16.840.1.113730.3.1.223
NAME 'passwordResetFailureCount'
DESC 'the number of seconds after which the password failure counter will
be reset'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
Currently in Netscape Directory password policy implementation,
passwordMaxAge, passwordMinLength, passwordInHistory, passwordWarn-
ing, passwordMaxFailure, passwordLockoutDuration, passwordMinAge, and
passwordResetFailureCount attributes are defined as
1.3.6.1.4.1.1466.115.121.1.15 ('Directory String'). It is recom-
mented to change them to 1.3.6.1.4.1.1466.115.121.1.27 ('Integer') in
the future implementation.
The attributes which are used as a flag have the syntax
'1.3.6.1.4.1.1466.115.121.1.15' ('Directory String'). A value of '1'
represents 'true', while '0' represents 'false'. It is recommented
to change them to 1.3.6.1.4.1.1466.115.121.1.7 ('Boolean') in the
future implementation.
4.3. The passwordObject Object Class
The passwordObject object class holds the password policy state informa-
tion for each user. For example, how many consecutive bad password
attempts an user made. The information is located in each user entries.
The description of passwordObject object class:
( 2.16.840.1.113730.3.2.12
NAME 'passwordObject'
AUXILIARY
SUP top
DESC 'Password object class to hold password policy information for each
entry'
MAY (
passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $
retryCountResetTime $ accountUnlockTime $ passwordHistory $
passwordAllowChangeTime
)
)
4.4. The new attribute types used in the passwordObject Object Class:
( 2.16.840.1.113730.3.1.91
NAME 'passwordExpirationTime'
DESC 'the time the entry's password expires'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
Chu [Page 6]
Expires June 1999 INTERNET DRAFT
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.92
NAME 'passwordExpWarned'
DESC 'a flag which indicates whether a password expiration warning is sent
to the client'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.93
NAME 'passwordRetryCount'
DESC 'the count of consecutive failed password attempts'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.94
NAME 'retryCountResetTime'
DESC 'the time to reset the passwordRetryCount'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.95
NAME 'accountUnlockTime'
DESC 'the time that the user can bind again after an account lockout'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.96
NAME 'passwordHistory'
DESC 'the history of user's passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
EQUALITY bitStringMatch
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.214
NAME 'passwordAllowChangeTime'
Chu [Page 7]
Expires June 1999 INTERNET DRAFT
DESC 'the time that the user is allowed change the password'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
5. Password Expiration and Expiration Warning
New attributes, passwordExp, passwordMaxAge, and passwordWarning are
defined to specify whether the password will expire, when the password
expires and when a warning message will be sent to the client respec-
tively. The actual expiration time for a password will be stored in a
new attribute, passwordExpirationTime attribute in the user entry.
After bind operation succeed with authentication, the server should
check for password expiration. If the password expiration policy is on
and the account's password is expired, the server should send bin-
dResponse with the resultCode: LDAP_INVALID_CREDENTIALS along with an
error message to inform the client that the password has expired. If
the password is going to expire sooner than the password warning dura-
tion, the server should send bindResponse with the resultCode:
LDAP_SUCCESS, and should include the password expiring control in the
controls field of the bindResponse message:
controlType: 2.16.840.1.113730.3.4.5,
controlValue: an octet string to indicate the time in seconds until
the password expires.
criticality: false
The server should send at least one warning message to the client before
expiring the client's password.
6. Password Minimum Age
This policy defines the number of seconds that must pass before a user
can change the password again. This policy can be used in conjunction
with the password history policy to prevent users from quickly cycling
through passwords in history so that they can reuse the old password. A
value of zero indicates that the user can change the password immedi-
ately.
During the modify password operation, the server should check if the
user is allowed to change password at this time. If not, the server
Chu [Page 8]
Expires June 1999 INTERNET DRAFT
should send the LDAP_CONSTRAINT_VIOLATION result code back to the client
and an error message to indicate that the password cannot be changed
within password minimum age.
7. Password History
passwordHistory and passwordInHistory attributes control whether the
user can reuse passwords and how many passwords the directory server
stores in history.
During the modify password operation, the server should check for pass-
word history. If password history is on and the new password matches
one of the old passwords in history, the server should send
modifyResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new
password is in history, choose another password.
8. Password Syntax and Minimum length
The passwordCheckSyntax attribute indicates whether the password syntax
will be checked before a new password is saved. If this policy is on,
the directory server should check that the new password meets the pass-
word minimum length requirement and that the string does not contain any
trivial words such as the user's name, user id and so on.
The passwordMinLength attribute defines the minimum number of characters
that must be used in a password.
During the modify or add password operation, the server should check for
password syntax. If password check syntax is on and the new password
fail the syntax checking, the server should send modifyResponse or
addResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new
password failed the syntax checking, the user should choose another
password.
9. User Defined Passwords
This policy defines whether the users can change their own passwords.
During the modify password operation, the server should check if the
user is allowed to change password. If not, the server should send to
the client the LDAP_UNWILLING_TO_PERFORM result code and an error mes-
sage to indicate that the user is not allowed to change password.
10. Password Change After Reset
This policy forces the user to select a new password on first bind or
after password reset. After bind operation succeed with authentication,
Chu [Page 9]
Expires June 1999 INTERNET DRAFT
the server should check if the password change after reset policy is on
and this is the first time logon. If so, the server should send bin-
dResponse with the resultCode: LDAP_SUCCESS, and should include the
password expired control in the controls field of the bindResponse mes-
sage:
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
After that, for any operation issued by the user other than modify pass-
word, bind, unbind, abandon, or search, the server should send the
response message with the resultCode: LDAP_UNWILLING_TO_PERFORM, and
should include the password expired control in the controls field of the
response message:
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
11. Password Guessing limit
This policy enforces the limit of number of tries the client has to get
the password right. The user will be locked out of the directory after
a given number of consecutive failed attempts to bind to the directory.
This policy protects the directory from automated guessing attacks.
The server should keep a failure counter in the passwordRetryCount
attribute for each entry. The server should increment the failure
counter when a bind operation fails with the LDAP_INVALID_CREDENTIALS
error code. The server should clear the failure counter when a bind
operation succeeds with authentication, the account password is reset by
administrator, or when the failure counter reset time is reached.
During the bind operation, the server should check for password guessing
limit. If password guessing limit policy is on and the password guess-
ing limit is reached, the server should send bindResponse back to the
client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error message
to indicate the password failure limit is reached.
12. Server Implementation
Chu [Page 10]
Expires June 1999 INTERNET DRAFT
12.1. Password policy initialization
The passwordPolicy object class holds the password policy settings for a
set of user accounts. During the server initial startup, password pol-
icy should be assigned a set of initial values. The settings should be
modified only by the directory administrators and should be readable by
anyone. The server should preserve the settings over server restart.
Currently in the Netscape Directory implementation, the password policy
settings are stored in "cn=config" entry and an identical copy is kept
in a configuration file which is used as bootstrap. The Netscape Direc-
tory password default settings are listed below as an example.
- User may change password
- Do not need to change password first time logon
- Use SHA as the password hash algorithm
- No password syntax check
- Password minimum length: 6
- No password expiration
- Expires in 100 days
- No password minimum age
- Send warning one day before password expires
- Do not keep password history
- Six passwords in history
- No account lockout
- Lockout after 3 bind failures
- Do not lockout forever
- Lock account for 60 minutes
- Reset retry count after 10 minutes
In ldif format:
passwordchange: on
Chu [Page 11]
Expires June 1999 INTERNET DRAFT
passwordmustchange: off
passwordstoragescheme: SHA
passwordchecksyntax: off
passwordminlength: 6
passwordexp: off
passwordmaxage: 8640000
passwordminage: 0
passwordwarning: 86400
passwordkeephistory: off
passwordinhistory: 6
passwordlockout: off
passwordmaxfailure: 3
passwordunlock: on
passwordlockoutduration: 3600
passwordresetfailurecount: 600
12.2. Bind Operations
12.2.1. During bind operations, the server should check for password
guessing limit. If password guessing limit policy is on and the pass-
word guessing limit is reached, the server should send bindResponse back
to the client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error
message to indicate the password failure limit is reached. Otherwise
the server should continue the bind operation.
12.2.2. After Bind Operations succeed with authentication, the server
should
1. Clear the password failure counter.
2. Check if the password change after reset policy is on and this is
the first time logon. If so, the server should disallow all
operations issued by this user except modify password, bind ,
unbind, abandon, or search. The server should send bindResponse
Chu [Page 12]
Expires June 1999 INTERNET DRAFT
with the resultCode: LDAP_SUCCESS, and should include the pass-
word expired control in the controls field of the bindResponse
message.
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
3. Check for password expiration. If the password expiration policy
is on and the account's password is expired, the server should
send bindResponse with the resultCode: LDAP_INVALID_CREDENTIALS
along with an error message to inform the client that the pass-
word has expired.
4. Check if the password is going to expire sooner than the password
warning duration, the server should send bindResponse with the
resultCode: LDAP_SUCCESS, and should include the password expir-
ing control in the controls field of the bindResponse message:
controlType: 2.16.840.1.113730.3.4.5,
controlValue: an octet string to indicate the time in seconds
until the password expires.
criticality: false
12.2.3. After Bind Operations fail with LDAP_INVALID_CREDENTIALS, the
server should
1. Check if it is time to reset the password failure counter. If
so, set the failure counter to 1 and re-calculate the next
failure counter reset time. Otherwise, increment the failure
counter.
2. Check if failure counter exceeds the allowed maximum value. If
so, the server should lock the user account.
12.3. Add Password Operations
12.3.1. During the add password operation, the server should
1. Check for password syntax. If password check syntax is on and
the new password fail the syntax checking, the server should send
addResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the
Chu [Page 13]
Expires June 1999 INTERNET DRAFT
new password failed the syntax checking, the user should choose
another password.
2. Calculate and add passwordexpirationtime and passwordallowchange-
time attributes to the entry if password expiration policy and
password minimum age policy are on respectively.
12.4. Modify Password Operations
12.4.1. During the modify password operation, the server should
1. Check if the user is allowed to change password. If not, the
server should send to the client the LDAP_UNWILLING_TO_PERFORM
result code and an error message to indicate that the user is not
allowed to change password.
2. Check for password minimum age, password minimum length, password
history, and password syntax. If the checking fails, the server
should send modifyResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an appropriate error message.
3. If it is the first time logon and the user needs to change pass-
word the first time logon, the server should check if the user-
password attribute is in this modify request. If so, the server
should continue the modify operation. Otherwise, the server
should send the response message with the resultCode:
LDAP_UNWILLING_TO_PERFORM, and should include the password
expired control in the controls field of the response message:
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
12.4.2. After modify password operations succeed, the server should
1. Update password history in the user's entry, if the password his-
tory policy is on.
2. Update passwordExpirationTime in the user's entry, if the pass-
word expiration policy is on.
3. Update passwordAllowChangeTime in the user's entry, if the pass-
word minimum age policy is on.
4. Clear the password failure counter, if the password is reset by a
directory administrator.
Chu [Page 14]
Expires June 1999 INTERNET DRAFT
5. Set a flag to indicate the user is the first time logon, if the
password change after reset policy is on and the password is
reset by a directory administrator.
13. Client Implementation
13.1. Bind Response
For every bind response received, the client needs to parse the bind
result code, error message, and controls to determine if any of the fol-
lowing conditions is true and prompt the user accordingly.
1. The user needs to change password first time logon. The user
should be prompted to change the password immediately.
resultCode: LDAP_SUCCESS, with the control
controlType: 2.16.840.1.113730.3.4.4,
controlValue: "0",
criticality: false
2. This is a warning message that the server sends to a user to indi-
cate the time in seconds until the user's password expires.
resultCode: LDAP_SUCCESS, with the control
controlType: 2.16.840.1.113730.3.4.5,
controlValue: an octet string to indicate the time in seconds until
the password expires.
criticality: false
3. The password failure limit is reached. The user needs to retry
later or contact the directory administrator to reset the password.
resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
For example:
errorMessage: "exceed password retry limit"
4. The password is expired. The user needs to contact the directory
administrator to reset the password.
resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate error message.
For example:
errorMessage: "password expired"
Chu [Page 15]
Expires June 1999 INTERNET DRAFT
13.2. Modify Responses
For the modify response received for the change password request, the
client needs to check the result code and error message to determine if
it failed the password checking, and either let the user retry or quit.
1. The user defined password policy is disabled. The user is not
allowed to change password.
resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate error message.
For example:
errorMessage: "user is not allowed to change password"
2. The new password failed the password syntax checking, or the
current password has not reached the minimum password age, or the
new password is in history.
resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
For example:
errorMessage: "invalid password syntax"
errorMessage: "password in history"
errorMessage: "trivial password"
errorMessage: "within minimum password age"
13.3. Add Responses
For the add response received for the add entry request, the client
needs to check the result code and error message to determine if it
failed the password checking, and either let the user retry or quit.
1. The new password failed the password syntax checking.
resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
For example:
errorMessage: "invalid password syntax"
errorMessage: "trivial password"
13.4. Other Responses
For operations other than bind, unbind, abandon, or search, the client
needs to check the following result code and control to determine if the
user needs to change the password immediately.
1. The user needs to change password first time logon. The user
should be prompted to change the password immediately.
resultCode: LDAP_UNWILLING_TO_PERFORM, with the control
Chu [Page 16]
Expires June 1999 INTERNET DRAFT
controlType: 2.16.840.1.113730.3.4.4,
controlValue: "0",
criticality: false
14. Security Considerations
The password policy defined in this document is applied to the LDAP sim-
ple authentication method [RFC-2251] and userPassword attribute values
only. The simple authentication method provides minimal authentication
facilities, with the contents of the authentication field consisting
only of a cleartext password. Note that the simple authentication
method and password policy are designed for authentication where the
underlying transport service cannot guarantee confidentiality. Use of
simple authentication method and password policy may result in disclo-
sure of the password to unauthorized parties. SASL and TLS mechanisms
may be used with LDAP to provide integrity or confidentiality services.
15. Bibliography
[RFC-2251]Wahl, M., Howes, T., Kille, S., "Lightweight Directory Access
Protocol (v3)", RFC 2251, August 1997.
[RFC-2307]L. Howard, "An Approach for Using LDAP as a Network Informa-
tion Service", RFC 2307, March 1998.
[RFC-2119]S. Bradner, "Key Words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997.
16. Author's Addresses
Valerie Chu
Netscape Communications Corp.
501 E. Middlefield Rd.
Mountain View, CA 94043
USA
+1 650 937-3443
vchu@netscape.com
Chu [Page 17]