Network Working Group                                     J. Sermersheim
Internet-Draft                                               Novell, Inc
Intended status: Standards Track                               L. Poitou
Expires: January 19, 2015                               Sun Microsystems
                                                             H. Chu, Ed.
                                                             Symas Corp.
                                                           July 18, 2014


                  Password Policy for LDAP Directories
                  draft-behera-ldap-password-policy-11

Abstract

   Password policy as described in this document is a set of rules that
   controls how passwords are used and administered in Lightweight
   Directory Access Protocol (LDAP) based directories.  In order to
   improve the security of LDAP directories and make it difficult for
   password cracking programs to break into directories, it is desirable
   to enforce a set of rules on password usage.  These rules ensure
   that users change their passwords periodically, that passwords meet
   construction requirements, and that old passwords are not re-used;
   they also serve to deter password guessing attacks.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 19, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents



Sermersheim, et al.     Expires January 19, 2015                [Page 1]

Internet-Draft    Password Policy for LDAP Directories         July 2014


   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.    Overview . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.    Conventions  . . . . . . . . . . . . . . . . . . . . . . . .  5
   3.    Application of Password Policy . . . . . . . . . . . . . . .  6
   4.    Articles of Password Policy  . . . . . . . . . . . . . . . .  7
   4.1.  Password Usage Policy  . . . . . . . . . . . . . . . . . . .  7
   4.2.  Password Modification Policy . . . . . . . . . . . . . . . .  8
   4.3.  Restriction of the Password Policy . . . . . . . . . . . . . 10
   5.    Schema used for Password Policy  . . . . . . . . . . . . . . 12
   5.1.  The pwdPolicy Object Class . . . . . . . . . . . . . . . . . 12
   5.2.  Attribute Types used in the pwdPolicy ObjectClass  . . . . . 12
   5.3.  Attribute Types for Password Policy State Information  . . . 19
   6.    Controls used for Password Policy  . . . . . . . . . . . . . 24
   6.1.  Request Control  . . . . . . . . . . . . . . . . . . . . . . 24
   6.2.  Response Control . . . . . . . . . . . . . . . . . . . . . . 24
   7.    Policy Decision Points . . . . . . . . . . . . . . . . . . . 26
   7.1.  Locked Account Check . . . . . . . . . . . . . . . . . . . . 26
   7.2.  Password Must be Changed Now Check . . . . . . . . . . . . . 26
   7.3.  Password Expiration Check  . . . . . . . . . . . . . . . . . 27
   7.4.  Remaining Grace AuthN Check  . . . . . . . . . . . . . . . . 27
   7.5.  Time Before Expiration Check . . . . . . . . . . . . . . . . 27
   7.6.  Intruder Lockout Check . . . . . . . . . . . . . . . . . . . 27
   7.7.  Intruder Delay Check . . . . . . . . . . . . . . . . . . . . 28
   7.8.  Password Too Young Check . . . . . . . . . . . . . . . . . . 28
   8.    Server Policy Enforcement Points . . . . . . . . . . . . . . 29
   8.1.  Password-based Authentication  . . . . . . . . . . . . . . . 29
   8.2.  Password Update Operations . . . . . . . . . . . . . . . . . 31
   8.3.  Other Operations . . . . . . . . . . . . . . . . . . . . . . 34
   9.    Client Policy Enforcement Points . . . . . . . . . . . . . . 35
   9.1.  Bind Operation . . . . . . . . . . . . . . . . . . . . . . . 35
   9.2.  Modify Operations  . . . . . . . . . . . . . . . . . . . . . 36
   9.3.  Add Operation  . . . . . . . . . . . . . . . . . . . . . . . 37
   9.4.  Compare Operation  . . . . . . . . . . . . . . . . . . . . . 37
   9.5.  Other Operations . . . . . . . . . . . . . . . . . . . . . . 38
   10.   Administration of the Password Policy  . . . . . . . . . . . 39
   11.   Password Policy and Replication  . . . . . . . . . . . . . . 40
   12.   Security Considerations  . . . . . . . . . . . . . . . . . . 42
   13.   IANA Considerations  . . . . . . . . . . . . . . . . . . . . 43
   13.1. Object Identifiers . . . . . . . . . . . . . . . . . . . . . 43
   13.2. LDAP Protocol Mechanisms . . . . . . . . . . . . . . . . . . 43
   13.3. LDAP Descriptors . . . . . . . . . . . . . . . . . . . . . . 43
   13.4. LDAP AttributeDescription Options  . . . . . . . . . . . . . 45
   14.   Acknowledgement  . . . . . . . . . . . . . . . . . . . . . . 46
   15.   Normative References . . . . . . . . . . . . . . . . . . . . 47
         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 48

1.  Overview

   LDAP-based directory services are currently accepted by many
   organizations as the access protocol for directories.  The ability to
   ensure secure read and update access to directory information
   throughout the network is essential to successful deployment.
   Most LDAP implementations support many authentication schemes, the
   most basic and widely used being simple authentication, i.e., a user
   DN and password.  In this case, many LDAP servers have implemented
   some kind of policy governing the password used to authenticate.
   Among other things, this policy includes:

   o  Whether and when passwords expire.

   o  Whether failed bind attempts cause the account to be locked.

   o  If and how users are able to change their passwords.

   In order to achieve greater security protection and ensure
   interoperability in a heterogeneous environment, LDAP needs to
   standardize on a common password policy model.  This is critical to
   the successful deployment of LDAP directories.

2.  Conventions

   Imperative keywords defined in [RFC2119] are used in this document,
   and carry the meanings described there.

   All ASN.1 [X.680] Basic Encoding Rules (BER) [X.690] encodings follow
   the conventions found in Section 5.1 of [RFC4511].

   The term "password administrator" refers to a user that has
   sufficient access control privileges to modify users' passwords.  The
   term "password policy administrator" refers to a user that has
   sufficient access control privileges to modify the pwdPolicy object
   defined in this document.  The access control that is used to
   determine whether an identity is a password administrator or password
   policy administrator is beyond the scope of this document, but
   typically implies that the password administrator has 'write'
   privileges to the password attribute.

3.  Application of Password Policy

   The password policy defined in this document can be applied to any
   attribute holding a user's password used for an authenticated LDAP
   bind operation.  In this document, the term "user" represents any
   LDAP client application that has an identity in the directory.

   This policy is typically applied to the userPassword attribute in the
   case of the LDAP simple authentication method [RFC4511] or the case
   of password based SASL [RFC4422] authentication such as CRAM-MD5
   [RFC2195] and DIGEST-MD5 [RFC2831].

   The policy described in this document assumes that the password
   attribute holds a single value.  No considerations are made for
   directories or systems that allow a user to maintain multi-valued
   password attributes.

   Server implementations MAY institute internal policy whereby certain
   identities (such as directory administrators) are not forced to
   comply with any password policy.  In this case, the password for a
   directory administrator never expires, the account is never locked,
   etc.

4.  Articles of Password Policy

   The following sections explain in general terms each aspect of the
   password policy defined in this document as well as the need for
   each.  These policies are subdivided into the general groups of
   password usage and password modification.  Implementation details are
   presented in Section 8 and Section 9.

4.1.  Password Usage Policy

   This section describes policy enforced when a password is used to
   authenticate.  The general focus of this policy is to minimize the
   threat of intruders once a password is in use.

4.1.1.  Password Validity Policy

   These mechanisms allow account usage to be controlled independently
   of any password expiration policies.  The policy defines the absolute
   period of time for which an account may be used.  This allows an
   administrator to define an absolute starting time after which a
   password becomes valid, and an absolute ending time after which the
   password is disabled.

   A mechanism is also provided to define the period of time for which
   an account may remain unused before being disabled.

4.1.2.  Password Guessing Limit

   In order to prevent intruders from guessing a user's password, a
   mechanism exists to track the number of consecutive failed
   authentication attempts, and take action when a limit is reached.
   This policy consists of several parts:

   o  A counter to track the number of failed authentication attempts.

   o  The amount of time to delay on the first authentication failure.

   o  The maximum amount of time to delay on subsequent failures.

   o  A timeframe in which the limit of consecutive failed
      authentication attempts must happen before action is taken.

   o  A configurable limit on failed authentication attempts.

   o  The action to be taken when the limit is reached.  The action will
      either be nothing, or the account will be locked.

   o  An amount of time the account is locked (if it is to be locked).
      This can be indefinite.

   Note that using the account lock feature provides an easy avenue for
   Denial-of-Service (DoS) attacks on user accounts.  While some sites'
   policies require accounts to be locked, this feature is discouraged
   in favor of delaying each failed login attempt.

   The delay time will be doubled on each subsequent failure, until it
   reaches the maximum time configured.

   [TBD: we could also provide a syntax for configuring a backoff
   algorithm.  E.g. "+<int>" for linearly incrementing delay, "x<int>"
   for constant multiplier, "^<int>" for geometric.  But it's probably
   overkill to add a calculator language to the server.]
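
   The following Python sketch is an added illustration, not part of
   this draft, of how a server might apply the rules of Section 4.1.2:
   it ages failures out after pwdFailureCountInterval, doubles the delay
   from pwdMinDelay up to pwdMaxDelay, and locks the account only when
   pwdLockout is set and pwdMaxFailure is reached.  The policy attribute
   names are those of the pwdPolicy class in Section 5.1; the per-user
   state names pwdFailureTime and pwdAccountLockedTime are taken from
   the draft's Section 5.3 (outside this excerpt), and the zero-means-
   disabled conventions in the comments are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed reference time used by the scenarios below (not from the draft).
EPOCH = datetime(2014, 7, 18, 12, 0, tzinfo=timezone.utc)


def ts(seconds: int) -> datetime:
    """Timestamp `seconds` after EPOCH; keeps the scenarios readable."""
    return EPOCH + timedelta(seconds=seconds)


@dataclass
class GuessingPolicy:
    """The pwdPolicy attributes that govern failed-bind handling (Section 5.1)."""
    pwdMaxFailure: int = 5              # consecutive failures before action is taken
    pwdFailureCountInterval: int = 300  # seconds a failure stays counted; 0 = until success
    pwdLockout: bool = False            # True: lock the account; False: delay only
    pwdLockoutDuration: int = 0         # seconds a lock lasts; 0 = until an admin resets it
    pwdMinDelay: int = 1                # delay after the first failure; 0 = no delay
    pwdMaxDelay: int = 16               # ceiling for the doubled delay


@dataclass
class AccountState:
    """Per-user operational state; names follow the draft's Section 5.3 (assumed)."""
    pwdFailureTime: List[datetime] = field(default_factory=list)
    pwdAccountLockedTime: Optional[datetime] = None


def counted_failures(policy: GuessingPolicy, state: AccountState,
                     now: datetime) -> List[datetime]:
    """Failures older than pwdFailureCountInterval no longer count toward the limit."""
    if policy.pwdFailureCountInterval == 0:
        return list(state.pwdFailureTime)
    cutoff = now - timedelta(seconds=policy.pwdFailureCountInterval)
    return [t for t in state.pwdFailureTime if t >= cutoff]


def is_locked(policy: GuessingPolicy, state: AccountState, now: datetime) -> bool:
    """Locked Account Check: a lock with duration 0 only clears on admin reset."""
    if state.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True
    return now < state.pwdAccountLockedTime + timedelta(seconds=policy.pwdLockoutDuration)


def delay_seconds(policy: GuessingPolicy, failures: int) -> int:
    """Intruder Delay Check: pwdMinDelay doubled per failure, capped at pwdMaxDelay."""
    if policy.pwdMinDelay == 0 or failures == 0:
        return 0
    return min(policy.pwdMinDelay * 2 ** (failures - 1), policy.pwdMaxDelay)


def record_failure(policy: GuessingPolicy, state: AccountState,
                   now: datetime) -> Tuple[int, bool]:
    """Bookkeeping after a failed bind: returns (seconds to hold the response,
    whether the account is now locked).  Locking happens only when pwdLockout
    is TRUE; otherwise the policy degrades to delay-only, which the draft
    prefers because a hard lock is an easy denial of service against the user."""
    failures = counted_failures(policy, state, now) + [now]
    state.pwdFailureTime = failures
    locked = False
    if policy.pwdLockout and len(failures) >= policy.pwdMaxFailure:
        state.pwdAccountLockedTime = now
        locked = True
    return delay_seconds(policy, len(failures)), locked


def record_success(state: AccountState) -> None:
    """A successful bind clears the consecutive-failure counter."""
    state.pwdFailureTime = []


def simulate(policy: GuessingPolicy, attempts: int,
             spacing: int = 1) -> List[Tuple[int, bool]]:
    """Constructed scenario: `attempts` wrong passwords, `spacing` seconds apart."""
    state = AccountState()
    return [record_failure(policy, state, ts(i * spacing)) for i in range(attempts)]


if __name__ == "__main__":
    for delay, locked in simulate(GuessingPolicy(pwdLockout=True), 6):
        print(f"delay={delay:2d}s locked={locked}")
```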

4.2.  Password Modification Policy

   This section describes policy enforced while users are modifying
   passwords.  The general focus of this policy is to ensure that when
   users add or change their passwords, the security and effectiveness
   of their passwords is maximized.  In this document, the term "modify
   password operation" refers to any operation that is used to add or
   modify a password attribute.  Often this is done by updating the
   password attribute during an add or modify operation, but MAY be done
   by other means such as an extended operation.

4.2.1.  Password Expiration, Expiration Warning, and Grace
        Authentications

   One of the key properties of a password is the fact that it is not
   well known.  If a password is frequently changed, the chances of that
   user's account being broken into are minimized.

   Password policy administrators may deploy a password policy that
   causes passwords to expire after a given amount of time - thus
   forcing users to change their passwords periodically.

   As a side effect, there needs to be a way in which users are made
   aware of this need to change their password before actually being
   locked out of their accounts.  One or both of the following methods
   handle this:

   o  A warning may be returned to the user sometime before his password
      is due to expire.  If the user fails to heed this warning before
      the expiration time, his account will be locked.

   o  The user may bind to the directory a preset number of times after
      her password has expired.  If she fails to change her password
      during one of her 'grace' authentications, her account will be
      locked.
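
   As an added illustration that is not part of this draft, the
   following Python sketch applies the expiration, warning and grace
   rules of Section 4.2.1 to a single bind: a warning carries the
   seconds left before expiry, and each bind after expiry consumes one
   grace authentication until none remain.  Policy attribute names are
   those of Section 5.1; the state names pwdChangedTime and
   pwdGraceUseTime come from the draft's Section 5.3 (outside this
   excerpt), and the meaning of a zero value for pwdGraceExpiry is an
   assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time for the scenarios (not from the draft).
EPOCH = datetime(2014, 7, 18, 12, 0, tzinfo=timezone.utc)
DAY = 86400


def ts(seconds: int) -> datetime:
    return EPOCH + timedelta(seconds=seconds)


@dataclass
class ExpirationPolicy:
    """The pwdPolicy attributes behind Section 4.2.1 (names from Section 5.1)."""
    pwdMaxAge: int = 0            # seconds a password stays valid; 0 = never expires
    pwdExpireWarning: int = 0     # seconds before expiry to start warning; 0 = no warning
    pwdGraceAuthNLimit: int = 0   # binds allowed after expiry; 0 = none
    pwdGraceExpiry: int = 0       # seconds after expiry during which grace binds work;
                                  # 0 = no time limit (assumed semantics)


@dataclass
class PasswordState:
    """Per-user state; attribute names follow the draft's Section 5.3 (assumed)."""
    pwdChangedTime: datetime
    pwdGraceUseTime: List[datetime] = field(default_factory=list)


@dataclass
class BindDecision:
    allowed: bool
    reason: str                                   # "ok", "expiring", "grace" or "expired"
    time_before_expiration: Optional[int] = None  # seconds left, when "expiring"
    grace_authns_remaining: Optional[int] = None  # grace binds left, when "grace"


def check_expiration(policy: ExpirationPolicy, state: PasswordState,
                     now: datetime) -> BindDecision:
    """Applies the expiration, warning and grace rules to one bind attempt.

    A "grace" decision consumes one of the user's grace authentications, so
    the check is itself a state change: use them all up without changing the
    password and the account is locked out.
    """
    if policy.pwdMaxAge == 0:
        return BindDecision(True, "ok")
    expires_at = state.pwdChangedTime + timedelta(seconds=policy.pwdMaxAge)
    if now < expires_at:
        remaining = int((expires_at - now).total_seconds())
        if policy.pwdExpireWarning and remaining <= policy.pwdExpireWarning:
            return BindDecision(True, "expiring", time_before_expiration=remaining)
        return BindDecision(True, "ok")
    # Expired: the only way in is a grace authentication, if the policy grants any.
    if policy.pwdGraceExpiry:
        grace_window_ends = expires_at + timedelta(seconds=policy.pwdGraceExpiry)
        if now >= grace_window_ends:
            return BindDecision(False, "expired")
    left = policy.pwdGraceAuthNLimit - len(state.pwdGraceUseTime)
    if left <= 0:
        return BindDecision(False, "expired")
    state.pwdGraceUseTime.append(now)
    return BindDecision(True, "grace", grace_authns_remaining=left - 1)


def bind_sequence(policy: ExpirationPolicy, times: List[datetime]) -> List[str]:
    """Constructed scenario: a password set at EPOCH, then binds at `times`."""
    state = PasswordState(pwdChangedTime=EPOCH)
    return [check_expiration(policy, state, t).reason for t in times]


if __name__ == "__main__":
    policy = ExpirationPolicy(pwdMaxAge=30 * DAY, pwdExpireWarning=7 * DAY,
                              pwdGraceAuthNLimit=2)
    print(bind_sequence(policy, [ts(0), ts(25 * DAY), ts(30 * DAY),
                                 ts(31 * DAY), ts(32 * DAY)]))
```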

4.2.2.  Password History

   When the Password Expiration policy is used, an additional mechanism
   may be employed to prevent users from simply re-using a previous
   password (as this would effectively circumvent the expiration
   policy).

   To do this, a history of used passwords is kept.  The password
   policy administrator sets the number of passwords to be stored at
   any given time.  Passwords are stored in this history whenever the
   password is changed.  Users are not allowed to specify any password
   that is in the history list while changing passwords.

4.2.3.  Password Minimum Age

   Users may circumvent the Password History mechanism by quickly
   performing a series of password changes.  If they change their
   password enough times, their 'favorite' password will be pushed out
   of the history list.

   This process may be made less attractive to users by employing a
   minimum age for passwords.  If users are forced to wait 24 hours
   between password changes, they may be less likely to cycle through a
   history of 10 passwords.
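
   The following Python sketch is an added illustration, not part of
   this draft, of the history and minimum-age checks of Sections 4.2.2
   and 4.2.3 together, including the churn scenario described above in
   which a user cycles through throwaway passwords to get a favourite
   back.  Attribute names pwdInHistory and pwdMinAge are from Section
   5.1 and pwdHistory/pwdChangedTime from the draft's Section 5.3
   (outside this excerpt); storing only salted hashes in the history
   rather than the old values themselves is this example's own choice.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time (not from the draft).
EPOCH = datetime(2014, 7, 18, 12, 0, tzinfo=timezone.utc)
DAY = 86400
PBKDF2_ROUNDS = 10_000  # kept low so the demo runs quickly; raise it in production


def ts(seconds: int) -> datetime:
    return EPOCH + timedelta(seconds=seconds)


@dataclass
class ModificationPolicy:
    """The pwdPolicy attributes behind Sections 4.2.2 and 4.2.3 (names from 5.1)."""
    pwdInHistory: int = 10   # previous passwords remembered; 0 = history disabled
    pwdMinAge: int = DAY     # seconds that must pass between changes; 0 = no minimum


@dataclass
class StoredPassword:
    """One password value with the time it was set.

    The draft's pwdHistory keeps the old attribute values themselves; this
    example stores only a salted PBKDF2 hash (an assumption) so that a leaked
    entry does not hand out the user's previous passwords.
    """
    changed: datetime
    salt: bytes
    digest: bytes


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def store(password: str, when: datetime) -> StoredPassword:
    salt = os.urandom(16)
    return StoredPassword(when, salt, _digest(password, salt))


def matches(entry: StoredPassword, password: str) -> bool:
    return hmac.compare_digest(entry.digest, _digest(password, entry.salt))


@dataclass
class UserPasswordState:
    """Per-user state; pwdChangedTime and pwdHistory follow Section 5.3 (assumed)."""
    current: StoredPassword
    pwdHistory: List[StoredPassword] = field(default_factory=list)

    @property
    def pwdChangedTime(self) -> datetime:
        return self.current.changed


def change_password(policy: ModificationPolicy, state: UserPasswordState,
                    new_password: str, now: datetime) -> Optional[str]:
    """Returns None when the change is accepted, else the rejection reason."""
    # Password Minimum Age (4.2.3): too soon after the last change?
    if policy.pwdMinAge and now < state.pwdChangedTime + timedelta(seconds=policy.pwdMinAge):
        return "passwordTooYoung"
    # Password History (4.2.2): neither the current value nor a remembered one may return.
    if policy.pwdInHistory:
        for entry in [state.current] + state.pwdHistory:
            if matches(entry, new_password):
                return "passwordInHistory"
        # The value being replaced joins the history; only the newest pwdInHistory stay.
        state.pwdHistory = (state.pwdHistory + [state.current])[-policy.pwdInHistory:]
    state.current = store(new_password, now)
    return None


def cycle_through_history(policy: ModificationPolicy, favourite: str,
                          spacing: int) -> List[Optional[str]]:
    """Constructed scenario from 4.2.3: starting from `favourite`, the user sets
    pwdInHistory + 1 throwaway passwords `spacing` seconds apart (enough to push
    the favourite out of the list), then tries to set `favourite` again."""
    state = UserPasswordState(current=store(favourite, EPOCH))
    results = []
    for i in range(policy.pwdInHistory + 2):
        candidate = favourite if i > policy.pwdInHistory else f"throwaway-{i}"
        results.append(change_password(policy, state, candidate, ts((i + 1) * spacing)))
    return results


if __name__ == "__main__":
    # With no minimum age the favourite comes back after 11 quick changes; with a
    # 24-hour minimum age the same attempts are all rejected as too young.
    print(cycle_through_history(ModificationPolicy(pwdMinAge=0), "Winter2014!", 60))
    print(cycle_through_history(ModificationPolicy(), "Winter2014!", 60))
```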

4.2.4.  Password Quality and Minimum length

   In order to prevent users from creating or updating passwords that
   are easy to guess, a password quality policy may be employed.  This
   policy consists of two general mechanisms - ensuring that passwords
   conform to a defined quality criterion and ensuring that they are of
   a minimum length.

   Forcing a password to comply with the quality policy may imply a
   variety of things including:

   o  Disallowing trivial or well-known words from making up the
      password.

   o  Forcing a certain number of digits to be used.

   o  Disallowing anagrams of the user's name.

   The implementation of this policy meets with the following problems:

   o  If the password to be added or updated is encrypted by the client
      before being sent, the server has no way of enforcing this policy.
      Therefore, the onus of enforcing this policy falls upon client
      implementations.

   o  There are no specific definitions of what 'quality checking'
      means.  This can lead to unexpected behavior in a heterogeneous
      environment.

4.2.5.  User Defined Passwords

   In some cases, it is desirable to disallow users from adding and
   updating their own passwords.  This policy makes this functionality
   possible.

4.2.6.  Password Change after Reset

   This policy forces the user to update her password after it has been
   set for the first time, or has been reset by a password
   administrator.

   This is needed in scenarios where a password administrator has set or
   reset the password to a well-known value.

4.2.7.  Safe Modification

   As directories become more commonly used, it will not be unusual for
   clients to connect to a directory and leave the connection open for
   an extended period.  This opens up the possibility for an intruder to
   make modifications to a user's password while that user's computer is
   connected but unattended.

   This policy forces the user to prove his identity by specifying the
   old password during a password modify operation.

   {TODO: This allows a dictionary attack unless we specify that this is
   also subject to intruder detection.  One solution is to require users
   to authN prior to changing password.  Another solution is to perform
   intruder detection checks when the password for a non-authenticated
   identity is being updated}

4.3.  Restriction of the Password Policy

   The password policy defined in this document can apply to any
   attribute containing a password.  Password policy state information
   is held in the user's entry, and applies to a password attribute, not
   a particular password attribute value.  Thus the server SHOULD
   enforce that the password attribute subject to password policy,

Sermersheim, et al.     Expires January 19, 2015               [Page 10]

   contains one and only one password value.

5.  Schema used for Password Policy

   The schema elements defined here fall into two general categories.  A
   password policy object class is defined which contains a set of
   administrative password policy attributes, and a set of operational
   attributes are defined that hold general password policy state
   information for each user.

5.1.  The pwdPolicy Object Class

   This object class contains the attributes defining a password policy
   in effect for a set of users.  Section 10 describes the
   administration of this object, and the relationship between it and
   particular objects.

         ( 1.3.6.1.4.1.42.2.27.8.2.1
         NAME 'pwdPolicy'
         SUP top
         AUXILIARY
         MUST ( pwdAttribute )
         MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
         pwdMinLength $ pwdMaxLength $ pwdExpireWarning $
         pwdGraceAuthNLimit $ pwdGraceExpiry $ pwdLockout $
         pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
         pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $
         pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )

5.2.  Attribute Types used in the pwdPolicy ObjectClass

   Following are the attribute types used by the pwdPolicy object class.

5.2.1.  pwdAttribute

   This holds the name of the attribute to which the password policy is
   applied.  For example, the password policy may be applied to the
   userPassword attribute.

         ( 1.3.6.1.4.1.42.2.27.8.1.1
         NAME 'pwdAttribute'
         EQUALITY objectIdentifierMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

5.2.2.  pwdMinAge

   This attribute holds the number of seconds that must elapse between
   modifications to the password.  If this attribute is not present, 0
   seconds is assumed.

         ( 1.3.6.1.4.1.42.2.27.8.1.2
         NAME 'pwdMinAge'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.3.  pwdMaxAge

   This attribute holds the number of seconds after which a modified
   password will expire.

   If this attribute is not present, or if the value is 0 the password
   does not expire.  If not 0, the value must be greater than or equal
   to the value of the pwdMinAge.

         ( 1.3.6.1.4.1.42.2.27.8.1.3
         NAME 'pwdMaxAge'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.4.  pwdInHistory

   This attribute specifies the maximum number of used passwords stored
   in the pwdHistory attribute.

   If this attribute is not present, or if the value is 0, used
   passwords are not stored in the pwdHistory attribute and thus may be
   reused.

         ( 1.3.6.1.4.1.42.2.27.8.1.4
         NAME 'pwdInHistory'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.5.  pwdCheckQuality

   {TODO: Consider changing the syntax to OID.  Each OID will list a
   quality rule (like min len, # of special characters, etc).  These
   rules can be specified outside this document.}

   {TODO: Note that even though this is meant to be a check that happens
   during password modification, it may also be allowed to happen during
   authN.  This is useful for situations where the password is encrypted
   when modified, but decrypted when used to authN.}

   This attribute indicates how the password quality will be verified
   while being modified or added.  If this attribute is not present, or
   if the value is '0', quality checking will not be enforced.  A value
   of '1' indicates that the server will check the quality, and if the
   server is unable to check it (due to a hashed password or other
   reasons) it will be accepted.  A value of '2' indicates that the
   server will check the quality, and if the server is unable to verify
   it, it will return an error refusing the password.

         ( 1.3.6.1.4.1.42.2.27.8.1.5
         NAME 'pwdCheckQuality'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.6.  pwdMinLength

   When quality checking is enabled, this attribute holds the minimum
   number of characters that must be used in a password.  If this
   attribute is not present, no minimum password length will be
   enforced.  If the server is unable to check the length (due to a
   hashed password or otherwise), the server will, depending on the
   value of the pwdCheckQuality attribute, either accept the password
   without checking it ('0' or '1') or refuse it ('2').

         ( 1.3.6.1.4.1.42.2.27.8.1.6
         NAME 'pwdMinLength'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.7.  pwdMaxLength

   When quality checking is enabled, this attribute holds the maximum
   number of characters that may be used in a password.  If this
   attribute is not present, no maximum password length will be
   enforced.  If the server is unable to check the length (due to a
   hashed password or otherwise), the server will, depending on the
   value of the pwdCheckQuality attribute, either accept the password
   without checking it ('0' or '1') or refuse it ('2').

         ( 1.3.6.1.4.1.42.2.27.8.1.31
         NAME 'pwdMaxLength'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.8.  pwdExpireWarning

   This attribute specifies the maximum number of seconds before a
   password is due to expire that expiration warning messages will be
   returned to an authenticating user.

   If this attribute is not present, or if the value is 0 no warnings
   will be returned.  If not 0, the value must be smaller than the value
   of the pwdMaxAge attribute.

         ( 1.3.6.1.4.1.42.2.27.8.1.7
         NAME 'pwdExpireWarning'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.9.  pwdGraceAuthNLimit

   This attribute specifies the number of times an expired password can
   be used to authenticate.  If this attribute is not present or if the
   value is 0, authentication will fail.

         ( 1.3.6.1.4.1.42.2.27.8.1.8
         NAME 'pwdGraceAuthNLimit'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.10.  pwdGraceExpiry

   This attribute specifies the number of seconds the grace
   authentications are valid.  If this attribute is not present or if
   the value is 0, there is no time limit on the grace authentications.

         ( 1.3.6.1.4.1.42.2.27.8.1.30
         NAME 'pwdGraceExpiry'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.11.  pwdLockout

   This attribute indicates, when its value is "TRUE", that the password
   may not be used to authenticate after a specified number of
   consecutive failed bind attempts.  The maximum number of consecutive
   failed bind attempts is specified in pwdMaxFailure.

   If this attribute is not present, or if the value is "FALSE", the
   password may still be used to authenticate even after the number of
   consecutive failed bind attempts specified in pwdMaxFailure has been
   reached.

         ( 1.3.6.1.4.1.42.2.27.8.1.9
         NAME 'pwdLockout'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.12.  pwdLockoutDuration

   This attribute holds the number of seconds that the password cannot
   be used to authenticate due to too many failed bind attempts.  If
   this attribute is not present, or if the value is 0 the password
   cannot be used to authenticate until reset by a password
   administrator.

         ( 1.3.6.1.4.1.42.2.27.8.1.10
         NAME 'pwdLockoutDuration'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.13.  pwdMaxFailure

   This attribute specifies the number of consecutive failed bind
   attempts after which the password may not be used to authenticate.
   If this attribute is not present, or if the value is 0, this policy
   is not checked, and the value of pwdLockout will be ignored.

         ( 1.3.6.1.4.1.42.2.27.8.1.11
         NAME 'pwdMaxFailure'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.14.  pwdFailureCountInterval

   This attribute holds the number of seconds after which the password
   failures are purged from the failure counter, even though no
   successful authentication occurred.

   If this attribute is not present, or if its value is 0, the failure
   counter is only reset by a successful authentication.

         ( 1.3.6.1.4.1.42.2.27.8.1.12
         NAME 'pwdFailureCountInterval'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.15.  pwdMustChange

   This attribute specifies with a value of "TRUE" that users must
   change their passwords when they first bind to the directory after a
   password is set or reset by a password administrator.  If this
   attribute is not present, or if the value is "FALSE", users are not
   required to change their password upon binding after the password
   administrator sets or resets the password.  This attribute is not set
   as a result of any action specified by this document; it is typically
   set by a password administrator after resetting a user's password.

         ( 1.3.6.1.4.1.42.2.27.8.1.13
         NAME 'pwdMustChange'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.16.  pwdAllowUserChange

   This attribute indicates whether users can change their own
   passwords, although the change operation is still subject to access
   control.  If this attribute is not present, a value of "TRUE" is
   assumed.  This attribute is intended to be used in the absence of an
   access control mechanism.

         ( 1.3.6.1.4.1.42.2.27.8.1.14
         NAME 'pwdAllowUserChange'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )


5.2.17.  pwdSafeModify

   This attribute specifies whether or not the existing password must be
   sent along with the new password when being changed.  If this
   attribute is not present, a "FALSE" value is assumed.

         ( 1.3.6.1.4.1.42.2.27.8.1.15
         NAME 'pwdSafeModify'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE )

5.2.18.  pwdMinDelay

   This attribute specifies the number of seconds to delay responding to
   the first failed authentication attempt.  If this attribute is not
   set or is 0, no delays will be used. pwdMaxDelay must also be
   specified if pwdMinDelay is set.

         ( 1.3.6.1.4.1.42.2.27.8.1.24
         NAME 'pwdMinDelay'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.19.  pwdMaxDelay

   This attribute specifies the maximum number of seconds to delay when
   responding to a failed authentication attempt.  The time specified in
   pwdMinDelay is used as the starting time and is then doubled on each
   failure until the delay time is greater than or equal to pwdMaxDelay
   (or a successful authentication occurs, which resets the failure
   counter). pwdMinDelay must be specified if pwdMaxDelay is set.

         ( 1.3.6.1.4.1.42.2.27.8.1.25
         NAME 'pwdMaxDelay'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )

5.2.20.  pwdMaxIdle

   This attribute specifies the number of seconds an account may remain
   unused before it becomes locked.  If this attribute is not set or is
   0, no check is performed.

         ( 1.3.6.1.4.1.42.2.27.8.1.26
         NAME 'pwdMaxIdle'
         EQUALITY integerMatch
         ORDERING integerOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
         SINGLE-VALUE )
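   The attribute definitions above carry several cross-attribute rules
   (pwdMaxAge against pwdMinAge, pwdExpireWarning against pwdMaxAge,
   pwdMinDelay paired with pwdMaxDelay, pwdLockout without pwdMaxFailure
   being ignored, length limits only enforced when pwdCheckQuality is
   on).  The following added example, which is not part of the draft or
   of any server implementation, reads a pwdPolicy entry from LDIF-style
   text and lints it against those rules.  Both policy fragments are
   constructed for illustration; the "dc=example,dc=com" DN and the
   numeric values are assumptions, not values from the draft.

```python
# Added example: a consistency linter for pwdPolicy subentries, applying the
# cross-attribute rules stated in Section 5.2.  The two LDIF fragments are
# constructed for illustration and are not taken from the draft.

WEAK_POLICY = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMinAge: 86400
pwdExpireWarning: 7776000
pwdLockout: TRUE
pwdMaxFailure: 0
pwdCheckQuality: 0
pwdMinLength: 12
pwdMinDelay: 1
"""

HARDENED_POLICY = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMinAge: 86400
pwdExpireWarning: 604800
pwdInHistory: 12
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 300
pwdCheckQuality: 2
pwdMinLength: 12
pwdMinDelay: 1
pwdMaxDelay: 16
"""


def parse_policy(ldif_text):
    """Read one pwdPolicy entry from LDIF-style text into a dict; TRUE/FALSE
    become bool, digit strings become int, everything else stays a string."""
    policy = {}
    for line in ldif_text.splitlines():
        if ":" not in line or line.startswith(("dn:", "objectClass:")):
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if value in ("TRUE", "FALSE"):
            policy[name] = value == "TRUE"
        elif value.isdigit():
            policy[name] = int(value)
        else:
            policy[name] = value
    return policy


def lint_policy(p):
    """Return a list of findings, each citing the section whose rule it applies.
    Absent attributes count as 0 / FALSE, matching the draft's stated defaults."""
    def g(name):
        return p.get(name, 0)
    findings = []
    if g("pwdMaxAge") and g("pwdMaxAge") < g("pwdMinAge"):
        findings.append("pwdMaxAge must be >= pwdMinAge (5.2.3)")
    if g("pwdExpireWarning") and not g("pwdExpireWarning") < g("pwdMaxAge"):
        findings.append("pwdExpireWarning must be smaller than pwdMaxAge (5.2.8)")
    if g("pwdGraceAuthNLimit") and not g("pwdMaxAge"):
        findings.append("pwdGraceAuthNLimit has no effect while passwords never expire (5.2.3, 5.2.9)")
    if g("pwdLockout") and not g("pwdMaxFailure"):
        findings.append("pwdLockout TRUE is ignored while pwdMaxFailure is 0 or absent (5.2.13)")
    elif g("pwdLockout") and not g("pwdLockoutDuration"):
        findings.append("pwdLockoutDuration 0 locks accounts until an administrator intervenes (5.2.12): "
                        "anyone who can reach the bind port can lock out any user")
    if ("pwdMinDelay" in p) != ("pwdMaxDelay" in p):
        findings.append("pwdMinDelay and pwdMaxDelay must be specified together (5.2.18, 5.2.19)")
    elif g("pwdMaxDelay") < g("pwdMinDelay"):
        findings.append("pwdMaxDelay below pwdMinDelay: the doubling in 5.2.19 can never reach it")
    if g("pwdMaxLength") and g("pwdMaxLength") < g("pwdMinLength"):
        findings.append("pwdMaxLength below pwdMinLength: no password satisfies both (5.2.6, 5.2.7)")
    if not g("pwdCheckQuality") and (g("pwdMinLength") or g("pwdMaxLength")):
        findings.append("pwdMinLength/pwdMaxLength are enforced only when pwdCheckQuality is 1 or 2 (5.2.5)")
    elif g("pwdCheckQuality") == 1:
        findings.append("pwdCheckQuality 1 accepts passwords the server cannot inspect, e.g. pre-hashed ones (5.2.5)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_policy(parse_policy(text)) or "no findings")
```

   The weak fragment produces four findings; the hardened one produces
   none.  The lockout-duration finding is the one most often missed in
   review: a permanent lockout is a denial-of-service lever for anyone
   who can send bind requests.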

5.3.  Attribute Types for Password Policy State Information

   Password policy state information must be maintained for each user.
   The information is located in each user entry as a set of operational
   attributes.  These operational attributes are: pwdChangedTime,
   pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
   pwdReset, pwdPolicySubEntry, pwdStartTime, pwdEndTime,
   pwdLastSuccess.

5.3.1.  Password Policy State Attribute Option

   Since the password policy could apply to several attributes used to
   store passwords, each of the above operational attributes must have
   an option to specify which pwdAttribute it applies to.  The password
   policy option is defined as the following:

   pwd-<passwordAttribute>

   where passwordAttribute is a string following the OID syntax
   (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
   (short name) MUST be used.

   For example, if the pwdPolicy object has for pwdAttribute
   "userPassword" then the pwdChangedTime operational attribute, in a
   user entry, will be:

   pwdChangedTime;pwd-userPassword: 20000103121520Z

   This attribute option follows sub-typing semantics.  If a client
   requests a password policy state attribute to be returned in a search
   operation, and does not specify an option, all subtypes of that
   policy state attribute are returned.

5.3.2.  pwdChangedTime

   This attribute specifies the last time the entry's password was
   changed.  This is used by the password expiration policy.  If this
   attribute does not exist, the password will never expire.

         ( 1.3.6.1.4.1.42.2.27.8.1.16
         NAME 'pwdChangedTime'
         DESC 'The time the password was last changed'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.3.  pwdAccountLockedTime

   This attribute holds the time that the user's account was locked.  A
   locked account means that the password may no longer be used to
   authenticate.  A 000001010000Z value means that the account has been
   locked permanently, and that only a password administrator can unlock
   the account.

         ( 1.3.6.1.4.1.42.2.27.8.1.17
         NAME 'pwdAccountLockedTime'
         DESC 'The time a user account was locked'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.4.  pwdFailureTime

   This attribute holds the timestamps of the consecutive authentication
   failures.

         ( 1.3.6.1.4.1.42.2.27.8.1.19
         NAME 'pwdFailureTime'
         DESC 'The timestamps of the last consecutive authentication
         failures'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.5.  pwdHistory

   This attribute holds a history of previously used passwords.  Values
   of this attribute are transmitted in string format as given by the
   following ABNF:

      pwdHistory = time "#" syntaxOID "#" length "#" data

      time       = GeneralizedTime

      syntaxOID  = numericoid    ; the string representation of the
                                 ; dotted-decimal OID that defines the
                                 ; syntax used to store the password.

      length     = number        ; the number of octets in data.

      data       = <octets representing the password in the format
                    specified by syntaxOID>.

   GeneralizedTime is specified in 3.3.13 of [RFC4517]. numericoid and
   number are specified in 1.4 of [RFC4512].

   This format allows the server to store, and transmit a history of
   passwords that have been used.  In order for equality matching to
   function properly, the time field needs to adhere to a consistent
   format.  For this purpose, the time field MUST be in GMT format.

         ( 1.3.6.1.4.1.42.2.27.8.1.20
         NAME 'pwdHistory'
         DESC 'The history of previously used passwords'
         EQUALITY octetStringMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
         NO-USER-MODIFICATION
         USAGE directoryOperation )
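   The format above is easy to get wrong in two places: the data field
   may itself contain "#", so only the first three separators count and
   the length field is what delimits the data, and history entries
   normally hold hashed values, so a reuse check has to re-hash the
   candidate rather than compare strings.  The following added example
   (not code from the draft or from any directory server) builds, parses
   and checks pwdHistory values.  The sample values are constructed here,
   and the "{SSHA}" salted-SHA-1 scheme used for one of them is an
   OpenLDAP userPassword convention assumed for illustration, not
   something this draft defines.

```python
# Added example: building, parsing and checking pwdHistory values in the ABNF
# of Section 5.3.5.  Sample values are constructed; the {SSHA} scheme used for
# one of them is an OpenLDAP userPassword convention, not defined by the draft.
import base64
import hashlib
import hmac

OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"   # syntax of userPassword


def format_history(time, syntax_oid, data):
    """time "#" syntaxOID "#" length "#" data, with time in GMT (trailing Z)."""
    if not (time.endswith("Z") and time[:-1].isdigit()):
        raise ValueError("time MUST be GeneralizedTime in GMT form")
    return b"#".join([time.encode(), syntax_oid.encode(), str(len(data)).encode(), data])


def parse_history(value):
    """Split a pwdHistory value.  Only the first three '#' are separators; the
    data field may itself contain '#', which is why the length field exists."""
    time, syntax_oid, length, data = value.split(b"#", 3)
    if len(data) != int(length):
        raise ValueError("length %s does not match %d data octets" % (length.decode(), len(data)))
    return {"time": time.decode(), "syntaxOID": syntax_oid.decode(), "data": data}


def ssha(password, salt):
    """OpenLDAP-style salted SHA-1 userPassword value (assumed format, see above)."""
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def matches_stored(candidate, stored):
    """True if the candidate password equals a stored history value.  Cleartext
    values compare directly; {SSHA} values are re-hashed with the stored salt."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    return hmac.compare_digest(candidate, stored)


def in_history(candidate, history_values):
    """The reuse check behind pwdInHistory (5.2.4)."""
    return any(matches_stored(candidate, parse_history(v)["data"]) for v in history_values)


def trim_history(history_values, pwd_in_history):
    """Keep only the newest pwdInHistory values (5.2.4); 0 keeps none.  Fixed-width
    GMT GeneralizedTime strings sort correctly as plain text."""
    if pwd_in_history <= 0:
        return []
    return sorted(history_values, key=lambda v: parse_history(v)["time"])[-pwd_in_history:]


# Constructed sample history: one hashed value, one cleartext value containing '#'.
HISTORY = [
    format_history("20140101120000Z", OCTET_STRING_SYNTAX, ssha(b"Winter2014!", b"\x01\x02\x03\x04")),
    format_history("20140401120000Z", OCTET_STRING_SYNTAX, b"plain#text"),
]
```

   A server that stores only hashed values in pwdHistory can check reuse
   exactly this way; what it cannot do is check a candidate against a
   history value whose hash scheme it does not recognise, which is the
   same limitation Section 5.2.5 describes for quality checking.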

5.3.6.  pwdGraceUseTime

   This attribute holds the timestamps of grace authentications after a
   password has expired.

         ( 1.3.6.1.4.1.42.2.27.8.1.21
         NAME 'pwdGraceUseTime'
         DESC 'The timestamps of the grace authentication after the
         password has expired'
         EQUALITY generalizedTimeMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.7.  pwdReset

   This attribute holds a flag to indicate (when TRUE) that the password
   has been updated by the password administrator and must be changed by
   the user.

         ( 1.3.6.1.4.1.42.2.27.8.1.22
         NAME 'pwdReset'
         DESC 'The indication that the password has been reset'
         EQUALITY booleanMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
         SINGLE-VALUE
         USAGE directoryOperation )

5.3.8.  pwdPolicySubentry

   This attribute points to the pwdPolicy subentry in effect for this
   object.

         ( 1.3.6.1.4.1.42.2.27.8.1.23
         NAME 'pwdPolicySubentry'
         DESC 'The pwdPolicy subentry in effect for this object'
         EQUALITY distinguishedNameMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.9.  pwdStartTime

   This attribute specifies the time the entry's password becomes valid
   for authentication.  Authentication attempts made before this time
   will fail.  If this attribute does not exist, then no restriction
   applies.

         ( 1.3.6.1.4.1.42.2.27.8.1.27
         NAME 'pwdStartTime'
         DESC 'The time the password becomes enabled'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

5.3.10.  pwdEndTime

   This attribute specifies the time the entry's password becomes
   invalid for authentication.  Authentication attempts made after this
   time will fail, regardless of expiration or grace settings.  If this
   attribute does not exist, then this restriction does not apply.

         ( 1.3.6.1.4.1.42.2.27.8.1.28
         NAME 'pwdEndTime'
         DESC 'The time the password becomes disabled'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

   Note that pwdStartTime may be set to a time greater than or equal to
   pwdEndTime; this simply disables the account.

5.3.11.  pwdLastSuccess

   This attribute holds the timestamp of the last successful
   authentication.

         ( 1.3.6.1.4.1.42.2.27.8.1.29
         NAME 'pwdLastSuccess'
         DESC 'The timestamp of the last successful authentication'
         EQUALITY generalizedTimeMatch
         ORDERING generalizedTimeOrderingMatch
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
         SINGLE-VALUE
         NO-USER-MODIFICATION
         USAGE directoryOperation )

6.  Controls used for Password Policy

   This section details the controls used while enforcing password
   policy.  A request control is defined that is sent by a client with a
   request operation in order to elicit a response control.  The
   response control contains various warnings and errors associated with
   password policy.

   {TODO: add a note about advertisement and discovery}

6.1.  Request Control

   This control MAY be sent with any LDAP request message in order to
   convey to the server that this client is aware of, and can process
   the response control described in this document.  When a server
   receives this control, it will return the response control when
   appropriate and with the proper data.

   The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the criticality may
   be TRUE or FALSE.  There is no controlValue.

6.2.  Response Control

   When solicited by the inclusion of the request control, the server
   sends this control with the following operation responses:
   bindResponse, modifyResponse, addResponse, compareResponse and
   possibly extendedResponse, to inform of various conditions, and MAY
   send it with the responses to other operations (in the case of the
   changeAfterReset error).  The controlType is 1.3.6.1.4.1.42.2.27.8.5.1
   (the same OID as the request control) and the controlValue is the BER
   encoding of the following type:

      PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE {
            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
         error   [1] ENUMERATED {
            passwordExpired             (0),
            accountLocked               (1),
            changeAfterReset            (2),
            passwordModNotAllowed       (3),
            mustSupplyOldPassword       (4),
            insufficientPasswordQuality (5),
            passwordTooShort            (6),
            passwordTooYoung            (7),
            passwordInHistory           (8) } OPTIONAL }

   The timeBeforeExpiration warning specifies the number of seconds
   before a password will expire.  The graceAuthNsRemaining warning
   specifies the remaining number of times a user will be allowed to
   authenticate with an expired password.  The passwordExpired error
   signifies that the password has expired and must be reset.  The
   accountLocked error signifies that the account is locked as
   determined by Section 7.1.  The changeAfterReset error signifies that
   the password must be changed before the user will be allowed to
   perform any operation other than bind and modify.  The
   passwordModNotAllowed error is set when a user is restricted from
   changing her password.  The mustSupplyOldPassword error is set when
   pwdSafeModify requires the existing password and it was not supplied.
   The insufficientPasswordQuality error is set when a password doesn't
   pass quality checking, and passwordTooShort when it is shorter than
   pwdMinLength.  The passwordTooYoung error is set if the age of the
   password to be modified is not yet old enough.  The passwordInHistory
   error is set when the new password is found in pwdHistory.

   Typically, only either a warning or an error will be encoded though
   there may be exceptions.  For example, if the user is required to
   change a password after the password administrator set it, and the
   password will expire in a short amount of time, the control may
   include the timeBeforeExpiration warning and the changeAfterReset
   error.
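   The ASN.1 above is small enough to encode and decode by hand, which
   is useful when a client library exposes the control only as opaque
   bytes.  The following added example is not code from the draft or
   from any LDAP implementation.  It assumes the IMPLICIT TAGS
   convention of the LDAP ASN.1 module in RFC 4511: the warning CHOICE
   is explicitly tagged, so its [0] is a constructed tag (0xA0) wrapping
   a primitive [0] or [1] INTEGER, while the error is an implicit [1]
   ENUMERATED (0x81).  Check the byte layout against a capture from the
   server you actually talk to before relying on it.

```python
# Added example: hand-rolled BER for PasswordPolicyResponseValue (Section 6.2).
# Tagging follows the IMPLICIT TAGS convention of the LDAP ASN.1 module
# (RFC 4511): the warning CHOICE is explicitly tagged, so [0] is constructed
# (0xA0) around a primitive [0]/[1] INTEGER; the error is [1] ENUMERATED (0x81).
CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
WARNINGS = ["timeBeforeExpiration", "graceAuthNsRemaining"]      # CHOICE tags [0], [1]
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]               # ENUMERATED 0..8


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def _uint(value):
    """Content octets of a non-negative INTEGER/ENUMERATED: minimal two's
    complement, so a value with its top bit set gets a leading 0x00."""
    if value < 0:
        raise ValueError("negative values are not valid here")
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def encode_response(warning=None, error=None):
    """warning is (name, seconds-or-count) or None; error is a name or None."""
    content = b""
    if warning is not None:
        name, value = warning
        inner = _tlv(0x80 | WARNINGS.index(name), _uint(value))   # [0]/[1] IMPLICIT INTEGER
        content += _tlv(0xA0, inner)                               # warning [0], constructed
    if error is not None:
        content += _tlv(0x81, _uint(ERRORS.index(error)))          # error [1] IMPLICIT ENUMERATED
    return _tlv(0x30, content)                                     # SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element); rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def decode_response(data):
    """Parse a controlValue into {"warning": (name, int) or None, "error": name or None}."""
    tag, content, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("controlValue must be exactly one SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag == 0xA0:
            itag, ivalue, iend = _read_tlv(value, 0)
            if itag not in (0x80, 0x81) or iend != len(value):
                raise ValueError("malformed warning CHOICE")
            result["warning"] = (WARNINGS[itag & 0x0F], int.from_bytes(ivalue, "big", signed=True))
        elif tag == 0x81:
            code = int.from_bytes(value, "big", signed=True)
            if not 0 <= code < len(ERRORS):
                raise ValueError("unknown error code %d" % code)
            result["error"] = ERRORS[code]
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result
```

   A warning of 300 seconds together with the changeAfterReset error,
   the combination the paragraph above describes, encodes as
   30 09 A0 04 80 02 01 2C 81 01 02.  The decoder rejects trailing
   bytes, truncated elements and unknown error codes rather than
   guessing, since a client acting on a misparsed control could, for
   example, treat a lockout as a mere expiry warning.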

7.  Policy Decision Points

   Following are a number of procedures used to make policy decisions.
   These procedures are typically performed by the server while
   processing an operation.

   The following sections contain detailed instructions that refer to
   attributes of the pwdPolicy object class.  When doing so, the
   attribute of the pwdPolicy object that governs the entry being
   discussed is implied.

7.1.  Locked Account Check

   A status of true is returned to indicate that the account is locked
   if any of these conditions are met:

   o  The value of the pwdAccountLockedTime attribute is 000001010000Z.

   o  The current time is less than the value of the pwdStartTime
      attribute.

   o  The current time is greater than or equal to the value of the
      pwdEndTime attribute.

   o  The current time is greater than or equal to the value of the
      pwdLastSuccess attribute added to the value of the pwdMaxIdle
      attribute.

   o  The current time is less than the value of the
      pwdAccountLockedTime attribute added to the value of the
      pwdLockoutDuration.

   Otherwise a status of false is returned.

7.2.  Password Must be Changed Now Check

   A status of true is returned to indicate that the password must be
   changed if all of these conditions are met:

   o  The pwdMustChange attribute is set to TRUE.

   o  The pwdReset attribute is set to TRUE.

   Otherwise a status of false is returned.

7.3.  Password Expiration Check

   A status of true is returned indicating that the password has expired
   if the current time minus the value of pwdChangedTime is greater than
   the value of the pwdMaxAge.

   Otherwise, a status of false is returned.

7.4.  Remaining Grace AuthN Check

   If the pwdGraceExpiry attribute is present, and the current time is
   greater than the password expiration time plus the pwdGraceExpiry
   value, zero is returned.

   Otherwise, the number of values in the pwdGraceUseTime attribute
   (zero if the attribute is absent) subtracted from the value of
   pwdGraceAuthNLimit is returned.  A positive result specifies the
   number of remaining grace authentications; if pwdGraceAuthNLimit is
   absent or 0, no grace authentications are allowed (Section 5.2.9).

7.5.  Time Before Expiration Check

   If the pwdExpireWarning attribute is not present a zero status is
   returned.  Otherwise the following steps are followed:

   Subtract the time stored in pwdChangedTime from the current time to
   arrive at the password's age.  If the password's age is greater than
   the value of the pwdMaxAge attribute, a zero status is returned.
   Subtract the value of the pwdExpireWarning attribute from the value
   of the pwdMaxAge attribute to arrive at the warning age.  If the
   password's age is equal to or greater than the warning age, the value
   of pwdMaxAge minus the password's age is returned; otherwise a zero
   status is returned.

7.6.  Intruder Lockout Check

   A status of true indicating that an intruder has been detected is
   returned if the following conditions are met:

   o  The pwdLockout attribute is TRUE.

   o  The number of values in the pwdFailureTime attribute that are
      younger than pwdFailureCountInterval is greater than or equal to
      the value of the pwdMaxFailure attribute.

   Otherwise a status of false is returned.

   While performing this check, values of pwdFailureTime that are old by
   more than pwdFailureCountInterval are purged and not counted.

7.7.  Intruder Delay Check

   If the pwdMinDelay attribute is 0 or not set, zero is returned.

   Otherwise, a delay time is computed from the number of values in the
   pwdFailureTime attribute: pwdMinDelay for the first failure, doubled
   for each further failure (Section 5.2.19).  If the computed value is
   greater than the pwdMaxDelay attribute, the pwdMaxDelay value is
   returned.

   While performing this check, values of pwdFailureTime that are old by
   more than pwdFailureCountInterval are purged and not counted.

7.8.  Password Too Young Check

   If the Section 7.2 check returned true then this check will return
   false, to allow the password to be changed.

   A status of true indicating that not enough time has passed since the
   password was last updated is returned if:

   o  The value of pwdMinAge is non-zero and pwdChangedTime is present.

   o  The value of pwdMinAge is greater than the current time minus the
      value of pwdChangedTime.

   Otherwise a false status is returned.
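   The eight checks of Section 7 are pure functions of the user entry,
   its governing pwdPolicy and the current time, which makes them easy
   to unit-test independently of a directory server.  The following
   added example implements them that way; it is not code from the
   draft or from any server.  Entries and policies are plain dicts keyed
   by attribute name (multi-valued attributes as lists), and the sample
   data at the bottom is constructed for illustration.  Two checks read
   Section 7 together with Section 5: a pwdLockoutDuration of 0 is
   treated as a lock that lasts until an administrator resets it
   (5.2.12), and an entry with no pwdGraceUseTime values yet still has
   the full pwdGraceAuthNLimit available (5.2.9).

```python
# Added example: the Section 7 decision points over a user entry and its
# governing pwdPolicy, both plain dicts keyed by attribute name.  The sample
# data at the bottom is constructed for illustration, not taken from the draft.
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"   # pwdAccountLockedTime sentinel (5.3.3)

def parse_gt(value):
    """GeneralizedTime in the GMT form this draft uses: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _age(entry, now):
    """Seconds since pwdChangedTime, or None if the entry has none (5.3.2)."""
    changed = entry.get("pwdChangedTime")
    return None if changed is None else (now - parse_gt(changed)).total_seconds()

def _counted_failures(entry, policy, now):
    """pwdFailureTime values not yet purged by pwdFailureCountInterval (7.6, 7.7);
    an interval of 0 keeps every failure until a successful bind (5.2.14)."""
    interval = policy.get("pwdFailureCountInterval", 0)
    stamps = [parse_gt(t) for t in entry.get("pwdFailureTime", [])]
    if interval:
        stamps = [t for t in stamps if (now - t).total_seconds() <= interval]
    return len(stamps)

def account_locked(entry, policy, now):
    """7.1 Locked Account Check."""
    locked = entry.get("pwdAccountLockedTime")
    if locked == PERMANENT_LOCK:
        return True
    if "pwdStartTime" in entry and now < parse_gt(entry["pwdStartTime"]):
        return True
    if "pwdEndTime" in entry and now >= parse_gt(entry["pwdEndTime"]):
        return True
    max_idle, last = policy.get("pwdMaxIdle", 0), entry.get("pwdLastSuccess")
    if max_idle and last and now >= parse_gt(last) + timedelta(seconds=max_idle):
        return True                                  # pwdMaxIdle 0 disables this (5.2.20)
    if locked:
        duration = policy.get("pwdLockoutDuration", 0)   # 0: locked until reset (5.2.12)
        return duration == 0 or now < parse_gt(locked) + timedelta(seconds=duration)
    return False

def must_change_now(entry, policy):
    """7.2 Password Must be Changed Now Check."""
    return bool(policy.get("pwdMustChange")) and bool(entry.get("pwdReset"))

def password_expired(entry, policy, now):
    """7.3; never expires without pwdChangedTime (5.3.2) or with pwdMaxAge 0 (5.2.3)."""
    age, max_age = _age(entry, now), policy.get("pwdMaxAge", 0)
    return age is not None and max_age > 0 and age > max_age

def grace_remaining(entry, policy, now):
    """7.4 read with 5.2.9: with no pwdGraceUseTime values yet, the full limit remains."""
    limit, grace_expiry = policy.get("pwdGraceAuthNLimit", 0), policy.get("pwdGraceExpiry", 0)
    age = _age(entry, now)
    if grace_expiry and age is not None and age > policy.get("pwdMaxAge", 0) + grace_expiry:
        return 0
    return max(limit - len(entry.get("pwdGraceUseTime", [])), 0)

def time_before_expiration(entry, policy, now):
    """7.5; seconds left once inside the pwdExpireWarning window, otherwise 0."""
    warn, max_age, age = policy.get("pwdExpireWarning", 0), policy.get("pwdMaxAge", 0), _age(entry, now)
    if not warn or age is None or age > max_age or age < max_age - warn:
        return 0
    return int(max_age - age)

def intruder_detected(entry, policy, now):
    """7.6; pwdMaxFailure 0 turns the check off and pwdLockout is ignored (5.2.13)."""
    max_failure = policy.get("pwdMaxFailure", 0)
    if not policy.get("pwdLockout") or not max_failure:
        return False
    return _counted_failures(entry, policy, now) >= max_failure

def intruder_delay(entry, policy, now):
    """7.7; pwdMinDelay doubled per counted failure, capped at pwdMaxDelay (5.2.19)."""
    min_delay, max_delay = policy.get("pwdMinDelay", 0), policy.get("pwdMaxDelay", 0)
    failures = _counted_failures(entry, policy, now)
    if not min_delay or not failures:
        return 0
    return min(min_delay * 2 ** (failures - 1), max_delay)

def password_too_young(entry, policy, now):
    """7.8; a change forced by 7.2 is always allowed."""
    if must_change_now(entry, policy):
        return False
    age, min_age = _age(entry, now), policy.get("pwdMinAge", 0)
    return min_age > 0 and age is not None and age < min_age

# Constructed sample: a 90-day policy with lockout, and a user 85 days into it
# whose three failures include one old enough to be purged from the count.
POLICY = {"pwdMaxAge": 90 * 86400, "pwdMinAge": 3600, "pwdExpireWarning": 7 * 86400,
          "pwdGraceAuthNLimit": 3, "pwdLockout": True, "pwdMaxFailure": 5,
          "pwdFailureCountInterval": 300, "pwdLockoutDuration": 900,
          "pwdMinDelay": 1, "pwdMaxDelay": 16}
NOW = parse_gt("20140715120000Z")
ENTRY = {"pwdChangedTime": "20140421120000Z",
         "pwdFailureTime": ["20140715115000Z", "20140715115800Z", "20140715115900Z"]}
```

   With the sample data the user is 85 days into a 90-day policy, so
   the warning check returns the five days left; two of the three
   recorded failures fall inside the 300-second interval, so the delay
   check returns 2 seconds and the lockout check stays false.  The
   purge in _counted_failures is what keeps an attacker's slow trickle
   of guesses from accumulating into a lockout while still throttling a
   burst.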

8.  Server Policy Enforcement Points

   The server SHOULD enforce that the password attribute subject to a
   password policy as defined in this document, contains one and only
   one password value.

   Note: The case where a single password value is stored in multiple
   formats simultaneously is still considered to be only one password
   value.

   The scenarios in the following operations assume that the client has
   attached a passwordPolicyRequest control to the request message of
   the operation.  In the event that the passwordPolicyRequest control
   was not sent, no passwordPolicyResponse control is returned.  All
   other instructions remain the same.

   For successfully completed operations, unless otherwise stated, no
   passwordPolicyResponse control is returned.

8.1.  Password-based Authentication

   This section contains the policy enforcement rules and policy data
   updates used while validating a password.  Operations that validate
   passwords include, but are not limited to, the Bind operation where
   the simple choice specifies a password, and the Compare operation
   where the attribute being compared holds a password.  Note that while
   the Compare operation does not authenticate a user to the LDAP
   server, it may be used by an external application for purposes of
   authentication.

8.1.1.  Fail if the account is locked

   If the account is locked as specified in Section 7.1, the server
   fails the operation with an appropriate resultCode (e.g.
   invalidCredentials (49) in the case of a bind operation, compareFalse
   (5) in the case of a compare operation, etc.).  The server MAY set
   the error: accountLocked (1) in the passwordPolicyResponse in the
   controls field of the message.

8.1.2.  Validated Password Procedures

   If the validation operation indicates that the password validated,
   these procedures are followed in order:

8.1.2.1.  Policy state updates

   Delete the pwdFailureTime and pwdAccountLockedTime attributes.

   Set the value of the pwdLastSuccess attribute to the current time.

   Note: setting pwdLastSuccess is optional, but it is required if the
   policy has pwdMaxIdle defined.

8.1.2.2.  Password must be changed now

   If the decision in Section 7.2 returns true, the server sends to the
   client a response with an appropriate successful resultCode (e.g.
   success (0), compareTrue (6), etc.), and includes the
   passwordPolicyResponse in the controls field of the response message
   with the error: changeAfterReset (2) specified.

   For bind, the server MUST then disallow all operations issued by this
   user except modify password, bind, unbind, abandon and the StartTLS
   extended operation, until the password has been changed.

8.1.2.3.  Expired password

   If the password has expired as per Section 7.3, the server either
   returns a success or failure based on the state of grace
   authentications.

8.1.2.3.1.  Remaining Grace Authentications

   If there are remaining grace authentications as per Section 7.4, the
   server adds a new value with the current time in pwdGraceUseTime.
   Then it sends to the client a response with an appropriate successful
   resultCode (e.g. success (0), compareTrue (6), etc.), and includes
   the passwordPolicyResponse in the controls field of the response
   message with the warning: graceAuthNsRemaining choice set to the
   number of grace authentications left.

   Implementor's note: The system time of the host machine may be more
   granular than is needed to ensure unique values of this attribute.
   It is recommended that a mechanism is used to ensure unique
   generalized time values.  The fractional seconds field may be used
   for this purpose.

8.1.2.3.2.  No Remaining Grace Authentications

   If there are no remaining grace authentications, the server fails the
   operation with an appropriate resultCode (e.g. invalidCredentials
   (49), compareFalse (5), etc.), and includes the passwordPolicyResponse
   in the controls field of the response message with the error:
   passwordExpired (0) set.

8.1.2.4.  Expiration Warning

   If the result of Section 7.5 is a positive number, the server sends
   to the client a response with an appropriate successful resultCode
   (e.g. success (0), compareTrue (6), etc.), and includes the
   passwordPolicyResponse in the controls field of the response message
   with the warning: timeBeforeExpiration set to the value as described
   above.  Otherwise, the server sends a successful response and omits
   the passwordPolicyResponse.

8.1.3.  AuthN Failed Procedures

   If the authentication process indicates that the password failed
   validation due to invalid credentials, these procedures are followed:

8.1.3.1.  Policy state update

   Add the current time as a value of the pwdFailureTime attribute.

   Implementor's note: The system time of the host machine may be more
   granular than is needed to ensure unique values of this attribute.
   It is recommended that a mechanism is used to ensure unique
   generalized time values.  The fractional seconds field may be used
   for this purpose.

8.1.3.2.  Handle Intruder Detection

   If the check in Section 7.6 returns a true state, the server locks
   the account by setting the value of the pwdAccountLockedTime
   attribute to the current time.  After locking the account, the server
   fails the operation with an appropriate resultCode
   (invalidCredentials (49), compareFalse (5), etc.), and includes the
   passwordPolicyResponse in the controls field of the message with the
   error: accountLocked (1).

   If the check in Section 7.7 returns a non-zero value, the server
   waits that number of seconds before sending the authentication
   response back to the client.
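   The bind-side procedure of Section 8.1, written out as one function
   that applies the checks in the order the draft gives them.  This is an
   added example for this page, not code from the draft or from any
   directory server.  The Section 7 checks it calls (lock state, expiry,
   grace, warning window, intruder detection) are simplified renderings
   of the draft's definitions; the Section 7.7 delay schedule is outside
   this excerpt and is assumed here to double from pwdMinDelay up to
   pwdMaxDelay.  Times are Unix seconds rather than GeneralizedTime
   values, and the user entry is a dataclass rather than a directory
   entry.

```python
"""Server-side enforcement of Sections 8.1.1 to 8.1.3 for one bind or compare.
Added example, not code from the draft or any directory server.  The Section 7
checks are simplified renderings of the draft's definitions; the Section 7.7
delay schedule is outside this excerpt and is assumed to double from pwdMinDelay
up to pwdMaxDelay.  Times are Unix seconds, entries are dataclasses."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUCCESS, COMPARE_FALSE, COMPARE_TRUE, INVALID_CREDENTIALS = 0, 5, 6, 49  # RFC 4511 resultCodes
PASSWORD_EXPIRED, ACCOUNT_LOCKED, CHANGE_AFTER_RESET = 0, 1, 2         # ppolicy error values

@dataclass
class Policy:  # pwdPolicy attributes consulted on the validation path; 0/False = unset
    pwdMaxAge: int = 0
    pwdExpireWarning: int = 0
    pwdGraceAuthNLimit: int = 0
    pwdLockout: bool = False
    pwdMaxFailure: int = 0
    pwdLockoutDuration: int = 0
    pwdFailureCountInterval: int = 0
    pwdMinDelay: int = 0
    pwdMaxDelay: int = 0
    pwdMustChange: bool = False

@dataclass
class Entry:  # policy state attributes held on the user entry
    pwdChangedTime: Optional[float] = None
    pwdAccountLockedTime: Optional[float] = None
    pwdFailureTime: List[float] = field(default_factory=list)
    pwdGraceUseTime: List[float] = field(default_factory=list)
    pwdReset: bool = False
    pwdLastSuccess: Optional[float] = None

@dataclass
class Response:
    resultCode: int
    warning: Optional[Tuple[str, int]] = None  # ("timeBeforeExpiration"|"graceAuthNsRemaining", n)
    error: Optional[int] = None
    delay: int = 0                             # seconds to hold the response (8.1.3.2)

def is_locked(p, e, now):
    """7.1: pwdAccountLockedTime set and pwdLockoutDuration zero (permanent) or unexpired."""
    if e.pwdAccountLockedTime is None:
        return False
    return p.pwdLockoutDuration == 0 or now < e.pwdAccountLockedTime + p.pwdLockoutDuration

def is_expired(p, e, now):
    """7.3: pwdChangedTime + pwdMaxAge lies in the past."""
    return p.pwdMaxAge > 0 and e.pwdChangedTime is not None and e.pwdChangedTime + p.pwdMaxAge < now

def grace_remaining(p, e):
    """7.4: grace authentications not yet consumed."""
    return max(0, p.pwdGraceAuthNLimit - len(e.pwdGraceUseTime))

def expiry_warning_seconds(p, e, now):
    """7.5: seconds to expiry once inside the pwdExpireWarning window, else 0."""
    if not (p.pwdMaxAge and p.pwdExpireWarning and e.pwdChangedTime is not None):
        return 0
    left = int(e.pwdChangedTime + p.pwdMaxAge - now)
    return left if 0 < left <= p.pwdExpireWarning else 0

def intruder_detected(p, e, now):
    """7.6: pwdMaxFailure failures inside pwdFailureCountInterval; older ones are purged."""
    if not p.pwdLockout or not p.pwdMaxFailure:
        return False
    if p.pwdFailureCountInterval:
        e.pwdFailureTime = [t for t in e.pwdFailureTime if now - t <= p.pwdFailureCountInterval]
    return len(e.pwdFailureTime) >= p.pwdMaxFailure

def lockout_delay(p, e):
    """7.7 (assumed schedule): pwdMinDelay doubled per recorded failure, capped at pwdMaxDelay."""
    if not p.pwdMinDelay or not e.pwdFailureTime:
        return 0
    delay = p.pwdMinDelay << (len(e.pwdFailureTime) - 1)
    return min(delay, p.pwdMaxDelay) if p.pwdMaxDelay else delay

def authenticate(p, e, password_ok, now, bind=True):
    """Apply Section 8.1 in order; password_ok is the raw credential comparison."""
    ok_code = SUCCESS if bind else COMPARE_TRUE
    fail_code = INVALID_CREDENTIALS if bind else COMPARE_FALSE
    if is_locked(p, e, now):                      # 8.1.1
        return Response(fail_code, error=ACCOUNT_LOCKED)
    if not password_ok:
        e.pwdFailureTime.append(now)              # 8.1.3.1
        if intruder_detected(p, e, now):          # 8.1.3.2: lock ...
            e.pwdAccountLockedTime = now
            return Response(fail_code, error=ACCOUNT_LOCKED)
        return Response(fail_code, delay=lockout_delay(p, e))  # ... or slow the client down
    e.pwdFailureTime, e.pwdAccountLockedTime, e.pwdLastSuccess = [], None, now  # 8.1.2.1
    if p.pwdMustChange and e.pwdReset:            # 8.1.2.2 (Section 7.2)
        return Response(ok_code, error=CHANGE_AFTER_RESET)
    if is_expired(p, e, now):                     # 8.1.2.3
        if grace_remaining(p, e) == 0:
            return Response(fail_code, error=PASSWORD_EXPIRED)
        e.pwdGraceUseTime.append(now)
        return Response(ok_code, warning=("graceAuthNsRemaining", grace_remaining(p, e)))
    secs = expiry_warning_seconds(p, e, now)      # 8.1.2.4
    return Response(ok_code, warning=("timeBeforeExpiration", secs) if secs else None)
```

   Two points worth checking against the text: a correct password
   presented to a locked account still fails (8.1.1 runs before any
   validated-password step), and a successful validation clears
   pwdFailureTime and pwdAccountLockedTime before the expiry check, so
   an expired account with no grace left ends up unlocked but still
   unable to bind.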

8.2.  Password Update Operations

   Because the password is stored in an attribute, various operations
   (like add and modify) may be used to create or update a password.
   But some alternate mechanisms have been defined or may be defined,
   such as the LDAP Password Modify Extended Operation [RFC3062].

   While processing a password update, the server performs the following
   steps:

8.2.1.  Safe Modification

   If pwdSafeModify is set to TRUE and if there is an existing password
   value, the server ensures that the password update operation includes
   the user's existing password.

   When the LDAP modify operation is used to modify a password, this is
   done by specifying both a delete action and an add or replace action,
   where the delete action specifies the existing password, and the add
   or replace action specifies the new password.  Other password update
   operations SHOULD employ a similar mechanism.  Otherwise this policy
   will fail.

   If the existing password is not specified, the server does not
   process the operation and sends the appropriate response message to
   the client with the resultCode: insufficientAccessRights (50), and
   includes the passwordPolicyResponse in the controls field of the
   response message with the error: mustSupplyOldPassword (4).

8.2.2.  Change After Reset

   If the decision in Section 7.2 returns true, the server ensures that
   the password update operation contains no modifications other than
   the modification of the password attribute.  If other modifications
   exist, the server sends a response message to the client with the
   resultCode: insufficientAccessRights (50), and includes the
   passwordPolicyResponse in the controls field of the response message
   with the error: changeAfterReset (2).

8.2.3.  Rights Check

   Check to see whether the bound identity has sufficient rights to
   update the password.  If the bound identity is a user changing its
   own password, this MAY be done by checking the pwdAllowUserChange
   attribute or using an access control mechanism.  The determination of
   this is implementation specific.  If the user is not allowed to
   update her password, the server sends a response message to the
   client with the resultCode: insufficientAccessRights (50), and
   includes the passwordPolicyResponse in the controls field of the
   response message with the error: passwordModNotAllowed (3).

8.2.4.  Too Early to Update

   If the check in Section 7.8 results in a true status, the server
   sends a response message to the client with the resultCode:
   constraintViolation (19), and includes the passwordPolicyResponse in
   the controls field of the response message with the error:
   passwordTooYoung (7).

8.2.5.  Password Quality

   Check the value of the pwdCheckQuality attribute.  If the value is
   non-zero, the server:

   o  ensures that the password meets the quality criteria enforced by
      the server.  This enforcement is implementation specific.  If the
      server is unable to check the quality (due to a hashed password or
      otherwise), the value of pwdCheckQuality is evaluated.  If the
      value is 1, operation continues.  If the value is 2, the server
      sends a response message to the client with the resultCode:
      constraintViolation (19), and includes the passwordPolicyResponse
      in the controls field of the response message with the error:
      insufficientPasswordQuality (5).

      If the server is able to check the password quality, and the check
      fails, the server sends a response message to the client with the
      resultCode: constraintViolation (19), and includes the
      passwordPolicyResponse in the controls field of the response
      message with the error: insufficientPasswordQuality (5).

   o  checks the value of the pwdMinLength attribute.  If the value is
      non-zero, it ensures that the new password is of at least the
      minimum length.

      If the server is unable to check the length (due to a hashed
      password or otherwise), the value of pwdCheckQuality is evaluated.
      If the value is 1, operation continues.  If the value is 2, the
      server sends a response message to the client with the resultCode:
      constraintViolation (19), and includes the passwordPolicyResponse
      in the controls field of the response message with the error:
      passwordTooShort (6).

      If the server is able to check the password length, and the check
      fails, the server sends a response message to the client with the
      resultCode: constraintViolation (19), and includes the
      passwordPolicyResponse in the controls field of the response
      message with the error: passwordTooShort (6).

8.2.6.  Invalid Reuse

   If pwdInHistory is present and its value is non-zero, the server
   checks whether this password exists in the entry's pwdHistory
   attribute or in the current password attribute.  If the password does
   exist in the pwdHistory attribute or in the current password
   attribute, the server sends a response message to the client with the
   resultCode: constraintViolation (19), and includes the
   passwordPolicyResponse in the controls field of the response message
   with the error: passwordInHistory (8).

8.2.7.  Policy State Updates

   If the steps have completed without causing an error condition, the
   server performs the following steps in order to update the necessary
   password policy state attributes:

   If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
   updates the pwdChangedTime attribute on the entry to the current
   time.

   If the value of pwdInHistory is non-zero, the server adds the
   previous password (if one existed) to the pwdHistory attribute.  If
   the number of values held in the pwdHistory attribute exceeds the
   value of pwdInHistory, the server removes the oldest excess
   passwords.

   If the value of pwdMustChange is TRUE and the modification is
   performed by a password administrator, then the pwdReset attribute is
   set to TRUE.  Otherwise, pwdReset is removed from the user's entry if
   it exists.

   The pwdFailureTime and pwdGraceUseTime attributes are removed from
   the user's entry if they exist.
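   The password update path of Sections 8.2.1 to 8.2.7, together with
   the Section 7.8 age check, as one ordered procedure.  This is an
   added example for this page, not code from the draft or from any
   directory server.  Password storage as unsalted SHA-256 with a
   "{SHA256}" prefix, the "{"-prefix test for a value the server cannot
   inspect, and the letter-plus-digit quality rule are stand-ins for
   behaviour the draft leaves implementation specific; a wrong old
   password under pwdSafeModify is treated as an ordinary failed delete
   action (noSuchAttribute (16) from RFC 4511), since the draft only
   defines the missing-value case.  Times are Unix seconds.

```python
"""Server-side enforcement of a password update, Sections 8.2.1 to 8.2.7 with
the Section 7.8 age check.  Added example, not code from the draft or any
directory server.  Password storage as unsalted SHA-256 with a "{SHA256}"
prefix, the "{"-prefix test for a pre-hashed value, and the letter-plus-digit
quality rule are stand-ins for implementation-specific behaviour the draft
leaves open.  Times are Unix seconds."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

SUCCESS, NO_SUCH_ATTRIBUTE, CONSTRAINT_VIOLATION, INSUFFICIENT_ACCESS_RIGHTS = 0, 16, 19, 50
(CHANGE_AFTER_RESET, PASSWORD_MOD_NOT_ALLOWED, MUST_SUPPLY_OLD_PASSWORD,
 INSUFFICIENT_PASSWORD_QUALITY, PASSWORD_TOO_SHORT, PASSWORD_TOO_YOUNG,
 PASSWORD_IN_HISTORY) = 2, 3, 4, 5, 6, 7, 8

@dataclass
class Policy:  # pwdPolicy attributes consulted on the update path; 0 = unset
    pwdMinAge: int = 0
    pwdMaxAge: int = 0
    pwdInHistory: int = 0
    pwdCheckQuality: int = 0      # 0 none, 1 check when possible, 2 reject when not checkable
    pwdMinLength: int = 0
    pwdMustChange: bool = False
    pwdAllowUserChange: bool = True
    pwdSafeModify: bool = False

@dataclass
class Entry:
    password: Optional[str] = None            # stored hash, e.g. "{SHA256}..."
    pwdChangedTime: Optional[float] = None
    pwdHistory: List[str] = field(default_factory=list)   # oldest first
    pwdReset: bool = False
    pwdFailureTime: List[float] = field(default_factory=list)
    pwdGraceUseTime: List[float] = field(default_factory=list)

@dataclass
class Update:
    new_password: str                   # cleartext, or a pre-hashed "{...}" value
    old_password: Optional[str] = None  # value of the delete action (8.2.1)
    other_mods: bool = False            # request also modifies other attributes
    by_admin: bool = False              # bound identity is a password administrator
    own_entry: bool = True              # user is changing its own password

def hash_pw(cleartext):
    return "{SHA256}" + hashlib.sha256(cleartext.encode()).hexdigest()

def meets_quality(cleartext):  # stand-in for the server's quality rules
    return any(c.isalpha() for c in cleartext) and any(c.isdigit() for c in cleartext)

def update_password(p, e, u, now):
    """Run the 8.2 steps in order; returns (resultCode, ppolicy error or None)."""
    must_change = p.pwdMustChange and e.pwdReset             # Section 7.2
    if p.pwdSafeModify and e.password is not None:           # 8.2.1
        if u.old_password is None:
            return INSUFFICIENT_ACCESS_RIGHTS, MUST_SUPPLY_OLD_PASSWORD
        if hash_pw(u.old_password) != e.password:            # delete action fails as a plain modify error
            return NO_SUCH_ATTRIBUTE, None
    if must_change and u.other_mods:                         # 8.2.2
        return INSUFFICIENT_ACCESS_RIGHTS, CHANGE_AFTER_RESET
    if u.own_entry and not u.by_admin and not p.pwdAllowUserChange:   # 8.2.3
        return INSUFFICIENT_ACCESS_RIGHTS, PASSWORD_MOD_NOT_ALLOWED
    too_young = (p.pwdMinAge and e.pwdChangedTime is not None
                 and p.pwdMinAge > now - e.pwdChangedTime)
    if too_young and not must_change:                        # 8.2.4 via 7.8
        return CONSTRAINT_VIOLATION, PASSWORD_TOO_YOUNG
    prehashed = u.new_password.startswith("{")
    if p.pwdCheckQuality:                                    # 8.2.5
        if prehashed and p.pwdCheckQuality == 2:             # cannot inspect: 1 continues, 2 rejects
            return CONSTRAINT_VIOLATION, INSUFFICIENT_PASSWORD_QUALITY
        if not prehashed and not meets_quality(u.new_password):
            return CONSTRAINT_VIOLATION, INSUFFICIENT_PASSWORD_QUALITY
        if not prehashed and p.pwdMinLength and len(u.new_password) < p.pwdMinLength:
            return CONSTRAINT_VIOLATION, PASSWORD_TOO_SHORT
    stored = u.new_password if prehashed else hash_pw(u.new_password)
    if p.pwdInHistory and stored in [e.password] + e.pwdHistory:      # 8.2.6
        return CONSTRAINT_VIOLATION, PASSWORD_IN_HISTORY
    if p.pwdMaxAge or p.pwdMinAge:                           # 8.2.7 state updates
        e.pwdChangedTime = now
    if p.pwdInHistory and e.password is not None:
        e.pwdHistory.append(e.password)
        del e.pwdHistory[:-p.pwdInHistory]                   # drop the oldest excess
    e.pwdReset = bool(p.pwdMustChange and u.by_admin)
    e.pwdFailureTime.clear()
    e.pwdGraceUseTime.clear()
    e.password = stored
    return SUCCESS, None
```

   Note the interaction the draft relies on: an administrative reset
   sets pwdReset, which both exempts the user's first change from the
   pwdMinAge check (7.8) and restricts that request to the password
   attribute alone (8.2.2); the user's own change then clears pwdReset.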

8.3.  Other Operations

   For operations other than bind, password update, unbind, abandon or
   StartTLS, if the decision in Section 7.2 returns true, the server
   sends a response message to the client with the resultCode:
   insufficientAccessRights (50), and includes the
   passwordPolicyResponse in the controls field of the response message
   with the error: changeAfterReset (2).

9.  Client Policy Enforcement Points

   These sections illustrate possible scenarios for each LDAP operation
   and define the types of responses that identify those scenarios.

   The scenarios in the following operations assume that the client
   attached a passwordPolicyRequest control to the request message of
   the operation, and thus may receive a passwordPolicyResponse control
   in the response message.  In the event that the passwordPolicyRequest
   control was not sent, no passwordPolicyResponse control is returned.
   All other instructions remain the same.

9.1.  Bind Operation

   For every bind response received, the client checks the resultCode of
   the bindResponse and checks for a passwordPolicyResponse control to
   determine if any of the following conditions are true and MAY prompt
   the user accordingly.

   o  bindResponse.resultCode = invalidCredentials (49),
      passwordPolicyResponse.error = accountLocked (1): The password
      failure limit has been reached and the account is locked.  The
      user needs to retry later or contact the password administrator to
      reset the password.

   o  bindResponse.resultCode = success (0),
      passwordPolicyResponse.error = changeAfterReset (2): The user is
      binding for the first time after the password administrator set
      the password.  In this scenario, the client SHOULD prompt the user
      to change his password immediately.

   o  bindResponse.resultCode = success (0),
      passwordPolicyResponse.warning = graceAuthNsRemaining: The
      password has expired but there are remaining grace
      authentications.  The user needs to change it.

   o  bindResponse.resultCode = invalidCredentials (49),
      passwordPolicyResponse.error = passwordExpired (0): The password
      has expired and there are no more grace authentications.  The user
      contacts the password administrator in order to have its password
      reset.

   o  bindResponse.resultCode = success (0),
      passwordPolicyResponse.warning = timeBeforeExpiration: The user's
      password will expire in n number of seconds.
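   A client-side decoder for the passwordPolicyResponse control value,
   with the bind cases above mapped to the action the client should
   take.  This is an added example for this page, not code from the
   draft or from any LDAP library.  The BER layout it decodes follows
   the draft's ASN.1 for PasswordPolicyResponseValue, which is defined
   earlier in the draft (outside this excerpt): a SEQUENCE whose warning
   [0] wraps a CHOICE of timeBeforeExpiration [0] or graceAuthNsRemaining
   [1] INTEGER, and whose error [1] is the ENUMERATED with the values
   listed in this section.  The sample control values are constructed by
   hand, not captured from a server.

```python
"""Client-side handling of the passwordPolicyResponse control on a bindResponse
(Section 9.1).  Added example, not code from the draft or any LDAP library.
The BER layout follows the draft's ASN.1 for PasswordPolicyResponseValue, which
is defined earlier in the draft (outside this excerpt):
  SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                 graceAuthNsRemaining [1] INTEGER } OPTIONAL,
             error [1] ENUMERATED { passwordExpired(0) .. passwordInHistory(8) } OPTIONAL }
The sample control values below are constructed by hand for this example."""
from typing import Optional, Tuple

ERROR_NAMES = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
               3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
               5: "insufficientPasswordQuality", 6: "passwordTooShort",
               7: "passwordTooYoung", 8: "passwordInHistory"}
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """One BER TLV with definite length; returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value: bytes) -> dict:
    """Return {"warning": (name, n) or None, "error": (code, name) or None}."""
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("PasswordPolicyResponseValue must be a single SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0]: constructed, wraps the CHOICE
            ctag, num, _ = read_tlv(contents, 0)
            out["warning"] = (WARNING_TAGS[ctag], int.from_bytes(num, "big"))
        elif tag == 0x81:                   # error [1]: primitive ENUMERATED
            code = int.from_bytes(contents, "big")
            out["error"] = (code, ERROR_NAMES.get(code, "unknown"))
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return out

def interpret_bind(result_code: int, control: Optional[bytes]) -> str:
    """Map (bindResponse.resultCode, control value) onto the Section 9.1 cases."""
    pp = decode_ppolicy_response(control) if control else {"warning": None, "error": None}
    err = pp["error"][0] if pp["error"] else None
    if err == 1:
        return "account locked: retry later or contact the password administrator"
    if err == 0:
        return "password expired, no grace authentications left: administrator reset needed"
    if result_code != 0:
        return "authentication failed"      # no policy information to act on
    if err == 2:
        return "first bind after administrative reset: change the password now"
    if pp["warning"] and pp["warning"][0] == "graceAuthNsRemaining":
        return f"password expired: {pp['warning'][1]} grace authentication(s) left, change it now"
    if pp["warning"]:
        return f"password expires in {pp['warning'][1]} seconds"
    return "bound, no policy conditions"

# Constructed sample control values (hex), not captured from a server.
SAMPLE_EXPIRY_WARNING = bytes.fromhex("3006a00480020e10")  # timeBeforeExpiration = 3600
SAMPLE_GRACE_LEFT = bytes.fromhex("3005a003810102")        # graceAuthNsRemaining = 2
SAMPLE_LOCKED = bytes.fromhex("3003810101")                # error accountLocked(1)
SAMPLE_RESET = bytes.fromhex("3003810102")                 # error changeAfterReset(2)
```

   The control is inspected before the resultCode because the error
   field is what distinguishes a lockout or an expired password from a
   plain wrong password; a client that only looks at invalidCredentials
   (49) cannot tell the user which of the three happened.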

9.2.  Modify Operations

9.2.1.  Modify Request

   If the application or client encrypts or hashes the password prior to
   sending it in a password modification operation (whether done through
   modifyRequest or another password modification mechanism), the server
   can no longer inspect the value, so the client SHOULD check the values
   of the pwdMinLength and pwdCheckQuality attributes and SHOULD enforce
   these policies itself.

9.2.2.  Modify Response

   If the modifyRequest operation was used to change the password, or if
   another mechanism is used --such as an extendedRequest-- the
   modifyResponse or other appropriate response MAY contain information
   pertinent to password policy.  The client checks the resultCode of
   the response and checks for a passwordPolicyResponse control to
   determine if any of the following conditions are true and optionally
   notify the user of the condition.

   o  pwdModResponse.resultCode = insufficientAccessRights (50),
      passwordPolicyResponse.error = mustSupplyOldPassword (4): The user
      attempted to change her password without specifying the old
      password but the password policy requires this.

   o  pwdModResponse.resultCode = insufficientAccessRights (50),
      passwordPolicyResponse.error = changeAfterReset (2): The user must
      change her password before submitting any other LDAP requests.

   o  pwdModResponse.resultCode = insufficientAccessRights (50),
      passwordPolicyResponse.error = passwordModNotAllowed (3): The user
      doesn't have sufficient rights to change his password.

   o  pwdModResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = passwordTooYoung (7): It is too
      soon after the last password modification to change the password.

   o  pwdModResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = insufficientPasswordQuality (5):
      The password failed quality checking.

   o  pwdModResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = passwordTooShort (6): The length of
      the password is too short.

   o  pwdModResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = passwordInHistory (8): The password
      has already been used; the user must choose a different one.

9.3.  Add Operation

   If a password is specified in an addRequest, the client checks the
   resultCode of the addResponse and checks for a passwordPolicyResponse
   control to determine if any of the following conditions are true and
   may prompt the user accordingly.

   o  addResponse.resultCode = insufficientAccessRights (50),
      passwordPolicyResponse.error = passwordModNotAllowed (3): The user
      doesn't have sufficient rights to add this password.

   o  addResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = insufficientPasswordQuality (5):
      The password failed quality checking.

   o  addResponse.resultCode = constraintViolation (19),
      passwordPolicyResponse.error = passwordTooShort (6): The length of
      the password is too short.

9.4.  Compare Operation

   When a compare operation is used to compare a password, the client
   checks the resultCode of the compareResponse and checks for a
   passwordPolicyResponse to determine if any of the following
   conditions are true and MAY prompt the user accordingly.  These
   conditions assume that the supplied password actually matched; where
   compareFalse (5) appears below it is imposed by the policy (Section
   8.1), not by the comparison itself.

   o  compareResponse.resultCode = compareFalse (5),
      passwordPolicyResponse.error = accountLocked (1): The password
      failure limit has been reached and the account is locked.  The
      user needs to retry later or contact the password administrator to
      reset the password.

   o  compareResponse.resultCode = compareTrue (6),
      passwordPolicyResponse.warning = graceAuthNsRemaining: The
      password has expired but there are remaining grace
      authentications.  The user needs to change it.

   o  compareResponse.resultCode = compareFalse (5),
      passwordPolicyResponse.error = passwordExpired (0): The password
      has expired and there are no more grace authentications.  The user
      must contact the password administrator to reset the password.

   o  compareResponse.resultCode = compareTrue (6),
      passwordPolicyResponse.warning = timeBeforeExpiration: The user's
      password will expire in n number of seconds.

9.5.  Other Operations

   For operations other than bind, unbind, abandon or StartTLS, the
   client checks the result code and control to determine if the user
   needs to change the password immediately.

   o  <Response>.resultCode = insufficientAccessRights (50),
      passwordPolicyResponse.error = changeAfterReset (2) : The user
      needs to change the password immediately.

10.  Administration of the Password Policy

   {TODO: Need to define an administrativeRole (need OID).  Need to
   describe whether pwdPolicy admin areas can overlap}

   A password policy is defined for a particular subtree of the DIT by
   adding to an LDAP subentry whose immediate superior is the root of
   the subtree, the pwdPolicy auxiliary object class.  The scope of the
   password policy is defined by the SubtreeSpecification attribute of
   the LDAP subentry as specified in [RFC3672].

   It is possible to define password policies for different password
   attributes within the same pwdPolicy entry, by specifying multiple
   values of pwdAttribute.  Password policies could also be held in
   separate subentries, as long as they are contained under the same
   LDAP subentry.

   Only one policy may be in effect for a given password attribute in
   any entry.  If multiple policies exist which overlap in the range of
   entries affected, the resulting behavior is undefined.

   Modifying the password policy MUST NOT result in any change in users'
   entries to which the policy applies.

   It SHOULD be possible to override the password policy for one user
   by defining a new policy in a subentry of the user entry.

   Each object that is controlled by password policy advertises the
   subentry that is being used to control its policy in its
   pwdPolicySubentry attribute.  Clients wishing to examine or manage
   password policy for an object may interrogate the pwdPolicySubentry
   for that object in order to arrive at the proper pwdPolicy subentry.

11.  Password Policy and Replication

   {TODO: This section needs to be changed to highlight the pitfalls of
   replication, suggest some implementation choices to overcome those
   pitfalls, but remove prescriptive language relating to the update of
   state information}

   The pwdPolicy object defines the password policy for a portion of the
   DIT and MUST be replicated on all the replicas of this subtree, as
   any subentry would be, in order to have a consistent policy among all
   replicated servers.

   The elements of the password policy that are related to the users are
   stored in the user entries themselves as operational attributes.  As
   these attributes are subject to modification even on a read-only
   replica, replicating them must be carefully considered.

   The pwdChangedTime attribute MUST be replicated on all replicas, to
   allow expiration of the password.

   The pwdReset attribute MUST be replicated on all replicas, to deny
   access to operations other than bind and modify password.

   The pwdHistory attribute MUST be replicated to writable replicas.  It
   doesn't have to be replicated to a read-only replica, since the
   password will never be directly modified on this server.

   The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
   attributes SHOULD be replicated to writable replicas, making the
   password policy global for all servers.  When the user entry is
   replicated to a read-only replica, these attributes SHOULD NOT be
   replicated.  This means that failures, grace authentications and
   locking are counted separately on each replicated server.  For
   example, the effective number of failed attempts on a user password
   will be N x M (where N is the number of servers and M the value of
   the pwdMaxFailure attribute).  Replicating these attributes to a
   read-only replica MAY reduce the number of tries globally but MAY
   also introduce some inconsistencies in the way the password policy
   is applied.

   Note: there are some situations where global replication of these
   state attributes may not be desired.  For example, if two clusters of
   replicas are geographically remote and joined by a slow network link,
   and their users only login from one of the two locations, it may be
   unnecessary to propagate all of the state changes from one cluster to
   the other.  Servers SHOULD allow administrators to control which
   attributes are replicated on a case-by-case basis.

   Servers participating in a loosely consistent multi-master
   replication agreement SHOULD employ a mechanism which ensures
   uniqueness of values when populating the attributes pwdFailureTime
   and pwdGraceUseTime.  The method of achieving this is a local matter
   and may consist of using a single authoritative source for the
   generation of unique time values, or may consist of the use of the
   fractional seconds part to hold a replica identifier.
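   The two replication points in this section, the N x M lockout
   threshold when failure state is not replicated and the need for
   unique pwdFailureTime values (also raised in the implementor's notes
   of Sections 8.1.2.3.1 and 8.1.3.1), shown as a small simulation.
   This is an added example for this page, not code from the draft or
   from any directory server.  Each replica holds its own copy of one
   user's pwdFailureTime values; the replicated flag decides whether a
   failure recorded on one replica is propagated to the others.  The
   GeneralizedTime layout is that of RFC 4517; putting a replica
   identifier in the fractional seconds is the option the text names,
   and the exact digit layout (2-digit replica id, 4-digit sequence) is
   an assumption of this example.

```python
"""Effective lockout threshold across replicas and unique pwdFailureTime values
(Section 11).  Added example, not code from the draft or any server.  Each
replica holds its own copy of one user's pwdFailureTime values; `replicated`
says whether a failure recorded on one replica is propagated to the others.
The GeneralizedTime layout is that of RFC 4517; using the fractional seconds
for a replica identifier is the option the draft names, and the exact digit
layout (2-digit replica id, 4-digit sequence) is an assumption of this example."""
from datetime import datetime, timezone
from typing import List

def unique_generalized_time(ts: datetime, replica_id: int, seq: int) -> str:
    """GeneralizedTime whose fraction encodes replica id and a per-replica sequence,
    so two failures in the same second (here or on a peer) never yield the same value."""
    if not (0 <= replica_id < 100 and 0 <= seq < 10000):
        raise ValueError("replica_id must be < 100 and seq < 10000")
    base = ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")
    return f"{base}.{replica_id:02d}{seq:04d}Z"

class Replica:
    """One server's view of a user's lockout state."""
    def __init__(self, replica_id: int, pwdMaxFailure: int):
        self.replica_id, self.pwdMaxFailure = replica_id, pwdMaxFailure
        self.pwdFailureTime: set = set()       # multi-valued attribute: equal values collapse
        self.seq = 0
        self.locked = False

    def record_failure(self, ts: datetime) -> str:
        self.seq += 1
        value = unique_generalized_time(ts, self.replica_id, self.seq)
        self.apply(value)
        return value

    def apply(self, value: str) -> None:       # local write or replicated update
        self.pwdFailureTime.add(value)
        if len(self.pwdFailureTime) >= self.pwdMaxFailure:
            self.locked = True

def attempts_until_locked_everywhere(n_replicas: int, pwdMaxFailure: int,
                                     replicated: bool, ts: datetime) -> int:
    """Attacker spreads wrong-password binds round-robin over the replicas; returns
    how many attempts pass before every replica has locked the account."""
    replicas: List[Replica] = [Replica(i, pwdMaxFailure) for i in range(n_replicas)]
    attempts = 0
    while not all(r.locked for r in replicas):
        target = replicas[attempts % n_replicas]
        attempts += 1
        if target.locked:
            continue                            # a locked replica just refuses (8.1.1)
        value = target.record_failure(ts)
        if replicated:
            for peer in replicas:
                if peer is not target:
                    peer.apply(value)
    return attempts
```

   With two replicas and pwdMaxFailure = 3 the unreplicated case locks
   the account everywhere only after six failures, the replicated case
   after three.  The set used for pwdFailureTime shows why the values
   must be unique: two failures stamped with the same plain second would
   collapse into one value and the count would never reach the limit.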

12.  Security Considerations

   This document defines a set of rules to implement in an LDAP server,
   in order to mitigate some of the security risks associated with the
   use of passwords and to make it difficult for password cracking
   programs to break into directories.

   Authentication with a password MUST follow the recommendations made
   in [RFC4513].

   Modifications of passwords SHOULD only occur when the connection is
   protected with confidentiality and secure authentication.

   Access controls SHOULD be used to restrict access to the password
   policy attributes.  The attributes defined to maintain the password
   policy state information SHOULD only be modifiable by the password
   administrator or higher authority.  The pwdHistory attribute MUST be
   subject to the same level of access control as the attribute holding
   the password.

   As it is possible to define a password policy for one specific user
   by adding a subentry immediately under the user's entry, Access
   Controls SHOULD be used to restrict the use of the pwdPolicy object
   class or the LDAP subentry object class.

   When the intruder detection password policy is enforced, the LDAP
   directory is subject to a denial of service attack.  A malicious user
   could deliberately lock out one specific user's account (or all of
   them) by sending bind requests with wrong passwords.  There is no
   complete protection against this kind of attack.  The LDAP directory
   server SHOULD log as much information as it can (such as the client
   IP address) whenever an account is locked, in order to be able to
   identify the origin of the attack.  Denying anonymous access to the
   LDAP directory is also a way to restrict this kind of attack.  Using
   the login delay instead of the lockout mechanism will also help avoid
   this denial of service.

   Returning certain status codes (such as passwordPolicyResponse.error
   = accountLocked) allows a denial of service attacker to know that it
   has successfully denied service to an account.  Servers SHOULD
   implement additional checks which return the same status when it is
   sensed that some number of failed authentication requests has
   occurred on a single connection, or from a client address.  Server
   implementors are encouraged to invent other checks similar to this in
   order to thwart this type of DoS attack.
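   One shape the "additional checks" of the last two paragraphs can
   take: a front end in front of the bind path that counts failed binds
   per client address, answers exactly as a locked account would once
   that count passes a threshold, and logs the source whenever a real
   lockout happens.  This is an added example for this page, not code
   from the draft or from any server; the real authentication outcome is
   assumed to come from the server's Section 8.1 processing, and the
   per-source threshold is an assumed tunable.

```python
"""Denying the lockout oracle to a bind-flooding client (Section 12, last two
paragraphs).  Added example, not code from the draft or any server.  The real
authentication outcome comes from the server's bind path (Section 8.1); this
front end decides what to reveal and what to log.  The per-source threshold of
failed binds is an assumed tunable."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

INVALID_CREDENTIALS, ACCOUNT_LOCKED = 49, 1

class BindFrontEnd:
    def __init__(self, per_source_limit: int):
        self.per_source_limit = per_source_limit
        self.failed_by_source: Dict[str, int] = defaultdict(int)
        self.log: List[str] = []

    def respond(self, source: str, dn: str, real_code: int,
                real_error: Optional[int]) -> Tuple[int, Optional[int]]:
        """Return the (resultCode, ppolicy error) actually sent to the client."""
        if real_code != INVALID_CREDENTIALS:
            self.failed_by_source.pop(source, None)      # a good bind clears the counter
            return real_code, real_error
        self.failed_by_source[source] += 1
        if real_error == ACCOUNT_LOCKED:
            # Section 12: record enough to find the origin of a lockout campaign.
            self.log.append(f"lockout dn={dn} source={source} "
                            f"failures_from_source={self.failed_by_source[source]}")
        if self.failed_by_source[source] >= self.per_source_limit:
            # Past the threshold every failure from this source looks like a locked
            # account, so the attacker cannot tell when the real lock happened.
            return INVALID_CREDENTIALS, ACCOUNT_LOCKED
        return INVALID_CREDENTIALS, real_error
```

   For the masking to hold, the per-source threshold must not exceed
   pwdMaxFailure; otherwise the genuine accountLocked error still leaks
   before the front end starts answering uniformly.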

13.  IANA Considerations

   In accordance with [RFC4520] the following registrations are
   requested.

13.1.  Object Identifiers

   The OIDs used in this specification are derived from iso(1)
   identified-organization(3) dod(6) internet(1) private(4)
   enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8).  These OIDs
   have been in use since at least July 2001 when version 04 of this
   draft was published.  No additional OID assignment is being
   requested.

13.2.  LDAP Protocol Mechanisms

   Registration of the protocol mechanisms specified in this document is
   requested.

      Subject: Request for LDAP Protocol Mechanism Registration

      Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

      Description: Password Policy Request and Response Control

      Person & email address to contact for further information:

         Howard Chu <hyc@symas.com>

      Usage: Control

      Specification: (I-D) draft-behera-ldap-password-policy

      Author/Change Controller: IESG

      Comments:

13.3.  LDAP Descriptors

   Registration of the descriptors specified in this document is
   requested.

      Subject: Request for LDAP Descriptor Registration

      Descriptor (short name): see table

      Object Identifier: see table

      Description: see table

      Person & email address to contact for further information:

         Howard Chu <hyc@symas.com>

      Specification: (I-D) draft-behera-ldap-password-policy

      Author/Change Controller: IESG

      Comments:

      Name                    Type  OID
      ----------------------- ----  ------------------------------
      pwdPolicy               O     1.3.6.1.4.1.42.2.27.8.2.1
      pwdAttribute            A     1.3.6.1.4.1.42.2.27.8.1.1
      pwdMinAge               A     1.3.6.1.4.1.42.2.27.8.1.2
      pwdMaxAge               A     1.3.6.1.4.1.42.2.27.8.1.3
      pwdInHistory            A     1.3.6.1.4.1.42.2.27.8.1.4
      pwdCheckQuality         A     1.3.6.1.4.1.42.2.27.8.1.5
      pwdMinLength            A     1.3.6.1.4.1.42.2.27.8.1.6
      pwdMaxLength            A     1.3.6.1.4.1.42.2.27.8.1.31
      pwdExpireWarning        A     1.3.6.1.4.1.42.2.27.8.1.7
      pwdGraceAuthNLimit      A     1.3.6.1.4.1.42.2.27.8.1.8
      pwdGraceExpiry          A     1.3.6.1.4.1.42.2.27.8.1.30
      pwdLockout              A     1.3.6.1.4.1.42.2.27.8.1.9
      pwdLockoutDuration      A     1.3.6.1.4.1.42.2.27.8.1.10
      pwdMaxFailure           A     1.3.6.1.4.1.42.2.27.8.1.11
      pwdFailureCountInterval A     1.3.6.1.4.1.42.2.27.8.1.12
      pwdMustChange           A     1.3.6.1.4.1.42.2.27.8.1.13
      pwdAllowUserChange      A     1.3.6.1.4.1.42.2.27.8.1.14
      pwdSafeModify           A     1.3.6.1.4.1.42.2.27.8.1.15
      pwdMinDelay             A     1.3.6.1.4.1.42.2.27.8.1.24
      pwdMaxDelay             A     1.3.6.1.4.1.42.2.27.8.1.25
      pwdMaxIdle              A     1.3.6.1.4.1.42.2.27.8.1.26
      pwdChangedTime          A     1.3.6.1.4.1.42.2.27.8.1.16
      pwdAccountLockedTime    A     1.3.6.1.4.1.42.2.27.8.1.17
      pwdFailureTime          A     1.3.6.1.4.1.42.2.27.8.1.19
      pwdHistory              A     1.3.6.1.4.1.42.2.27.8.1.20
      pwdGraceUseTime         A     1.3.6.1.4.1.42.2.27.8.1.21
      pwdReset                A     1.3.6.1.4.1.42.2.27.8.1.22
      pwdPolicySubEntry       A     1.3.6.1.4.1.42.2.27.8.1.23
      pwdStartTime            A     1.3.6.1.4.1.42.2.27.8.1.27
      pwdEndTime              A     1.3.6.1.4.1.42.2.27.8.1.28
      pwdLastSuccess          A     1.3.6.1.4.1.42.2.27.8.1.29

      Legend
      --------------------
      A => Attribute Type
      O => Object Class

13.4.  LDAP AttributeDescription Options

   Registration of the AttributeDescription option specified in this
   document is requested.

      Subject: Request for LDAP Attribute Description Option
      Registration

      Option Name: pwd-

      Family of Options: YES

      Person & email address to contact for further information:

         Howard Chu <hyc@symas.com>

      Specification: (I-D) draft-behera-ldap-password-policy

      Author/Change Controller: IESG

      Comments:

         Used with policy state attributes to specify to which password
         attribute the state belongs.

14.  Acknowledgement

   This document is based in part on prior work done by Valerie Chu from
   Netscape Communications Corp, published as
   draft-vchu-ldap-pwd-policy-00.txt (December 1998).  Prasanta Behera
   participated in early revisions of this document.
Authors' Addresses

   Jim Sermersheim
   Novell, Inc
   1800 South Novell Place
   Provo, Utah  84606
   US

   Phone: +1 801 861-3088
   Email: jimse@novell.com


   Ludovic Poitou
   Sun Microsystems
   180, Avenue de l'Europe
   Zirst de Montbonnot, Saint Ismier cedex  38334
   FR

   Phone: +33 476 188 212
   Email: ludovic.poitou@sun.com


   Howard Chu (editor)
   Symas Corp.
   18740 Oxnard Street, Suite 313A
   Tarzana, California  91356
   US

   Phone: +1 818 757-7087
   Email: hyc@symas.com