LDAP-EXT Working Group                                      Valerie Chu
INTERNET-DRAFT                            Netscape Communications Corp.
Expires in six months
Intended Category: Informational
                                                          December 1998


                  Password Policy for LDAP Directories
                  <draft-vchu-ldap-pwd-policy-00.txt>



1.  Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups.  Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as ``work in progress.''

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
ftp.nic.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org
(US East Coast), or ftp.isi.edu (US West Coast).

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.

2.  Abstract

This document describes the implementation of password policy in
Netscape LDAP directories, and introduces two new object classes,
twenty-three new attribute types, and two new controls in support of
password policy.

Password policy is a set of rules that control how passwords are used in
LDAP directories.  To improve the security of LDAP directories and make
it difficult for password cracking programs to break into them, it is
desirable to enforce a set of rules on password usage.  These rules
ensure that users change their passwords periodically, that a new
password meets construction requirements, that re-use of old passwords
is restricted, and that users are locked out after a certain number of
bad password attempts.



Chu                                                             [Page 1]

Expires June 1999                                         INTERNET DRAFT

3.  Overview

LDAP-based directory services are now accepted by many organizations as
the access protocol for directories.  The ability to ensure secure read
and update access to directory information throughout the network is
essential to successful deployment.  Several security mechanisms are
used in the Netscape LDAP implementation to protect directory data.  For
example, access control is used to prevent unauthorized access to
information stored in directories, and SASL is used to negotiate
integrity and privacy services [RFC-2251].  The most fundamental
security mechanism in Netscape Directory is simple authentication using
a password.  In many systems, simple password-based authentication is
used in conjunction with a set of password restrictions that control how
passwords are used in the system.  For example, the passwd program in
UNIX systems, or the user account policy in Windows NT, has a set of
rules that users must follow to use password authentication.  At the
moment, LDAP does not define a password policy model, but one is needed
to achieve greater security protection and is critical to the
successful deployment of LDAP directories.

Specifically, the password policy defines:

  -    The maximum length of time that a given password is valid.

  -    The minimum length of time required between password changes.

  -    How long before a user's password is due to expire the user will
       be sent a warning message.

  -    Whether users can reuse passwords.

  -    The minimum number of characters a password must contain.

  -    Whether the password syntax is checked before a new password is
       saved.

  -    Whether users are allowed to change their own passwords.

  -    Whether passwords must be changed after they are reset by the
       administrator.

  -    Whether users will be locked out of the directory after a given
       number of failed bind attempts.

  -    How long users will be locked out of the directory after a given
       number of failed bind attempts.

  -    The length of time before the password failure counter, which
       keeps track of the number of failed password attempts, is reset.

The password policy defined in this document applies to the LDAP simple
authentication method [RFC-2251] and to userPassword attribute values
only.

In this document, the term "user" represents any application which is an
LDAP client using the directory to retrieve or store information.

Directory administrators are not required to comply with any of the
password policies.

4.  New Attribute Types and Object Classes

4.1.  The passwordPolicy Object Class

The passwordPolicy object class holds the password policy settings for a
set of user accounts.  In the Netscape Directory implementation, they
are located in the "cn=config" entry.

The description of the passwordPolicy object class:

   ( 2.16.840.1.113730.3.2.13
     NAME 'passwordPolicy'
     AUXILIARY
     SUP top
     DESC 'Password Policy object class to hold password policy information'
     MAY (
           passwordMaxAge $ passwordExp $ passwordMinLength $
           passwordKeepHistory $ passwordInHistory $ passwordChange $
           passwordCheckSyntax $ passwordWarning $ passwordLockout $
           passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $
           passwordMustChange $ passwordStorageScheme $ passwordMinAge $
           passwordResetFailureCount
         )
   )

4.2.  The new attribute types used in the passwordPolicy Object Class:

   ( 2.16.840.1.113730.3.1.97
     NAME 'passwordMaxAge'
     DESC 'the number of seconds after which user passwords will expire'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.98
     NAME 'passwordExp'
     DESC 'a flag which indicates whether passwords will expire after a
           given number of seconds'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.99
     NAME 'passwordMinLength'
     DESC 'the minimum number of characters that must be used in a password'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.100
     NAME 'passwordKeepHistory'
     DESC 'a flag which indicates whether passwords can be reused'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.101
     NAME 'passwordInHistory'
     DESC 'the number of passwords the directory server stores in history'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.102
     NAME 'passwordChange'
     DESC 'a flag which indicates whether users can change their passwords'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.103
     NAME 'passwordCheckSyntax'
     DESC 'a flag which indicates whether the password syntax will be checked
           before the password is saved'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.104
     NAME 'passwordWarning'
     DESC 'the number of seconds before the password of a user is due to
           expire that the user will be sent a warning message'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.105
     NAME 'passwordLockout'
     DESC 'a flag which indicates whether users will be locked out of the
           directory after a given number of consecutive failed bind attempts'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.106
     NAME 'passwordMaxFailure'
     DESC 'the number of consecutive failed bind attempts after which a user
           will be locked out of the directory'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.108
     NAME 'passwordUnlock'
     DESC 'a flag which indicates whether a user will be locked out of the
           directory for a given number of seconds or until the administrator
           resets the password after an account lockout'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.109
     NAME 'passwordLockoutDuration'
     DESC 'the number of seconds that users will be locked out of the directory
           after an account lockout'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.220
     NAME 'passwordMustChange'
     DESC 'a flag which indicates whether users must change their passwords when
           they first bind to the directory server'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.221
     NAME 'passwordStorageScheme'
     DESC 'the type of hash algorithm used to store directory server passwords'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   The description of the password storage schemes can be found in
   [RFC-2307].
   ( 2.16.840.1.113730.3.1.222
     NAME 'passwordMinAge'
     DESC 'the number of seconds that must elapse before a user can change their
           password again'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )
   ( 2.16.840.1.113730.3.1.223
     NAME 'passwordResetFailureCount'
     DESC 'the number of seconds after which the password failure counter will
           be reset'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
   )

   Currently, in the Netscape Directory password policy implementation,
   the passwordMaxAge, passwordMinLength, passwordInHistory,
   passwordWarning, passwordMaxFailure, passwordLockoutDuration,
   passwordMinAge, and passwordResetFailureCount attributes are defined
   with syntax 1.3.6.1.4.1.1466.115.121.1.15 ('Directory String').  It
   is recommended to change them to 1.3.6.1.4.1.1466.115.121.1.27
   ('Integer') in a future implementation.

   The attributes which are used as flags have the syntax
   1.3.6.1.4.1.1466.115.121.1.15 ('Directory String').  A value of '1'
   represents 'true', while '0' represents 'false'.  (The example
   settings in section 12.1 write these flags as 'on' and 'off'.)  It is
   recommended to change them to 1.3.6.1.4.1.1466.115.121.1.7
   ('Boolean') in a future implementation.

4.3.  The passwordObject Object Class

The passwordObject object class holds the password policy state
information for each user, for example how many consecutive bad password
attempts a user has made.  The information is located in each user
entry.  The description of the passwordObject object class:

   ( 2.16.840.1.113730.3.2.12
     NAME 'passwordObject'
     AUXILIARY
     SUP top
     DESC 'Password object class to hold password policy information for each
           entry'
     MAY (
           passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $
           retryCountResetTime $ accountUnlockTime $ passwordHistory $
           passwordAllowChangeTime
         )
   )

4.4.  The new attribute types used in the passwordObject Object Class:

   ( 2.16.840.1.113730.3.1.91
     NAME 'passwordExpirationTime'
     DESC 'the time at which the password of the entry expires'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.92
     NAME 'passwordExpWarned'
     DESC 'a flag which indicates whether a password expiration warning is sent
           to the client'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.93
     NAME 'passwordRetryCount'
     DESC 'the count of consecutive failed password attempts'
     EQUALITY caseIgnoreMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.94
     NAME 'retryCountResetTime'
     DESC 'the time to reset the passwordRetryCount'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.95
     NAME 'accountUnlockTime'
     DESC 'the time that the user can bind again after an account lockout'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.96
     NAME 'passwordHistory'
     DESC 'the history of the passwords of the user'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
     EQUALITY bitStringMatch
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.214
     NAME 'passwordAllowChangeTime'
     DESC 'the time from which the user is allowed to change the password'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )

5.  Password Expiration and Expiration Warning

New attributes, passwordExp, passwordMaxAge, and passwordWarning, are
defined to specify whether the password will expire, when the password
expires, and when a warning message will be sent to the client,
respectively.  The actual expiration time for a password is stored in a
new attribute, passwordExpirationTime, in the user entry.

After a bind operation succeeds with authentication, the server should
check for password expiration.  If the password expiration policy is on
and the account's password has expired, the server should send a
bindResponse with the resultCode: LDAP_INVALID_CREDENTIALS along with an
error message to inform the client that the password has expired.  If
the password is going to expire sooner than the password warning
duration, the server should send a bindResponse with the resultCode:
LDAP_SUCCESS, and should include the password expiring control in the
controls field of the bindResponse message:

    controlType:  2.16.840.1.113730.3.4.5,

    controlValue: an octet string to indicate the time in seconds until
                  the password expires.

    criticality:  false


The server should send at least one warning message to the client before
expiring the client's password.  Because the warning is carried only in
a bindResponse, a client that does not bind during the warning period
will not receive one, so passwordWarning should be set long enough to
cover the expected interval between binds.

6.  Password Minimum Age

This policy defines the number of seconds that must pass before a user
can change the password again.  It can be used in conjunction with the
password history policy to prevent users from quickly cycling through
the passwords in history so that they can reuse an old password.  A
value of zero indicates that the user can change the password
immediately.

During the modify password operation, the server should check if the
user is allowed to change the password at this time.  If not, the server
should send the LDAP_CONSTRAINT_VIOLATION result code back to the client
and an error message to indicate that the password cannot be changed
within the password minimum age.

7.  Password History

The passwordKeepHistory and passwordInHistory attributes control whether
the user can reuse passwords and how many passwords the directory server
stores in history; the stored passwords themselves are held in the
passwordHistory attribute of the user entry.

During the modify password operation, the server should check the
password history.  If password history is on and the new password
matches one of the old passwords in history, the server should send a
modifyResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that the new
password is in history and another password must be chosen.

8.  Password Syntax and Minimum Length

The passwordCheckSyntax attribute indicates whether the password syntax
will be checked before a new password is saved.  If this policy is on,
the directory server should check that the new password meets the
password minimum length requirement and that the string does not
contain any trivial words such as the user's name, user id and so on.

The passwordMinLength attribute defines the minimum number of characters
that must be used in a password.

During the modify or add password operation, the server should check the
password syntax.  If password syntax checking is on and the new password
fails the check, the server should send a modifyResponse or addResponse
back to the client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an
error message to indicate that the new password failed the syntax check
and the user should choose another password.

9.  User Defined Passwords

This policy defines whether users can change their own passwords.
During the modify password operation, the server should check if the
user is allowed to change the password.  If not, the server should send
the LDAP_UNWILLING_TO_PERFORM result code to the client and an error
message to indicate that the user is not allowed to change the password.

10.  Password Change After Reset

This policy forces the user to select a new password on first bind or
after a password reset.  After a bind operation succeeds with
authentication, the server should check if the password change after
reset policy is on and this is the first-time logon.  If so, the server
should send a bindResponse with the resultCode: LDAP_SUCCESS, and should
include the password expired control in the controls field of the
bindResponse message:

    controlType:  2.16.840.1.113730.3.4.4,

    controlValue: an octet string: "0",

    criticality: false

After that, for any operation issued by the user other than modify
password, bind, unbind, abandon, or search, the server should send the
response message with the resultCode: LDAP_UNWILLING_TO_PERFORM, and
should include the password expired control in the controls field of the
response message:

    controlType:  2.16.840.1.113730.3.4.4,

    controlValue: an octet string: "0",

    criticality: false

11.  Password Guessing Limit

This policy limits the number of attempts a client has to get the
password right.  The user will be locked out of the directory after a
given number of consecutive failed attempts to bind to the directory.
This policy protects the directory from automated guessing attacks.

The server should keep a failure counter in the passwordRetryCount
attribute of each entry.  The server should increment the failure
counter when a bind operation fails with the LDAP_INVALID_CREDENTIALS
error code.  The server should clear the failure counter when a bind
operation succeeds with authentication, when the account password is
reset by an administrator, or when the failure counter reset time is
reached.

During the bind operation, the server should check the password guessing
limit.  If the password guessing limit policy is on and the limit has
been reached, the server should send a bindResponse back to the client
with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error message to
indicate that the password failure limit has been reached.

12.  Server Implementation

12.1.  Password policy initialization

The passwordPolicy object class holds the password policy settings for a
set of user accounts.  During initial server startup, the password
policy should be assigned a set of initial values.  The settings should
be modifiable only by the directory administrators and should be
readable by anyone.  The server should preserve the settings across
server restarts.  Currently, in the Netscape Directory implementation,
the password policy settings are stored in the "cn=config" entry and an
identical copy is kept in a configuration file which is used for
bootstrap.  The Netscape Directory default password settings are listed
below as an example.  Note that the expiration, history, and lockout
policies are off by default; the associated durations and counts (100
days, six passwords, 3 failures) take effect only when the
corresponding flag is turned on.

  -    User may change password

  -    Do not need to change password at first-time logon

  -    Use SHA as the password hash algorithm

  -    No password syntax check

  -    Password minimum length: 6

  -    No password expiration

  -    Expires in 100 days

  -    No password minimum age

  -    Send warning one day before password expires

  -    Do not keep password history

  -    Six passwords in history

  -    No account lockout

  -    Lockout after 3 bind failures

  -    Do not lock out forever

  -    Lock account for 60 minutes

  -    Reset retry count after 10 minutes

  In ldif format:

  passwordchange: on
  passwordmustchange: off
  passwordstoragescheme: SHA
  passwordchecksyntax: off
  passwordminlength: 6
  passwordexp: off
  passwordmaxage: 8640000
  passwordminage: 0
  passwordwarning: 86400
  passwordkeephistory: off
  passwordinhistory: 6
  passwordlockout: off
  passwordmaxfailure: 3
  passwordunlock: on
  passwordlockoutduration: 3600
  passwordresetfailurecount: 600

12.2.  Bind Operations

12.2.1.  During bind operations, the server should check the password
guessing limit.  If the password guessing limit policy is on and the
password guessing limit has been reached, the server should send a
bindResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that the
password failure limit has been reached.  Otherwise the server should
continue the bind operation.

12.2.2.  After a bind operation succeeds with authentication, the server
should

  1.   Clear the password failure counter.

  2.   Check if the password change after reset policy is on and this is
       the first-time logon.  If so, the server should disallow all
       operations issued by this user except modify password, bind,
       unbind, abandon, or search.  The server should send a bindResponse
       with the resultCode: LDAP_SUCCESS, and should include the password
       expired control in the controls field of the bindResponse
       message.

       controlType:  2.16.840.1.113730.3.4.4,

       controlValue: an octet string: "0",

       criticality: false

  3.   Check for password expiration.  If the password expiration policy
       is on and the account's password has expired, the server should
       send a bindResponse with the resultCode: LDAP_INVALID_CREDENTIALS
       along with an error message to inform the client that the
       password has expired.

  4.   Check if the password is going to expire sooner than the password
       warning duration.  If so, the server should send a bindResponse
       with the resultCode: LDAP_SUCCESS, and should include the password
       expiring control in the controls field of the bindResponse
       message:

       controlType:  2.16.840.1.113730.3.4.5,

       controlValue: an octet string to indicate the time in seconds
                     until the password expires.

       criticality:  false


12.2.3.  After a bind operation fails with LDAP_INVALID_CREDENTIALS, the
server should

  1.   Check if it is time to reset the password failure counter.  If
       so, set the failure counter to 1 and re-calculate the next
       failure counter reset time.  Otherwise, increment the failure
       counter.

  2.   Check if the failure counter has reached the allowed maximum
       value (passwordMaxFailure).  If so, the server should lock the
       user account.  With passwordUnlock on, the lock is lifted at
       accountUnlockTime; otherwise it remains until an administrator
       resets the password.
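
The bind-time processing of sections 5, 10, 11 and 12.2, as an added
example in Python.  This is the editor's illustration, not Netscape
Directory code.  It reads the policy from the ldif form shown in section
12.1, accepting both the 'on'/'off' spelling used there and the '1'/'0'
flag values of section 4.2, and models the user entry as a dictionary
whose keys mirror the passwordObject attributes.  Assumptions: times are
Unix epoch seconds rather than GeneralizedTime; password_ok stands in for
the userPassword comparison; the account is locked when the counter
reaches passwordMaxFailure (12.1 reads "lockout after 3 bind failures"
for a value of 3); and a lock with passwordUnlock on is lifted at
accountUnlockTime, as that attribute's description implies.

```python
# Added example: bind-time password policy evaluation modelled on the draft
# (sections 5, 10, 11, 12.2).  Not Netscape Directory code.  Entry keys
# mirror the passwordObject attributes; times are epoch seconds (assumed).

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INVALID_CREDENTIALS = 49

PWD_EXPIRED_CONTROL = "2.16.840.1.113730.3.4.4"   # section 10
PWD_EXPIRING_CONTROL = "2.16.840.1.113730.3.4.5"  # section 5

FLAG_ATTRS = {"passwordchange", "passwordmustchange", "passwordchecksyntax",
              "passwordexp", "passwordkeephistory", "passwordlockout",
              "passwordunlock"}
INT_ATTRS = {"passwordminlength", "passwordmaxage", "passwordminage",
             "passwordwarning", "passwordinhistory", "passwordmaxfailure",
             "passwordlockoutduration", "passwordresetfailurecount"}

# Constructed from the default listing in section 12.1, with passwordexp and
# passwordlockout switched on so that the checks below actually fire.
POLICY_LDIF = """\
passwordchange: on
passwordmustchange: off
passwordstoragescheme: SHA
passwordchecksyntax: off
passwordminlength: 6
passwordexp: on
passwordmaxage: 8640000
passwordminage: 0
passwordwarning: 86400
passwordkeephistory: off
passwordinhistory: 6
passwordlockout: on
passwordmaxfailure: 3
passwordunlock: on
passwordlockoutduration: 3600
passwordresetfailurecount: 600
"""

def parse_flag(value):
    """Section 4.2 stores flags as Directory Strings '1'/'0'; the ldif in
    section 12.1 writes them 'on'/'off'.  Accept both, reject anything else."""
    v = value.strip().lower()
    if v in ("1", "on"):
        return True
    if v in ("0", "off"):
        return False
    raise ValueError("bad flag value %r" % value)

def parse_policy(ldif):
    """Parse 'attr: value' lines into typed policy settings."""
    policy = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name in FLAG_ATTRS:
            policy[name] = parse_flag(value)
        elif name in INT_ATTRS:
            policy[name] = int(value)          # Directory String on the wire
        else:
            policy[name] = value.strip()       # e.g. passwordstoragescheme
    return policy

def lock_account(policy, entry, now):
    """12.2.3 step 2.  With passwordUnlock on the lock ends at
    accountUnlockTime; otherwise only an administrator reset clears it."""
    entry["locked"] = True
    if policy["passwordunlock"]:
        entry["accountunlocktime"] = now + policy["passwordlockoutduration"]

def bind(policy, entry, password_ok, now):
    """One simple bind.  Returns (resultCode, errorMessage, controls), controls
    being (controlType, controlValue, criticality) tuples.  password_ok stands
    in for the userPassword comparison."""
    controls = []
    if policy["passwordlockout"] and entry.get("locked"):             # 12.2.1
        unlock_at = entry.get("accountunlocktime")
        if unlock_at is None or now < unlock_at:
            return LDAP_CONSTRAINT_VIOLATION, "exceed password retry limit", controls
        entry["locked"] = False          # accountUnlockTime reached (assumed)
        entry["passwordretrycount"] = 0
    if not password_ok:                                               # 12.2.3
        if now >= entry.get("retrycountresettime", 0):
            entry["passwordretrycount"] = 1
            entry["retrycountresettime"] = now + policy["passwordresetfailurecount"]
        else:
            entry["passwordretrycount"] += 1
        # Lock when the counter reaches passwordMaxFailure; 12.1 reads
        # "lockout after 3 bind failures" for a value of 3.
        if policy["passwordlockout"] and \
                entry["passwordretrycount"] >= policy["passwordmaxfailure"]:
            lock_account(policy, entry, now)
        return LDAP_INVALID_CREDENTIALS, "invalid credentials", controls
    entry["passwordretrycount"] = 0                                   # 12.2.2 (1)
    if policy["passwordmustchange"] and entry.get("firstlogon"):      # (2)
        controls.append((PWD_EXPIRED_CONTROL, b"0", False))
        return LDAP_SUCCESS, "", controls
    if policy["passwordexp"]:
        remaining = entry["passwordexpirationtime"] - now
        if remaining <= 0:                                            # (3)
            return LDAP_INVALID_CREDENTIALS, "password expired", controls
        if remaining <= policy["passwordwarning"]:                    # (4)
            controls.append((PWD_EXPIRING_CONTROL, str(remaining).encode(), False))
    return LDAP_SUCCESS, "", controls
```

Three wrong passwords within passwordResetFailureCount lock the entry, a
fourth bind is refused with LDAP_CONSTRAINT_VIOLATION even if the password
is right, and once accountUnlockTime passes a correct bind succeeds and
clears the counter.  A failure that arrives after retryCountResetTime
restarts the counter at 1 rather than adding to the stale count.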

12.3.  Add Password Operations

12.3.1.  During the add password operation, the server should

  1.   Check the password syntax.  If password syntax checking is on and
       the new password fails the check, the server should send an
       addResponse back to the client with resultCode:
       LDAP_CONSTRAINT_VIOLATION, and an error message to indicate that
       the new password failed the syntax check and the user should
       choose another password.

  2.   Calculate and add the passwordExpirationTime and
       passwordAllowChangeTime attributes to the entry if the password
       expiration policy and the password minimum age policy,
       respectively, are on.

12.4.  Modify Password Operations

12.4.1.  During the modify password operation, the server should

  1.   Check if the user is allowed to change the password.  If not, the
       server should send to the client the LDAP_UNWILLING_TO_PERFORM
       result code and an error message to indicate that the user is not
       allowed to change the password.

  2.   Check the password minimum age, password minimum length, password
       history, and password syntax.  If any check fails, the server
       should send a modifyResponse back to the client with resultCode:
       LDAP_CONSTRAINT_VIOLATION, and an appropriate error message.

  3.   If this is the first-time logon and the user must change the
       password, the server should check whether the userPassword
       attribute is in this modify request.  If so, the server should
       continue the modify operation.  Otherwise, the server should send
       the response message with the resultCode:
       LDAP_UNWILLING_TO_PERFORM, and should include the password
       expired control in the controls field of the response message:

       controlType:  2.16.840.1.113730.3.4.4,

       controlValue: an octet string: "0",

       criticality: false

12.4.2.  After a modify password operation succeeds, the server should

  1.   Update the password history in the user's entry, if the password
       history policy is on.

  2.   Update passwordExpirationTime in the user's entry, if the
       password expiration policy is on.

  3.   Update passwordAllowChangeTime in the user's entry, if the
       password minimum age policy is on.

  4.   Clear the password failure counter, if the password is reset by a
       directory administrator.

  5.   Set a flag to indicate that the user is at first-time logon, if
       the password change after reset policy is on and the password is
       reset by a directory administrator.
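
The modify-password processing of sections 6 to 10 and 12.4, as an added
example in Python.  This is the editor's code, not the draft's.  It uses
the RFC 2307 {SHA} storage scheme that the default policy selects to
compare a new password against passwordHistory, treats the uid, cn, sn
and givenName values as the "trivial words" of section 8 (which
attributes count is an assumption; the draft only says "the user's name,
user id and so on"), and exempts the forced change after an
administrator reset from the minimum-age check, since the draft does not
say how those two policies interact.  Times are epoch seconds and the
entry is a dictionary, as in the bind example.

```python
# Added example: modify-password policy checks modelled on sections 6 to 10
# and 12.4 of the draft.  Not Netscape Directory code.
import base64
import hashlib

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_UNWILLING_TO_PERFORM = 53
PWD_EXPIRED_CONTROL = "2.16.840.1.113730.3.4.4"

# Settings as section 12.1 would yield after parsing, constructed here with
# the history, syntax, minimum-age and change-after-reset policies on.
POLICY = {
    "passwordchange": True, "passwordmustchange": True,
    "passwordchecksyntax": True, "passwordminlength": 6,
    "passwordexp": True, "passwordmaxage": 8640000,
    "passwordminage": 86400, "passwordkeephistory": True,
    "passwordinhistory": 6,
}

# Attributes treated as "the user's name, user id and so on" (section 8);
# which attributes count is an assumption, the draft does not list them.
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenname")

def sha_scheme(password):
    """RFC 2307 {SHA} storage scheme: base64 of the unsalted SHA-1 digest.
    Being unsalted is what lets the history check below compare strings;
    a salted or slow scheme would have to re-hash against each stored salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def trivial_words(entry):
    """Words of three or more characters taken from the user's naming attributes."""
    words = []
    for attr in TRIVIAL_ATTRS:
        for value in entry.get(attr, []):
            words.extend(w for w in value.lower().split() if len(w) >= 3)
    return words

def modify(policy, entry, changes, now, by_admin=False):
    """Apply a modify request (attribute -> new value) under the policy and
    return (resultCode, errorMessage, controls)."""
    controls = []
    # Section 10: a user flagged after a reset may only change the password.
    if (policy["passwordmustchange"] and entry.get("firstlogon")
            and not by_admin and "userpassword" not in changes):
        controls.append((PWD_EXPIRED_CONTROL, b"0", False))
        return LDAP_UNWILLING_TO_PERFORM, "password must be changed", controls
    if "userpassword" not in changes:
        entry.update(changes)
        return LDAP_SUCCESS, "", controls
    new = changes["userpassword"]
    if not by_admin:
        if not policy["passwordchange"]:                              # section 9
            return (LDAP_UNWILLING_TO_PERFORM,
                    "user is not allowed to change password", controls)
        # Section 6.  The forced change after a reset is exempted from the
        # minimum age (assumption; the draft does not say how they interact).
        if (policy["passwordminage"] and not entry.get("firstlogon")
                and now < entry.get("passwordallowchangetime", 0)):
            return LDAP_CONSTRAINT_VIOLATION, "within minimum password age", controls
    if policy["passwordchecksyntax"]:                                 # section 8
        if len(new) < policy["passwordminlength"]:
            return LDAP_CONSTRAINT_VIOLATION, "invalid password syntax", controls
        if any(word in new.lower() for word in trivial_words(entry)):
            return LDAP_CONSTRAINT_VIOLATION, "trivial password", controls
    hashed = sha_scheme(new)
    if policy["passwordkeephistory"] and hashed in entry.get("passwordhistory", []):
        return LDAP_CONSTRAINT_VIOLATION, "password in history", controls  # section 7
    # 12.4.2: the change is accepted; update the passwordObject state.
    if policy["passwordkeephistory"]:                                 # step 1
        history = entry.get("passwordhistory", []) + [hashed]
        entry["passwordhistory"] = history[-policy["passwordinhistory"]:]
    entry["userpassword"] = hashed
    if policy["passwordexp"]:                                         # step 2
        entry["passwordexpirationtime"] = now + policy["passwordmaxage"]
    if policy["passwordminage"]:                                      # step 3
        entry["passwordallowchangetime"] = now + policy["passwordminage"]
    if by_admin:
        entry["passwordretrycount"] = 0                               # step 4
        entry["firstlogon"] = bool(policy["passwordmustchange"])      # step 5
    else:
        entry["firstlogon"] = False
    return LDAP_SUCCESS, "", controls
```

The error strings are the ones section 13.2 lists, so a client written
against that section can be exercised against this function.  The
history holds the hashed values, and the current password is itself the
newest history entry, so re-submitting the administrator's reset value
is rejected as "password in history".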

13.  Client Implementation

13.1.  Bind Response

For every bind response received, the client needs to parse the bind
result code, error message, and controls to determine if any of the
following conditions is true, and prompt the user accordingly.

1.   The user needs to change the password on first-time logon.  The
     user should be prompted to change the password immediately.

     resultCode: LDAP_SUCCESS, with the control
         controlType: 2.16.840.1.113730.3.4.4,
         controlValue: "0",
         criticality: false


2.   This is a warning message that the server sends to a user to
     indicate the time in seconds until the user's password expires.

     resultCode: LDAP_SUCCESS, with the control
         controlType:  2.16.840.1.113730.3.4.5,
         controlValue: an octet string to indicate the time in seconds until
                       the password expires.
         criticality:  false


3.   The password failure limit is reached.  The user needs to retry
     later or contact the directory administrator to reset the password.

     resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
                For example:
                errorMessage: "exceed password retry limit"


4.   The password is expired.  The user needs to contact the directory
     administrator to reset the password.

     resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate error message.
                For example:
                errorMessage: "password expired"

13.2.  Modify Responses

For the modify response received for the change password request, the
client needs to check the result code and error message to determine if
it failed the password checking, and either let the user retry or quit.

1.   The user defined password policy is disabled.  The user is not
     allowed to change the password.

     resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate error message.
                For example:
                errorMessage: "user is not allowed to change password"


2.   The new password failed the password syntax checking, or the
     current password has not reached the minimum password age, or the
     new password is in history.

     resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
                For example:
                errorMessage: "invalid password syntax"
                errorMessage: "password in history"
                errorMessage: "trivial password"
                errorMessage: "within minimum password age"

13.3.  Add Responses

For the add response received for the add entry request, the client
needs to check the result code and error message to determine if it
failed the password checking, and either let the user retry or quit.

1.   The new password failed the password syntax checking.

     resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
                For example:
                errorMessage: "invalid password syntax"
                errorMessage: "trivial password"

13.4.  Other Responses

For operations other than bind, unbind, abandon, or search, the client
needs to check the following result code and control to determine if the
user needs to change the password immediately.

1.   The user needs to change the password on first-time logon.  The
     user should be prompted to change the password immediately.

     resultCode: LDAP_UNWILLING_TO_PERFORM, with the control
         controlType: 2.16.840.1.113730.3.4.4,
         controlValue: "0",
         criticality: false
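
The wire form of the two controls introduced in sections 5 and 10, and
the client-side reading of a bindResponse described in section 13.1, as
an added example in Python.  This is the editor's code, not the draft's.
A Control is encoded as in RFC 2251: controlType is an LDAPOID, which is
an OCTET STRING holding the dotted-decimal text; criticality is a
BOOLEAN with DEFAULT FALSE and so is omitted when false; the controls of
an LDAPMessage are the [0] context-tagged SEQUENCE OF Control.  The
seconds-until-expiry value is read as the decimal digits of the number
in ASCII; that is an assumption, since the draft only says "an octet
string to indicate the time in seconds".

```python
# Added example: BER encoding and decoding of the two Netscape response
# controls (sections 5 and 10) and the client-side reading of a bindResponse
# (section 13.1).  Not Netscape Directory code.

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INVALID_CREDENTIALS = 49
PWD_EXPIRED_CONTROL = "2.16.840.1.113730.3.4.4"
PWD_EXPIRING_CONTROL = "2.16.840.1.113730.3.4.5"

def ber_len(n):
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def encode_control(control_type, control_value=None, criticality=False):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN
    DEFAULT FALSE, controlValue OCTET STRING OPTIONAL } (RFC 2251 4.1.12).
    LDAPOID is an OCTET STRING holding the dotted-decimal text."""
    body = tlv(0x04, control_type.encode("ascii"))
    if criticality:                       # DEFAULT FALSE: omitted when false
        body += tlv(0x01, b"\xff")
    if control_value is not None:
        body += tlv(0x04, control_value)
    return tlv(0x30, body)

def encode_controls(controls):
    """Controls ::= [0] SEQUENCE OF Control, as carried in LDAPMessage."""
    return tlv(0xA0, b"".join(encode_control(*c) for c in controls))

def read_tlv(buf, pos):
    """Return (tag, content, position after the element).  Every length is
    checked against the buffer so a truncated or lying length cannot over-read."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def decode_controls(buf):
    """Inverse of encode_controls: list of (type, value, criticality)."""
    tag, seq, end = read_tlv(buf, 0)
    if tag != 0xA0 or end != len(buf):
        raise ValueError("expected [0] Controls")
    controls, pos = [], 0
    while pos < len(seq):
        tag, ctl, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("expected Control SEQUENCE")
        tag, oid, p = read_tlv(ctl, 0)
        if tag != 0x04:
            raise ValueError("expected controlType")
        criticality, value = False, None
        while p < len(ctl):
            tag, v, p = read_tlv(ctl, p)
            if tag == 0x01:
                criticality = v != b"\x00"
            elif tag == 0x04:
                value = v
            else:
                raise ValueError("unexpected element in Control")
        controls.append((oid.decode("ascii"), value, criticality))
    return controls

def interpret_bind_response(result_code, error_message, controls):
    """Section 13.1: what the client should tell the user.  The expiring
    control's value is read as decimal ASCII seconds (an assumption)."""
    if result_code == LDAP_SUCCESS:
        for control_type, value, _ in controls:
            if control_type == PWD_EXPIRED_CONTROL:
                return "change password now"
            if control_type == PWD_EXPIRING_CONTROL:
                return "password expires in %d seconds" % int(value.decode("ascii"))
        return "ok"
    if result_code == LDAP_CONSTRAINT_VIOLATION:
        return "locked out: retry later or ask an administrator to reset"
    if result_code == LDAP_INVALID_CREDENTIALS:
        # Only the free-text message separates an expired password from a
        # wrong one, so the match has to be on that string.
        return "password expired" if "expired" in error_message else "invalid credentials"
    return "bind failed (%d)" % result_code
```

Note that the draft distinguishes an expired password from a wrong one
only by the errorMessage text carried with LDAP_INVALID_CREDENTIALS; a
client that wants to behave differently in the two cases has to match
that string, and the match should stay confined to that one result code
so that other diagnostic messages cannot trigger it.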

14.  Security Considerations

The password policy defined in this document applies to the LDAP simple
authentication method [RFC-2251] and to userPassword attribute values
only.  The simple authentication method provides minimal authentication
facilities, with the contents of the authentication field consisting
only of a cleartext password.  Note that neither the simple
authentication method nor this password policy protects the password in
transit; where the underlying transport service cannot guarantee
confidentiality, their use may result in disclosure of the password to
unauthorized parties.  SASL and TLS mechanisms may be used with LDAP to
provide integrity or confidentiality services.

The account lockout policy of section 11 also offers a denial of service
opportunity: anyone who knows a user's DN can lock that user out by
deliberately failing passwordMaxFailure binds.  Setting passwordUnlock
on with a finite passwordLockoutDuration bounds the damage; leaving
accounts locked until an administrator resets the password does not.

15.  Bibliography

[RFC-2251] Wahl, M., Howes, T., Kille, S., "Lightweight Directory
           Access Protocol (v3)", RFC 2251, August 1997.

[RFC-2307] Howard, L., "An Approach for Using LDAP as a Network
           Information Service", RFC 2307, March 1998.

[RFC-2119] Bradner, S., "Key Words for use in RFCs to Indicate
           Requirement Levels", RFC 2119, March 1997.

16.  Author's Addresses

   Valerie Chu
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-3443
   vchu@netscape.com