|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
SLAPO_PPOLICY(5) File Formats Manual SLAPO_PPOLICY(5)
slapo-ppolicy - Password Policy overlay to slapd
ETCDIR/slapd.conf
The ppolicy overlay is an implementation of the most recent IETF
Password Policy proposal for LDAP. When instantiated, it
intercepts, decodes and applies specific password policy controls
to overall use of a backend database, changes to user password
fields, etc.
The overlay provides a variety of password control mechanisms.
They include password aging -- both minimum and maximum ages,
password reuse and duplication control, account time-outs,
mandatory password resets, acceptable password content, and even
grace logins. Different groups of users may be associated with
different password policies, and there is no limit to the number
of password policies that may be created.
Note that some of the policies do not take effect when the
operation is performed with the rootdn identity; all the
operations, when performed with any other identity, may be
subjected to constraints, like access control. This overlay
requires a rootdn to be configured on the database.
During password update, an identity with manage access to the
userPassword attribute is considered a password administrator
where relevant to the IETF Password Policy proposal.
Note that the IETF Password Policy proposal for LDAP makes sense
when considering a single-valued password attribute, while the
userPassword attribute allows multiple values. This
implementation enforces a single value for the userPassword
attribute, despite its specification.
In addition to supporting the IETF Password Policy, this module
supports the SunDS Account Usability control
(1.3.6.1.4.1.42.2.27.9.5.8) on search requests and can send the
Netscape Password validity controls when configured to do so.
These slapd.conf configuration options apply to the ppolicy
overlay. They should appear after the overlay directive.
ppolicy_forward_updates
Specify that policy state changes that result from Bind
operations (such as recording failures, lockout, etc.) on a
consumer should be forwarded to a provider instead of being
written directly into the consumer's local database. This
setting is only useful on a replication consumer, and also
requires the updateref setting and chain overlay to be
appropriately configured.
ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify
requests should be hashed before being stored in the
database. This violates the X.500/LDAP information model,
but may be needed to compensate for LDAP clients that don't
use the Password Modify extended operation to manage
passwords. It is recommended that when this option is used
that compare, search, and read access be denied to all
directory users.
ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials
response when Binding to a locked account. By default, when
a Password Policy control was provided on the Bind request,
a Password Policy response will be included with no special
error code set. This option changes the Password Policy
response to include the AccountLocked error code. Note that
sending the AccountLocked error code provides useful
information to an attacker; sites that are sensitive to
security issues should not enable this option.
ppolicy_send_netscape_controls
If set, ppolicy will send the password policy expired
(2.16.840.1.113730.3.4.4) and password policy expiring
(2.16.840.1.113730.3.4.5) controls when appropriate. The
controls are not sent for bind requests where the Password
policy control has already been requested. Default is not
to send the controls.
ppolicy_check_module <path>
Specify the path of a loadable module containing a
check_password() function for additional password quality
checks. The use of this module is described further below
in the description of the pwdPolicyChecker objectclass.
Note: The user-defined loadable module must be in slapd's
standard executable search PATH, or an absolute path must
be provided.
Note: Use of a ppolicy_check_module is a non-standard
extension to the LDAP password policy proposal.
ppolicy_rules [dn[.<dnstyle>]=<DN/regex>]
[require_password=yes|no] [filter=<filter str>]
[group[.expand][/<objectclass>[/<attribute>]]=<DN/pattern>]
no_policy|policy_dn=<policyDN>|policy_dn.expand=<pattern>
[stop|continue]
Specify which pwdPolicy object to use when no specific
policy is set on a given user's entry. The rules are
checked in order and the first one to match will apply (but
see the continue action). If a rule that specifies
no_policy is selected or the selected policyDN is an entry
with objectclass pwdPolicy but its contents are not valid,
then no policies will be enforced.
When checking whether a rule applies, ppolicy checks:
• The entry's DN against the dn[.<dnstyle>]
• If require_password is yes (the default), presence
of the password attribute (currently only
userPassword)
• The entry's contents against the filter
• Whether it is considered a member of the group
specified in group[.expand]
All of which are optional. Matching and meaning of
<dnstyle> and expand loosely follow that described in
slapd.access(5) except that the expansions in the pattern
space are slightly more limited, only the $<digit> form is
supported at the moment and only if dnstyle is regex. It
then tries to retrieve policyDN and check that its
objectclass is pwdPolicy.
If all of the rule checks pass, behaviour depends on the
action keyword (stop|continue). If action is stop (the
default), processing ends here with policy that was just
chosen (or the no_policy decision). If action is continue,
the decision is remembered, processing continues and can be
overriden by later rules.
The way to configure this in cn=config is through child
entries under the overlay entry with objectclass
olcPPolicyRegexRule for regex-based DN matching and
olcPPolicyScopedRule for any other <dnstyle>.
ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no
specific policy is set on a given user's entry and none of
the ppolicy_rules matched. If there is no specific policy
for an entry and no default is given, then no policies will
be enforced. This option is deprecated in favour of
ppolicy_rules and support for it will be removed in a
future release. It behaves as if the following rule was the
first rule in ppolicy_rules:
ppolicy_rules policyDN=<policyDN> continue
The ppolicy overlay depends on the pwdPolicy object class. The
definition of that class is as follows:
( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
AUXILIARY
SUP top
MUST ( pwdAttribute )
MAY (
pwdMinAge $ pwdMaxAge $ pwdInHistory $
pwdCheckQuality $ pwdMinLength $ pwdMaxLength $
pwdExpireWarning $ pwdGraceAuthnLimit $
pwdGraceExpiry $ pwdLockout $ pwdLockoutDuration $
pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $
pwdSafeModify $ pwdMaxRecordedFailure $
pwdMinDelay $ pwdMaxDelay $ pwdMaxIdle ) )
The pwdPolicy class is not structural, and so entries using it
require another, structural, object class. The namedPolicy object
class is a good choice. namedPolicy requires a cn attribute,
suitable as the policy entry's rDN.
This implementation also provides two additional objectclasses:
pwdPolicyChecker objectclass
( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
MAY ( pwdCheckModule $ pwdCheckModuleArg $
pwdUseCheckModule ) )
used for password quality checking and pwdHashingPolicy
objectclass
( 1.3.6.1.4.1.4754.2.99.2
NAME 'pwdHashingPolicy'
SUP pwdPolicy
AUXILIARY
MAY ( pwdDefaultHash $ pwdRehashOnBind ) )
for more fine-grained control over password hashing. See specific
attributes below for usage.
Every account that should be subject to password policy control
should have a pwdPolicySubentry attribute containing the DN of a
valid pwdPolicy entry, or they can simply use the configured
default. In this way different users may be managed according to
different policies.
Each one of the sections below details the meaning and use of a
particular attribute of this pwdPolicy object class.
pwdAttribute
This attribute contains the name of the attribute to which the
password policy is applied. For example, the password policy may
be applied to the userPassword attribute.
Note: in this implementation, the only value accepted for
pwdAttribute is userPassword .
( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
pwdMinAge
This attribute contains the number of seconds that must elapse
between modifications allowed to the password. If this attribute
is not present, zero seconds is assumed (i.e. the password may be
modified whenever and however often is desired).
( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxAge
This attribute contains the number of seconds after which a
modified password will expire. If this attribute is not present,
or if its value is zero (0), then passwords will not expire.
( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdInHistory
This attribute is used to specify the maximum number of used
passwords that will be stored in the pwdHistory attribute. If the
pwdInHistory attribute is not present, or if its value is zero
(0), used passwords will not be stored in pwdHistory and thus any
previously-used password may be reused. No history checking
occurs if the password is being modified by the rootdn, although
the password is saved in the history.
( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdCheckQuality
This attribute indicates if and how password syntax will be
checked while a password is being modified or added. If this
attribute is not present, or its value is zero (0), no syntax
checking will be done. If its value is one (1), the server will
check the syntax, and if the server is unable to check the syntax,
whether due to a client-side hashed password or some other reason,
it will be accepted. If its value is two (2), the server will
check the syntax, and if the server is unable to check the syntax
it will return an error refusing the password.
( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMinLength
When syntax checking is enabled (see also the pwdCheckQuality
attribute), this attribute contains the minimum length in bytes
that will be accepted in a password. If this attribute is not
present, minimum password length is not enforced. If the server is
unable to check the length of the password, whether due to a
client-side hashed password or some other reason, the server will,
depending on the value of pwdCheckQuality, either accept the
password without checking it (if pwdCheckQuality is zero (0) or
one (1)) or refuse it (if pwdCheckQuality is two (2)). If the
number of characters should be enforced with regards to a
particular encoding, the use of an appropriate
ppolicy_check_module is required.
( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxLength
When syntax checking is enabled (see also the pwdCheckQuality
attribute), this attribute contains the maximum length in bytes
that will be accepted in a password. If this attribute is not
present, maximum password length is not enforced. If the server is
unable to check the length of the password, whether due to a
client-side hashed password or some other reason, the server will,
depending on the value of pwdCheckQuality, either accept the
password without checking it (if pwdCheckQuality is zero (0) or
one (1)) or refuse it (if pwdCheckQuality is two (2)). If the
number of characters should be enforced with regards to a
particular encoding, the use of an appropriate
ppolicy_check_module is required.
( 1.3.6.1.4.1.42.2.27.8.1.31
NAME 'pwdMaxLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdExpireWarning
This attribute contains the maximum number of seconds before a
password is due to expire that expiration warning messages will be
returned to a user who is authenticating to the directory. If
this attribute is not present, or if the value is zero (0), no
warnings will be sent.
( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdGraceAuthnLimit
This attribute contains the number of times that an expired
password may be used to authenticate a user to the directory. If
this attribute is not present or if its value is zero (0), users
with expired passwords will not be allowed to authenticate to the
directory.
( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthnLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdGraceExpiry
This attribute specifies the number of seconds the grace
authentications are valid. If this attribute is not present or if
the value is zero (0), there is no time limit on the grace
authentications.
( 1.3.6.1.4.1.42.2.27.8.1.30
NAME 'pwdGraceExpiry'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdLockout
This attribute specifies the action that should be taken by the
directory when a user has made a number of failed attempts to
authenticate to the directory. If pwdLockout is set (its value is
"TRUE"), the user will not be allowed to attempt to authenticate
to the directory after there have been a specified number of
consecutive failed bind attempts. The maximum number of
consecutive failed bind attempts allowed is specified by the
pwdMaxFailure attribute. If pwdLockout is not present, or if its
value is "FALSE", the password may be used to authenticate no
matter how many consecutive failed bind attempts have been made.
( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdLockoutDuration
This attribute contains the number of seconds during which the
password cannot be used to authenticate the user to the directory
due to too many consecutive failed bind attempts. (See also
pwdLockout and pwdMaxFailure.) If pwdLockoutDuration is not
present, or if its value is zero (0), the password cannot be used
to authenticate the user to the directory again until it is reset
by an administrator.
( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxFailure
This attribute contains the number of consecutive failed bind
attempts after which the password may not be used to authenticate
a user to the directory. If pwdMaxFailure is not present, or its
value is zero (0), then a user will be allowed to continue to
attempt to authenticate to the directory, no matter how many
consecutive failed bind attempts have occurred with that user's
DN. (See also pwdLockout and pwdLockoutDuration.)
( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxRecordedFailure
This attribute contains the maximum number of failed bind attempts
to store in a user's entry. If pwdMaxRecordedFailure is not
present, or its value is zero (0), then it defaults to the value
of pwdMaxFailure. If that value is also 0, the default is 5.
( 1.3.6.1.4.1.42.2.27.8.1.32
NAME 'pwdMaxRecordedFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdFailureCountInterval
This attribute contains the number of seconds after which old
consecutive failed bind attempts are purged from the failure
counter, even though no successful authentication has occurred.
If pwdFailureCountInterval is not present, or its value is zero
(0), the failure counter will only be reset by a successful
authentication.
( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMustChange
This attribute specifies whether users must change their passwords
when they first bind to the directory after a password is set or
reset by the administrator, or not. If pwdMustChange has a value
of "TRUE", users must change their passwords when they first bind
to the directory after a password is set or reset by the
administrator. If pwdMustChange is not present, or its value is
"FALSE", users are not required to change their password upon
binding after the administrator sets or resets the password.
( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdAllowUserChange
This attribute specifies whether users are allowed to change their
own passwords or not. If pwdAllowUserChange is set to "TRUE", or
if the attribute is not present, users will be allowed to change
their own passwords. If its value is "FALSE", users will not be
allowed to change their own passwords.
Note: this implies that when pwdAllowUserChange is set to "TRUE",
users will still be able to change the password of another user,
subjected to access control. This restriction only applies to
modifications of ones's own password. It should also be noted
that pwdAllowUserChange was defined in the specification to
provide rough access control to the password attribute in
implementations that do not allow fine-grain access control.
Since OpenLDAP provides fine-grain access control, the use of this
attribute is discouraged; ACLs should be used instead (see
slapd.access(5) for details).
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdSafeModify
This attribute denotes whether the user's existing password must
be sent along with their new password when changing a password.
If pwdSafeModify is set to "TRUE", the existing password must be
sent along with the new password. If the attribute is not
present, or its value is "FALSE", the existing password need not
be sent along with the new password.
( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdMinDelay
This attribute specifies the number of seconds to delay responding
to the first failed authentication attempt. If this attribute is
not set or is zero (0), no delays will be used. pwdMaxDelay must
also be specified if pwdMinDelay is set.
Note that this implementation uses a variable lockout instead of
delaying the bind response.
( 1.3.6.1.4.1.42.2.27.8.1.24
NAME 'pwdMinDelay'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxDelay
This attribute specifies the maximum number of seconds to delay
when responding to a failed authentication attempt. The time
specified in pwdMinDelay is used as the starting time and is then
doubled on each failure until the delay time is greater than or
equal to pwdMaxDelay (or a successful authentication occurs, which
resets the failure counter). pwdMinDelay must also be specified
if pwdMaxDelay is set.
Note that this implementation uses a variable lockout instead of
delaying the bind response.
( 1.3.6.1.4.1.42.2.27.8.1.25
NAME 'pwdMaxDelay'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdMaxIdle
This attribute specifies the number of seconds an account may
remain unused before it becomes locked. If this attribute is not
set or is zero (0), no check is performed. For this to be
enforced, lastbind functionality needs to be enabled on the
database, that is olcLastBind is set to TRUE.
( 1.3.6.1.4.1.42.2.27.8.1.26
NAME 'pwdMaxIdle'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
pwdUseCheckModule/pwdCheckModuleArg
The pwdUseCheckModule attribute enables use of a loadable module
previously configured with ppolicy_check_module for the current
policy. The module must instantiate the check_password() function.
This function will be called to further check a new password if
pwdCheckQuality is set to one (1) or two (2), after all of the
built-in password compliance checks have been passed. This
function will be called according to this function prototype:
int check_password (char *pPasswd, struct berval *pErrmsg,
Entry *pEntry, struct berval *pArg);
The pPasswd parameter contains the clear-text user password, the
pErrmsg parameter points to a struct berval containing space to
return human-readable details about any error it encounters. The
bv_len field must contain the size of the space provided by the
bv_val field.
The pEntry parameter is optional, if non-NULL, carries a pointer
to the entry whose password is being checked.
The optional pArg parameter points to a struct berval containing
the value of pwdCheckModuleArg in the effective password policy,
if set, otherwise NULL.
If pErrmsg is NULL, then funcName must NOT attempt to use it. A
return value of LDAP_SUCCESS from the called function indicates
that the password is ok, any other value indicates that the
password is unacceptable. If the password is unacceptable, the
server will return an error to the client, and pErrmsg may be used
to return a human-readable textual explanation of the error. If
the space passed in by the caller is too small, the function may
replace it with a dynamically allocated buffer, which will be
free()'d by slapd.
The pwdCheckModule attribute is now obsolete and is ignored.
( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
OBSOLETE
SINGLE-VALUE )
( 1.3.6.1.4.1.4754.1.99.2
NAME 'pwdCheckModuleArg'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
DESC 'Argument to pass to check_password() function'
SINGLE-VALUE )
( 1.3.6.1.4.1.4754.1.99.3
NAME 'pwdUseCheckModule'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
pwdDefaultHash
If specified, this attribute overrides the configured default
password hash for objects that are governed by this policy.
( 1.3.6.1.4.1.4754.1.99.4
NAME 'pwdDefaultHash'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
DESC 'Per policy default hash setting'
SINGLE-VALUE )
pwdRehashOnBind
This attribute denotes whether the user's existing password should
be rehashed. If pwdReset is set to "TRUE", pwdDefaultHash is set
to a known password hash and a Simple Bind succeeds, the entry's
userPassword is replaced with a version using that hash.
( 1.3.6.1.4.1.4754.1.99.5
NAME 'pwdRehashOnBind'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
DESC 'On successful Simple Bind, rehash password
with default hash if different'
SINGLE-VALUE )
The operational attributes used by the ppolicy module are stored
in the user's entry. Most of these attributes are not intended to
be changed directly by users; they are there to track user
activity. They have been detailed here so that administrators and
users can both understand the workings of the ppolicy module.
Note that the current IETF Password Policy proposal does not
define how these operational attributes are expected to behave in
a replication environment. In general, authentication attempts on
a replica server only affect the copy of the operational
attributes on that replica and will not affect any attributes for
a user's entry on the provider. Operational attribute changes
resulting from authentication attempts on a provider will usually
replicate to the replicas (and also overwrite any changes that
originated on the replica). These behaviors are not guaranteed
and are subject to change when a formal specification emerges.
userPassword
The userPassword attribute is not strictly part of the ppolicy
module. It is, however, the attribute that is tracked and
controlled by the module. Please refer to the standard OpenLDAP
schema for its definition.
pwdPolicySubentry
This attribute refers directly to the pwdPolicy subentry that is
to be used for this particular directory user. Every account that
should be subject to password policy control will have a
pwdPolicySubentry attribute containing the DN of a pwdPolicy
entry. The module will use the one stored in the DB if it exists,
otherwise it will attempt to derive the correct policy to apply
based on the rules it has been configured with, see
ppolicy_rules/olcPPolicyScopedRule/olcPPolicyRegexRule
configuration options. In this way different users may be managed
according to configurable policies. The value of the effective
policy DN will be returned if requested in a search request but
this is a virtual attribute and is not usable in a filter.
Modifying/adding this attribute directly is deprecated and the
ability to do so will be removed in a future release.
( 1.3.6.1.4.1.42.2.27.8.1.23
NAME 'pwdPolicySubentry'
DESC 'The pwdPolicy subentry in effect for
this object'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
USAGE directoryOperation)
pwdChangedTime
This attribute denotes the last time that the entry's password was
changed. This value is used by the password expiration policy to
determine whether the password is too old to be allowed to be used
for user authentication. If pwdChangedTime does not exist, the
user's password will not expire.
( 1.3.6.1.4.1.42.2.27.8.1.16
NAME 'pwdChangedTime'
DESC 'The time the password was last changed'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdAccountLockedTime
This attribute contains the time that the user's account was
locked. If the account has been locked, the password may no
longer be used to authenticate the user to the directory. If
pwdAccountLockedTime is set to 000001010000Z, the user's account
has been permanently locked and may only be unlocked by an
administrator. Note that account locking only takes effect when
the pwdLockout password policy attribute is set to "TRUE".
( 1.3.6.1.4.1.42.2.27.8.1.17
NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation)
pwdFailureTime
This attribute contains the timestamps of each of the consecutive
authentication failures made upon attempted authentication to this
DN (i.e. account). If too many timestamps accumulate here (refer
to the pwdMaxFailure password policy attribute for details), and
the pwdLockout password policy attribute is set to "TRUE", the
account may be locked. (Please also refer to the pwdLockout
password policy attribute.) Excess timestamps beyond those
allowed by pwdMaxFailure or pwdMaxRecordedFailure may also be
purged. If a successful authentication is made to this DN (i.e.
to this user account), then pwdFailureTime will be cleansed of
entries.
( 1.3.6.1.4.1.42.2.27.8.1.19
NAME 'pwdFailureTime'
DESC 'The timestamps of the last consecutive
authentication failures'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
NO-USER-MODIFICATION
USAGE directoryOperation )
pwdHistory
This attribute contains the history of previously used passwords
for this DN (i.e. for this user account). The values of this
attribute are stored in string format as follows:
pwdHistory=
time "#" syntaxOID "#" length "#" data
time=
GeneralizedTime as specified in section 3.3.13 of
[RFC4517]
syntaxOID = numericoid
This is the string representation of the dotted-decimal
OID that defines the syntax used to store the password.
numericoid is described in section 1.4 of [RFC4512].
length = NumericString
The number of octets in the data. NumericString is
described in section 3.3.23 of [RFC4517].
data =
Octets representing the password in the format specified
by syntaxOID.
This format allows the server to store and transmit a history of
passwords that have been used. In order for equality matching on
the values in this attribute to function properly, the time field
is in GMT format.
( 1.3.6.1.4.1.42.2.27.8.1.20
NAME 'pwdHistory'
DESC 'The history of user passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdGraceUseTime
This attribute contains the list of timestamps of logins made
after the user password in the DN has expired. These post-
expiration logins are known as "grace logins". If too many grace
logins have been used (please refer to the pwdGraceAuthnLimit
password policy attribute), then the DN will no longer be allowed
to be used to authenticate the user to the directory until the
administrator changes the DN's userPassword attribute.
( 1.3.6.1.4.1.42.2.27.8.1.21
NAME 'pwdGraceUseTime'
DESC 'The timestamps of the grace login once the password
has expired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
NO-USER-MODIFICATION
USAGE directoryOperation)
pwdReset
This attribute indicates whether the user's password has been
reset by the administrator and thus must be changed upon first use
of this DN for authentication to the directory. If pwdReset is
set to "TRUE", then the password was reset and the user must
change it upon first authentication. If the attribute does not
exist, or is set to "FALSE", the user need not change their
password due to administrative reset.
( 1.3.6.1.4.1.42.2.27.8.1.22
NAME 'pwdReset'
DESC 'The indication that the password has
been reset'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE directoryOperation)
pwdStartTime
This attribute specifies the time the entry's password becomes
valid for authentication. Authentication attempts made before
this time will fail. If this attribute does not exist, then no
restriction applies.
( 1.3.6.1.4.1.42.2.27.8.1.27
NAME 'pwdStartTime'
DESC 'The time the password becomes enabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE directoryOperation )
pwdEndTime
This attribute specifies the time the entry's password becomes
invalid for authentication. Authentication attempts made after
this time will fail, regardless of expiration or grace settings.
If this attribute does not exist, then this restriction does not
apply.
( 1.3.6.1.4.1.42.2.27.8.1.28
NAME 'pwdEndTime'
DESC 'The time the password becomes disabled'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE directoryOperation )
Note that pwdStartTime may be set to a time greater than or equal
to pwdEndTime; this simply disables the account.
pwdAccountTmpLockoutEnd
This attribute that the user's password has been locked out
temporarily according to the pwdMinDelay policy option and when
the lockout ends.
( 1.3.6.1.4.1.42.2.27.8.1.33
NAME 'pwdAccountTmpLockoutEnd'
DESC 'Temporary lockout end'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION
USAGE directoryOperation )
If the SunDS Account Usability control is used with a search
request, the overlay will attach validity information to each
entry provided all of the following are met:
• There is a password policy that applies to the entry
• The user has compare access to the entry's password attribute.
• The configured password attribute is present in the entry
database mdb
suffix dc=example,dc=com
...
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,dc=example,dc=com"
ldap(3), slapd.conf(5), slapd-config(5), slapo-chain(5).
"OpenLDAP Administrator's Guide"
(http://www.OpenLDAP.org/doc/admin/)
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document "draft-behera-ldap-
password-policy-10.txt".
The LDAP Password Policy specification is not yet an approved
standard, and it is still evolving. This code will continue to be
in flux until the specification is finalized.
This module was written in 2004 by Howard Chu of Symas Corporation
with significant input from Neil Dunbar and Kartik Subbarao of
Hewlett-Packard.
This manual page borrows heavily and shamelessly from the
specification upon which the password policy module it describes
is based. This source is the IETF LDAP password policy proposal
by P. Behera, L. Poitou and J. Sermersheim. The proposal is
fully documented in the IETF document named draft-behera-ldap-
password-policy-10.txt, written in August of 2009.
OpenLDAP Software is developed and maintained by The OpenLDAP
Project <http://www.openldap.org/>. OpenLDAP Software is derived
from the University of Michigan LDAP 3.3 Release.
This page is part of the OpenLDAP (an open source implementation
of the Lightweight Directory Access Protocol) project.
Information about the project can be found at
⟨http://www.openldap.org/⟩. If you have a bug report for this
manual page, see ⟨http://www.openldap.org/its/⟩. This page was
obtained from the project's upstream Git repository
⟨https://git.openldap.org/openldap/openldap.git⟩ on 2025-08-11.
(At that time, the date of the most recent commit that was found
in the repository was 2025-08-05.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
OpenLDAP LDVERSION RELEASEDATE SLAPO_PPOLICY(5)
Pages that refer to this page: slapd.overlays(5)
|
HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|