Commit 0c17e0ec authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

ITS#9279 - Add draft for vchu-ldap-pwd-policy

parent c1e4f372
LDAP-EXT Working Group Valerie Chu
INTERNET-DRAFT Netscape Communications Corp.
Expires in six months
Intended Category: Informational
December 1998
Password Policy for LDAP Directories
<draft-vchu-ldap-pwd-policy-00.txt>
1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working docu-
ments as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference material
or to cite them other than as ``work in progress.''
To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
ftp.nic.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org
(US East Coast), or ftp.isi.edu (US West Coast).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
2. Abstract
This document describes the implementation of password policy in
Netscape LDAP directories, and introduces two new object classes,
twenty-three new attribute types, and two new controls in support of
password policy.
Password policy is a set of rules that control how passwords are used in
LDAP directories. In order to improve the security of LDAP directories
and make it difficult for password cracking programs to break into
directories, it is desirable to enforce a set of rules on password
usage. These rules are made to ensure that the users change their pass-
words periodically, the new password meets construction requirements,
the re-use of the old password is restricted, and lock out the users
Chu [Page 1]
Expires June 1999 INTERNET DRAFT
after a certain number of bad password attempts.
3. Overview
LDAP-based directory services currently are accepted by many organiza-
tions as the access protocol for directories. The ability to ensure the
secure read, update access to directory information throughout the net-
work is essential to the successful deployment. There are several secu-
rity mechanisms which are used in Netscape LDAP implementation to pro-
tect the directory data. For example, the access control is used to
prevent unauthorized access to information stored in directories; SASL
is used to negotiate for integrity and privacy services.[RFC-2251] The
most fundamental security mechanism in Netscape Directory is the simple
authentication using password. In many systems, in order to improve the
security of the system, the simple password-based authentication often
is used in conjunction with a set of password restrictions to control
how passwords are used in the system. For example, the passwd program
in UNIX systems, or the user account policy in WindowsNT, has a set of
rules that users need to follow to use password authentication. At the
moment, LDAP does not define a password policy model, but it is needed
to achieve greater security protection and it is critical to the suc-
cessful deployment of LDAP directories.
Specifically, the password policy defines:
- The maximum length of time that a given password is valid.
- The minimum length of time required between password changes.
- The maximum length of time before a user's password is due to
expire that the user will be sent a warning message.
- Whether users can reuse passwords.
- The minimum number of characters a password must contain.
- Whether the password syntax is checked before a new password is
saved.
- Whether users are allowed to change their own passwords.
- Whether passwords must be changed after they are reset by the
administrator.
- Whether users will be locked out of the directory after a given
number of failed bind attempts.
Chu [Page 2]
Expires June 1999 INTERNET DRAFT
- How long users will be locked out of the directory after a given
number of failed bind attempts.
- The length of time before the password failure counter which
keeps track of the number of failed password attempts is reset.
The password policy defined in this document is applied to the LDAP sim-
ple authentication method [RFC-2251] and userPassword attribute values
only.
In this document, the term "user" represents any application which is an
LDAP client using the directory to retrieve or store information.
Directory administrators are not forced to comply with any of password
policies.
4. New Attribute Types and Object Classes
4.1. The passwordPolicy Object Class
The passwordPolicy object class holds the password policy settings for a
set of user accounts. In the Netscape Directory implementation, they
are located in the "cn=config" entry.
The description of passwordPolicy object class:
( 2.16.840.1.113730.3.2.13
NAME 'passwordPolicy'
AUXILIARY
SUP top
DESC 'Password Policy object class to hold password policy information'
MAY (
passwordMaxAge $ passwordExp $ passwordMinLength $
passwordKeepHistory $ passwordInHistory $ passwordChange $
passwordCheckSyntax $ passwordWarning $ passwordLockout $
passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $
passwordMustChange $ passwordStorageScheme $ passwordMinAge $
passwordResetFailureCount
)
)
4.2. The new attribute types used in the passwordPolicy Object Class:
( 2.16.840.1.113730.3.1.97
NAME 'passwordMaxAge'
DESC 'the number of seconds after which user passwords will expire'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
Chu [Page 3]
Expires June 1999 INTERNET DRAFT
)
( 2.16.840.1.113730.3.1.98
NAME 'passwordExp'
DESC 'a flag which indicates whether passwords will expire after a
given number of seconds'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.99
NAME 'passwordMinLength'
DESC 'the minimum number of characters that must be used in a password'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.100
NAME 'passwordKeepHistory'
DESC 'a flag which indicates whether passwords can be reused"
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.101
NAME 'passwordInHistory'
DESC 'the number of passwords the directory server stores in history'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.102
NAME 'passwordChange'
DESC 'a flag which indicates whether users can change their passwords'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.103
NAME 'passwordCheckSyntax'
DESC 'a flag which indicates whether the password syntax will be checked
before the password is saved'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.104
NAME 'passwordWarning'
DESC 'the number of seconds before a user's password is due to expire that
the user will be sent a warning message'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.105
NAME 'passwordLockout'
Chu [Page 4]
Expires June 1999 INTERNET DRAFT
DESC 'a flag which indicates whether users will be locked out of the
directory after a given number of consecutive failed bind attempts'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.106
NAME 'passwordMaxFailure'
DESC 'the number of consecutive failed bind attempts after which a user
will be locked out of the directory'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.108
NAME 'passwordUnlock'
DESC 'a flag which indicates whether a user will be locked out of the
directory for a given number of seconds or until the administrator
resets the password after an account lockout'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.109
NAME 'passwordLockoutDuration'
DESC 'the number of seconds that users will be locked out of the directory
after an account lockout
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.220
NAME 'passwordMustChange'
DESC 'a flag which indicates whether users must change their passwords when
they first bind to the directory server'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
( 2.16.840.1.113730.3.1.221
NAME 'passwordStorageScheme'
DESC 'the type of hash algorithm used to store directory server passwords'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
The description of password storage scheme can be found in [RFC-2307].
( 2.16.840.1.113730.3.1.222
NAME 'passwordMinAge'
DESC 'the number of seconds that must elapse before a user can change their
password again'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
Chu [Page 5]
Expires June 1999 INTERNET DRAFT
( 2.16.840.1.113730.3.1.223
NAME 'passwordResetFailureCount'
DESC 'the number of seconds after which the password failure counter will
be reset'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
)
Currently in Netscape Directory password policy implementation,
passwordMaxAge, passwordMinLength, passwordInHistory, passwordWarn-
ing, passwordMaxFailure, passwordLockoutDuration, passwordMinAge, and
passwordResetFailureCount attributes are defined as
1.3.6.1.4.1.1466.115.121.1.15 ('Directory String'). It is recom-
mented to change them to 1.3.6.1.4.1.1466.115.121.1.27 ('Integer') in
the future implementation.
The attributes which are used as a flag have the syntax
'1.3.6.1.4.1.1466.115.121.1.15' ('Directory String'). A value of '1'
represents 'true', while '0' represents 'false'. It is recommented
to change them to 1.3.6.1.4.1.1466.115.121.1.7 ('Boolean') in the
future implementation.
4.3. The passwordObject Object Class
The passwordObject object class holds the password policy state informa-
tion for each user. For example, how many consecutive bad password
attempts an user made. The information is located in each user entries.
The description of passwordObject object class:
( 2.16.840.1.113730.3.2.12
NAME 'passwordObject'
AUXILIARY
SUP top
DESC 'Password object class to hold password policy information for each
entry'
MAY (
passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $
retryCountResetTime $ accountUnlockTime $ passwordHistory $
passwordAllowChangeTime
)
)
4.4. The new attribute types used in the passwordObject Object Class:
( 2.16.840.1.113730.3.1.91
NAME 'passwordExpirationTime'
DESC 'the time the entry's password expires'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
Chu [Page 6]
Expires June 1999 INTERNET DRAFT
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.92
NAME 'passwordExpWarned'
DESC 'a flag which indicates whether a password expiration warning is sent
to the client'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.93
NAME 'passwordRetryCount'
DESC 'the count of consecutive failed password attempts'
EQUALITY 'caseIgnoreMatch'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.94
NAME 'retryCountResetTime'
DESC 'the time to reset the passwordRetryCount'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.95
NAME 'accountUnlockTime'
DESC 'the time that the user can bind again after an account lockout'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.96
NAME 'passwordHistory'
DESC 'the history of user's passwords'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
EQUALITY bitStringMatch
USAGE directoryOperation
)
( 2.16.840.1.113730.3.1.214
NAME 'passwordAllowChangeTime'
Chu [Page 7]
Expires June 1999 INTERNET DRAFT
DESC 'the time that the user is allowed change the password'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SINGLE-VALUE
USAGE directoryOperation
)
5. Password Expiration and Expiration Warning
New attributes, passwordExp, passwordMaxAge, and passwordWarning are
defined to specify whether the password will expire, when the password
expires and when a warning message will be sent to the client respec-
tively. The actual expiration time for a password will be stored in a
new attribute, passwordExpirationTime attribute in the user entry.
After bind operation succeed with authentication, the server should
check for password expiration. If the password expiration policy is on
and the account's password is expired, the server should send bin-
dResponse with the resultCode: LDAP_INVALID_CREDENTIALS along with an
error message to inform the client that the password has expired. If
the password is going to expire sooner than the password warning dura-
tion, the server should send bindResponse with the resultCode:
LDAP_SUCCESS, and should include the password expiring control in the
controls field of the bindResponse message:
controlType: 2.16.840.1.113730.3.4.5,
controlValue: an octet string to indicate the time in seconds until
the password expires.
criticality: false
The server should send at least one warning message to the client before
expiring the client's password.
6. Password Minimum Age
This policy defines the number of seconds that must pass before a user
can change the password again. This policy can be used in conjunction
with the password history policy to prevent users from quickly cycling
through passwords in history so that they can reuse the old password. A
value of zero indicates that the user can change the password immedi-
ately.
During the modify password operation, the server should check if the
user is allowed to change password at this time. If not, the server
Chu [Page 8]
Expires June 1999 INTERNET DRAFT
should send the LDAP_CONSTRAINT_VIOLATION result code back to the client
and an error message to indicate that the password cannot be changed
within password minimum age.
7. Password History
passwordHistory and passwordInHistory attributes control whether the
user can reuse passwords and how many passwords the directory server
stores in history.
During the modify password operation, the server should check for pass-
word history. If password history is on and the new password matches
one of the old passwords in history, the server should send
modifyResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new
password is in history, choose another password.
8. Password Syntax and Minimum length
The passwordCheckSyntax attribute indicates whether the password syntax
will be checked before a new password is saved. If this policy is on,
the directory server should check that the new password meets the pass-
word minimum length requirement and that the string does not contain any
trivial words such as the user's name, user id and so on.
The passwordMinLength attribute defines the minimum number of characters
that must be used in a password.
During the modify or add password operation, the server should check for
password syntax. If password check syntax is on and the new password
fail the syntax checking, the server should send modifyResponse or
addResponse back to the client with resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error message to indicate the new
password failed the syntax checking, the user should choose another
password.
9. User Defined Passwords
This policy defines whether the users can change their own passwords.
During the modify password operation, the server should check if the
user is allowed to change password. If not, the server should send to
the client the LDAP_UNWILLING_TO_PERFORM result code and an error mes-
sage to indicate that the user is not allowed to change password.
10. Password Change After Reset
This policy forces the user to select a new password on first bind or
after password reset. After bind operation succeed with authentication,
Chu [Page 9]
Expires June 1999 INTERNET DRAFT
the server should check if the password change after reset policy is on
and this is the first time logon. If so, the server should send bin-
dResponse with the resultCode: LDAP_SUCCESS, and should include the
password expired control in the controls field of the bindResponse mes-
sage:
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
After that, for any operation issued by the user other than modify pass-
word, bind, unbind, abandon, or search, the server should send the
response message with the resultCode: LDAP_UNWILLING_TO_PERFORM, and
should include the password expired control in the controls field of the
response message:
controlType: 2.16.840.1.113730.3.4.4,
controlValue: an octet string: "0",
criticality: false
11. Password Guessing limit
This policy enforces the limit of number of tries the client has to get
the password right. The user will be locked out of the directory after
a given number of consecutive failed attempts to bind to the directory.
This policy protects the directory from automated guessing attacks.
The server should keep a failure counter in the passwordRetryCount
attribute for each entry. The server should increment the failure
counter when a bind operation fails with the LDAP_INVALID_CREDENTIALS
error code. The server should clear the failure counter when a bind
operation succeeds with authentication, the account password is reset by
administrator, or when the failure counter reset time is reached.
During the bind operation, the server should check for password guessing
limit. If password guessing limit policy is on and the password guess-
ing limit is reached, the server should send bindResponse back to the
client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error message
to indicate the password failure limit is reached.
12. Server Implementation
Chu [Page 10]
Expires June 1999 INTERNET DRAFT
12.1. Password policy initialization
The passwordPolicy object class holds the password policy settings for a
set of user accounts. During the server initial startup, password pol-
icy should be assigned a set of initial values. The settings should be
modified only by the directory administrators and should be readable by
anyone. The server should preserve the settings over server restart.
Currently in the Netscape Directory implementation, the password policy
settings are stored in "cn=config" entry and an identical copy is kept
in a configuration file which is used as bootstrap. The Netscape Direc-
tory password default settings are listed below as an example.
- User may change password
- Do not need to change password first time logon
- Use SHA as the password hash algorithm
- No password syntax check
- Password minimum length: 6
- No password expiration
- Expires in 100 days
- No password minimum age
- Send warning one day before password expires
- Do not keep password history