[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

LDAP-EXT Working Group                                     Valerie Chu
INTERNET-DRAFT                           Netscape Communications Corp.
Expires in six months
Intended Category: Informational
                                                         December 1998


                  Password Policy for LDAP Directories
                  <draft-vchu-ldap-pwd-policy-00.txt>



1.  Status of this Memo

This document is an Internet-Draft. Internet-Drafts  are  working  docu-
ments  of the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working docu-
ments as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum  of  six  months
and  may  be  updated,  replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference  material
or to cite them other than as ``work in progress.''

To view the entire list of current  Internet-Drafts,  please  check  the
"1id-abstracts.txt"  listing  contained  in  the  Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net  (Northern  Europe),
ftp.nic.it  (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org
(US East Coast), or ftp.isi.edu (US West Coast).

The key words "MUST", "MUST  NOT",  "REQUIRED",  "SHALL",  "SHALL  NOT",
"SHOULD",  "SHOULD  NOT",  "RECOMMENDED",  "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.

2.  Abstract

This  document  describes  the  implementation  of  password  policy  in
Netscape  LDAP  directories,  and  introduces  two  new  object classes,
twenty-three new attribute types, and two new  controls  in  support  of
password policy.

Password policy is a set of rules that control how passwords are used in
LDAP  directories.  In order to improve the security of LDAP directories
and make it difficult for  password  cracking  programs  to  break  into
directories,  it  is  desirable  to  enforce  a set of rules on password
usage. These rules are made to ensure that the users change their  pass-
words  periodically,  the  new password meets construction requirements,
the re-use of the old password is restricted, and  lock  out  the  users



Chu                                                             [Page 1]

Expires June 1999                                         INTERNET DRAFT


after a certain number of bad password attempts.

3.  Overview

LDAP-based directory services currently are accepted by  many  organiza-
tions as the access protocol for directories.  The ability to ensure the
secure read, update access to directory information throughout the  net-
work is essential to the successful deployment.  There are several secu-
rity mechanisms which are used in Netscape LDAP implementation  to  pro-
tect  the  directory  data.   For example, the access control is used to
prevent unauthorized access to information stored in  directories;  SASL
is  used to negotiate for integrity and privacy services.[RFC-2251]  The
most fundamental security mechanism in Netscape Directory is the  simple
authentication using password.  In many systems, in order to improve the
security of the system, the simple password-based  authentication  often
is  used  in  conjunction with a set of password restrictions to control
how passwords are used in the system.  For example, the  passwd  program
in  UNIX  systems, or the user account policy in WindowsNT, has a set of
rules that users need to follow to use password authentication.  At  the
moment,  LDAP  does not define a password policy model, but it is needed
to achieve greater security protection and it is critical  to  the  suc-
cessful deployment of LDAP directories.

Specifically, the password policy defines:


  -    The maximum length of time that a given password is valid.

  -    The minimum length of time required between password changes.

  -    The maximum length of time before a user's  password  is  due  to
       expire that the user will be sent a warning message.

  -    Whether users can reuse passwords.

  -    The minimum number of characters a password must contain.

  -    Whether the password syntax is checked before a new  password  is
       saved.

  -    Whether users are allowed to change their own passwords.

  -    Whether passwords must be changed after they  are  reset  by  the
       administrator.

  -    Whether users will be locked out of the directory after  a  given
       number of failed bind attempts.




Chu                                                             [Page 2]

Expires June 1999                                         INTERNET DRAFT


  -    How long users will be locked out of the directory after a  given
       number of failed bind attempts.

  -    The length of time before  the  password  failure  counter  which
       keeps track of the number of failed password attempts is reset.

The password policy defined in this document is applied to the LDAP sim-
ple  authentication  method [RFC-2251] and userPassword attribute values
only.

In this document, the term "user" represents any application which is an
LDAP client using the directory to retrieve or store information.

Directory administrators are not forced to comply with any  of  password
policies.

4.  New Attribute Types and Object Classes

4.1.  The passwordPolicy Object Class

The passwordPolicy object class holds the password policy settings for a
set  of  user  accounts.  In the Netscape Directory implementation, they
are located in the "cn=config" entry.

The description of passwordPolicy object class:

   ( 2.16.840.1.113730.3.2.13
     NAME 'passwordPolicy'
     AUXILIARY
     SUP top
     DESC 'Password Policy object class to hold password policy information'
     MAY (
           passwordMaxAge $ passwordExp $ passwordMinLength $
           passwordKeepHistory $ passwordInHistory $ passwordChange $
           passwordCheckSyntax $ passwordWarning $ passwordLockout $
           passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $
           passwordMustChange $ passwordStorageScheme $ passwordMinAge $
           passwordResetFailureCount
         )
   )

4.2.  The new attribute types used in the passwordPolicy Object Class:

   ( 2.16.840.1.113730.3.1.97
     NAME 'passwordMaxAge'
     DESC 'the number of seconds after which user passwords will expire'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'



Chu                                                             [Page 3]

Expires June 1999                                         INTERNET DRAFT


   )
   ( 2.16.840.1.113730.3.1.98
     NAME 'passwordExp'
     DESC 'a flag which indicates whether passwords will expire after a
           given number of seconds'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.99
     NAME 'passwordMinLength'
     DESC 'the minimum number of characters that must be used in a password'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.100
     NAME 'passwordKeepHistory'
     DESC 'a flag which indicates whether passwords can be reused"
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.101
     NAME 'passwordInHistory'
     DESC 'the number of passwords the directory server stores in history'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.102
     NAME 'passwordChange'
     DESC 'a flag which indicates whether users can change their passwords'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.103
     NAME 'passwordCheckSyntax'
     DESC 'a flag which indicates whether the password syntax will be checked
           before the password is saved'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.104
     NAME 'passwordWarning'
     DESC 'the number of seconds before a user's password is due to expire that
           the user will be sent a warning message'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.105
     NAME 'passwordLockout'



Chu                                                             [Page 4]

Expires June 1999                                         INTERNET DRAFT


     DESC 'a flag which indicates whether users will be locked out of the
           directory after a given number of consecutive failed bind attempts'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.106
     NAME 'passwordMaxFailure'
     DESC 'the number of consecutive failed bind attempts after which a user
           will be locked out of the directory'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.108
     NAME 'passwordUnlock'
     DESC 'a flag which indicates whether a user will be locked out of the
           directory for a given number of seconds or until the administrator
           resets the password after an account lockout'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.109
     NAME 'passwordLockoutDuration'
     DESC 'the number of seconds that users will be locked out of the directory
           after an account lockout
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.220
     NAME 'passwordMustChange'
     DESC 'a flag which indicates whether users must change their passwords when
           they first bind to the directory server'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   ( 2.16.840.1.113730.3.1.221
     NAME 'passwordStorageScheme'
     DESC 'the type of hash algorithm used to store directory server passwords'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )
   The description of password storage scheme can be found in [RFC-2307].
   ( 2.16.840.1.113730.3.1.222
     NAME 'passwordMinAge'
     DESC 'the number of seconds that must elapse before a user can change their
           password again'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )



Chu                                                             [Page 5]

Expires June 1999                                         INTERNET DRAFT


   ( 2.16.840.1.113730.3.1.223
     NAME 'passwordResetFailureCount'
     DESC 'the number of seconds after which the password failure counter will
           be reset'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
   )

   Currently  in  Netscape  Directory  password  policy  implementation,
   passwordMaxAge,  passwordMinLength,  passwordInHistory, passwordWarn-
   ing, passwordMaxFailure, passwordLockoutDuration, passwordMinAge, and
   passwordResetFailureCount      attributes      are     defined     as
   1.3.6.1.4.1.1466.115.121.1.15 ('Directory  String').   It  is  recom-
   mented to change them to 1.3.6.1.4.1.1466.115.121.1.27 ('Integer') in
   the future implementation.

   The  attributes  which  are  used  as  a   flag   have   the   syntax
   '1.3.6.1.4.1.1466.115.121.1.15' ('Directory String').  A value of '1'
   represents 'true', while '0' represents 'false'.  It  is  recommented
   to  change  them  to  1.3.6.1.4.1.1466.115.121.1.7 ('Boolean') in the
   future implementation.

4.3.  The passwordObject Object Class

The passwordObject object class holds the password policy state informa-
tion  for  each  user.  For  example,  how many consecutive bad password
attempts an user made.  The information is located in each user entries.
The description of passwordObject object class:

   ( 2.16.840.1.113730.3.2.12
     NAME 'passwordObject'
     AUXILIARY
     SUP top
     DESC 'Password object class to hold password policy information for each
           entry'
     MAY (
           passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $
           retryCountResetTime $ accountUnlockTime $ passwordHistory $
           passwordAllowChangeTime
         )
   )

4.4.  The new attribute types used in the passwordObject Object Class:
   ( 2.16.840.1.113730.3.1.91
     NAME 'passwordExpirationTime'
     DESC 'the time the entry's password expires'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch



Chu                                                             [Page 6]

Expires June 1999                                         INTERNET DRAFT


     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.92
     NAME 'passwordExpWarned'
     DESC 'a flag which indicates whether a password expiration warning is sent
           to the client'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.93
     NAME 'passwordRetryCount'
     DESC 'the count of consecutive failed password attempts'
     EQUALITY 'caseIgnoreMatch'
     SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.94
     NAME 'retryCountResetTime'
     DESC 'the time to reset the passwordRetryCount'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.95
     NAME 'accountUnlockTime'
     DESC 'the time that the user can bind again after an account lockout'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.96
     NAME 'passwordHistory'
     DESC 'the history of user's passwords'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
     EQUALITY bitStringMatch
     USAGE directoryOperation
   )
   ( 2.16.840.1.113730.3.1.214
     NAME 'passwordAllowChangeTime'



Chu                                                             [Page 7]

Expires June 1999                                         INTERNET DRAFT


     DESC 'the time that the user is allowed change the password'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
     EQUALITY generalizedTimeMatch
     ORDERING generalizedTimeOrderingMatch
     SINGLE-VALUE
     USAGE directoryOperation
   )

5.  Password Expiration and Expiration Warning

New attributes, passwordExp,  passwordMaxAge,  and  passwordWarning  are
defined  to  specify whether the password will expire, when the password
expires and when a warning message will be sent to  the  client  respec-
tively.  The  actual  expiration time for a password will be stored in a
new attribute, passwordExpirationTime attribute in the user entry.

After bind operation succeed  with  authentication,  the  server  should
check  for password expiration.  If the password expiration policy is on
and the account's password is  expired,  the  server  should  send  bin-
dResponse  with  the  resultCode: LDAP_INVALID_CREDENTIALS along with an
error message to inform the client that the password  has  expired.   If
the  password  is going to expire sooner than the password warning dura-
tion,  the  server  should  send  bindResponse  with   the   resultCode:
LDAP_SUCCESS,  and  should  include the password expiring control in the
controls field of the bindResponse message:

    controlType:  2.16.840.1.113730.3.4.5,

    controlValue: an octet string to indicate the time in seconds until
                  the password expires.

    criticality:  false


The server should send at least one warning message to the client before
expiring the client's password.

6.  Password Minimum Age

This policy defines the number of seconds that must pass before  a  user
can  change  the password again.  This policy can be used in conjunction
with the password history policy to prevent users from  quickly  cycling
through passwords in history so that they can reuse the old password.  A
value of zero indicates that the user can change  the  password  immedi-
ately.

During the modify password operation, the server  should  check  if  the
user  is  allowed  to  change password at this time.  If not, the server



Chu                                                             [Page 8]

Expires June 1999                                         INTERNET DRAFT


should send the LDAP_CONSTRAINT_VIOLATION result code back to the client
and  an  error  message  to indicate that the password cannot be changed
within password minimum age.

7.  Password History

passwordHistory and passwordInHistory  attributes  control  whether  the
user  can  reuse  passwords  and how many passwords the directory server
stores in history.

During the modify password operation, the server should check for  pass-
word  history.   If  password history is on and the new password matches
one  of  the  old  passwords  in  history,  the   server   should   send
modifyResponse     back     to     the     client    with    resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error  message  to  indicate  the  new
password is in history, choose another password.

8.  Password Syntax and Minimum length

The passwordCheckSyntax attribute indicates whether the password  syntax
will  be  checked before a new password is saved.  If this policy is on,
the directory server should check that the new password meets the  pass-
word minimum length requirement and that the string does not contain any
trivial words such as the user's name, user id and so on.

The passwordMinLength attribute defines the minimum number of characters
that must be used in a password.

During the modify or add password operation, the server should check for
password  syntax.   If  password check syntax is on and the new password
fail the syntax checking,  the  server  should  send  modifyResponse  or
addResponse      back     to     the     client     with     resultCode:
LDAP_CONSTRAINT_VIOLATION, and an error  message  to  indicate  the  new
password  failed  the  syntax  checking,  the user should choose another
password.

9.  User Defined Passwords

This policy defines whether the users can change  their  own  passwords.
During  the  modify  password  operation, the server should check if the
user is allowed to change password. If not, the server  should  send  to
the  client  the LDAP_UNWILLING_TO_PERFORM result code and an error mes-
sage to indicate that the user is not allowed to change password.

10.  Password Change After Reset

This policy forces the user to select a new password on  first  bind  or
after  password reset. After bind operation succeed with authentication,



Chu                                                             [Page 9]

Expires June 1999                                         INTERNET DRAFT


the server should check if the password change after reset policy is  on
and  this  is  the  first time logon. If so, the server should send bin-
dResponse with the resultCode:  LDAP_SUCCESS,  and  should  include  the
password  expired control in the controls field of the bindResponse mes-
sage:

    controlType:  2.16.840.1.113730.3.4.4,

    controlValue: an octet string: "0",

    criticality: false

After that, for any operation issued by the user other than modify pass-
word,  bind,  unbind,  abandon,  or  search,  the server should send the
response message with  the  resultCode:  LDAP_UNWILLING_TO_PERFORM,  and
should include the password expired control in the controls field of the
response message:

    controlType:  2.16.840.1.113730.3.4.4,

    controlValue: an octet string: "0",

    criticality: false

11.  Password Guessing limit

This policy enforces the limit of number of tries the client has to  get
the  password right.  The user will be locked out of the directory after
a given number of consecutive failed attempts to bind to the  directory.
This policy protects the directory from automated guessing attacks.

The server should keep  a  failure  counter  in  the  passwordRetryCount
attribute  for  each  entry.   The  server  should increment the failure
counter when a bind operation fails  with  the  LDAP_INVALID_CREDENTIALS
error  code.   The  server  should clear the failure counter when a bind
operation succeeds with authentication, the account password is reset by
administrator, or when the failure counter reset time is reached.

During the bind operation, the server should check for password guessing
limit.   If password guessing limit policy is on and the password guess-
ing limit is reached, the server should send bindResponse  back  to  the
client  with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error message
to indicate the password failure limit is reached.

12.  Server Implementation






Chu                                                            [Page 10]

Expires June 1999                                         INTERNET DRAFT


12.1.  Password policy initialization

The passwordPolicy object class holds the password policy settings for a
set  of user accounts.  During the server initial startup, password pol-
icy should be assigned a set of initial values.  The settings should  be
modified  only by the directory administrators and should be readable by
anyone.  The server should preserve the settings  over  server  restart.
Currently  in the Netscape Directory implementation, the password policy
settings are stored in "cn=config" entry and an identical copy  is  kept
in a configuration file which is used as bootstrap.  The Netscape Direc-
tory password default settings are listed below as an example.

  -    User may change password

  -    Do not need to change password first time logon

  -    Use SHA as the password hash algorithm

  -    No password syntax check

  -    Password minimum length: 6

  -    No password expiration

  -    Expires in 100 days

  -    No password minimum age

  -    Send warning one day before password expires

  -    Do not keep password history

  -    Six passwords in history

  -    No account lockout

  -    Lockout after 3 bind failures

  -    Do not lockout forever

  -    Lock account for 60 minutes

  -    Reset retry count after 10 minutes

  In ldif format:

  passwordchange: on




Chu                                                            [Page 11]

Expires June 1999                                         INTERNET DRAFT


  passwordmustchange: off

  passwordstoragescheme: SHA

  passwordchecksyntax: off

  passwordminlength: 6

  passwordexp: off

  passwordmaxage: 8640000

  passwordminage: 0

  passwordwarning: 86400

  passwordkeephistory: off

  passwordinhistory: 6

  passwordlockout: off

  passwordmaxfailure: 3

  passwordunlock: on

  passwordlockoutduration: 3600

  passwordresetfailurecount: 600

12.2.  Bind Operations

12.2.1.  During bind operations, the server should  check  for  password
guessing  limit.   If password guessing limit policy is on and the pass-
word guessing limit is reached, the server should send bindResponse back
to  the  client with resultCode: LDAP_CONSTRAINT_VIOLATION, and an error
message to indicate the password failure limit  is  reached.   Otherwise
the server should continue the bind operation.

12.2.2.  After Bind Operations succeed with authentication,  the  server
should

  1.   Clear the password failure counter.

  2.   Check if the password change after reset policy is on and this is
       the  first  time  logon.  If  so,  the server should disallow all
       operations issued by this user except  modify  password,  bind  ,
       unbind,  abandon, or search.  The server should send bindResponse



Chu                                                            [Page 12]

Expires June 1999                                         INTERNET DRAFT


       with the resultCode: LDAP_SUCCESS, and should include  the  pass-
       word  expired  control  in the controls field of the bindResponse
       message.

       controlType:  2.16.840.1.113730.3.4.4,

       controlValue: an octet string: "0",

       criticality: false

  3.   Check for password expiration.  If the password expiration policy
       is  on  and  the account's password is expired, the server should
       send bindResponse with the  resultCode:  LDAP_INVALID_CREDENTIALS
       along  with  an error message to inform the client that the pass-
       word has expired.

  4.   Check if the password is going to expire sooner than the password
       warning  duration,  the  server should send bindResponse with the
       resultCode: LDAP_SUCCESS, and should include the password  expir-
       ing control in the controls field of the bindResponse message:

       controlType:  2.16.840.1.113730.3.4.5,

       controlValue: an octet string to indicate the time in seconds
                     until the password expires.

       criticality:  false


12.2.3.  After Bind Operations fail with  LDAP_INVALID_CREDENTIALS,  the
server should

  1.   Check if it is time to reset the password  failure  counter.   If
       so,  set  the  failure  counter  to  1  and re-calculate the next
       failure counter reset  time.  Otherwise,  increment  the  failure
       counter.

  2.   Check if failure counter exceeds the allowed maximum  value.   If
       so, the server should lock the user account.

12.3.  Add Password Operations

12.3.1.  During the add password operation, the server should

  1.   Check for password syntax.  If password check syntax  is  on  and
       the new password fail the syntax checking, the server should send
       addResponse    back    to    the    client    with    resultCode:
       LDAP_CONSTRAINT_VIOLATION,  and  an error message to indicate the



Chu                                                            [Page 13]

Expires June 1999                                         INTERNET DRAFT


       new password failed the syntax checking, the user  should  choose
       another password.

  2.   Calculate and add passwordexpirationtime and passwordallowchange-
       time  attributes  to  the entry if password expiration policy and
       password minimum age policy are on respectively.

12.4.  Modify Password Operations

12.4.1.  During the modify password operation, the server should

  1.   Check if the user is allowed to change  password.   If  not,  the
       server  should  send  to the client the LDAP_UNWILLING_TO_PERFORM
       result code and an error message to indicate that the user is not
       allowed to change password.

  2.   Check for password minimum age, password minimum length, password
       history,  and password syntax.  If the checking fails, the server
       should send modifyResponse back to the  client  with  resultCode:
       LDAP_CONSTRAINT_VIOLATION, and an appropriate error message.

  3.   If it is the first time logon and the user needs to change  pass-
       word  the  first time logon, the server should check if the user-
       password attribute is in this modify request.  If so, the  server
       should  continue  the  modify  operation.   Otherwise, the server
       should  send  the   response   message   with   the   resultCode:
       LDAP_UNWILLING_TO_PERFORM,   and   should  include  the  password
       expired control in the controls field of the response message:

       controlType:  2.16.840.1.113730.3.4.4,

       controlValue: an octet string: "0",

       criticality: false

12.4.2.  After modify password operations succeed, the server should

  1.   Update password history in the user's entry, if the password his-
       tory policy is on.

  2.   Update passwordExpirationTime in the user's entry, if  the  pass-
       word expiration policy is on.

  3.   Update passwordAllowChangeTime in the user's entry, if the  pass-
       word minimum age policy is on.

  4.   Clear the password failure counter, if the password is reset by a
       directory administrator.



Chu                                                            [Page 14]

Expires June 1999                                         INTERNET DRAFT


  5.   Set a flag to indicate the user is the first time logon,  if  the
       password  change  after  reset  policy  is on and the password is
       reset by a directory administrator.

13.  Client Implementation

13.1.  Bind Response

For every bind response received, the client needs  to  parse  the  bind
result code, error message, and controls to determine if any of the fol-
lowing conditions is true and prompt the user accordingly.

1.   The user needs to change  password  first  time  logon.   The  user
     should be prompted to change the password immediately.

     resultCode: LDAP_SUCCESS, with the control
         controlType: 2.16.840.1.113730.3.4.4,
         controlValue: "0",
         criticality: false


2.   This is a warning message that the server sends to a user to  indi-
     cate the time in seconds until the user's password expires.

     resultCode: LDAP_SUCCESS, with the control
         controlType:  2.16.840.1.113730.3.4.5,
         controlValue: an octet string to indicate the time in seconds until
                       the password expires.
         criticality:  false


3.   The password failure limit is reached.  The  user  needs  to  retry
     later or contact the directory administrator to reset the password.

     resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
                For example:
                errorMessage: "exceed password retry limit"


4.   The password is expired.  The user needs to contact  the  directory
     administrator to reset the password.

     resultCode: LDAP_INVALID_CREDENTIALS, with an appropriate error message.
                For example:
                errorMessage: "password expired"






Chu                                                            [Page 15]

Expires June 1999                                         INTERNET DRAFT


13.2.  Modify Responses

For the modify response received for the change  password  request,  the
client  needs to check the result code and error message to determine if
it failed the password checking, and either let the user retry or quit.

1.   The user defined password policy is  disabled.   The  user  is  not
     allowed to change password.

     resultCode: LDAP_UNWILLING_TO_PERFORM, with an appropriate error message.
                For example:
                errorMessage: "user is not allowed to change password"


2.   The new password  failed  the  password  syntax  checking,  or  the
     current  password  has not reached the minimum password age, or the
     new password is in history.

     resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
                For example:
                errorMessage: "invalid password syntax"
                errorMessage: "password in history"
                errorMessage: "trivial password"
                errorMessage: "within minimum password age"

13.3.  Add Responses

For the add response received for the  add  entry  request,  the  client
needs  to  check  the  result  code and error message to determine if it
failed the password checking, and either let the user retry or quit.

1.   The new password failed the password syntax checking.

     resultCode: LDAP_CONSTRAINT_VIOLATION, with an appropriate error message.
                For example:
                errorMessage: "invalid password syntax"
                errorMessage: "trivial password"

13.4.  Other Responses

For operations other than bind, unbind, abandon, or search,  the  client
needs to check the following result code and control to determine if the
user needs to change the password immediately.

1.   The user needs to change  password  first  time  logon.   The  user
     should be prompted to change the password immediately.

     resultCode: LDAP_UNWILLING_TO_PERFORM, with the control



Chu                                                            [Page 16]

Expires June 1999                                         INTERNET DRAFT


         controlType: 2.16.840.1.113730.3.4.4,
         controlValue: "0",
         criticality: false

14.  Security Considerations

The password policy defined in this document is applied to the LDAP sim-
ple  authentication  method [RFC-2251] and userPassword attribute values
only.  The simple authentication method provides minimal  authentication
facilities,  with  the  contents  of the authentication field consisting
only of a cleartext  password.   Note  that  the  simple  authentication
method  and  password  policy  are designed for authentication where the
underlying transport service cannot guarantee confidentiality.   Use  of
simple  authentication  method and password policy may result in disclo-
sure of the password to unauthorized parties.  SASL and  TLS  mechanisms
may be used with LDAP to provide integrity or confidentiality services.


15.  Bibliography


[RFC-2251]Wahl, M., Howes, T., Kille, S., "Lightweight Directory  Access
          Protocol (v3)", RFC 2251, August 1997.

[RFC-2307]L. Howard, "An Approach for Using LDAP as a  Network  Informa-
          tion Service", RFC 2307, March 1998.

[RFC-2119]S. Bradner, "Key Words for use in RFCs to Indicate Requirement
          Levels", RFC 2119, March 1997.

16.  Author's Addresses

   Valerie Chu
   Netscape Communications Corp.
   501 E. Middlefield Rd.
   Mountain View, CA 94043
   USA
   +1 650 937-3443
   vchu@netscape.com












Chu                                                            [Page 17]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/