6. Draft history
Draft name: draft-behera-ldap-password-policy
Version 0: 20 October 1999
Version 10: August 9, 2009
Draft expired on February 10, 2010
7. Extended control
Password policy is a request and response control (OID 1.3.6.1.4.1.42.2.27.8.5.1)
The request control indicates that the client is ppolicy aware
The response control contains flags that advertise the ppolicy status to the client; the client should parse it
The control can be sent on BIND, MOD (if the modification contains the password) and PASSMOD operations
9. Modification
Size check (size does matter)
Presence in history (with check of minimal age)
Password quality (implementation specific)
Safe modification (require old password)
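The four checks on this slide, written out as an added example (not code from the slides or from OpenLDAP's ppolicy overlay). It assumes a policy dictionary keyed by the draft's pwdPolicy attribute names (pwdMinLength, pwdInHistory, pwdMinAge, pwdSafeModify), keeps history entries as salted SHA-1 pairs as a simplified stand-in for a real hashed pwdHistory, and uses a character-class check as a placeholder for the implementation-specific quality check; the error names it returns are those of the draft's response control.

```python
import hashlib
import os
import string
import time

# Policy attributes named as in the draft's pwdPolicy schema; the values are
# constructed for this example, not taken from the slides.
POLICY = {
    "pwdMinLength": 8,
    "pwdInHistory": 3,
    "pwdMinAge": 86400,       # seconds a password must be kept before it may change
    "pwdSafeModify": True,    # require the old password on change
}


def hash_password(password, salt=None):
    """Salted SHA-1 in the spirit of {SSHA}: returns (salt, digest)."""
    salt = os.urandom(4) if salt is None else salt
    return salt, hashlib.sha1(password.encode() + salt).digest()


def matches(password, stored):
    """True if password hashes to the stored (salt, digest) pair."""
    salt, digest = stored
    return hash_password(password, salt)[1] == digest


def basic_quality(password):
    """Stand-in for the implementation-specific quality check: require at
    least three of the four classes upper, lower, digit, punctuation."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes) >= 3


def build_entry(current_password, salt, changed_time, history=(), reset=False):
    """Constructed user entry: current hash, pwdHistory, pwdChangedTime, pwdReset."""
    return {
        "current": hash_password(current_password, salt),
        "pwdHistory": list(history),      # newest first
        "pwdChangedTime": changed_time,   # epoch seconds
        "pwdReset": reset,
    }


def check_modify(policy, entry, new_password, old_password=None,
                 now=None, quality_check=basic_quality):
    """Evaluate a password change. Returns None when it is allowed, otherwise
    the name of the ppolicy error a server would put in the response control."""
    now = time.time() if now is None else now
    if policy.get("pwdSafeModify") and old_password is None:
        return "mustSupplyOldPassword"
    # Verifying a supplied old password is a credential check outside this
    # function; here only its presence is enforced.
    min_age = policy.get("pwdMinAge", 0)
    if min_age and not entry["pwdReset"] and now - entry["pwdChangedTime"] < min_age:
        return "passwordTooYoung"        # a reset password may be changed at once
    if quality_check is not None and not quality_check(new_password):
        return "insufficientPasswordQuality"
    if len(new_password) < policy.get("pwdMinLength", 0):
        return "passwordTooShort"
    depth = policy.get("pwdInHistory", 0)
    if depth:
        # The current password counts as well as the stored history.
        recent = [entry["current"]] + entry["pwdHistory"][:depth]
        if any(matches(new_password, stored) for stored in recent):
            return "passwordInHistory"
    return None


def record_change(policy, entry, new_password, now):
    """Apply an accepted change: push the old hash into pwdHistory, trim it to
    pwdInHistory, store the new hash and clear pwdReset."""
    depth = policy.get("pwdInHistory", 0)
    entry["pwdHistory"] = ([entry["current"]] + entry["pwdHistory"])[:depth]
    entry["current"] = hash_password(new_password)
    entry["pwdChangedTime"] = now
    entry["pwdReset"] = False
    return entry
```

The checks run in the order the draft applies them on a modification: old-password presence first, then minimum age, quality, length and finally history, so a caller sees the first reason a change is refused, which is also the single error the response control can carry.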
10. Password change after reset
Someone changes the password of a user
An attribute should be added to the user entry (pwdReset)
At the next authentication, the response code is 0 (OK) but the ppolicy control carries the "password must change" flag
The client should force the user to change the password!
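Parsing the response control described on slides 7 and 10, as an added example that is not code from the slides or from OpenLDAP: a small BER decoder for the draft's PasswordPolicyResponseValue, plus the check that treats bind result 0 together with the changeAfterReset error as "force a password change". The control OID is the one given on slide 7; the sample byte strings are constructed for this example.

```python
# Password Policy response control from the Behera draft. The OID is the one
# on slide 7; the sample values below are constructed, not captured traffic.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) } OPTIONAL }
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}
ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# Constructed control values, hex-encoded:
SAMPLES = {
    "after_reset": bytes.fromhex("3003810102"),            # error changeAfterReset
    "expiring": bytes.fromhex("3006a0048002012c"),         # expires in 300 s
    "grace_and_expired": bytes.fromhex("3008a003810101810100"),  # 1 grace, expired
}


def read_tlv(buf, pos=0):
    """Read one BER TLV at pos: returns (tag, contents, position after it).
    Handles short- and long-form lengths and rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + length], pos + length


def decode_int(contents):
    """BER INTEGER / ENUMERATED contents to int (two's complement, big-endian)."""
    return int.from_bytes(contents, "big", signed=True)


def parse_ppolicy_response(value):
    """Decode a control value into {'warning': (name, n) or None, 'error': name or None}."""
    tag, body, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single PasswordPolicyResponseValue SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0], constructed: wraps the CHOICE
            wtag, wval, _ = read_tlv(inner)
            result["warning"] = (WARNINGS[wtag & 0x1F], decode_int(wval))
        elif tag == 0x81:                  # error [1], primitive ENUMERATED
            result["error"] = ERRORS[decode_int(inner)]
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def must_change_password(bind_result_code, control_value):
    """Slide 10: a successful bind (result 0) whose control says changeAfterReset
    means the client has to force a password change before going further."""
    if bind_result_code != 0 or control_value is None:
        return False
    return parse_ppolicy_response(control_value)["error"] == "changeAfterReset"
```

In a real client the bytes come from the control attached to the BindResponse whose OID matches PPOLICY_CONTROL_OID (python-ldap, for instance, surfaces it as ldap.controls.ppolicy.PasswordPolicyControl); the point of decoding it yourself is that the bind result alone says "OK" and the obligation to change the password is visible only in the control.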
12. Password policy in OpenLDAP
Implemented as an overlay
Catch BIND, MOD and PASSMOD operations
Uses version 9 of the Behera draft
Possibility to add a pwdChecker module
13. Overlay configuration
Load overlay if compiled as module:
olcModuleLoad: ppolicy.la
Configure overlay in a backend:
dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
14. Password policy configuration
Configuration in a dedicated LDAP entry:
dn: ou=default,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalUnit
objectClass: top
ou: default
16. More than one policy
Possibility to have several policies:
– Several pwdPolicy entries
– Use of pwdPolicySubentry in entries
dn: uid=bobama,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: bobama
cn: Barack OBAMA
sn: OBAMA
pwdPolicySubentry: ou=nsa,ou=ppolicy,dc=example,dc=com
17. Password checker
LDAP Tool Box provides a compatible password checker module:
– Check against upper case, lower case, digits and punctuation
– Cracklib support
ITS 7412 in OpenLDAP to add this module as a contribution
18. Last authentication time
The lastbind overlay is available as an OpenLDAP contribution
Provided in the LTB contrib-overlays package
Adds the authTimestamp operational attribute
Should be replaced by pwdLastSuccess from version 10 of the draft