New Password Policy

Directory Server6.0 implements a new password policy that uses the standard object class and attributes described in the “Password Policy for LDAP Directories” Internet-Draft.

The new password policy provides the following new features:

• A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.

• Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.

In addition, the new password policy provides the following new controls:

• LDAP_CONTROL_PWP_[REQUEST|RESPONSE]

• LDAP_CONTROL_ACCOUNT_USABLE_[REQUEST|RESPONSE]

These controls enable LDAP clients to obtain account status information.

The LDAP_CONTROL_PWP control provides account status information on LDAP bind, search, modify, add, delete, modDN, and compare operations.

The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:

• Period of time before the password expires

• Number of grace login attempts remaining

• The password has expired

• The account is locked

• The password must be changed after being reset

• Password modifications are allowed

• The user must supply his/her old password

• The password quality (syntax) is insufficient

• The password is too short

• The password is too young

• The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:

• t is a tag defining which warning is set, if any. The value of t can be one of the following:

  LDAP_PWP_WARNING_RESP_NONE (0x00L)
  LDAP_PWP_WARNING_RESP_EXP (0x01L)
  LDAP_PWP_WARNING_RESP_GRACE (0x02L)

• The first i indicates warning information.

  The warning depends on the value set for t as follows:

  • If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.

  • If t is set to LDAP_PWP_WARNING_RESP_EX, the warning is the number of seconds before expiration.

  • If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.

• The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:

pwp_resp_no_error (-1)
pwp_resp_expired_error (0)
pwp_resp_locked_error (1)
pwp_resp_need_change_error (2)
pwp_resp_mod_not_allowed_error (3)
pwp_resp_give_old_error (4)
pwp_resp_bad_qa_error (5)
pwp_resp_too_short_error (6)
pwp_resp_too_young_error (7)
pwp_resp_in_hist_error (8)

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.

Password Policy Compatibility

For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to Directory Server 5 password policy attributes.

The compatibility mode can be read using dsconf command as follows:

$ dsconf get-server-prop pwd-compat-mode

The pwd-compat-mode property can have one of the following values:

DS5-compatible-mode

If you install a Directory Server instance as part of a replicated topology that includes a version 5 server, the compatibility state should be set to DS5-compatible-mode. In this state both old and new password policy attributes are recognized. Only version 5 password policy attributes are replicated, but both sets of attributes are stored in the database.

If you upgrade an existing standalone server to Directory Server 6.0, the compatibility state is set to DS5-compatible-mode. The server generates the new equivalent password policy attributes.

If you upgrade an existing server as part of a replicated topology that includes Directory Server 5 servers, the compatibility state should also set to DS5-compatible-mode. The server accepts both old and new password policy attributes. Both sets of attributes are stored in the database. Only version 5 attributes can be replicated (using fractional replication).

DS6-migration-mode

As part of your migration, you can set the compatibility state to DS6-migration-mode. In this mode, all servers in the topology are version 6 servers, but there may be some existing Directory Server 5 password policy attributes in the database.

DS6-mode

If you install a standalone Directory Server instance, set compatibility mode to DS6-mode. In this case, only new password policy attributes are recognized.

A server in DS6-mode can never be a supplier to or consumer of a Directory Server 5 server. When all servers have been migrated to version 6.0, DS6-mode should be the only compatibility mode.

The compatibility mode is set using the dsconf command as follows:

$ dsconf pwd-compat new-mode

The new-mode action takes one of the following values:

to-DS6-migration-mode

Change to DS6-migration-mode from DS5-compatible-mode.

Once the change is made, only DS6-migration-mode and DS6-mode are available.

to-DS6-mode

Change to DS6-mode from DS6-migration-mode.

Once the change is made, only DS6-mode is available.

The server state can move only towards stricter compliance with the new password policy specifications. Compatibility with the old password policy will not be supported indefinitely. You should therefore migrate to the new password policy as soon as is feasible for your deployment.

When you consider migrating to the new password policy, note that the pwdChangedTime attribute did not exist in Directory Server 5.2. This attribute is required by the new password policy. When the attribute is not present in the user entry, its value is calculated from the entry's passwordExpirationTime attribute. However, writing the calculated pwdChangedTime attribute to the user entry would have a large performance impact directly after migration, because the first bind for every entry would require a write to the directory.

The calculated pwdChangedTime is therefore not written to the user entry during the DS5-compatible mode. You should leave your topology in DS5-compatible-mode until you have been through an entire password expiration cycle (90 days, for example, depending on the value of passwordMaxAge). In this way, the pwdChangedTime is added gradually across the directory (at the password change of each user entry).