Sun Directory Server Enterprise Edition 7.0 Upgrade and Migration Guide

Password Policy

Directory Server7.0 implements a password policy that uses the standard object class and attributes described in the “Password Policy for LDAP Directories” Internet-Draft.

The password policy provides the following new features:

A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.
Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password must be sent when changing a password. If the attribute is not present, the existing password does not need to be sent.

In addition, the password policy provides the following controls:

LDAP_CONTROL_PWP_[REQUEST|RESPONSE]
LDAP_CONTROL_ACCOUNT_USABLE_[REQUEST|RESPONSE]

These controls enable LDAP clients to obtain account status information.

The LDAP_CONTROL_PWP control provides account status information on LDAP bind, search, modify, add, delete, modDN, and compare operations.

The following information is available, using the OID 1.3.6.1.4.1.42.2.27.8.5.1 in the search:

Period of time before the password expires
Number of grace login attempts remaining
The password has expired
The account is locked
The password must be changed after being reset
Password modifications are allowed
The user must supply his/her old password
The password quality (syntax) is insufficient
The password is too short
The password is too young
The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:

t is a tag defining which warning is set, if any. The value of t can be one of the following:

LDAP_PWP_WARNING_RESP_NONE (0x00L)
LDAP_PWP_WARNING_RESP_EXP (0x01L)
LDAP_PWP_WARNING_RESP_GRACE (0x02L)

The first i indicates warning information.

The warning depends on the value set for t as follows:
- If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.
- If t is set to LDAP_PWP_WARNING_RESP_EX, the warning is the number of seconds before expiration.
- If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.
The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:

pwp_resp_no_error (-1)
pwp_resp_expired_error (0)
pwp_resp_locked_error (1)
pwp_resp_need_change_error (2)
pwp_resp_mod_not_allowed_error (3)
pwp_resp_give_old_error (4)
pwp_resp_bad_qa_error (5)
pwp_resp_too_short_error (6)
pwp_resp_too_young_error (7)
pwp_resp_in_hist_error (8)

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.

To know about password policy compatibility issues, refer to Password Policy Compatibility in Sun Directory Server Enterprise Edition 7.0 Administration Guide