directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r858305 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.3-password-policy.html
Date Sat, 13 Apr 2013 06:54:27 GMT
Author: buildbot
Date: Sat Apr 13 06:54:27 2013
New Revision: 858305

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Apr 13 06:54:27 2013
@@ -1 +1 @@
-1467116
+1467563

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
Sat Apr 13 06:54:27 2013
@@ -138,8 +138,13 @@
 
 
 <h1 id="43-password-policy">4.3. Password Policy</h1>
-<p>The <strong>Password Policy</strong> is a <strong>RFC</strong>
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing <strong>LDAP</strong> servers.</p>
-<p><strong>ApacheDS</strong> implements the draft fully.</p>
+<p>The <strong>Password Policy</strong> is a <strong><a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">RFC</a></strong>
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing <strong>LDAP</strong> servers.</p>
+<p><strong>ApacheDS</strong> implements the draft.</p>
+<p><DIV class="warn" markdown="1">
+Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a postit, an workaround that will defeat
any password policy...</p>
+<p>Always try to think about better alternatives than force users to always define
password with 10 or more characters, including numbers, upper and lower case, special chars,
and to change it every month...</p>
+<p>A long sentence (4 or 5 words), like "The horse has won the race three time" is
most certainly a better passowrd than any other combinaison, and is easy to remember...
+</DIV></p>
 <h2 id="what-is-a-password-policy">What is a password policy ?</h2>
 <p>As explained on <a href="http://en.wikipedia.org/wiki/Password_policy">wikipedia</a>
:</p>
 <div class="codehilite"><pre>A password policy is a set of rules designed to
enhance computer security by encouraging users to employ strong passwords 
@@ -160,38 +165,147 @@ and use them properly.
 
 
 <p>This entry contains the following values :</p>
+<table>
+<thead>
+<tr>
+<th>Attrinbte</th>
+<th>Default value</th>
+<th>Comment</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>ads-pwdAllowUserChange</td>
+<td>TRUE</td>
+<td>tells if the user can change its password</td>
+</tr>
+<tr>
+<td>ads-pwdCheckQuality</td>
+<td>1</td>
+<td>The kind of quality we wnt for the password (0, 1, or 2)</td>
+</tr>
+<tr>
+<td>ads-pwdExpireWarning</td>
+<td>600</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdFailureCountInterval</td>
+<td>30</td>
+<td>The duration of failure logs we keep in the entry</td>
+</tr>
+<tr>
+<td>ads-pwdGraceAuthnLimit</td>
+<td>5</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdGraceExpire</td>
+<td>0</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdInHistory</td>
+<td>5</td>
+<td>The number of passwords we keep in the password history</td>
+</tr>
+<tr>
+<td>ads-pwdLockout</td>
+<td>TRUE</td>
+<td>Tells if the password should be locked or not on failures</td>
+</tr>
+<tr>
+<td>ads-pwdLockoutDuration</td>
+<td>0</td>
+<td>The delay we wait before allowing a new attept when the password hs been locked</td>
+</tr>
+<tr>
+<td>ads-pwdMaxAge</td>
+<td>0</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdMaxDelay</td>
+<td>0</td>
+<td>The maximum we wait before sending the BindResponse</td>
+</tr>
+<tr>
+<td>ads-pwdMaxFailure</td>
+<td>5</td>
+<td>The maximum number of failure we accept before locking the password</td>
+</tr>
+<tr>
+<td>ads-pwdMaxIdle</td>
+<td>0</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdMaxLength</td>
+<td>0</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdMinAge</td>
+<td>0</td>
+<td>The delay between two password changes</td>
+</tr>
+<tr>
+<td>ads-pwdMinDelay</td>
+<td>0</td>
+<td>The minimum we wait before sending the BindResponse</td>
+</tr>
+<tr>
+<td>ads-pwdMinLength</td>
+<td>5</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdMustChange</td>
+<td>FALSE</td>
+<td></td>
+</tr>
+<tr>
+<td>ads-pwdSafeModify</td>
+<td>FALSE</td>
+<td></td>
+</tr>
+</tbody>
+</table>
+<p>Here is the entry :</p>
 <div class="codehilite"><pre>dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
  terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
 objectclass: top
 objectclass: ads-base
 objectclass: ads-passwordPolicy
-ads-pwdattribute: userPassword
-ads-pwdid: default
+ads-pwdAttribute: userPassword
+ads-pwdId: default
 ads-enabled: TRUE
-ads-pwdallowuserchange: TRUE
-ads-pwdcheckquality: 1
-ads-pwdexpirewarning: 600
-ads-pwdfailurecountinterval: 30
-ads-pwdgraceauthnlimit: 5
-ads-pwdgraceexpire: 0
-ads-pwdinhistory: 5
-ads-pwdlockout: TRUE
-ads-pwdlockoutduration: 0
-ads-pwdmaxage: 0
-ads-pwdmaxdelay: 0
-ads-pwdmaxfailure: 5
-ads-pwdmaxidle: 0
-ads-pwdmaxlength: 0
-ads-pwdminage: 0
-ads-pwdmindelay: 0
-ads-pwdminlength: 5
-ads-pwdmustchange: FALSE
-ads-pwdsafemodify: FALSE
+ads-pwdAllowUserChange: TRUE
+ads-pwdCheckQuality: 1
+ads-pwdExpireWarning: 600
+ads-pwdFailureCountInterval: 30
+ads-pwdGraceAuthnLimit: 5
+ads-pwdGraceExpire: 0
+ads-pwdInHistory: 5
+ads-pwdLockout: TRUE
+ads-pwdLockoutDuration: 0
+ads-pwdMaxAge: 0
+ads-pwdMaxDelay: 0
+ads-pwdMaxFailure: 5
+ads-pwdMaxIdle: 0
+ads-pwdMaxLength: 0
+ads-pwdMinAge: 0
+ads-pwdMinDelay: 0
+ads-pwdMinLength: 5
+ads-pwdMustChange: FALSE
+ads-pwdSafeModify: FALSE
 </pre></div>
 
 
-<h4 id="disabling-the-passwordpolicy">Disabling the PasswordPolicy</h4>
+<h4 id="enablingdisabling-the-passwordpolicy">Enabling/Disabling the PasswordPolicy</h4>
 <p>The <em>PasswordPolicy</em> is enabled by default. It's possible to
disable it by setting the <em>ads-enabled</em> value to FALSE, with a server restart.</p>
+<h2 id="usage">Usage</h2>
+<p>We will explain in the following paragraphs how to configure the <em>PasswordPolicy</em>
and the impact each configuration has on the authentication.</p>
 <h3 id="password-guessing-limit">Password guessing limit</h3>
 <p>The idea is to protect the password against multiple guess attempts. The following
rules are applied :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">a</span>
<span class="n">counter</span> <span class="n">track</span> <span
class="n">the</span> <span class="n">failed</span> <span class="n">attemps</span><span
class="p">,</span> <span class="ow">and</span> <span class="n">block</span>
<span class="n">when</span> <span class="n">it</span><span class="err">&#39;</span><span
class="n">s</span> <span class="n">reached</span>
@@ -203,9 +317,9 @@ ads-pwdsafemodify: FALSE
 <p>When the account is locked, it can remain locked, or be unlocked after a grace period.</p>
 <h4 id="attempts-counter">Attempts counter</h4>
 <p><DIV class="info" markdown="1">
-Attributes : ads-pwdLockout, ads-pwdmaxfailure
+Impacted Attributes : ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
 </DIV></p>
-<p>Each failed attempt will be logged in the entry, in the <em>pwdFailureTime</em>
Attribute (it will contain the date of the attempt). When the Attribute contains more values
than the maximum number of failed attempts, the entry will be locked (the <em>pwdAccountLockedTime</em>
Attribute will contain the date the entry has been locked).</p>
+<p>Each failed attempt will be logged in the entry, in the <em>ads-pwdFailureTime</em>
Attribute (it will contain the date of the attempt). When the Attribute contains more values
than the maximum number of failed attempts, the entry will be locked (the <em>ads-pwdAccountLockedTime</em>
Attribute will contain the date the entry has been locked).</p>
 <p><DIV class="warn" markdown="1">
 In order to activate this control the ads-pwdLockout parameter must be set to TRUE.
 </DIV></p>
@@ -214,9 +328,9 @@ In order to activate this control the ad
 <thead>
 <tr>
 <th><em>ads-pwdmaxfailure</em></th>
-<th><em>pwdLockout</em></th>
-<th><em>pwdFailureTime</em></th>
-<th><em>pwdAccountLockedTime</em></th>
+<th><em>ads-pwdLockout</em></th>
+<th><em>ads-pwdFailureTime</em></th>
+<th><em>ads-pwdAccountLockedTime</em></th>
 <th>Locked</th>
 <th>Comment</th>
 </tr>
@@ -272,7 +386,40 @@ In order to activate this control the ad
 </tr>
 </tbody>
 </table>
-<p>As we can see, the account is locked only when we reach the number of failure, and
the <em>pwdLockout</em> flag is TRUE.</p>
+<p>As we can see, the account is locked only when we reach the number of failure, and
the <em>ads-pwdLockout</em> flag is TRUE. If the <em>ads-pwdLockoutDuration</em>
flag is set, then the password will remain locked for the delay stored in this attribute.</p>
+<h4 id="delayed-login">Delayed login</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
+</DIV></p>
+<p>When we have reached a number of failed attempt, the account will be locked. We
can set another attribute to tell the server that the locked out account can be unlocked afer
a delay : the <em>ads-pwdLockoutDuration</em> Attribute stores this delay.</p>
+<p>When the account is locked, no further attempt will succed, even if the correct
password is sent. After the delay, the user will be unlocked.</p>
+<h4 id="purging-failures">Purging failures</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdFailureCountInterval
+</DIV></p>
+<p>As we store all the failures withing the entry, at some point we may want to purge
those failures. This is done either because we have successfully loged, or because the <em>ads-pwdFailureCountInterval</em>
value has expired. In this last case, all the failure older than the current time minus the
set interval will be removed.</p>
+<h3 id="password-checks">Password checks</h3>
+<p>Those rules are used to enforce some constraints on the password, so that weak passwords
can't be used.</p>
+<h4 id="password-history">Password History</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdInHistory
+</DIV></p>
+<p>The server can keep a backlog of passwords, so that a user can't keep a assword
for ever. When requested to do so the user will have to change his/her password, and the old
password will be stored in the user's entry password history.</p>
+<p>We can specify the number of passwords we keep in the password history by configuring
the <em>ads-pwdInHistory</em> attribute.</p>
+<h4 id="minimum-delay-between-modifications">Minimum delay between modifications</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdMinAge
+</DIV></p>
+<p>When the password history is activated, some users may change their passwords many
times to get their old password out of the history, and add it as their password again.  Setting
a delay between two password changes may protect the password against such action.</p>
+<p>The <em>ads-pwdMinAge</em> attribute is used for this purpose, and it
keeps a value in seconds.</p>
+<h4 id="password-length-constraint">Password length constraint</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdMinLength and ads-pwdMaxLength
+</DIV></p>
+<p>You can control the minimum and maximum length for a password by setting the <em>ads-pwdMinLength</em>
and <em>ads-pwdMaxLength</em> attributes.</p>
+<p><DIV class="warning" markdown="1">
+Setting a password max length is most certainly a waste of time. It's very likely that this
parameter has been added to the specification for the sake of symetry...
+</DIV></p>
 
 
     <div class="nav">



Mime
View raw message