directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r1467709 - /directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
Date Sat, 13 Apr 2013 21:54:49 GMT
Author: elecharny
Date: Sat Apr 13 21:54:49 2013
New Revision: 1467709

Added the pwdQualityCheck doco


Modified: directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
--- directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext Sat Apr 13
21:54:49 2013
@@ -26,7 +26,7 @@ Notice: Licensed to the Apache Software 
 The **Password Policy** is a **[RFC](**
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing **LDAP** servers.
-**ApacheDS** implements the draft.
+**ApacheDS** implements most the draft.
 <DIV class="warning" markdown="1">
 Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a postit, an workaround that will defeat
any password policy...
@@ -47,6 +47,15 @@ As explained on [wikipedia](http://en.wi
 Basically, the system, once activated, will enforce some rules and check the password strength.
We will list the various options in this chapter.
+There are different aspects to consider :
+	* The password check when it's added or modified
+	* The password management when the user bind, in other words, it's life cycle
+	* The password protection against attacks
+Those aspects are exposed in the following paragraphs.
 ## How do we configure it ?
 The _PasswordPolicy_ can be configured in two ways. First of all, it's important to know
that it's activated by default. let's see the default configuration first.
@@ -119,9 +128,9 @@ Here is the entry :
 The _PasswordPolicy_ is enabled by default. It's possible to disable it by setting the _ads-enabled_
value to FALSE, with a server restart.
-## Usage
+## Password protection
-We will explain in the following paragraphs how to configure the _PasswordPolicy_ and the
impact each configuration has on the authentication.
+This part is exposing the various technics the system uses to protect your password from
an attack.
 ### Password guessing limit
@@ -177,17 +186,30 @@ Impacted Attributes : ads-pwdFailureCoun
 As we store all the failures withing the entry, at some point we may want to purge those
failures. This is done either because we have successfully loged, or because the _ads-pwdFailureCountInterval_
value has expired. In this last case, all the failure older than the current time minus the
set interval will be removed.
-### Password checks
+### Password checks and strength enforcement
 Those rules are used to enforce some constraints on the password, so that weak passwords
can't be used.
+#### Quality Check policy
+<DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdQualityCheck
+Default value : 1
+The system can be enabled or disabled, and when enabled, two different level of checks con
be done : relaxed or strict. We use a parameter to specify the kind of check we do on the
password : _ads-pwdCheckQuality_, which can take three values :
+	* 0 : The password is not checked
+	* 1 : We check the password when we can, ie when it's not hashed. When the password is hashed,
or in a form that does not allow us to apply the checks, then we ignore the errors
+	* 2 : The password is checked, and if it's hashed or in a form that does not allow the checks
to be done, then the changes are rejected.
 #### Password History
 <DIV class="info" markdown="1">
 Impacted Attributes : ads-pwdInHistory
-The server can keep a backlog of passwords, so that a user can't keep a assword for ever.
When requested to do so the user will have to change his/her password, and the old password
will be stored in the user's entry password history.
+The server can keep a backlog of passwords, so that a user can't keep a password for ever.
When requested to do so the user will have to change his/her password, and the old password
will be stored in the user's entry password history.
 We can specify the number of passwords we keep in the password history by configuring the
_ads-pwdInHistory_ attribute.
@@ -211,4 +233,9 @@ You can control the minimum and maximum 
 <DIV class="warning" markdown="1">
 Setting a password max length is most certainly a waste of time. It's very likely that this
parameter has been added to the specification for the sake of symetry...
\ No newline at end of file
+### Password lifecycle management
+We now have to expose the rules that apply to the password during it's life.
\ No newline at end of file

View raw message