directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r858368 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.3-password-policy.html
Date Sat, 13 Apr 2013 21:54:54 GMT
Author: buildbot
Date: Sat Apr 13 21:54:54 2013
New Revision: 858368

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Apr 13 21:54:54 2013
@@ -1 +1 @@
-1467568
+1467709

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
Sat Apr 13 21:54:54 2013
@@ -139,7 +139,7 @@
 
 <h1 id="43-password-policy">4.3. Password Policy</h1>
 <p>The <strong>Password Policy</strong> is a <strong><a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">RFC</a></strong>
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing <strong>LDAP</strong> servers.</p>
-<p><strong>ApacheDS</strong> implements the draft.</p>
+<p><strong>ApacheDS</strong> implements most the draft.</p>
 <p><DIV class="warning" markdown="1">
 Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a postit, an workaround that will defeat
any password policy...</p>
 <p>Always try to think about better alternatives than force users to always define
password with 10 or more characters, including numbers, upper and lower case, special chars,
and to change it every month...</p>
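Review bot: the replacement line drops a word: `<p><strong>ApacheDS</strong> implements most the draft.</p>` should read `implements most of the draft`. Since the sentence now tells readers the implementation is partial, it should also say (or link to) which parts of draft-behera-ldap-password-policy-10 are not implemented, otherwise the qualifier raises a question the page never answers. The unchanged warning block in the same hunk still carries `passowrd`, `It may leads users` and `an workaround`; fixing them to `password`, `It may lead users` and `a workaround` while this paragraph is being touched would be cheap.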
@@ -153,6 +153,14 @@ and use them properly.
 
 
 <p>Basically, the system, once activated, will enforce some rules and check the password
strength. We will list the various options in this chapter.</p>
+<p>There are different aspects to consider :</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">password</span> <span class="n">check</span> <span
class="n">when</span> <span class="n">it</span><span class="s">&#39;s
added or modified</span>
+<span class="s">* The password management when the user bind, in other words, it&#39;</span><span
class="n">s</span> <span class="n">life</span> <span class="n">cycle</span>
+<span class="o">*</span> <span class="n">The</span> <span class="n">password</span>
<span class="n">protection</span> <span class="n">against</span> <span
class="n">attacks</span>
+</pre></div>
+
+
+<p>Those aspects are exposed in the following paragraphs.</p>
 <h2 id="how-do-we-configure-it">How do we configure it ?</h2>
 <p>The <em>PasswordPolicy</em> can be configured in two ways. First of
all, it's important to know that it's activated by default. let's see the default configuration
first.</p>
 <p>There is an entry contianing all the default values for the <em>PasswordPolicy</em>,
under :</p>
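Review bot: the three added bullets come through as a Pygments `codehilite` `<pre>` block with every word wrapped in `<span class="n">` tokens instead of a `<ul>`, which means the Markdown source has the `*` items indented far enough to be parsed as a code block; un-indent them so the list renders as a list and the `&#39;s` quoting artefacts disappear. The item text also needs `when the user bind` changed to `when the user binds` and `it's life cycle` changed to `its life cycle`, and `consider :` has a stray space before the colon. The unchanged line just below (`There is an entry contianing`) is another typo worth catching in the same pass.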
@@ -304,8 +312,8 @@ ads-pwdSafeModify: FALSE
 
 <h4 id="enablingdisabling-the-passwordpolicy">Enabling/Disabling the PasswordPolicy</h4>
 <p>The <em>PasswordPolicy</em> is enabled by default. It's possible to
disable it by setting the <em>ads-enabled</em> value to FALSE, with a server restart.</p>
-<h2 id="usage">Usage</h2>
-<p>We will explain in the following paragraphs how to configure the <em>PasswordPolicy</em>
and the impact each configuration has on the authentication.</p>
+<h2 id="password-protection">Password protection</h2>
+<p>This part is exposing the various technics the system uses to protect your password
from an attack.</p>
 <h3 id="password-guessing-limit">Password guessing limit</h3>
 <p>The idea is to protect the password against multiple guess attempts. The following
rules are applied :</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">a</span>
<span class="n">counter</span> <span class="n">track</span> <span
class="n">the</span> <span class="n">failed</span> <span class="n">attemps</span><span
class="p">,</span> <span class="ow">and</span> <span class="n">block</span>
<span class="n">when</span> <span class="n">it</span><span class="err">&#39;</span><span
class="n">s</span> <span class="n">reached</span>
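Review bot: renaming the heading from `<h2 id="usage">` to `<h2 id="password-protection">` changes the fragment identifier, so any existing link to `4.3-password-policy.html#usage` elsewhere in the guide will silently break; grep the rest of the site for `#usage` before publishing, or keep the old id on an anchor. In the new paragraph `technics` should be `techniques`, and `This part is exposing the various technics the system uses` reads better as `This section describes the techniques the server uses`. The unchanged bullet below still says `a counter track the failed attemps, and block when it's reached` (`tracks`, `attempts`, `blocks`).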
@@ -398,13 +406,25 @@ Impacted Attributes : ads-pwdLockout, ad
 Impacted Attributes : ads-pwdFailureCountInterval
 </DIV></p>
 <p>As we store all the failures withing the entry, at some point we may want to purge
those failures. This is done either because we have successfully loged, or because the <em>ads-pwdFailureCountInterval</em>
value has expired. In this last case, all the failure older than the current time minus the
set interval will be removed.</p>
-<h3 id="password-checks">Password checks</h3>
+<h3 id="password-checks-and-strength-enforcement">Password checks and strength enforcement</h3>
 <p>Those rules are used to enforce some constraints on the password, so that weak passwords
can't be used.</p>
+<h4 id="quality-check-policy">Quality Check policy</h4>
+<p><DIV class="info" markdown="1">
+Impacted Attributes : ads-pwdQualityCheck
+Default value : 1
+</DIV></p>
+<p>The system can be enabled or disabled, and when enabled, two different level of
checks con be done : relaxed or strict. We use a parameter to specify the kind of check we
do on the password : <em>ads-pwdCheckQuality</em>, which can take three values
:</p>
+<div class="codehilite"><pre><span class="o">*</span> <span class="mi">0</span>
<span class="p">:</span> <span class="n">The</span> <span class="n">password</span>
<span class="n">is</span> <span class="ow">not</span> <span class="n">checked</span>
+<span class="o">*</span> <span class="mi">1</span> <span class="p">:</span>
<span class="n">We</span> <span class="n">check</span> <span class="n">the</span>
<span class="n">password</span> <span class="n">when</span> <span
class="n">we</span> <span class="n">can</span><span class="p">,</span>
<span class="n">ie</span> <span class="n">when</span> <span class="n">it</span><span
class="s">&#39;s not hashed. When the password is hashed, or in a form that does not
allow us to apply the checks, then we ignore the errors</span>
+<span class="s">* 2 : The password is checked, and if it&#39;</span><span
class="n">s</span> <span class="n">hashed</span> <span class="ow">or</span>
<span class="n">in</span> <span class="n">a</span> <span class="n">form</span>
<span class="n">that</span> <span class="n">does</span> <span class="ow">not</span>
<span class="n">allow</span> <span class="n">the</span> <span class="n">checks</span>
<span class="n">to</span> <span class="n">be</span> <span class="n">done</span><span
class="p">,</span> <span class="k">then</span> <span class="n">the</span>
<span class="n">changes</span> <span class="n">are</span> <span
class="n">rejected</span><span class="o">.</span>
+</pre></div>
+
+
 <h4 id="password-history">Password History</h4>
 <p><DIV class="info" markdown="1">
 Impacted Attributes : ads-pwdInHistory
 </DIV></p>
-<p>The server can keep a backlog of passwords, so that a user can't keep a assword
for ever. When requested to do so the user will have to change his/her password, and the old
password will be stored in the user's entry password history.</p>
+<p>The server can keep a backlog of passwords, so that a user can't keep a password
for ever. When requested to do so the user will have to change his/her password, and the old
password will be stored in the user's entry password history.</p>
 <p>We can specify the number of passwords we keep in the password history by configuring
the <em>ads-pwdInHistory</em> attribute.</p>
 <h4 id="minimum-delay-between-modifications">Minimum delay between modifications</h4>
 <p><DIV class="info" markdown="1">
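Review bot: the attribute name disagrees between the info box and the body text: the box says `Impacted Attributes : ads-pwdQualityCheck` while the paragraph says `ads-pwdCheckQuality`; the draft's attribute is `pwdCheckQuality`, so the info box is the one to correct. The paragraph also needs `two different level of checks con be done` changed to `two different levels of check can be done`, and it says the check can be `enabled or disabled` while the list shows three values, 0, 1 and 2; saying that 0 disables the check and 1 and 2 are the relaxed and strict levels would tie the sentence to the list. As in the earlier hunk, the list is emitted as a `codehilite` `<pre>` block because of indentation in the source rather than as a `<ul>`. One point the text should make explicit for readers: under the description of value 1, a password that arrives already hashed is accepted without any quality check, so a client that hashes client-side bypasses the policy; value 2 is the setting to document as the one to use when the policy must actually be enforced.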
@@ -420,6 +440,8 @@ Impacted Attributes : ads-pwdMinLength a
 <p><DIV class="warning" markdown="1">
 Setting a password max length is most certainly a waste of time. It's very likely that this
parameter has been added to the specification for the sake of symetry...
 </DIV></p>
+<h3 id="password-lifecycle-management">Password lifecycle management</h3>
+<p>We now have to expose the rules that apply to the password during it's life.</p>
 
 
     <div class="nav">
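Review bot: the new `<h3 id="password-lifecycle-management">` heading and its one-sentence paragraph are followed directly by the `<div class="nav">` footer in this hunk, so as staged the section is an empty stub; either the lifecycle rules should land in the same commit or the heading should wait until they do, otherwise readers get a title with no content. The sentence itself needs `during it's life` changed to `during its life`, and `We now have to expose the rules that apply` reads better as `The following paragraphs describe the rules that apply`.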


