directory-commits mailing list archives

From pamarce...@apache.org
Subject svn commit: r1467945 - /directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
Date Mon, 15 Apr 2013 11:50:01 GMT
Author: pamarcelot
Date: Mon Apr 15 11:50:01 2013
New Revision: 1467945

URL: http://svn.apache.org/r1467945
Log:
Fixed various typos.

Modified:
    directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext

Modified: directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext?rev=1467945&r1=1467944&r2=1467945&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.3-password-policy.mdtext Mon Apr 15
11:50:01 2013
@@ -24,14 +24,14 @@ Notice: Licensed to the Apache Software 
 
 # 4.3. Password Policy
 
-The **Password Policy** is a **[RFC](http://tools.ietf.org/html/draft-behera-ldap-password-policy-10)**
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing **LDAP** servers.
+The **Password Policy for LDAP Directories** is a **[RFC](http://tools.ietf.org/html/draft-behera-ldap-password-policy-10)**
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing **LDAP** servers.
 
-**ApacheDS** implements most the draft.
+**ApacheDS** implements most of the draft.
 
 <DIV class="warning" markdown="1">
-Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a postit, an workaround that will defeat
any password policy...
+Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a post-it, a workaround that will defeat
any password policy...
 
-Always try to think about better alternatives than force users to always define password
with 10 or more characters, including numbers, upper and lower case, special chars, and to
change it every month...
+Always try to think about better alternatives than force users to always define a password
with 10 or more characters, including numbers, upper and lower case, special chars, and to
change it every month...
 
 A long sentence (4 or 5 words), like "The horse has won the race three time" is most certainly
a better passowrd than any other combinaison, and is easy to remember...
 </DIV>
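Review bot: the rewritten warning paragraph still carries "passowrd" and "It may leads users to" in its `+` lines; since the commit message says it fixes typos, change these to "password" and "It may lead users to". The unchanged sentence just below ("a better passowrd than any other combinaison", "three time") has the same kind of errors ("password", "combination", "three times") and could be fixed in the same pass.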
@@ -39,7 +39,7 @@ A long sentence (4 or 5 words), like "Th
 
 ## What is a password policy ?
 
-As explained on [wikipedia](http://en.wikipedia.org/wiki/Password_policy) :
+As explained on [wikipedia](http://en.wikipedia.org/wiki/Password_policy):
 
 	:::Text
 	A password policy is a set of rules designed to enhance computer security by encouraging
users to employ strong passwords 
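Review bot: the heading context line "## What is a password policy ?" keeps the space before the question mark that this commit removes before colons elsewhere; drop it for consistency ("## What is a password policy?").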
@@ -47,20 +47,21 @@ As explained on [wikipedia](http://en.wi
 
 Basically, the system, once activated, will enforce some rules and check the password strength.
We will list the various options in this chapter.
 
-There are different aspects to consider :
+There are different aspects to consider:
 
-	* The password check when it's added or modified
-	* The password management when the user bind, in other words, it's life cycle
-	* The password protection against attacks
+* The password check when it's added or modified
+* The password management when the user bind, in other words, it's life cycle
+* The password protection against attacks
 
 Those aspects are exposed in the following paragraphs.
 
 
 ## How do we configure it ?
 
-The _PasswordPolicy_ can be configured in two ways. First of all, it's important to know
that it's activated by default. let's see the default configuration first.
+The _Password Policy_ can be configured in two ways.
+First of all, it's important to know that it's activated by default. Let's see the default
configuration first.
 
-There is an entry contianing all the default values for the _PasswordPolicy_, under :
+There is an entry containing all the default configuration values for the _Password Policy_,
under the DN **"ou=passwordPolicies, ads-interceptorId=authenticationInterceptor, ou=interceptors,
ads-directoryServiceId=&lt;default&gt;, ou=config"**, which corresponds to the following
hierarchy:
 
 	* ou=config
 		* ads-directoryServiceId=<default>
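Review bot: the second new bullet, "The password management when the user bind, in other words, it's life cycle", reads wrong: "binds", and "its life cycle" (possessive, not the contraction). The DN in the `+` lines writes the service id as `&lt;default&gt;` while the hierarchy list below uses a raw `<default>`; inside Markdown the raw form can be swallowed as an HTML tag, so use the entity form in the list as well. The heading "## How do we configure it ?" has the same stray space before the question mark that the commit removes before colons.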
@@ -68,11 +69,11 @@ There is an entry contianing all the def
 				* ads-interceptorId=authenticationInterceptor
 					* ou=passwordPolicies
 
-This entry contains the following values :
+This entry contains the following values:
 
 | Attrinbte | Default value | Comment |
 |---|---|---|
-| ads-pwdAllowUserChange | TRUE | tells if the user can change its password |
+| ads-pwdAllowUserChange | TRUE | Tells if the user can change its password |
 | ads-pwdCheckQuality | 1 | The kind of quality we wnt for the password (0, 1, or 2) |
 | ads-pwdExpireWarning | 600 |  |
 | ads-pwdFailureCountInterval | 30 | The duration of failure logs we keep in the entry |
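Review bot: the table header context line says "Attrinbte" and the ads-pwdCheckQuality row says "The kind of quality we wnt"; both are typos this commit could take ("Attribute", "want"). The ads-pwdExpireWarning row has an empty Comment cell; a short description of what that value means would help readers who are tuning the policy from this table.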
@@ -92,7 +93,7 @@ This entry contains the following values
 | ads-pwdMustChange | FALSE |  |
 | ads-pwdSafeModify | FALSE |  |
 
-Here is the entry :
+Here is the entry in LDIF format:
 
 	:::Text
 	dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
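Review bot: the ads-pwdMustChange and ads-pwdSafeModify rows in the table above this hunk have empty Comment cells; since the `+` line now announces the entry "in LDIF format", it would be worth documenting those two attributes in the table as well so the LDIF and the table describe the same set of settings.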
@@ -137,33 +138,33 @@ This part is exposing the various techni
 
 ### Password guessing limit
 
-The idea is to protect the password against multiple guess attempts. The following rules
are applied :
+The idea is to protect the password against multiple guess attempts. The following rules
are applied:
 
-	* a counter track the failed attemps, and block when it's reached
-	* an incremental delay is added after a failure before a new attempt can be done
-	* a global delay for all the failed attempt is used, when reached, the account is blocked
+* a counter tracks the failed attemps, and blocks when it's reached
+* an incremental delay is added after a failure before a new attempt can be done
+* a global delay for all the failed attempt is used, when reached, the account is locked
 	
 When the account is locked, it can remain locked, or be unlocked after a grace period.
 
 #### Attempts counter
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
+Impacted Attributes: ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
 </DIV>
 
-Each failed attempt will be logged in the entry, in the _ads-pwdFailureTime_ Attribute (it
will contain the date of the attempt). When the Attribute contains more values than the maximum
number of failed attempts, the entry will be locked (the _ads-pwdAccountLockedTime_ Attribute
will contain the date the entry has been locked).
+Each failed attempt will be logged in the entry, in the _ads-pwdFailureTime_ Attribute (it
will contain the date and time of the attempt). When the attribute contains more values than
the maximum number of failed attempts, the entry will be locked (the _ads-pwdAccountLockedTime_
Attribute will contain the date and time the entry has been locked).
 
 <DIV class="warning" markdown="1">
 In order to activate this control the ads-pwdLockout parameter must be set to TRUE.
 </DIV>
 
-The following table expose the various possible cases, with three failed attempts : 
+The following table expose the various possible cases, with three failed attempts: 
 
 | _ads-pwdmaxfailure_ | _ads-pwdLockout_ | _ads-pwdFailureTime_ | _ads-pwdAccountLockedTime_
| Locked | Comment |
 |---|---|---|---|---|---|
 | 3 | true | date1 | - | No | Failure 1 |
 |  |  | date1, date2 | - | No | Failure 2 |
-|  |  | date1, date2, date3 | date3 | Yes | Failure 3 : account locked |
+|  |  | date1, date2, date3 | date3 | Yes | Failure 3: account locked |
 | 3 | false | date1 | - | No | Failure 1 |
 |  |  | date1, date2 | - | No | Failure 2 |
 |  |  | date1, date2, date3 | - | No | Failure 3 |
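Review bot: the first new bullet keeps "attemps" ("a counter tracks the failed attempts") and the third says "all the failed attempt" ("attempts"); "The following table expose" should be "exposes". Also, the Attempts counter info box lists ads-pwdLockoutDuration as an impacted attribute, but this section only describes ads-pwdLockout, ads-pwdMaxFailure, ads-pwdFailureTime and ads-pwdAccountLockedTime; ads-pwdLockoutDuration is explained under Delayed login below, so it belongs in that box rather than this one.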
@@ -173,20 +174,20 @@ As we can see, the account is locked onl
 #### Delayed login
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
+Impacted Attributes: ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
 </DIV>
 
-When we have reached a number of failed attempt, the account will be locked. We can set another
attribute to tell the server that the locked out account can be unlocked afer a delay : the
_ads-pwdLockoutDuration_ Attribute stores this delay.
+When we have reached a number of failed attempt, the account will be locked. We can set another
attribute to tell the server that the locked out account can be unlocked afer a delay: the
_ads-pwdLockoutDuration_ Attribute stores this delay.
 
-When the account is locked, no further attempt will succed, even if the correct password
is sent. After the delay, the user will be unlocked.
+When the account is locked, no further attempt will succeed, even if the correct password
is sent. After the delay, the user will be unlocked.
 
 #### Purging failures
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdFailureCountInterval
+Impacted Attributes: ads-pwdFailureCountInterval
 </DIV>
 
-As we store all the failures withing the entry, at some point we may want to purge those
failures. This is done either because we have successfully loged, or because the _ads-pwdFailureCountInterval_
value has expired. In this last case, all the failure older than the current time minus the
set interval will be removed.
+As we store all the failures within the entry, at some point we may want to purge those failures.
This is done either because we have successfully logged, or because the _ads-pwdFailureCountInterval_
value has expired. In this last case, all the failures older than the current time minus the
set interval will be removed.
 
 
 ### Password checks and strength enforcement
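Review bot: the `+` line in Delayed login still reads "unlocked afer a delay" ("after") and "a number of failed attempt" ("attempts"); in Purging failures, "because we have successfully logged" should be "logged in". The Delayed login info box repeats the full Attempts counter list (ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration) although the paragraph only introduces ads-pwdLockoutDuration; consider trimming it to the attribute this section actually covers.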
@@ -196,22 +197,21 @@ Those rules are used to enforce some con
 #### Quality Check policy
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdQualityCheck
-Default value : 1
+Impacted Attributes: ads-pwdQualityCheck<br>
+Default value: 1
 </DIV>
 
-The system can be enabled or disabled, and when enabled, two different level of checks con
be done : relaxed or strict. We use a parameter to specify the kind of check we do on the
password : _ads-pwdCheckQuality_, which can take three values :
+The system can be enabled or disabled, and when enabled, two different level of checks con
be done: relaxed or strict.
+We use a parameter to specify the kind of check we do on the password: _ads-pwdCheckQuality_,
which can take three values:
 
-	* 0 : The password is not checked
-	* 1 : We check the password when we can, ie when it's not hashed. When the password is hashed,
or in a form 
-	that does not allow us to apply the checks, then we ignore the errors
-	* 2 : The password is checked, and if it's hashed or in a form that does not allow the checks
to be done, 
-	then the changes are rejected.
+* 0: The password is not checked
+* 1: We check the password when we can, i.e. when it's not hashed. When the password is hashed,
or in a form that does not allow us to apply the checks, then we ignore the errors
+* 2: The password is checked, and if it's hashed or in a form that does not allow the checks
to be done, then the changes are rejected.
 
 #### Password History
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdInHistory
+Impacted Attributes: ads-pwdInHistory
 </DIV>
 
 The server can keep a backlog of passwords, so that a user can't keep a password for ever.
When requested to do so the user will have to change his/her password, and the old password
will be stored in the user's entry password history.
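Review bot: the info box names the attribute "ads-pwdQualityCheck", but the paragraph right below it, and the default-values table earlier in the page, call it "ads-pwdCheckQuality"; an administrator copying the name from the box would set an attribute the server does not know, so align the box with the table. The `+` line "two different level of checks con be done" should read "two different levels of checks can be done".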
@@ -221,7 +221,7 @@ We can specify the number of passwords w
 #### Minimum delay between modifications
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdMinAge
+Impacted Attributes: ads-pwdMinAge
 </DIV>
 
 When the password history is activated, some users may change their passwords many times
to get their old password out of the history, and add it as their password again.  Setting
a delay between two password changes may protect the password against such action.
@@ -231,7 +231,7 @@ The _ads-pwdMinAge_ attribute is used fo
 #### Password length constraint
 
 <DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdMinLength and ads-pwdMaxLength
+Impacted Attributes: ads-pwdMinLength and ads-pwdMaxLength
 </DIV>
 
 You can control the minimum and maximum length for a password by setting the _ads-pwdMinLength_
and _ads-pwdMaxLength_ attributes.
@@ -249,17 +249,17 @@ We now have to expose the rules that app
 #### Password max age
 
 <DIV class="info" markdown="1">
-Impacted Attribute : ads-pwdMaxAge
+Impacted Attribute: ads-pwdMaxAge
 </DIV>
 
 A password may have a limited life expectation, and when this age is reached, the password
will be invalidated. This is configured through the _ads-pwdMaxAge_ parameter, which contains
the number of second a password will last.
 
-This password invalidation can be overruled by the two next parameters
+This password invalidation can be overruled by the two next parameters.
 
 #### Password grace auth N limit
 
 <DIV class="info" markdown="1">
-Impacted Attribute : ads-pwdGraceAuthNLimit
+Impacted Attribute: ads-pwdGraceAuthNLimit
 </DIV>
 
 When the password has expired, this parameter (_ads-pwdGraceAuthNLimit_) tells how many times
a user will still be allowed to bind before the password is definitively locked. Each attempt
will decrement the associated counter.
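Review bot: in the unchanged context, "the number of second a password will last" should be "seconds", and "a limited life expectation" reads better as "a limited lifetime". The heading "#### Password grace auth N limit" splits the attribute name oddly; "Password grace authN limit", matching ads-pwdGraceAuthNLimit, would be clearer.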
@@ -267,9 +267,9 @@ When the password has expired, this para
 #### Paswword grace Expire
 
 <DIV class="info" markdown="1">
-Impacted Attribute : ads-pwdGraceExpire
+Impacted Attribute: ads-pwdGraceExpire
 </DIV>
 
-Another option when the password has expired is to give the user the possibility to log in
during a certain period of time. This is mainly useful when the _ads-pwdGraceAuthNLimit_ is
set : not only there is a limited number of attempts, but those attempts must be done in a
limited period of time, ortherwise the password will be locked.
+Another option when the password has expired is to give the user the possibility to log in
during a certain period of time. This is mainly useful when the _ads-pwdGraceAuthNLimit_ is
set: not only there is a limited number of attempts, but those attempts must be done in a
limited period of time, ortherwise the password will be locked.
 
 If the configuration of the _ads-pwdGraceAuthNLimit_ is 0, the _ads-pwdGraceExpire_ value
is simply added to the _ads-pwdMaxAge_ value.
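Review bot: the `+` lines keep "ortherwise" ("otherwise") and "not only there is a limited number of attempts" ("not only is there"); the heading context line "#### Paswword grace Expire" also has a typo ("Password grace expire", matching the case of the other headings).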


