directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r858529 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.3-password-policy.html
Date Mon, 15 Apr 2013 11:50:08 GMT
Author: buildbot
Date: Mon Apr 15 11:50:07 2013
New Revision: 858529

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Apr 15 11:50:07 2013
@@ -1 +1 @@
-1467836
+1467945

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.3-password-policy.html
Mon Apr 15 11:50:07 2013
@@ -138,32 +138,32 @@
 
 
 <h1 id="43-password-policy">4.3. Password Policy</h1>
-<p>The <strong>Password Policy</strong> is a <strong><a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">RFC</a></strong>
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing <strong>LDAP</strong> servers.</p>
-<p><strong>ApacheDS</strong> implements most the draft.</p>
+<p>The <strong>Password Policy for LDAP Directories</strong> is a <strong><a
href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">RFC</a></strong>
draft that has been designed for the very first version in 1999, and the latest version is
from 2009. Although it's still a draft, and it's currently noted as inactive, it has been
implemented by many existing <strong>LDAP</strong> servers.</p>
+<p><strong>ApacheDS</strong> implements most of the draft.</p>
 <p><DIV class="warning" markdown="1">
-Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a postit, an workaround that will defeat
any password policy...</p>
-<p>Always try to think about better alternatives than force users to always define
password with 10 or more characters, including numbers, upper and lower case, special chars,
and to change it every month...</p>
+Enforcing a strict passowrd policy is extremely punitive to users. It may leads users to
workaround the policy by storing their password in a post-it, a workaround that will defeat
any password policy...</p>
+<p>Always try to think about better alternatives than force users to always define
a password with 10 or more characters, including numbers, upper and lower case, special chars,
and to change it every month...</p>
 <p>A long sentence (4 or 5 words), like "The horse has won the race three time" is
most certainly a better passowrd than any other combinaison, and is easy to remember...
 </DIV></p>
 <h2 id="what-is-a-password-policy">What is a password policy ?</h2>
-<p>As explained on <a href="http://en.wikipedia.org/wiki/Password_policy">wikipedia</a>
:</p>
+<p>As explained on <a href="http://en.wikipedia.org/wiki/Password_policy">wikipedia</a>:</p>
 <div class="codehilite"><pre>A password policy is a set of rules designed to
enhance computer security by encouraging users to employ strong passwords 
 and use them properly.
 </pre></div>
 
 
 <p>Basically, the system, once activated, will enforce some rules and check the password
strength. We will list the various options in this chapter.</p>
-<p>There are different aspects to consider :</p>
-<div class="codehilite"><pre><span class="o">*</span> <span class="n">The</span>
<span class="n">password</span> <span class="n">check</span> <span
class="n">when</span> <span class="n">it</span><span class="s">&#39;s
added or modified</span>
-<span class="s">* The password management when the user bind, in other words, it&#39;</span><span
class="n">s</span> <span class="n">life</span> <span class="n">cycle</span>
-<span class="o">*</span> <span class="n">The</span> <span class="n">password</span>
<span class="n">protection</span> <span class="n">against</span> <span
class="n">attacks</span>
-</pre></div>
-
-
+<p>There are different aspects to consider:</p>
+<ul>
+<li>The password check when it's added or modified</li>
+<li>The password management when the user bind, in other words, it's life cycle</li>
+<li>The password protection against attacks</li>
+</ul>
 <p>Those aspects are exposed in the following paragraphs.</p>
 <h2 id="how-do-we-configure-it">How do we configure it ?</h2>
-<p>The <em>PasswordPolicy</em> can be configured in two ways. First of
all, it's important to know that it's activated by default. let's see the default configuration
first.</p>
-<p>There is an entry contianing all the default values for the <em>PasswordPolicy</em>,
under :</p>
+<p>The <em>Password Policy</em> can be configured in two ways.
+First of all, it's important to know that it's activated by default. Let's see the default
configuration first.</p>
+<p>There is an entry containing all the default configuration values for the <em>Password
Policy</em>, under the DN <strong>"ou=passwordPolicies, ads-interceptorId=authenticationInterceptor,
ou=interceptors, ads-directoryServiceId=&lt;default&gt;, ou=config"</strong>,
which corresponds to the following hierarchy:</p>
 <div class="codehilite"><pre><span class="o">*</span> <span class="n">ou</span><span
class="o">=</span><span class="n">config</span>
     <span class="o">*</span> <span class="n">ads</span><span class="o">-</span><span
class="n">directoryServiceId</span><span class="o">=</span><span class="sr">&lt;default&gt;</span>
         <span class="o">*</span> <span class="n">ou</span><span
class="o">=</span><span class="n">interceptors</span>
@@ -172,7 +172,7 @@ and use them properly.
 </pre></div>
 
 
-<p>This entry contains the following values :</p>
+<p>This entry contains the following values:</p>
 <table>
 <thead>
 <tr>
@@ -185,7 +185,7 @@ and use them properly.
 <tr>
 <td>ads-pwdAllowUserChange</td>
 <td>TRUE</td>
-<td>tells if the user can change its password</td>
+<td>Tells if the user can change its password</td>
 </tr>
 <tr>
 <td>ads-pwdCheckQuality</td>
@@ -279,7 +279,7 @@ and use them properly.
 </tr>
 </tbody>
 </table>
-<p>Here is the entry :</p>
+<p>Here is the entry in LDIF format:</p>
 <div class="codehilite"><pre>dn: ads-pwdId=default,ou=passwordPolicies,ads-interceptorId=authenticationIn
  terceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
 objectclass: top
@@ -318,23 +318,22 @@ All the configured delays are stored in 
 <h2 id="password-protection">Password protection</h2>
 <p>This part is exposing the various technics the system uses to protect your password
from an attack.</p>
 <h3 id="password-guessing-limit">Password guessing limit</h3>
-<p>The idea is to protect the password against multiple guess attempts. The following
rules are applied :</p>
-<div class="codehilite"><pre><span class="o">*</span> <span class="n">a</span>
<span class="n">counter</span> <span class="n">track</span> <span
class="n">the</span> <span class="n">failed</span> <span class="n">attemps</span><span
class="p">,</span> <span class="ow">and</span> <span class="n">block</span>
<span class="n">when</span> <span class="n">it</span><span class="err">&#39;</span><span
class="n">s</span> <span class="n">reached</span>
-<span class="o">*</span> <span class="n">an</span> <span class="n">incremental</span>
<span class="n">delay</span> <span class="n">is</span> <span class="n">added</span>
<span class="n">after</span> <span class="n">a</span> <span class="n">failure</span>
<span class="n">before</span> <span class="n">a</span> <span class="k">new</span>
<span class="n">attempt</span> <span class="n">can</span> <span
class="n">be</span> <span class="n">done</span>
-<span class="o">*</span> <span class="n">a</span> <span class="n">global</span>
<span class="n">delay</span> <span class="k">for</span> <span class="n">all</span>
<span class="n">the</span> <span class="n">failed</span> <span
class="n">attempt</span> <span class="n">is</span> <span class="n">used</span><span
class="p">,</span> <span class="n">when</span> <span class="n">reached</span><span
class="p">,</span> <span class="n">the</span> <span class="n">account</span>
<span class="n">is</span> <span class="n">blocked</span>
-</pre></div>
-
-
+<p>The idea is to protect the password against multiple guess attempts. The following
rules are applied:</p>
+<ul>
+<li>a counter tracks the failed attemps, and blocks when it's reached</li>
+<li>an incremental delay is added after a failure before a new attempt can be done</li>
+<li>a global delay for all the failed attempt is used, when reached, the account is
locked</li>
+</ul>
 <p>When the account is locked, it can remain locked, or be unlocked after a grace period.</p>
 <h4 id="attempts-counter">Attempts counter</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
+Impacted Attributes: ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
 </DIV></p>
-<p>Each failed attempt will be logged in the entry, in the <em>ads-pwdFailureTime</em>
Attribute (it will contain the date of the attempt). When the Attribute contains more values
than the maximum number of failed attempts, the entry will be locked (the <em>ads-pwdAccountLockedTime</em>
Attribute will contain the date the entry has been locked).</p>
+<p>Each failed attempt will be logged in the entry, in the <em>ads-pwdFailureTime</em>
Attribute (it will contain the date and time of the attempt). When the attribute contains
more values than the maximum number of failed attempts, the entry will be locked (the <em>ads-pwdAccountLockedTime</em>
Attribute will contain the date and time the entry has been locked).</p>
 <p><DIV class="warning" markdown="1">
 In order to activate this control the ads-pwdLockout parameter must be set to TRUE.
 </DIV></p>
-<p>The following table expose the various possible cases, with three failed attempts
: </p>
+<p>The following table expose the various possible cases, with three failed attempts:
</p>
 <table>
 <thead>
 <tr>
@@ -369,7 +368,7 @@ In order to activate this control the ad
 <td>date1, date2, date3</td>
 <td>date3</td>
 <td>Yes</td>
-<td>Failure 3 : account locked</td>
+<td>Failure 3: account locked</td>
 </tr>
 <tr>
 <td>3</td>
@@ -400,46 +399,44 @@ In order to activate this control the ad
 <p>As we can see, the account is locked only when we reach the number of failure, and
the <em>ads-pwdLockout</em> flag is TRUE. If the <em>ads-pwdLockoutDuration</em>
flag is set, then the password will remain locked for the delay stored in this attribute.</p>
 <h4 id="delayed-login">Delayed login</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
+Impacted Attributes: ads-pwdLockout, ads-pwdMaxFailure, ads-pwdLockoutDuration
 </DIV></p>
-<p>When we have reached a number of failed attempt, the account will be locked. We
can set another attribute to tell the server that the locked out account can be unlocked afer
a delay : the <em>ads-pwdLockoutDuration</em> Attribute stores this delay.</p>
-<p>When the account is locked, no further attempt will succed, even if the correct
password is sent. After the delay, the user will be unlocked.</p>
+<p>When we have reached a number of failed attempt, the account will be locked. We
can set another attribute to tell the server that the locked out account can be unlocked afer
a delay: the <em>ads-pwdLockoutDuration</em> Attribute stores this delay.</p>
+<p>When the account is locked, no further attempt will succeed, even if the correct
password is sent. After the delay, the user will be unlocked.</p>
 <h4 id="purging-failures">Purging failures</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdFailureCountInterval
+Impacted Attributes: ads-pwdFailureCountInterval
 </DIV></p>
-<p>As we store all the failures withing the entry, at some point we may want to purge
those failures. This is done either because we have successfully loged, or because the <em>ads-pwdFailureCountInterval</em>
value has expired. In this last case, all the failure older than the current time minus the
set interval will be removed.</p>
+<p>As we store all the failures within the entry, at some point we may want to purge
those failures. This is done either because we have successfully logged, or because the <em>ads-pwdFailureCountInterval</em>
value has expired. In this last case, all the failures older than the current time minus the
set interval will be removed.</p>
 <h3 id="password-checks-and-strength-enforcement">Password checks and strength enforcement</h3>
 <p>Those rules are used to enforce some constraints on the password, so that weak passwords
can't be used.</p>
 <h4 id="quality-check-policy">Quality Check policy</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdQualityCheck
-Default value : 1
+Impacted Attributes: ads-pwdQualityCheck<br>
+Default value: 1
 </DIV></p>
-<p>The system can be enabled or disabled, and when enabled, two different level of
checks con be done : relaxed or strict. We use a parameter to specify the kind of check we
do on the password : <em>ads-pwdCheckQuality</em>, which can take three values
:</p>
-<div class="codehilite"><pre><span class="o">*</span> <span class="mi">0</span>
<span class="p">:</span> <span class="n">The</span> <span class="n">password</span>
<span class="n">is</span> <span class="ow">not</span> <span class="n">checked</span>
-<span class="o">*</span> <span class="mi">1</span> <span class="p">:</span>
<span class="n">We</span> <span class="n">check</span> <span class="n">the</span>
<span class="n">password</span> <span class="n">when</span> <span
class="n">we</span> <span class="n">can</span><span class="p">,</span>
<span class="n">ie</span> <span class="n">when</span> <span class="n">it</span><span
class="s">&#39;s not hashed. When the password is hashed, or in a form </span>
-<span class="s">that does not allow us to apply the checks, then we ignore the errors</span>
-<span class="s">* 2 : The password is checked, and if it&#39;</span><span
class="n">s</span> <span class="n">hashed</span> <span class="ow">or</span>
<span class="n">in</span> <span class="n">a</span> <span class="n">form</span>
<span class="n">that</span> <span class="n">does</span> <span class="ow">not</span>
<span class="n">allow</span> <span class="n">the</span> <span class="n">checks</span>
<span class="n">to</span> <span class="n">be</span> <span class="n">done</span><span
class="p">,</span> 
-<span class="k">then</span> <span class="n">the</span> <span class="n">changes</span>
<span class="n">are</span> <span class="n">rejected</span><span
class="o">.</span>
-</pre></div>
-
-
+<p>The system can be enabled or disabled, and when enabled, two different level of
checks con be done: relaxed or strict.
+We use a parameter to specify the kind of check we do on the password: <em>ads-pwdCheckQuality</em>,
which can take three values:</p>
+<ul>
+<li>0: The password is not checked</li>
+<li>1: We check the password when we can, i.e. when it's not hashed. When the password
is hashed, or in a form that does not allow us to apply the checks, then we ignore the errors</li>
+<li>2: The password is checked, and if it's hashed or in a form that does not allow
the checks to be done, then the changes are rejected.</li>
+</ul>
 <h4 id="password-history">Password History</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdInHistory
+Impacted Attributes: ads-pwdInHistory
 </DIV></p>
 <p>The server can keep a backlog of passwords, so that a user can't keep a password
for ever. When requested to do so the user will have to change his/her password, and the old
password will be stored in the user's entry password history.</p>
 <p>We can specify the number of passwords we keep in the password history by configuring
the <em>ads-pwdInHistory</em> attribute.</p>
 <h4 id="minimum-delay-between-modifications">Minimum delay between modifications</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdMinAge
+Impacted Attributes: ads-pwdMinAge
 </DIV></p>
 <p>When the password history is activated, some users may change their passwords many
times to get their old password out of the history, and add it as their password again.  Setting
a delay between two password changes may protect the password against such action.</p>
 <p>The <em>ads-pwdMinAge</em> attribute is used for this purpose, and it
keeps a value in seconds.</p>
 <h4 id="password-length-constraint">Password length constraint</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attributes : ads-pwdMinLength and ads-pwdMaxLength
+Impacted Attributes: ads-pwdMinLength and ads-pwdMaxLength
 </DIV></p>
 <p>You can control the minimum and maximum length for a password by setting the <em>ads-pwdMinLength</em>
and <em>ads-pwdMaxLength</em> attributes.</p>
 <p><DIV class="warning" markdown="1">
@@ -449,20 +446,20 @@ Setting a password max length is most ce
 <p>We now have to expose the rules that apply to the password during it's life.</p>
 <h4 id="password-max-age">Password max age</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attribute : ads-pwdMaxAge
+Impacted Attribute: ads-pwdMaxAge
 </DIV></p>
 <p>A password may have a limited life expectation, and when this age is reached, the
password will be invalidated. This is configured through the <em>ads-pwdMaxAge</em>
parameter, which contains the number of second a password will last.</p>
-<p>This password invalidation can be overruled by the two next parameters</p>
+<p>This password invalidation can be overruled by the two next parameters.</p>
 <h4 id="password-grace-auth-n-limit">Password grace auth N limit</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attribute : ads-pwdGraceAuthNLimit
+Impacted Attribute: ads-pwdGraceAuthNLimit
 </DIV></p>
 <p>When the password has expired, this parameter (<em>ads-pwdGraceAuthNLimit</em>)
tells how many times a user will still be allowed to bind before the password is definitively
locked. Each attempt will decrement the associated counter.</p>
 <h4 id="paswword-grace-expire">Paswword grace Expire</h4>
 <p><DIV class="info" markdown="1">
-Impacted Attribute : ads-pwdGraceExpire
+Impacted Attribute: ads-pwdGraceExpire
 </DIV></p>
-<p>Another option when the password has expired is to give the user the possibility
to log in during a certain period of time. This is mainly useful when the <em>ads-pwdGraceAuthNLimit</em>
is set : not only there is a limited number of attempts, but those attempts must be done in
a limited period of time, ortherwise the password will be locked.</p>
+<p>Another option when the password has expired is to give the user the possibility
to log in during a certain period of time. This is mainly useful when the <em>ads-pwdGraceAuthNLimit</em>
is set: not only there is a limited number of attempts, but those attempts must be done in
a limited period of time, ortherwise the password will be locked.</p>
 <p>If the configuration of the <em>ads-pwdGraceAuthNLimit</em> is 0, the
<em>ads-pwdGraceExpire</em> value is simply added to the <em>ads-pwdMaxAge</em>
value.</p>
 
 



Mime
View raw message