Overview#

Password Policy is a Policy that governs how Passwords are created, stored, changed and used to authenticate within a system.

Typically there are two major areas that should be covered:

Draft-behera-ldap-password-policy, even though it is an expired Internet Draft, is still the "de facto" standard.

LDAP and Password Policy#

The typical Directory Server Password Policy provides a mechanism for controlling how passwords will be stored and maintained in the server, and how users will be allowed to authenticate.

Many LDAP Server Implementations use, at least to some degree, the draft-behera-ldap-password-policy as the "industry standard"; the attribute names below (pwdMaxAge, pwdLockout, pwdMaxFailure and so on) come from it.

Typical Elements of a password policy include:

  • The attribute used to store user passwords. By default, this is the userPassword attribute.
  • The default set of password storage schemes that will be used to encode passwords stored in the server.
  • A set of deprecated Password Storage Schemes that may be used to authenticate users, but will cause the password to be re-encoded using the default scheme(s) upon a successful bind.
  • A flag that indicates whether users will be allowed to change their own passwords.
  • A number of settings related to password expiration, including the maximum age for passwords, warnings before expiration, and whether users will be allowed to change their passwords after they expire.
  • A number of settings related to Account Lockout, which can be used to prevent users from authenticating after too many failed attempts.
  • Flags that indicate whether users will be required to change their passwords the first time they authenticate and/or whether they will be required to change their passwords after they have been reset by an administrator.
  • A set of password validators that can be used to determine whether proposed new password values are acceptable for use.
  • A flag that indicates whether users will be required to provide their current passwords to be allowed to change their passwords.
  • A flag that indicates whether clients will be allowed to specify new passwords that have already been encoded using one of the password storage schemes defined in the server. Allowing pre-encoded passwords may be necessary for some applications, but may allow the user to bypass certain restrictions, like password validators, that might otherwise be enforced.
  • Settings related to maintaining the Last Login Time, including the attribute to use to store its value, the format to use for the time stamp, and whether to lock an account after too much time has elapsed without authenticating.
  • Flags that control whether the user will be required to authenticate in a secure manner and/or whether they will be required to change their passwords in a secure manner.
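The expiration, grace-login, lockout and change-after-reset elements above are decided by the server at bind time from the pwdPolicy entry and the operational attributes it keeps on the user entry (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, pwdReset). The following is an added example, not code from this page or from any directory server, showing that decision logic in Python; the attribute names follow draft-behera-ldap-password-policy, while the PwdPolicy/UserState classes, the function names and the sample policy and timestamps are constructed for illustration.

```python
"""Evaluate an LDAP bind against a draft-behera-ldap-password-policy pwdPolicy.

Added example: attribute names follow draft-behera; the classes, functions,
sample policy and timestamps are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_gt(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20170408123400Z' (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def to_gt(when: datetime) -> str:
    """Format a datetime as LDAP GeneralizedTime in UTC."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


@dataclass
class PwdPolicy:
    """Subset of the pwdPolicy object class. Durations are seconds; 0 disables."""
    pwdMaxAge: int = 0                # password lifetime measured from pwdChangedTime
    pwdExpireWarning: int = 0         # start warning this long before expiry
    pwdGraceAuthNLimit: int = 0       # binds still allowed after expiry
    pwdLockout: bool = False          # lock after pwdMaxFailure consecutive failures
    pwdMaxFailure: int = 0
    pwdFailureCountInterval: int = 0  # failures older than this are forgotten
    pwdLockoutDuration: int = 0       # 0 = locked until an administrator resets
    pwdMustChange: bool = False       # force a change after an administrative reset


@dataclass
class UserState:
    """Operational attributes the server maintains on the user entry."""
    pwdChangedTime: Optional[str] = None
    pwdFailureTime: list = field(default_factory=list)
    pwdAccountLockedTime: Optional[str] = None
    pwdGraceUseTime: list = field(default_factory=list)
    pwdReset: bool = False


def recent_failures(policy: PwdPolicy, user: UserState, now: datetime) -> list:
    """Failure timestamps still inside pwdFailureCountInterval (all, if 0)."""
    if policy.pwdFailureCountInterval == 0:
        return list(user.pwdFailureTime)
    cutoff = now - timedelta(seconds=policy.pwdFailureCountInterval)
    return [t for t in user.pwdFailureTime if parse_gt(t) > cutoff]


def record_failure(policy: PwdPolicy, user: UserState, now: datetime) -> bool:
    """Record a failed bind; lock the account once pwdMaxFailure is reached.
    Returns True when the account is locked by this failure."""
    user.pwdFailureTime = recent_failures(policy, user, now) + [to_gt(now)]
    if policy.pwdLockout and policy.pwdMaxFailure and \
            len(user.pwdFailureTime) >= policy.pwdMaxFailure:
        user.pwdAccountLockedTime = to_gt(now)
        return True
    return False


def evaluate_bind(policy: PwdPolicy, user: UserState, now: datetime) -> dict:
    """Decide whether a bind with the CORRECT password is accepted right now.
    Returns 'allowed', 'reason', 'warning' (seconds until expiry, or None),
    'grace_remaining' (None unless the password is expired) and 'must_change'."""
    result = {"allowed": True, "reason": None, "warning": None,
              "grace_remaining": None, "must_change": False}
    # 1. Lockout: pwdAccountLockedTime is authoritative rather than the failure
    #    count, so an administrator removing it unlocks the account immediately.
    if policy.pwdLockout and user.pwdAccountLockedTime:
        locked_at = parse_gt(user.pwdAccountLockedTime)
        still_locked = policy.pwdLockoutDuration == 0 or \
            now < locked_at + timedelta(seconds=policy.pwdLockoutDuration)
        if still_locked:
            return dict(result, allowed=False, reason="accountLocked")
    # 2. Expiration, warning window and grace logins.
    if policy.pwdMaxAge and user.pwdChangedTime:
        expires_at = parse_gt(user.pwdChangedTime) + timedelta(seconds=policy.pwdMaxAge)
        if now >= expires_at:
            if len(user.pwdGraceUseTime) >= policy.pwdGraceAuthNLimit:
                return dict(result, allowed=False, reason="passwordExpired")
            user.pwdGraceUseTime.append(to_gt(now))  # this bind consumes one grace login
            result["grace_remaining"] = policy.pwdGraceAuthNLimit - len(user.pwdGraceUseTime)
        elif policy.pwdExpireWarning and \
                now >= expires_at - timedelta(seconds=policy.pwdExpireWarning):
            result["warning"] = int((expires_at - now).total_seconds())
    # 3. Change-after-reset: the bind succeeds but only a password change is useful.
    if policy.pwdMustChange and user.pwdReset:
        result["must_change"] = True
    user.pwdFailureTime = []  # a successful bind clears the failure history
    return result


# Constructed sample policy: 90-day lifetime, 7-day warning, 2 grace logins,
# lock for 15 minutes after 3 failures within 5 minutes, force change after reset.
POLICY = PwdPolicy(pwdMaxAge=90 * 86400, pwdExpireWarning=7 * 86400,
                   pwdGraceAuthNLimit=2, pwdLockout=True, pwdMaxFailure=3,
                   pwdFailureCountInterval=300, pwdLockoutDuration=900,
                   pwdMustChange=True)
NOW = parse_gt("20170408123400Z")  # constructed reference time for the samples


def demo() -> dict:
    """Run the policy over a few constructed user states and return the outcomes."""
    warned = UserState(pwdChangedTime=to_gt(NOW - timedelta(days=85)))
    expired = UserState(pwdChangedTime=to_gt(NOW - timedelta(days=91)))
    locked = UserState(pwdChangedTime=to_gt(NOW), pwdAccountLockedTime=to_gt(NOW - timedelta(minutes=10)))
    failing = UserState(pwdChangedTime=to_gt(NOW),
                        pwdFailureTime=[to_gt(NOW - timedelta(seconds=400)), to_gt(NOW - timedelta(seconds=100))])
    return {
        "warned": evaluate_bind(POLICY, warned, NOW),
        "expired_first_grace": evaluate_bind(POLICY, expired, NOW),
        "locked": evaluate_bind(POLICY, locked, NOW),
        # the 400 s old failure falls outside pwdFailureCountInterval, so no lock yet
        "third_failure_locks": (record_failure(POLICY, failing, NOW), record_failure(POLICY, failing, NOW)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The same attributes, written into a pwdPolicy entry with LDIF, are what a server implementing the draft consumes; the evaluator above is only a model of the decision the server makes, useful for reasoning about how pwdFailureCountInterval and pwdLockoutDuration interact before deploying a policy.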

Edirectory Password Policy#

We have some specific information on the Edirectory Password Policy.

More Information#

There might be more information for this subject on one of the following:

« This page (revision-22) was last changed on 08-Apr-2017 12:34 by jim