!!! Overview
We found these [Schema Extensions] in [NetWare] when [Novell Secure Password Manager|NSPM] was first released.
[{$pagename}] provides some key information that we have not been able to locate since; So we keep this around.
!! [NspmPasswordPolicy] (Object Class)
{{{
GeneralOID 2.16.840.1.113719.1.39.43.6.1
Name nspmPasswordPolicy
PropertiesSuperior Top
Kind Structural (0x01)
}}}
{{{
description
loginGraceLimit
nsimAssignments
nsimChallengeSetDN
nsimChallengeSetGUID
nsimForgottenAction
nsimForgottenLoginConfig
nsimPwdRuleEnforcement
nspmAdminsDoNotExpirePassword
nspmCaseSensitive
nspmChangePasswordMessage
nspmComplexityRules
nspmConfigurationOptions
nspmDisallowedAttributeValues
nspmExcludeList
nspmExtendedAsFirstCharacter
nspmExtendedAsLastCharacter
nspmExtendedCharactersAllowed
nspmLowerAsFirstCharacter
nspmLowerAsLastCharacter
nspmMaxConsecutiveCharacters
nspmMaxExtendedCharacters
nspmMaxLowerCaseCharacters
nspmMaxNumericCharacters
nspmMaxRepeatedCharacters
nspmMaxSpecialCharacters
nspmMaxUpperCaseCharacters
nspmMaximumLength
nspmMinExtendedCharacters
nspmMinLowerCaseCharacters
nspmMinNumericCharacters
nspmMinPasswordLifetime
nspmMinSpecialCharacters
nspmMinUniqueCharacters
nspmMinUpperCaseCharacters
nspmNumericAsFirstCharacter
nspmNumericAsLastCharacter
nspmNumericCharactersAllowed
nspmPasswordACL
nspmPasswordHistoryExpiration
nspmPasswordHistoryLimit
nspmPolicyPrecedence
nspmSpecialAsFirstCharacter
nspmSpecialAsLastCharacter
nspmSpecialCharactersAllowed
nspmUpperAsFirstCharacter
nspmUpperAsLastCharacter
passwordAllowChange
passwordExpirationInterval
passwordMinimumLength
passwordRequired
passwordUniqueRequired
pwdInHistory
}}}
!!! Novell Secure Password Manager Schema Definitions
This was derived from a Netware 6.x server some time ago.
However, there is a lot on information in regards to the Universal Password that we have not been able to find elsewhere.
{{{
-- Novell Secure Password Manager Schema Definitions
-- Novell Inc.
-- 1800 South Novell Place
-- Provo, UT 84606
--
-- Version=NMAS 2.2 2003 01 27
-- Copyright=(c) Copyright 2002, Novell, Inc. All rights reserved
--
-- Object ID (OID) is registered with Internal Schema Registration
-- as of 15 Jan 1997.
--
-- OIDs Defined as Follows:
-- joint-iso-ccitt(2) country(16) us(840) organization(1)
-- Novell(113719) applications(1) SAS(39) NSPM(43)
-- NSPMAttributeType(4) attr#
-- NSPMObjectClass(6) class#
NSPMSchemaExtentions DEFINITIONS ::=
BEGIN
-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password User Attributes
-- -- -- -- -- -- -- -- -- -- -- -- --
-- User specific secret key that is wrapped with Security Domain Key.
"nspmPasswordKey" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_OCTET_STRING,
Flags {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 1}
}
-- The current user password. It is a null terminated unicode string encrypted with
-- the user specific secret key that is stored in the nspmPasswordKey attribute.
"nspmPassword" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_OCTET_STRING,
Flags {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 2}
}
-- The user distribution password. It may or may not be the same value as the
-- user's current password It is a null terminated unicode string encrypted with
-- the user specific secret key that is stored in the nspmPasswordKey attribute.
"nspmDistributionPassword" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_OCTET_STRING,
Flags {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 3}
}
-- The user password history. Each password is a null terminated unicode string encrypted
-- with the user specific secret key that is stored in the nspmPasswordKey attribute.
"nspmPasswordHistory" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_OCTET_STRING,
Flags {DS_HIDDEN_ATTR, DS_SYNC_IMMEDIATE},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 4}
}
-- This attribute indicates the number of times that the administrator set
-- user's the login credentials.
-- This is to support the non-reputation feature of Single Sign-on.
"nspmAdministratorChangeCount" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_COUNTER,
Flags {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 5}
}
-- Attribute on the login properties object (e.g., user object)
-- that specifies the effective Password Policy for the object
"nspmPasswordPolicyDN" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_DIST_NAME,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 6}
}
-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password Policy Configuration Attributes
-- -- -- -- -- -- -- -- -- -- -- -- --
-- The NSPM options flags:
-- 0x01 = On set password request the NDS password hash will be removed by SPM
-- 0x02 = On set password request the NDS password hash will not be set by SPM
-- 0x04 = On set password request the Simple password will not be set by SPM
-- 0x10 = Allow password retrieval by self
-- 0x20 = Allow password retrieval by admin
-- 0x40 = Allow password retrieval by password agents
-- 0x100 = Password enabled
-- 0x200 = Advanced password policy enabled
"nspmConfigurationOptions" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 100}
}
-- Administator defined message to be displayed when a user is prompted to change his password
"nspmChangePasswordMessage" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_CE_STRING,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 102}
}
-- The maximum number of passwords stored user password history.
"nspmPasswordHistoryLimit" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 5}
}
-- The minimum time in seconds that passwords are stored user password history.
"nspmPasswordHistoryExpiration" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 6}
}
-- The minimum time in seconds that the user is allowed to change his password again.
"nspmMinPasswordLifetime" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 7}
}
-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password Syntax Attributes
-- -- -- -- -- -- -- -- -- -- -- -- --
-- Maximum number of characters
"nspmMaximumLength" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 200}
}
-- Minimum number of upper case characters required
"nspmMinUpperCaseCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 201}
}
-- Maximum number of upper case characters allowed
"nspmMaxUpperCaseCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 202}
}
-- Minimum number of lower case characters required
"nspmMinLowerCaseCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 203}
}
-- Maximum number of lower case characters allowed
"nspmMaxLowerCaseCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 204}
}
-- Numeric characters allowed flag. Note that if this attribute
-- does not exist then numeric characters are allowed.
"nspmNumericCharactersAllowed" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 205}
}
-- Indicates if numeric characters are disallowed as the first character of a password.
-- Numeric characters are allowed if this attribute is missing.
"nspmNumericAsFirstCharacter" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 206}
}
-- Indicates if numeric characters are disallowed as the last character of a password.
-- Numeric characters are allowed if this attribute is missing.
"nspmNumericAsLastCharacter" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 207}
}
-- Minimum number of numeric characters required
"nspmMinNumericCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 208}
}
-- Maximum number of numeric characters allowed
"nspmMaxNumericCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 209}
}
-- Special characters allowed flag. Note that if this attribute
-- does not exist then special characters are allowed.
"nspmSpecialCharactersAllowed" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 210}
}
-- Indicates if special characters are disallowed as the first character of a password.
-- Special characters are allowed if this attribute is missing.
"nspmSpecialAsFirstCharacter" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 211}
}
-- Indicates if special characters are disallowed as the last character of a password.
-- Special characters are allowed if this attribute is missing.
"nspmSpecialAsLastCharacter" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 212}
}
-- Minimum number of special characters required
"nspmMinSpecialCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 213}
}
-- Maximum number of special characters allowed
"nspmMaxSpecialCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 214}
}
-- Maximum number of times a character can appear in a password
"nspmMaxRepeatedCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 215}
}
-- Maximum number of times a character can appear consecutivly in a password
"nspmMaxConsecutiveCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 216}
}
-- Mimimum number of different characters must be in a password
"nspmMinUniqueCharacters" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 217}
}
-- Attribute values not allowed as a password or a portion of a password
"nspmDisallowedAttributeValues" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_CE_STRING,
ASN1ObjID {2 16 840 1 113719 1 39 43 4 218}
}
-- Strings that are not allowed as a password or a portion of a password
"nspmExcludeList" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 219}
}
-- Case Sensitive comparison flag
"nspmCaseSensitive" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 220}
}
-- Used to determine which password policy takes precedence when
-- more than one password policy is associated with a user
"nspmPolicyPrecedence" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_INTEGER,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 221}
}
-- Extended characters allowed flag. Note that if this attribute
-- does not exist then extended characters are allowed.
"nspmExtendedCharactersAllowed" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_BOOLEAN,
Flags {DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 222}
}
-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password Policy Agent Code Attributes
-- Executable code is stored for each supported OS platform
-- that will enforce the password policy.
-- -- -- -- -- -- -- -- -- -- -- -- --
-- Attribute on the Security Container that specifies the
-- container that contains all Password Policy Agent objects
"nspmPolicyAgentContainerDN" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_DIST_NAME,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 300}
}
-- Password Policy Agent NetWare code
"nspmPolicyAgentNetWare" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 301}
}
-- Password Policy Agent Windows Server code
"nspmPolicyAgentWINNT" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 302}
}
-- Password Policy Agent Solaris code
"nspmPolicyAgentSolaris" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 303}
}
-- Password Policy Agent Linux code
"nspmPolicyAgentLinux" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 304}
}
-- Password Policy Agent AIX code
"nspmPolicyAgentAIX" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 305}
}
-- Password Policy Agent HPUX code
"nspmPolicyAgentHPUX" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_STREAM,
Flags {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
ASN1ObjID {2 16 840 1 113719 1 39 43 4 306}
}
-- -------------------
-- Class Definitions
-- -------------------
-- The container that contains all Password Policy Agent objects
"nspmPasswordPolicyContainer" OBJECT-CLASS ::=
{
Operation ADD,
Flags {DS_CONTAINER_CLASS, DS_EFFECTIVE_CLASS},
SubClassOf {"Top"},
ContainedBy {"SAS:Security"},
NamedBy {"CN"},
MustContain {"CN"},
MayContain {"Description"},
ASN1ObjID {2 16 840 1 113719 1 39 43 6 2}
}
-- Password Policy Agent object
"nspmPolicyAgent" OBJECT-CLASS ::=
{
Operation ADD,
Flags {DS_EFFECTIVE_CLASS},
SubClassOf {"Top"},
ContainedBy {"nspmPasswordPolicyContainer"},
NamedBy {"CN"},
MustContain {"CN"},
MayContain {"Description",
"nspmPolicyAgentNetWare",
"nspmPolicyAgentWINNT",
"nspmPolicyAgentSolaris",
"nspmPolicyAgentLinux",
"nspmPolicyAgentAIX",
"nspmPolicyAgentHPUX"
},
ASN1ObjID {2 16 840 1 113719 1 39 43 6 3}
}
"nspmPasswordPolicy" OBJECT-CLASS ::=
{
Operation ADD,
Flags {DS_EFFECTIVE_CLASS},
SubClassOf {"Top"},
ContainedBy {"nspmPasswordPolicyContainer", "Domain", "Locality", "Organization", "Organizational Unit"},
NamedBy {"CN"},
MustContain {"CN"},
MayContain {"Description",
"nspmPolicyPrecedence",
"nspmConfigurationOptions",
"nspmChangePasswordMessage",
"Password Expiration Interval",
"Login Grace Limit",
"nspmMinPasswordLifetime",
"Password Unique Required",
"nspmPasswordHistoryLimit",
"nspmPasswordHistoryExpiration",
"Password Allow Change",
"Password Required",
"Password Minimum Length",
"nspmMaximumLength",
"nspmCaseSensitive",
"nspmMinUpperCaseCharacters",
"nspmMaxUpperCaseCharacters",
"nspmMinLowerCaseCharacters",
"nspmMaxLowerCaseCharacters",
"nspmNumericCharactersAllowed",
"nspmNumericAsFirstCharacter",
"nspmNumericAsLastCharacter",
"nspmMinNumericCharacters",
"nspmMaxNumericCharacters",
"nspmSpecialCharactersAllowed",
"nspmSpecialAsFirstCharacter",
"nspmSpecialAsLastCharacter",
"nspmMinSpecialCharacters",
"nspmMaxSpecialCharacters",
"nspmMaxRepeatedCharacters",
"nspmMaxConsecutiveCharacters",
"nspmMinUniqueCharacters",
"nspmDisallowedAttributeValues",
"nspmExcludeList",
"nspmExtendedCharactersAllowed"
},
ASN1ObjID {2 16 840 1 113719 1 39 43 6 1}
}
-- --------------------------------
-- Modification of Existing Classes
-- --------------------------------
"ndsLoginProperties" OBJECT-CLASS ::=
{
Operation MODIFY,
MayContain {
"nspmPasswordKey",
"nspmPassword",
"nspmDistributionPassword",
"nspmPasswordHistory",
"nspmAdministratorChangeCount",
"nspmPasswordPolicyDN"
}
}
"Group" OBJECT-CLASS ::=
{
Operation MODIFY,
MayContain {
"nspmPasswordPolicyDN"
}
}
"ndsContainerLoginProperties" OBJECT-CLASS ::=
{
Operation MODIFY,
MayContain {
"nspmPasswordPolicyDN"
}
}
"SAS:Login Policy" OBJECT-CLASS ::=
{
Operation MODIFY,
MayContain {
"nspmPasswordPolicyDN"
}
}
"SAS:Security" OBJECT-CLASS ::=
{
Operation MODIFY,
MayContain {
"nspmPolicyAgentContainerDN"
}
}
END
}}}
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]