author Aravind Gottipati <>
Tue, 08 Dec 2009 20:51:08 -0800
changeset 5 2c3b87629a8c
parent 2 b27b1a60ca5e
permissions -rw-r--r--
Added tag 2.4.20 for changeset 13fda6915ec6

ppolicy enhancement

OpenLDAP Version 2.4.16


The OpenLDAP ppolicy overlay provides many powerful features to LDAP 
administrators that significantly enhance security, including password aging, 
which forces users to change passwords regularly. 

Many LDAP client applications cache user passwords, and in most cases their 
error recovery strategies involve repeated attempts. Following a password change 
this frequently means multiple bind attempts using an incorrect password. The 
standard OpenLDAP ppolicy overlay counts all incorrect password attempts as 
errors, and when the count of such errors reaches the value defined by 
pwdMaxFailure the user's account is locked. This can lead to a significant 
number of false account lockouts, increasing user frustration and 
administrator workload. To minimise such false positive lockouts 
administrators may raise the value of pwdMaxFailure, which in turn may increase 
the likelihood of a dictionary attack succeeding. 

The ppolicy enhancement allows administrators to optionally differentiate 
between login attempts using a repeat password and those using a unique 
password. The administrator may optionally set a limit on the number of login 
attempts using a repeat password to provide DoS protection. The enhanced 
ppolicy behaviour is invoked through an additional pwdPolicy attribute 
(pwdMaxTotalAttempts).


Funding for the enhancement was generously provided by Mozilla Corporation.


This enhancement consists of the following items:

1. replacement ppolicy.c
2. replacement ppolicy.schema
3. replacement man page slapo-ppolicy.5
4. draft-mozilla-ldap-password-policy-05.doc
5. draft-mozilla-ldap-password-policy-05.txt


The enhancement may be installed to either a source distribution (tarball) or 
BSD port as follows:

If using a tarball:
1. Unpack the source to a suitable directory 
2. Replace the following:
  a. openldap-2.4.16/servers/slapd/overlays/ppolicy.c
  b. openldap-2.4.16/servers/slapd/schema/ppolicy.schema
  c. openldap-2.4.16/doc/man/man5/slapo-ppolicy.5
3. Configure, build and install OpenLDAP in the normal manner

If using a BSD Port:

1. cd to the port directory (normally /usr/ports/net/openldap24-server)
2. make patch
3. when the configure step has stopped, replace the following files with those 
   supplied with this enhancement
  a. work/openldap-2.4.16/servers/slapd/overlays/ppolicy.c
  b. work/openldap-2.4.16/servers/slapd/schema/ppolicy.schema
  c. work/openldap-2.4.16/doc/man/man5/slapo-ppolicy.5
4. make install [clean] 

If enhancing an existing installation you can either:

 a. repeat the full install process as above, using any special flags necessary 
    to override any package management utilities; or
 b. complete the build but do not install the full OpenLDAP system:
    i.   if using dynamic overlays copy (and/or from 
         openldap-2.4.16/servers/slapd/.libs/ to the appropriate 
    ii.  if using static (compiled in) overlays copy the slapd executable 
         from openldap-2.4.16/servers/slapd/.libs/slapd to the executable 
         location (use locate slapd to find it)
    iii. copy ppolicy.schema to your normal schema location
    iv.  tar the updated man page from 
         openldap-2.4.16/doc/man/man5/slapo-ppolicy.5.tmp to your normal man5 
         location (typically /usr/man/man5 on Linux, /usr/local/man/man5 on BSD) 
         using a command like:
         tar -czvf man/man5/slapo-ppolicy.5.gz doc/man/man5/slapo-ppolicy.5.tmp

To invoke repeat password checking:

The attribute pwdMaxTotalAttempts (in objectclass pwdPolicy) defines what, 
if any, processing occurs when a bind attempt fails using a repeat password. 
The attribute may take one of three kinds of value. If pwdMaxTotalAttempts 
is zero (0) or not defined then no repeat password checking is performed and 
the standard ppolicy behaviour applies. If pwdMaxTotalAttempts is -1 repeat 
password checking is performed and an unlimited number of attempts with any 
number (up to the limit defined by pwdMaxFailure) of repeat passwords are 
allowed. It should be noted that allowing an unlimited number of repeat 
password attempts may increase the effectiveness of a DoS attack using large 
numbers of unsuccessful bind attempts. If pwdMaxTotalAttempts is set to any 
positive number then this number defines the maximum number of unique plus 
repeat password attempts allowed before the account is locked.

The operational attribute pwdUniqueAttempts stores every unique failed 
password attempt and appears only if pwdMaxTotalAttempts is either -1 or a 
positive number. The failed passwords are held in hashed form in this 
attribute.
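The following model, added here as an illustration and not taken from ppolicy.c, replays a sequence of failed binds against a constructed pwdPolicy entry and shows how the three settings of pwdMaxTotalAttempts described above change when an account locks, and why the stale-cached-password case from the introduction no longer locks the account in enhanced mode. The DN in the LDIF, the SHA-256 hash used to stand in for the overlay's stored hash format (which this README does not specify), and the helper names are assumptions of this example.

```python
"""Model of the repeat-password lockout counting described above.

Added illustration for this README; it is not code from ppolicy.c and does
not talk to a directory. It replays failed binds against a pwdPolicy entry
and reports when the account would lock under each setting.
"""
import hashlib


def policy_ldif(max_failure, max_total):
    """Build a constructed pwdPolicy entry in LDIF form (the DN is made up)."""
    return (
        "dn: cn=default,ou=policies,dc=example,dc=com\n"
        "objectClass: pwdPolicy\n"
        "pwdAttribute: userPassword\n"
        f"pwdMaxFailure: {max_failure}\n"
        f"pwdMaxTotalAttempts: {max_total}\n"
    )


def parse_policy(ldif):
    """Extract the two counters that drive lockout; a missing attribute reads as 0."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip(), value.strip())
    return {
        "pwdMaxFailure": int(attrs.get("pwdMaxFailure", 0)),
        "pwdMaxTotalAttempts": int(attrs.get("pwdMaxTotalAttempts", 0)),
    }


class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0          # failures counted against pwdMaxFailure
        self.total = 0             # unique plus repeat failures
        self.unique_attempts = []  # models pwdUniqueAttempts (hashed passwords)
        self.locked = False

    def failed_bind(self, password):
        """Record one failed bind and return True if the account is now locked."""
        if self.locked:
            return True
        max_fail = self.policy["pwdMaxFailure"]
        max_total = self.policy["pwdMaxTotalAttempts"]
        self.total += 1
        if max_total == 0:
            # Standard ppolicy: no repeat checking, every failure counts.
            self.failures += 1
        else:
            # Enhanced mode: only a password not seen before counts against
            # pwdMaxFailure; a repeat of an earlier wrong password counts only
            # toward the total. SHA-256 is an assumed stand-in for the
            # overlay's own hash format.
            digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
            if digest not in self.unique_attempts:
                self.unique_attempts.append(digest)
                self.failures += 1
        if max_fail > 0 and self.failures >= max_fail:
            self.locked = True
        if max_total > 0 and self.total >= max_total:
            self.locked = True
        return self.locked


def simulate(ldif, attempts):
    """Replay failed binds; return (locked, unique failures, total failures)."""
    account = Account(parse_policy(ldif))
    for password in attempts:
        account.failed_bind(password)
    return account.locked, len(account.unique_attempts), account.total


if __name__ == "__main__":
    stale = ["OldPassw0rd"] * 5                  # a client retrying its cached password
    distinct = ["guess%d" % i for i in range(5)]  # five different wrong passwords
    print("standard (0), stale cache :", simulate(policy_ldif(3, 0), stale))
    print("enhanced (-1), stale cache:", simulate(policy_ldif(3, -1), stale))
    print("enhanced (4), stale cache :", simulate(policy_ldif(3, 4), stale))
    print("enhanced (-1), distinct   :", simulate(policy_ldif(3, -1), distinct))
```

With pwdMaxFailure 3, the retrying client locks the account after three attempts under standard ppolicy, never locks it with pwdMaxTotalAttempts -1, and locks it at the fourth attempt with pwdMaxTotalAttempts 4; five distinct wrong passwords still lock it at the third unique failure, which is the dictionary-attack protection pwdMaxFailure is meant to keep.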