-- ASN module extracted from ITU-T X.520 (10/2019)
PasswordPolicy
{joint-iso-itu-t ds(5) module(1) passwordPolicy(39) 10}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
/*
The types and values defined in this module are exported for use in the other ASN.1
modules contained within the Directory Specifications, and for the use of other
applications which will use them to access Directory services. Other applications may
use them for their own purposes, but this will not constrain extensions and
modifications needed to maintain or improve the Directory service.
*/
IMPORTS
id-asx, id-at, id-mr, id-oa,
ATTRIBUTE, MATCHING-RULE, SYNTAX-NAME, -- to here from InformationFramework
directoryString, integer, integerMatch -- to here from SelectedAttributeTypes
FROM UsefulDefinitions
{joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 10} WITH SUCCESSORS
AlgorithmIdentifier{}, ALGORITHM, EXTENSION, SupportedAlgorithms
FROM AuthenticationFramework
{joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 10} WITH SUCCESSORS
--ATTRIBUTE, MATCHING-RULE, -- pwdHistory{}, pwdRecentlyExpired{},
pwdHistoryMatch{} --, SYNTAX-NAME
FROM InformationFramework
{joint-iso-itu-t ds(5) module(1) informationFramework(1) 10} WITH SUCCESSORS
-- directoryString, integer, integerMatch are no longer imported from this module
bitStringMatch, boolean, booleanMatch, -- directoryString, -- generalizedTime,
generalizedTimeMatch,
generalizedTimeOrderingMatch, -- integer, integerMatch, -- integerOrderingMatch, uri
FROM SelectedAttributeTypes
{joint-iso-itu-t ds(5) module(1) selectedAttributeTypes(5) 10} WITH SUCCESSORS ;
userPwd ATTRIBUTE ::= {
WITH SYNTAX UserPwd
EQUALITY MATCHING RULE userPwdMatch
SINGLE VALUE TRUE
LDAP-SYNTAX userPwdDescription.&id
LDAP-NAME {"userPwd"}
ID id-at-userPwd }
UserPwd ::= CHOICE {
clear UTF8String,
encrypted SEQUENCE {
algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
encryptedString OCTET STRING,
...},
...}
-- Operational attributes
pwdStartTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdStartTime"}
ID id-oa-pwdStartTime }
pwdExpiryTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdExpiryTime"}
ID id-oa-pwdExpiryTime }
pwdEndTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdEndTime"}
ID id-oa-pwdEndTime }
pwdFails ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE dSAOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdFails"}
ID id-oa-pwdFails }
pwdFailureTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE dSAOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdFailureTime"}
ID id-oa-pwdFailureTime }
pwdGracesUsed ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE dSAOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdGracesUsed"}
ID id-oa-pwdGracesUsed }
userPwdHistory ATTRIBUTE ::=
pwdHistory{userPwd,userPwdHistoryMatch,id-oa-userPwdHistory}
userPwdRecentlyExpired ATTRIBUTE ::=
pwdRecentlyExpired{userPwd,id-oa-userPwdRecentlyExpired}
pwdModifyEntryAllowed ATTRIBUTE ::= {
WITH SYNTAX BOOLEAN
EQUALITY MATCHING RULE booleanMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX boolean.&id
LDAP-NAME {"pwdModifyEntryAllowed"}
ID id-oa-pwdModifyEntryAllowed }
pwdChangeAllowed ATTRIBUTE ::= {
WITH SYNTAX BOOLEAN
EQUALITY MATCHING RULE booleanMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX boolean.&id
LDAP-NAME {"pwdChangeAllowed"}
ID id-oa-pwdChangeAllowed }
pwdMaxAge ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1 .. MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMaxAge"}
ID id-oa-pwdMaxAge }
pwdExpiryAge ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1 .. MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdExpiryAge"}
ID id-oa-pwdExpiryAge }
pwdMinLength ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMinLength"}
ID id-oa-pwdMinLength }
pwdVocabulary ATTRIBUTE ::= {
WITH SYNTAX PwdVocabulary
EQUALITY MATCHING RULE bitStringMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX pwdVocabularyDescription.&id
LDAP-NAME {"pwdVocabulary"}
ID id-oa-pwdVocabulary }
PwdVocabulary ::= BIT STRING {
noDictionaryWords (0),
noPersonNames (1),
noGeographicalNames (2) }
pwdAlphabet ATTRIBUTE ::= {
WITH SYNTAX PwdAlphabet
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX pwdAlphabetDescription.&id
LDAP-NAME {"pwdAlphabet"}
ID id-oa-pwdAlphabet }
PwdAlphabet ::= SEQUENCE OF UTF8String
pwdDictionaries ATTRIBUTE ::= {
SUBTYPE OF uri
USAGE directoryOperation
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"pwdDictionaries"}
ID id-oa-pwdDictionaries }
pwdExpiryWarning ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdExpiryWarning"}
ID id-oa-pwdExpiryWarning }
pwdGraces ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdGraces"}
ID id-oa-pwdGraces }
pwdFailureDuration ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdFailureDuration"}
ID id-oa-pwdFailureDuration }
pwdLockoutDuration ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdLockoutDuration"}
ID id-oa-pwdLockoutDuration }
pwdMaxFailures ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMaxFailures"}
ID id-oa-pwdMaxFailures }
pwdMaxTimeInHistory ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMaxTimeInHistory"}
ID id-oa-pwdMaxTimeInHistory }
pwdMinTimeInHistory ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMinTimeInHistory"}
ID id-oa-pwdMinTimeInHistory }
pwdHistorySlots ATTRIBUTE ::= {
WITH SYNTAX INTEGER (2..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdHistorySlots"}
ID id-oa-pwdHistorySlots }
pwdRecentlyExpiredDuration ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdRecentlyExpiredDuration"}
ID id-oa-pwdRecentlyExpiredDuration }
pwdEncAlg ATTRIBUTE ::= {
WITH SYNTAX PwdEncAlg
EQUALITY MATCHING RULE pwdEncAlgMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX pwdEncAlgDescription.&id
LDAP-NAME {"pwdEncAlg"}
ID id-oa-pwdEncAlg }
PwdEncAlg ::= AlgorithmIdentifier{{SupportedAlgorithms}}
userPwdMatch MATCHING-RULE ::= {
SYNTAX UserPwd
LDAP-SYNTAX userPwdDescription.&id
LDAP-NAME {"userPwdMatch"}
ID id-mr-userPwdMatch }
pwdEncAlgMatch MATCHING-RULE ::= {
SYNTAX PwdEncAlg
LDAP-SYNTAX pwdEncAlgDescription.&id
LDAP-NAME {"pwdEncAlgMatch"}
ID id-mr-pwdEncAlgMatch }
userPwdHistoryMatch MATCHING-RULE ::= pwdHistoryMatch{userPwd,id-mr-userPwdHistoryMatch}
-- LDAP syntaxes defined by this Directory Specification
userPwdDescription SYNTAX-NAME ::= {
LDAP-DESC "User Password Description"
DIRECTORY SYNTAX UserPwd
ID id-asx-userPwdDescription }
pwdVocabularyDescription SYNTAX-NAME ::= {
LDAP-DESC "Password Vocabulary Description"
DIRECTORY SYNTAX PwdVocabulary
ID id-asx-pwdVocabularyDescription }
pwdAlphabetDescription SYNTAX-NAME ::= {
LDAP-DESC "Password Alphabet Description"
DIRECTORY SYNTAX PwdAlphabet
ID id-asx-pwdAlphabetDescription }
pwdEncAlgDescription SYNTAX-NAME ::= {
LDAP-DESC "Password Alphabet Description"
DIRECTORY SYNTAX PwdEncAlg
ID id-asx-pwdEncAlgDescription }
-- object identifier assignments
-- directory attributes
id-at-userPwd OBJECT IDENTIFIER ::= {id-at 85}
-- operational attributes --
id-oa-pwdStartTime OBJECT IDENTIFIER ::= {id-oa 22}
id-oa-pwdExpiryTime OBJECT IDENTIFIER ::= {id-oa 23}
id-oa-pwdEndTime OBJECT IDENTIFIER ::= {id-oa 24}
id-oa-pwdFails OBJECT IDENTIFIER ::= {id-oa 25}
id-oa-pwdFailureTime OBJECT IDENTIFIER ::= {id-oa 26}
id-oa-pwdGracesUsed OBJECT IDENTIFIER ::= {id-oa 27}
id-oa-userPwdHistory OBJECT IDENTIFIER ::= {id-oa 28}
id-oa-userPwdRecentlyExpired OBJECT IDENTIFIER ::= {id-oa 29}
id-oa-pwdModifyEntryAllowed OBJECT IDENTIFIER ::= {id-oa 30}
id-oa-pwdChangeAllowed OBJECT IDENTIFIER ::= {id-oa 31}
id-oa-pwdMaxAge OBJECT IDENTIFIER ::= {id-oa 32}
id-oa-pwdExpiryAge OBJECT IDENTIFIER ::= {id-oa 33}
id-oa-pwdMinLength OBJECT IDENTIFIER ::= {id-oa 34}
id-oa-pwdVocabulary OBJECT IDENTIFIER ::= {id-oa 35}
id-oa-pwdAlphabet OBJECT IDENTIFIER ::= {id-oa 36}
id-oa-pwdDictionaries OBJECT IDENTIFIER ::= {id-oa 37}
id-oa-pwdExpiryWarning OBJECT IDENTIFIER ::= {id-oa 38}
id-oa-pwdGraces OBJECT IDENTIFIER ::= {id-oa 39}
id-oa-pwdFailureDuration OBJECT IDENTIFIER ::= {id-oa 40}
id-oa-pwdLockoutDuration OBJECT IDENTIFIER ::= {id-oa 41}
id-oa-pwdMaxFailures OBJECT IDENTIFIER ::= {id-oa 42}
id-oa-pwdMaxTimeInHistory OBJECT IDENTIFIER ::= {id-oa 43}
id-oa-pwdMinTimeInHistory OBJECT IDENTIFIER ::= {id-oa 44}
id-oa-pwdHistorySlots OBJECT IDENTIFIER ::= {id-oa 45}
id-oa-pwdRecentlyExpiredDuration OBJECT IDENTIFIER ::= {id-oa 46}
id-oa-pwdEncAlg OBJECT IDENTIFIER ::= {id-oa 47}
-- matching rules
id-mr-userPwdMatch OBJECT IDENTIFIER ::= {id-mr 71}
id-mr-userPwdHistoryMatch OBJECT IDENTIFIER ::= {id-mr 72}
id-mr-pwdEncAlgMatch OBJECT IDENTIFIER ::= {id-mr 73}
-- syntaxes
id-asx-userPwdDescription OBJECT IDENTIFIER ::= {id-asx 0}
id-asx-pwdVocabularyDescription OBJECT IDENTIFIER ::= {id-asx 1}
id-asx-pwdAlphabetDescription OBJECT IDENTIFIER ::= {id-asx 2}
id-asx-pwdEncAlgDescription OBJECT IDENTIFIER ::= {id-asx 3}
END -- Password policy