-- ASN.1 module extracted from ITU-T X.520 (10/2016)
PasswordPolicy {joint-iso-itu-t ds(5) module(1) passwordPolicy(39) 8}
DEFINITIONS ::=
BEGIN
-- EXPORTS All
-- The types and values defined in this module are exported for use in the other ASN.1
-- modules contained within the Directory Specifications, and for the use of other
-- applications which will use them to access Directory services. Other applications may
-- use them for their own purposes, but this will not constrain extensions and
-- modifications needed to maintain or improve the Directory service.
IMPORTS
authenticationFramework, id-asx, id-at, id-mr, id-oa, informationFramework,
selectedAttributeTypes
FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
usefulDefinitions(0) 7}
AlgorithmIdentifier{}, ALGORITHM, EXTENSION, SupportedAlgorithms
FROM AuthenticationFramework authenticationFramework
ATTRIBUTE, MATCHING-RULE, pwdHistory{}, pwdRecentlyExpired{},
pwdHistoryMatch{}, SYNTAX-NAME
FROM InformationFramework informationFramework
bitStringMatch, boolean, booleanMatch, directoryString, generalizedTime,
generalizedTimeMatch,
generalizedTimeOrderingMatch, integer, integerMatch, integerOrderingMatch, uri
FROM SelectedAttributeTypes selectedAttributeTypes;
-- userPwd: the user's password, typed as the UserPwd CHOICE defined below
-- (a cleartext UTF8String or an algorithm-tagged OCTET STRING). Single-valued.
-- Equality matching is via userPwdMatch; how that rule compares the two CHOICE
-- alternatives is not defined in this module.
-- NOTE(review): an equality rule on a credential attribute lets compare-style
-- matching be evaluated against it, so whatever access control protects
-- reading userPwd should presumably also cover compare; confirm per deployment.
userPwd ATTRIBUTE ::= {
WITH SYNTAX UserPwd
EQUALITY MATCHING RULE userPwdMatch
SINGLE VALUE TRUE
LDAP-SYNTAX userPwdDescription.&id
LDAP-NAME {"userPwd"}
ID id-at-userPwd }
-- UserPwd: value syntax of userPwd (and, through the parameterized imports,
-- of userPwdHistory and userPwdRecentlyExpired).
--   clear      the password itself as a plain UTF8String.
--   encrypted  an OCTET STRING whose interpretation is fixed by the
--              accompanying algorithmIdentifier, constrained to the
--              SupportedAlgorithms object set imported from
--              AuthenticationFramework. The octets are opaque here.
-- NOTE(review): this module does not say whether "encrypted" means a
-- reversible transform or a one-way digest; that depends entirely on the
-- algorithm chosen (see pwdEncAlg), so neither recoverability nor
-- irrecoverability should be assumed from the type alone.
-- Both the CHOICE and the inner SEQUENCE carry extension markers.
UserPwd ::= CHOICE {
clear UTF8String,
encrypted SEQUENCE {
algorithmIdentifier AlgorithmIdentifier{{SupportedAlgorithms}},
encryptedString OCTET STRING,
...},
...}
-- Operational attributes
-- pwdStartTime: GeneralizedTime, single-valued, directory operational
-- attribute (USAGE directoryOperation). Equality and ordering rules are
-- declared, so it can be matched exactly or by range. Its meaning
-- (presumably the instant from which the current password is usable) is
-- given in the X.520 text, not in this module.
pwdStartTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdStartTime"}
ID id-oa-pwdStartTime }
-- pwdExpiryTime: GeneralizedTime, single-valued, USAGE directoryOperation,
-- with equality and ordering rules (range-searchable). Presumably the instant
-- after which the current password is no longer accepted without grace or
-- change; semantics are defined in the X.520 text, this module fixes only
-- the syntax.
pwdExpiryTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdExpiryTime"}
ID id-oa-pwdExpiryTime }
-- pwdEndTime: GeneralizedTime, single-valued, USAGE directoryOperation,
-- equality and ordering rules declared. Same shape as pwdStartTime and
-- pwdExpiryTime; how it differs from pwdExpiryTime is not stated here and
-- must be taken from the X.520 text.
pwdEndTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdEndTime"}
ID id-oa-pwdEndTime }
-- pwdFails: non-negative counter (INTEGER (0..MAX)), single-valued, with
-- equality and ordering rules. USAGE dSAOperation, unlike the policy
-- attributes below which are directoryOperation: together with
-- pwdFailureTime and pwdGracesUsed this is per-DSA state rather than policy.
-- Presumably the running count of failed authentication attempts that is
-- compared against pwdMaxFailures; confirm against the X.520 text, this
-- module only fixes the syntax.
pwdFails ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE dSAOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdFails"}
ID id-oa-pwdFails }
-- pwdFailureTime: GeneralizedTime, single-valued, USAGE dSAOperation (DSA
-- state, see pwdFails), equality and ordering rules declared. Presumably the
-- timestamp of the most recent authentication failure that pwdFailureDuration
-- and pwdLockoutDuration are measured from; not specified in this module.
pwdFailureTime ATTRIBUTE ::= {
WITH SYNTAX GeneralizedTime
EQUALITY MATCHING RULE generalizedTimeMatch
ORDERING MATCHING RULE generalizedTimeOrderingMatch
SINGLE VALUE TRUE
USAGE dSAOperation
LDAP-SYNTAX generalizedTime.&id
LDAP-NAME {"pwdFailureTime"}
ID id-oa-pwdFailureTime }
-- pwdGracesUsed: non-negative counter (INTEGER (0..MAX)), single-valued,
-- USAGE dSAOperation (DSA state, see pwdFails). Presumably counts grace
-- logins consumed after expiry, to be compared with the pwdGraces policy
-- value; semantics live in the X.520 text.
pwdGracesUsed ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE dSAOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdGracesUsed"}
ID id-oa-pwdGracesUsed }
-- userPwdHistory: instance of the parameterized pwdHistory{} attribute
-- imported from InformationFramework, specialized to userPwd, matched with
-- userPwdHistoryMatch, identified by id-oa-userPwdHistory. The parameter is
-- the userPwd attribute, so presumably the history holds past UserPwd
-- values. NOTE(review): if the clear alternative of UserPwd is in use, this
-- attribute is at least as sensitive as userPwd itself and should be
-- protected accordingly; confirm pwdHistory's definition in X.501.
userPwdHistory ATTRIBUTE ::=
pwdHistory{userPwd,userPwdHistoryMatch,id-oa-userPwdHistory}
-- userPwdRecentlyExpired: instance of the parameterized pwdRecentlyExpired{}
-- attribute from InformationFramework, specialized to userPwd and identified
-- by id-oa-userPwdRecentlyExpired. Same sensitivity caveat as userPwdHistory:
-- it presumably carries a UserPwd value; the retention window is governed by
-- pwdRecentlyExpiredDuration below (per the X.520 text, not this module).
userPwdRecentlyExpired ATTRIBUTE ::=
pwdRecentlyExpired{userPwd,id-oa-userPwdRecentlyExpired}
-- pwdModifyEntryAllowed: BOOLEAN policy flag, single-valued, USAGE
-- directoryOperation, equality via booleanMatch. Exactly which modification
-- it permits (presumably modifying the entry while its password is
-- expired or pending) is defined in the X.520 text.
pwdModifyEntryAllowed ATTRIBUTE ::= {
WITH SYNTAX BOOLEAN
EQUALITY MATCHING RULE booleanMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX boolean.&id
LDAP-NAME {"pwdModifyEntryAllowed"}
ID id-oa-pwdModifyEntryAllowed }
-- pwdChangeAllowed: BOOLEAN policy flag, single-valued, USAGE
-- directoryOperation, equality via booleanMatch. Presumably whether the user
-- may change their own password; semantics per the X.520 text.
pwdChangeAllowed ATTRIBUTE ::= {
WITH SYNTAX BOOLEAN
EQUALITY MATCHING RULE booleanMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX boolean.&id
LDAP-NAME {"pwdChangeAllowed"}
ID id-oa-pwdChangeAllowed }
-- pwdMaxAge: policy value, INTEGER (1 .. MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. The lower bound of 1
-- means "no maximum" cannot be expressed by a value; absence of the attribute
-- would have to carry that meaning. The unit (seconds is likely but not
-- stated here) is defined in the X.520 text.
pwdMaxAge ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1 .. MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMaxAge"}
ID id-oa-pwdMaxAge }
-- pwdExpiryAge: policy value, INTEGER (1 .. MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Same shape and lower
-- bound as pwdMaxAge; how the two ages differ, and the unit, are defined in
-- the X.520 text rather than here.
pwdExpiryAge ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1 .. MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdExpiryAge"}
ID id-oa-pwdExpiryAge }
-- pwdMinLength: policy value, INTEGER (0..MAX), single-valued, USAGE
-- directoryOperation. Only an equality rule is declared (no ordering rule,
-- unlike the other integer policy attributes), so it cannot be range-searched.
-- NOTE(review): 0 is a legal value; if it means "no minimum length" (the
-- X.520 text decides), a deployment that sets it has effectively disabled
-- the length check.
pwdMinLength ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMinLength"}
ID id-oa-pwdMinLength }
-- pwdVocabulary: policy flags of syntax PwdVocabulary (a named BIT STRING,
-- below), single-valued, USAGE directoryOperation, equality via
-- bitStringMatch. Uses the module-defined LDAP syntax
-- pwdVocabularyDescription.
pwdVocabulary ATTRIBUTE ::= {
WITH SYNTAX PwdVocabulary
EQUALITY MATCHING RULE bitStringMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX pwdVocabularyDescription.&id
LDAP-NAME {"pwdVocabulary"}
ID id-oa-pwdVocabulary }
-- PwdVocabulary: bit flags restricting password content. Bit 0 forbids
-- dictionary words, bit 1 person names, bit 2 geographical names. The word
-- lists consulted for each bit are not defined here; pwdDictionaries below
-- presumably supplies them (confirm against the X.520 text). No extension
-- marker, so new bits would require a new version of this type.
PwdVocabulary ::= BIT STRING {
noDictionaryWords (0),
noPersonNames (1),
noGeographicalNames (2) }
-- pwdAlphabet: policy value of syntax PwdAlphabet (SEQUENCE OF UTF8String,
-- below), single-valued, USAGE directoryOperation. No matching rule of any
-- kind is declared, so values can be stored and read but not searched on.
-- How each string constrains the password (allowed character classes?) is
-- defined in the X.520 text, not here.
pwdAlphabet ATTRIBUTE ::= {
WITH SYNTAX PwdAlphabet
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX pwdAlphabetDescription.&id
LDAP-NAME {"pwdAlphabet"}
ID id-oa-pwdAlphabet }
-- PwdAlphabet: an ordered list of UTF8String values; no size constraint and
-- no per-string constraint are imposed at the ASN.1 level.
PwdAlphabet ::= SEQUENCE OF UTF8String
-- pwdDictionaries: a subtype of the imported uri attribute (SUBTYPE OF uri,
-- so syntax and matching are inherited rather than declared here). No
-- SINGLE VALUE clause, so it is multi-valued. USAGE directoryOperation;
-- exposed to LDAP as directoryString.
-- NOTE(review): values are URIs, presumably pointing at the word lists used
-- by pwdVocabulary. Whether a DSA dereferences them, over what transport,
-- and with what integrity checks is not specified in this module; if it does,
-- a writable pwdDictionaries value is an input the DSA fetches and trusts.
pwdDictionaries ATTRIBUTE ::= {
SUBTYPE OF uri
USAGE directoryOperation
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"pwdDictionaries"}
ID id-oa-pwdDictionaries }
-- pwdExpiryWarning: policy value, INTEGER (1..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Lower bound 1, so a
-- zero-length warning window is not representable. Unit and exact meaning
-- (presumably how far before pwdExpiryTime a warning is issued) are in the
-- X.520 text.
pwdExpiryWarning ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdExpiryWarning"}
ID id-oa-pwdExpiryWarning }
-- pwdGraces: policy value, INTEGER (0..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Presumably the number of
-- logins permitted after expiry, tracked per DSA in pwdGracesUsed; 0 is
-- representable and would presumably mean no grace logins. Semantics per
-- the X.520 text.
pwdGraces ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdGraces"}
ID id-oa-pwdGraces }
-- pwdFailureDuration: policy value, INTEGER (0..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Presumably the window
-- over which pwdFails accumulates before being reset; unit and the meaning
-- of 0 are defined in the X.520 text, not here.
pwdFailureDuration ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdFailureDuration"}
ID id-oa-pwdFailureDuration }
-- pwdLockoutDuration: policy value, INTEGER (0..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Presumably how long an
-- entry stays locked after pwdMaxFailures is reached.
-- NOTE(review): 0 is a legal value; whether it means "no lockout" or
-- "locked until administratively reset" is decided by the X.520 text, and
-- the two readings have opposite security consequences, so check before
-- configuring it.
pwdLockoutDuration ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdLockoutDuration"}
ID id-oa-pwdLockoutDuration }
-- pwdMaxFailures: policy value, INTEGER (1..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Lower bound 1, so a value
-- of 0 (which might otherwise be read as "unlimited") is not representable;
-- absence of the attribute would have to mean no lockout threshold.
-- Presumably compared against the DSA-state counter pwdFails.
pwdMaxFailures ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMaxFailures"}
ID id-oa-pwdMaxFailures }
-- pwdMaxTimeInHistory: policy value, INTEGER (1..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Presumably an upper bound
-- on how long a value is retained in userPwdHistory; lower bound 1 means
-- "retain forever" is not a value. Unit per the X.520 text.
pwdMaxTimeInHistory ATTRIBUTE ::= {
WITH SYNTAX INTEGER (1..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMaxTimeInHistory"}
ID id-oa-pwdMaxTimeInHistory }
-- pwdMinTimeInHistory: policy value, INTEGER (0..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. Presumably the minimum
-- retention of a value in userPwdHistory (the counterpart of
-- pwdMaxTimeInHistory, which has lower bound 1 where this has 0). Unit and
-- interaction with pwdHistorySlots per the X.520 text.
pwdMinTimeInHistory ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdMinTimeInHistory"}
ID id-oa-pwdMinTimeInHistory }
-- pwdHistorySlots: policy value, INTEGER (2..MAX), single-valued, USAGE
-- directoryOperation, equality and ordering rules. The lower bound is 2, not
-- 0 or 1, so a history that is disabled or holds a single value cannot be
-- expressed by this attribute; presumably the number of past userPwd values
-- kept in userPwdHistory. Semantics per the X.520 text.
pwdHistorySlots ATTRIBUTE ::= {
WITH SYNTAX INTEGER (2..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdHistorySlots"}
ID id-oa-pwdHistorySlots }
-- pwdRecentlyExpiredDuration: policy value, INTEGER (0..MAX), single-valued,
-- USAGE directoryOperation, equality and ordering rules. Presumably how long
-- an expired password is kept in userPwdRecentlyExpired (and therefore still
-- stored); 0 is representable. Unit and meaning per the X.520 text.
pwdRecentlyExpiredDuration ATTRIBUTE ::= {
WITH SYNTAX INTEGER (0..MAX)
EQUALITY MATCHING RULE integerMatch
ORDERING MATCHING RULE integerOrderingMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX integer.&id
LDAP-NAME {"pwdRecentlyExpiredDuration"}
ID id-oa-pwdRecentlyExpiredDuration }
-- pwdEncAlg: policy value of syntax PwdEncAlg (an AlgorithmIdentifier drawn
-- from SupportedAlgorithms, below), single-valued, USAGE directoryOperation,
-- equality via pwdEncAlgMatch. Presumably selects the algorithm used to
-- produce the encrypted alternative of UserPwd.
-- NOTE(review): the only constraint on the value is membership in
-- SupportedAlgorithms; this module does not restrict it to one-way or
-- salted algorithms, so what counts as an acceptable password-protection
-- algorithm is a deployment decision.
pwdEncAlg ATTRIBUTE ::= {
WITH SYNTAX PwdEncAlg
EQUALITY MATCHING RULE pwdEncAlgMatch
SINGLE VALUE TRUE
USAGE directoryOperation
LDAP-SYNTAX pwdEncAlgDescription.&id
LDAP-NAME {"pwdEncAlg"}
ID id-oa-pwdEncAlg }
-- PwdEncAlg: an AlgorithmIdentifier (OID plus optional parameters) whose
-- algorithm must be in the imported SupportedAlgorithms object set. It is the
-- same parameterization used by the encrypted alternative of UserPwd.
PwdEncAlg ::= AlgorithmIdentifier{{SupportedAlgorithms}}
-- userPwdMatch: equality matching rule for userPwd. The assertion syntax is
-- UserPwd itself, so an assertion may be presented in either the clear or the
-- encrypted form. The comparison semantics (in particular whether a clear
-- assertion is compared against an encrypted stored value, and how) are not
-- defined in this module; see the X.520 text and AuthenticationFramework.
userPwdMatch MATCHING-RULE ::= {
SYNTAX UserPwd
LDAP-SYNTAX userPwdDescription.&id
LDAP-NAME {"userPwdMatch"}
ID id-mr-userPwdMatch }
-- pwdEncAlgMatch: equality matching rule for pwdEncAlg; the assertion syntax
-- is PwdEncAlg (an AlgorithmIdentifier). Whether parameters take part in the
-- comparison or only the algorithm OID is not stated here.
pwdEncAlgMatch MATCHING-RULE ::= {
SYNTAX PwdEncAlg
LDAP-SYNTAX pwdEncAlgDescription.&id
LDAP-NAME {"pwdEncAlgMatch"}
ID id-mr-pwdEncAlgMatch }
-- userPwdHistoryMatch: instance of the parameterized pwdHistoryMatch{} rule
-- from InformationFramework, specialized to userPwd and identified by
-- id-mr-userPwdHistoryMatch. This is the rule named in the userPwdHistory
-- instantiation above; its semantics come from X.501, not this module.
userPwdHistoryMatch MATCHING-RULE ::= pwdHistoryMatch{userPwd,id-mr-userPwdHistoryMatch}
-- LDAP syntaxes defined by this Directory Specification
-- userPwdDescription: LDAP syntax name for UserPwd, referenced by the userPwd
-- attribute and the userPwdMatch rule. The LDAP string encoding of a UserPwd
-- value is not given in this module.
userPwdDescription SYNTAX-NAME ::= {
LDAP-DESC "User Password Description"
DIRECTORY SYNTAX UserPwd
ID id-asx-userPwdDescription }
-- pwdVocabularyDescription: LDAP syntax name for the PwdVocabulary bit
-- flags, referenced by the pwdVocabulary attribute.
pwdVocabularyDescription SYNTAX-NAME ::= {
LDAP-DESC "Password Vocabulary Description"
DIRECTORY SYNTAX PwdVocabulary
ID id-asx-pwdVocabularyDescription }
-- pwdAlphabetDescription: LDAP syntax name for PwdAlphabet (SEQUENCE OF
-- UTF8String), referenced by the pwdAlphabet attribute.
pwdAlphabetDescription SYNTAX-NAME ::= {
LDAP-DESC "Password Alphabet Description"
DIRECTORY SYNTAX PwdAlphabet
ID id-asx-pwdAlphabetDescription }
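-- pwdEncAlgDescription: LDAP syntax name for PwdEncAlg (the
-- AlgorithmIdentifier carried by pwdEncAlg), referenced by the pwdEncAlg
-- attribute and the pwdEncAlgMatch rule.
-- The LDAP-DESC previously read "Password Alphabet Description", a verbatim
-- copy of pwdAlphabetDescription's text above, which mislabels this syntax
-- in any human-readable schema listing. It is corrected here; the syntax is
-- identified by its OID (id-asx-pwdEncAlgDescription), which is unchanged.
pwdEncAlgDescription SYNTAX-NAME ::= {
LDAP-DESC "Password Encryption Algorithm Description"
DIRECTORY SYNTAX PwdEncAlg
ID id-asx-pwdEncAlgDescription }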
-- object identifier assignments
-- directory attributes
-- The one user attribute of this module takes arc 85 under the imported
-- id-at (attribute types) arc.
id-at-userPwd OBJECT IDENTIFIER ::= {id-at 85}
-- operational attributes --
-- Operational attributes are allocated contiguously under the imported id-oa
-- arc, 22 through 47, in the same order the attributes are defined above
-- (the two parameterized instantiations, userPwdHistory and
-- userPwdRecentlyExpired, take 28 and 29).
id-oa-pwdStartTime OBJECT IDENTIFIER ::= {id-oa 22}
id-oa-pwdExpiryTime OBJECT IDENTIFIER ::= {id-oa 23}
id-oa-pwdEndTime OBJECT IDENTIFIER ::= {id-oa 24}
id-oa-pwdFails OBJECT IDENTIFIER ::= {id-oa 25}
id-oa-pwdFailureTime OBJECT IDENTIFIER ::= {id-oa 26}
id-oa-pwdGracesUsed OBJECT IDENTIFIER ::= {id-oa 27}
id-oa-userPwdHistory OBJECT IDENTIFIER ::= {id-oa 28}
id-oa-userPwdRecentlyExpired OBJECT IDENTIFIER ::= {id-oa 29}
id-oa-pwdModifyEntryAllowed OBJECT IDENTIFIER ::= {id-oa 30}
id-oa-pwdChangeAllowed OBJECT IDENTIFIER ::= {id-oa 31}
id-oa-pwdMaxAge OBJECT IDENTIFIER ::= {id-oa 32}
id-oa-pwdExpiryAge OBJECT IDENTIFIER ::= {id-oa 33}
id-oa-pwdMinLength OBJECT IDENTIFIER ::= {id-oa 34}
id-oa-pwdVocabulary OBJECT IDENTIFIER ::= {id-oa 35}
id-oa-pwdAlphabet OBJECT IDENTIFIER ::= {id-oa 36}
id-oa-pwdDictionaries OBJECT IDENTIFIER ::= {id-oa 37}
id-oa-pwdExpiryWarning OBJECT IDENTIFIER ::= {id-oa 38}
id-oa-pwdGraces OBJECT IDENTIFIER ::= {id-oa 39}
id-oa-pwdFailureDuration OBJECT IDENTIFIER ::= {id-oa 40}
id-oa-pwdLockoutDuration OBJECT IDENTIFIER ::= {id-oa 41}
id-oa-pwdMaxFailures OBJECT IDENTIFIER ::= {id-oa 42}
id-oa-pwdMaxTimeInHistory OBJECT IDENTIFIER ::= {id-oa 43}
id-oa-pwdMinTimeInHistory OBJECT IDENTIFIER ::= {id-oa 44}
id-oa-pwdHistorySlots OBJECT IDENTIFIER ::= {id-oa 45}
id-oa-pwdRecentlyExpiredDuration OBJECT IDENTIFIER ::= {id-oa 46}
id-oa-pwdEncAlg OBJECT IDENTIFIER ::= {id-oa 47}
-- matching rules
-- Matching rules take arcs 71 through 73 under the imported id-mr arc.
id-mr-userPwdMatch OBJECT IDENTIFIER ::= {id-mr 71}
id-mr-userPwdHistoryMatch OBJECT IDENTIFIER ::= {id-mr 72}
id-mr-pwdEncAlgMatch OBJECT IDENTIFIER ::= {id-mr 73}
-- syntaxes
-- LDAP syntaxes take arcs 0 through 3 under the imported id-asx arc, in the
-- order the SYNTAX-NAME objects are defined above.
id-asx-userPwdDescription OBJECT IDENTIFIER ::= {id-asx 0}
id-asx-pwdVocabularyDescription OBJECT IDENTIFIER ::= {id-asx 1}
id-asx-pwdAlphabetDescription OBJECT IDENTIFIER ::= {id-asx 2}
id-asx-pwdEncAlgDescription OBJECT IDENTIFIER ::= {id-asx 3}
END -- Password policy