1.0 Introduction ================ This document explains how Password Policy is applied by the Likewise Security and Authentication Subsystem (LSASS). 2.0 Password Policies for Local Users ===================================== Password Policies for Local Users are applied in the Local Authentication Provider. 2.1 Account is disabled ======================= The local account is considered being disabled when the LW_ACCOUNT_DISABLED (0x0001) bit of the user info flags is set. Under this circumstance, the user must not be allowed to login. This property can be reset by a privileged account (root). 2.2 User cannot change password =============================== If the LW_CANNOT_CHANGE_PASSWORD bit (0x0002) of the user info flags is set the user should not be allowed to change their password. In this case, the password can be reset only by a privileged (root) account. This property can be reset by a privileged account (root). 2.3 Password will not expire ============================ If the LW_PASSWORD_CANNOT_EXPIRE bit (0x0004) of the user info flags is set, the password age policy would not apply to such a user record. If this flag is not set, the user account will be subject to password aging. If the password is set to expire within a grace period, at each subsequent login, the user must be prompted to optionally change their password. After the password expires, the user must not be allowed to login. The password can be reset by a privileged account (root). 2.4 Account is locked out ========================= If a user fails to enter the correct password consecutively for a number of times, greater than a threshold value (for instance 3 times), the account will be locked out. Once an account is set to be locked out, the user will not be allowed to login even after entering the correct password. Also, the user will not be allowed to change the password. The account is effectively inoperative until it is unlocked by a privileged user (root). This account is locked out if the LW_ACCOUNT_LOCKED_OUT (0x0008) bit of the user info flags is set. 2.5 User must change password at next logon =========================================== If the PasswdChangeTime field on the user account is 0, the user will be required to change his/her password. If this value is -1, the user is not required to change his/her password. If this scenario was true, and the root user changed the password, the flag should not be cleared. Thus it will be effective at the actual user login. 2.6 Password Complexity ======================= -- TODO -- 3.0 Password Policies for Active Directory Users ================================================ Password Policies for Local Users are applied in the Active Directory Authentication Provider. 3.1 Account is disabled ======================= If the UF_ACCOUNT_DISABLE (0x0002) is set in the "User-Account-Control" attribute of the user object, the corresponding account is disabled and the user must not be allowed to login. 3.2 User cannot change password =============================== If the UF_PASSWD_CANT_CHANGE (0x0040) is set in the "User-Account-Control" attribute of the user object, the corresponding user will not be allowed to change his/her password. 3.3 Password will not expire ============================ If the UF_DONT_EXPIRE_PASSWD (0x10000) is set in the "User-Account-Control" attribute of the user object, the password aging policy will not apply to this user account. If this flag was not set, the value of the "max-pwd-age" attribute on the user's domain is added to the "Pwd-Last-Set" attribute on the user's account, in order to determine if the password expired. If the password expired, the user is prompted to change his/her password. 3.4 Account is locked out ========================= If the UF_LOCKOUT (0x0010) is set in the "User-Account-Control" attribute of the user object, the corresponding account is locked out and the user should not be allowed to login, until the account is unlocked by a privileged user. 3.5 User must change password at next logon =========================================== If the "Pwd-Last-Set" attribute on the user object is "0", the user must change his/her password at the next logon. If the value of the "Pwd-Last-Set" attribute is "-1", the user does not have to change his/her password at the next logon. 3.6 Password Complexity ======================= -- TODO --