draft-behera-ldap-password-policy-11 has just been released, which is the first update to the “Password Policy for LDAP Directories” draft since 2009. The primary differences between versions 10 and 11 of this draft include:

  • The new draft specifies that several attribute types with an integer syntax should use the integerOrderingMatch ordering matching rule.
  • The new draft defines a pwdMaxRecordedFailure attribute type to allow holding information about additional failed authentication attempts beyond the number specified by pwdMaxFailure.
  • The new draft defines a passwordTooLong error type that may be included in the password policy response control.
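As an added illustration of what pwdMaxRecordedFailure changes, here is a small Python model of the server-side failure bookkeeping those attributes govern; it is not text from the draft or code from any directory server. It assumes that a pwdMaxRecordedFailure of 0 means "record no more than pwdMaxFailure" and that a pwdFailureCountInterval of 0 disables aging of old failures; both are assumptions and are marked as such in the comments.

```python
from datetime import datetime, timedelta, timezone

class PasswordPolicyState:
    """Per-entry lockout bookkeeping for one LDAP entry (illustrative model)."""

    def __init__(self, pwd_max_failure, pwd_max_recorded_failure=0,
                 pwd_failure_count_interval=0):
        self.pwd_max_failure = pwd_max_failure
        # Assumption: 0 means "not set", so only pwdMaxFailure values are kept.
        self.pwd_max_recorded_failure = pwd_max_recorded_failure
        # Assumption: 0 means failures are never aged out.
        self.pwd_failure_count_interval = pwd_failure_count_interval
        self.pwd_failure_time = []          # timestamps, oldest first
        self.pwd_account_locked_time = None

    def _prune(self, now):
        """Drop failures older than pwdFailureCountInterval seconds."""
        if self.pwd_failure_count_interval:
            cutoff = now - timedelta(seconds=self.pwd_failure_count_interval)
            self.pwd_failure_time = [t for t in self.pwd_failure_time if t >= cutoff]

    def record_failure(self, now):
        """Called after a failed bind; returns True if the entry is locked."""
        self._prune(now)
        self.pwd_failure_time.append(now)
        # pwdMaxRecordedFailure lets the server keep evidence of attempts
        # that continue after lockout, beyond the pwdMaxFailure threshold.
        limit = max(self.pwd_max_recorded_failure, self.pwd_max_failure)
        if len(self.pwd_failure_time) > limit:
            self.pwd_failure_time = self.pwd_failure_time[-limit:]
        if (self.pwd_account_locked_time is None
                and len(self.pwd_failure_time) >= self.pwd_max_failure):
            self.pwd_account_locked_time = now
        return self.pwd_account_locked_time is not None

    def record_success(self):
        """A successful bind clears the recorded failures."""
        self.pwd_failure_time.clear()

if __name__ == "__main__":
    # Constructed sample: pwdMaxFailure=3, pwdMaxRecordedFailure=5, six bad binds.
    state = PasswordPolicyState(3, 5)
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for i in range(6):
        locked = state.record_failure(base + timedelta(seconds=i))
        print(f"failure {i + 1}: locked={locked}, recorded={len(state.pwd_failure_time)}")
```

With pwdMaxRecordedFailure left at 0 the same six attempts leave only three pwdFailureTime values, so the extra attempts against the locked entry would not be visible to an administrator.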