1.0 Introduction
================

This document explains how Password Policy is applied by the
Likewise Security and Authentication Subsystem (LSASS).

2.0 Password Policies for Local Users
=====================================

    Password Policies for Local Users are applied in the Local Authentication
    Provider.

    2.1 Account is disabled
    =======================

    The local account is considered being disabled when the 
    LW_ACCOUNT_DISABLED (0x0001) bit of the user info flags is set. Under this
    circumstance, the user must not be allowed to login.

    This property can be reset by a privileged account (root).

    2.2 User cannot change password
    ===============================

    If the LW_CANNOT_CHANGE_PASSWORD bit (0x0002) of the user info flags is set
    the user should not be allowed to change their password.

    In this case, the password can be reset only by a privileged (root) account.

    This property can be reset by a privileged account (root).

    2.3 Password will not expire
    ============================

    If the LW_PASSWORD_CANNOT_EXPIRE bit (0x0004) of the user info flags is
    set, the password age policy would not apply to such a user record.

    If this flag is not set, the user account will be subject to password aging.
    If the password is set to expire within a grace period, at each subsequent
    login, the user must be prompted to optionally change their password. After
    the password expires, the user must not be allowed to login. The password
    can be reset by a privileged account (root).

    2.4	Account is locked out
    =========================

    If a user fails to enter the correct password consecutively for a number
    of times, greater than a threshold value (for instance 3 times), the
    account will be locked out.

    Once an account is set to be locked out, the user will not be allowed to
    login even after entering the correct password. Also, the user will not be
    allowed to change the password.

    The account is effectively inoperative until it is unlocked by a
    privileged user (root).

    This account is locked out if the LW_ACCOUNT_LOCKED_OUT (0x0008) bit of
    the user info flags is set.

    2.5	User must change password at next logon
    ===========================================

    If the PasswdChangeTime field on the user account is 0, the user will be
    required to change his/her password. If this value is -1, the user is not
    required to change his/her password.

    If this scenario was true, and the root user changed the password, the
    flag should not be cleared. Thus it will be effective at the actual user
    login.

    2.6 Password Complexity
    =======================

    -- TODO --

3.0 Password Policies for Active Directory Users
================================================

    Password Policies for Local Users are applied in the Active Directory
    Authentication Provider.
			
    3.1	Account is disabled
    =======================

    If the UF_ACCOUNT_DISABLE (0x0002) is set in the "User-Account-Control"
    attribute of the user object, the corresponding account is disabled and
    the user must not be allowed to login.

    3.2	User cannot change password
    ===============================

    If the UF_PASSWD_CANT_CHANGE (0x0040) is set in the "User-Account-Control"
    attribute of the user object, the corresponding user will not be allowed
    to change his/her password.

    3.3	Password will not expire
    ============================

    If the UF_DONT_EXPIRE_PASSWD (0x10000) is set in the "User-Account-Control"
    attribute of the user object, the password aging policy will not apply to
    this user account.

    If this flag was not set, the value of the "max-pwd-age" attribute on the
    user's domain is added to the "Pwd-Last-Set" attribute on the user's
    account, in order to determine if the password expired. If the password
    expired, the user is prompted to change his/her password.

    3.4	Account is locked out
    =========================

    If the UF_LOCKOUT (0x0010) is set in the "User-Account-Control" attribute
    of the user object, the corresponding account is locked out and the user
    should not be allowed to login, until the account is unlocked by a
    privileged user.

    3.5	User must change password at next logon
    ===========================================

    If the "Pwd-Last-Set" attribute on the user object is "0", the user must
    change his/her password at the next logon.

    If the value of the "Pwd-Last-Set" attribute is "-1", the user does not
    have to change his/her password at the next logon.

    3.6 Password Complexity
    =======================

    -- TODO --

