Effective password policy
- Name: Effective password policy
- Description: Used to query the effective password policy for a user or group entry and lists the policies used in determining its effective password policy.
- Assigned object identifier: 1.3.18.0.2.12.75
- Values: The following ASN.1 syntax describes the BER encoding of the request value.
RequestValue ::= SEQUENCE { entryDN LDAPDN }
where,
entryDN
- A distinguished name (DN) containing the entry whose effective password policies and password policy attribute values are being queried.
- Detailed description: The Effective password policy extended operation is only allowed when bound as an LDAP root or directory data administrator, or as a user querying its own effective password policy. An LDAP root or directory data administrator is allowed to query the effective password policy of other users and groups in the directory. When a user entry is queried, this extended operation shows the effective password policy entries and values that are used to control the user's authentication and password modifications. When a group entry is queried, this extended operation provides the effective password policy that is a combination of the group's password policy attributes and the global password policy entry, cn=pwdpolicy,cn=ibmpolicies.
- Response object identifier: 1.3.18.0.2.12.77
- Response description: When a user entry is queried, this extended response shows the effective password entries and values used to control the user's authentication and password modifications. When a group entry is queried, this extended operation provides the effective password policy that is a combination of the group's password policy attributes and the global password policy entry, cn=pwdpolicy,cn=ibmpolicies. If a user is querying their own effective password policy, the objectNames are not returned.
- Response values: The following describes the response value.
ResponseValue ::= SEQUENCE {
    attributes SEQUENCE OF SEQUENCE {
        attributeType AttributeDescription,
        values SET OF AttributeValue
    }
    objectNames [0] SEQUENCE {
        objectName LDAPDN OPTIONAL
    }
}
Where,
attributes
- The password policy attribute types and values that are contained in the user's or group's effective password policy.
objectName
- The distinguished names of all password policy entries from where the effective password policy attribute values are derived. The objectName field is only returned in the extended operation response when bound as an LDAP root or directory data administrator. It is not returned when bound as a normal user.
- Response detailed description:
The following table summarizes some different error scenarios and the Effective password policy response returned for such scenarios.

| Error scenario | Effective password policy response |
|---|---|
| An unauthorized user tries to perform the extended operation | Returns an LDAP_INSUFFICIENT_ACCESS return code |
| Syntax of DN specified is not correct | Returns an LDAP_INVALID_DN_SYNTAX return code |
| Insufficient memory to perform the operation | Returns an LDAP_NO_MEMORY return code |
| entryDN does not exist | Returns an LDAP_NO_SUCH_OBJECT return code |
| Internal server error | Returns an LDAP_OPERATIONS_ERROR return code |
| LDAP server is unable to decode the request | Returns an LDAP_PROTOCOL_ERROR return code |
| Returned for errors not covered by previously documented return codes. Check the corresponding error message for further details. | Returns an LDAP_OTHER return code |
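
The request and response values described above, encoded and decoded with a small BER helper in Python, including the case where objectNames is absent because the caller is bound as a normal user. This is an added example, not IBM code; it assumes IMPLICIT tagging for `objectNames [0]` (the default in LDAP's own ASN.1 module), and the attribute names and values in `sample_response` are constructed.

```python
SEQ, SET, OCTETS, CTX0 = 0x30, 0x31, 0x04, 0xA0  # BER tags used by this operation

def tlv(tag, content):
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def encode_request(entry_dn):
    # RequestValue ::= SEQUENCE { entryDN LDAPDN }; LDAPDN is an OCTET STRING
    return tlv(SEQ, tlv(OCTETS, entry_dn.encode("utf-8")))

def children(buf):  # split buf into (tag, content) pairs, rejecting bad lengths
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2 or buf[pos + 1] == 0x80:
            raise ValueError("truncated header or indefinite length")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("length runs past end of buffer")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_response(value):
    """Return (attributes, objectNames); objectNames is None when absent."""
    attrs, names = {}, None
    ((tag, body),) = children(value)
    if tag != SEQ:
        raise ValueError("ResponseValue must be a SEQUENCE")
    for tag, content in children(body):
        if tag == SEQ:  # attributes SEQUENCE OF SEQUENCE
            for _, item in children(content):
                (_, atype), (_, vals) = children(item)
                attrs[atype.decode()] = [v.decode() for _, v in children(vals)]
        elif tag == CTX0:  # objectNames [0], IMPLICIT tagging assumed
            names = [dn.decode() for _, dn in children(content)]
    return attrs, names

def sample_response(as_admin):  # constructed sample, not captured from a server
    attr = lambda t, v: tlv(SEQ, tlv(OCTETS, t) + tlv(SET, tlv(OCTETS, v)))
    body = tlv(SEQ, attr(b"pwdMinLength", b"8") + attr(b"pwdMaxAge", b"7776000"))
    if as_admin:  # objectNames is returned only to root / directory data admins
        body += tlv(CTX0, tlv(OCTETS, b"cn=pwdpolicy,cn=ibmpolicies"))
    return tlv(SEQ, body)
```

A client that audits policy sources should treat a `None` objectNames as "bound without administrator rights", not as "no policy entries apply".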