PasswordPolicy

  • Name: PasswordPolicy
  • Description: Used by client applications on add, bind, compare, and modify requests to obtain additional warning or error information about a user's password value.
  • Assigned object identifier: 1.3.6.1.4.1.42.2.27.8.5.1
  • Target of control: Server
  • Control criticality: Never critical
  • Request values: There is no value; the controlValue field is absent.
  • Response values: The following ASN.1 (Abstract Syntax Notation One) syntax describes the BER (Basic Encoding Rules) encoding of the control value.
    ControlValue ::= SEQUENCE {
       warning [0] CHOICE {
          timeBeforeExpiration  [0] INTEGER (0 .. maxInt),
          graceLoginsRemaining  [1] INTEGER (0 .. maxInt) } OPTIONAL,
       error   [1] ENUMERATED {
          passwordExpired               (0),
          accountLocked                 (1),
          changeAfterReset              (2),
          passwordModNotAllowed         (3),
          mustSupplyOldPassword         (4),
          insufficientPasswordQuality   (5),
          passwordTooShort              (6),
          passwordTooYoung              (7),
          passwordInHistory             (8) } OPTIONAL
    }
    Where,
    • warning - An optional field that indicates the password policy warning code. If timeBeforeExpiration is set, the integer indicates the number of seconds before the bound user's password expires. If graceLoginsRemaining is set, the integer indicates the number of logins the bound user has remaining before the password expires.
    • error - An optional field that indicates the password policy error code.
  • Detailed description: This control is valid when sent on an LDAP client's add, bind, compare, or modify request to the LDAP server. The LDAP server returns the PasswordPolicy response control to the client; it contains additional warning and error information about a user's password value. For example, on bind and compare requests, the LDAP server may send a PasswordPolicy response control indicating that the bound user's password is about to expire, has expired, or must be changed after being reset by an LDAP administrator. On add and modify requests that set password values, the LDAP server may send a PasswordPolicy response control indicating that the password is too short, does not meet password policy quality standards, or already exists in the password history of the entry being modified. This information is sent to the client on the add, bind, compare, or modify response.
    Note:
    1. The LDAP server does not send a PasswordPolicy response control when a Kerberos (GSSAPI) or EXTERNAL bind is done.
    2. The LDAP client utilities automatically send the PasswordPolicy control as a noncritical control on add, bind, compare, and modify requests to the targeted LDAP server. See z/OS IBM Tivoli Directory Server Client Programming for z/OS for more information.