PasswordPolicy
- Name: PasswordPolicy
- Description: Used by client applications on add, bind, compare, and modify requests to obtain additional warning or error information about a user's password value.
- Assigned object identifier: 1.3.6.1.4.1.42.2.27.8.5.1
- Target of control: Server
- Control criticality: Never critical
- Request values: There is no value; the controlValue field is absent.
- Response values: The following ASN.1 (Abstract Syntax Notation One) syntax describes the BER (Basic Encoding Rules) encoding of the control value.

    ControlValue ::= SEQUENCE {
        warning [0] CHOICE OPTIONAL {
            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
            graceLoginsRemaining [1] INTEGER (0 .. maxInt) }
        error [1] ENUMERATED OPTIONAL {
            passwordExpired (0),
            accountLocked (1),
            changeAfterReset (2),
            passwordModNotAllowed (3),
            mustSupplyOldPassword (4),
            insufficientPasswordQuality (5),
            passwordTooShort (6),
            passwordTooYoung (7),
            passwordInHistory (8) } }

Where,
warning
- An optional field that indicates the password policy warning code. If timeBeforeExpiration is set, the integer indicates the number of seconds before the bound user's password expires. If graceLoginsRemaining is specified, it indicates the remaining number of logins the bound user has before the password expires.
error
- An optional field that indicates the password policy error code.
- Detailed description: This control is valid when sent
on an LDAP client's add, bind, compare, or modify request to the LDAP
server. The LDAP server returns the PasswordPolicy response
control to the client that contains additional warning and error information
about a user's password value. For example, on bind and compare
requests, the LDAP server may send a PasswordPolicy response
control to the client that indicates that the bound user's password
is about to expire, has expired, or must be changed after being reset
by an LDAP administrator. On add and modify requests of password
values, the LDAP server may send a PasswordPolicy response
control that indicates the password is too short, does not meet password
policy quality standards, or the password value exists in the password
history of the entry being modified. This information is sent to the
client on the add, bind, compare, or modify response.
Note:
- The LDAP server does not send a PasswordPolicy response control when a Kerberos (GSSAPI) or EXTERNAL bind is done.
- The LDAP client utilities automatically send the PasswordPolicy control as a noncritical control on add, bind, compare, and modify requests to the targeted LDAP server. See z/OS IBM Tivoli Directory Server Client Programming for z/OS for more information.