New Password Policy

The password is too young

The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a BER octet string, with the format {tii}, which has the following meaning:

t is a tag defining which warning is set, if any. The value of t can be one of the following:

LDAP_PWP_WARNING_RESP_NONE (0x00L)

LDAP_PWP_WARNING_RESP_EXP (0x01L)

LDAP_PWP_WARNING_RESP_GRACE (0x02L)

The first i indicates warning information.

The warning depends on the value set for t as follows:

If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.

If t is set to LDAP_PWP_WARNING_RESP_EXP, the warning is the number of seconds before expiration.

If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining grace logins.

The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the error contains one of the following values:

pwp_resp_no_error (-1)

pwp_resp_expired_error (0)

pwp_resp_locked_error (1)

pwp_resp_need_change_error (2)

pwp_resp_mod_not_allowed_error (3)

pwp_resp_give_old_error (4)

pwp_resp_bad_qa_error (5)

pwp_resp_too_short_error (6)

pwp_resp_too_young_error (7)

pwp_resp_in_hist_error (8)
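The following C decoder for a {tii} control value is an added example, not code from this manual or from the LDAP C SDK. It rejects truncated or inconsistent values instead of trusting them. The byte layout is an assumption based on the usual ber_printf reading of that format (a SEQUENCE holding an integer that carries tag t, then a universal INTEGER); pwp_decode, struct pwp_resp and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Tag values as listed on this page (EXP is 0x01L). */
#define LDAP_PWP_WARNING_RESP_NONE  0x00L
#define LDAP_PWP_WARNING_RESP_GRACE 0x02L
struct pwp_resp { int ok; long tag, warning, error; };

/* Constructed samples; assumed layout: 30 len | t len warning | 02 len error */
const unsigned char SAMPLE_EXP[]   = {0x30,0x07, 0x01,0x02,0x01,0x2C, 0x02,0x01,0xFF};
const unsigned char SAMPLE_YOUNG[] = {0x30,0x06, 0x00,0x01,0xFF, 0x02,0x01,0x07};
const unsigned char SAMPLE_TRUNC[] = {0x30,0x06, 0x00,0x01,0xFF, 0x02,0x01};

/* Read one tag/length/integer element (short lengths only); returns bytes consumed, 0 if malformed. */
static size_t get_int(const unsigned char *p, size_t n, long *tag, long *val)
{
    if (n < 3 || p[1] == 0 || p[1] > sizeof(long) || (size_t)p[1] + 2 > n)
        return 0;
    unsigned long v = (p[2] & 0x80) ? ~0UL : 0UL;  /* sign-extend two's complement */
    for (size_t i = 0; i < p[1]; i++)
        v = (v << 8) | p[2 + i];
    *tag = p[0]; *val = (long)v;
    return 2 + (size_t)p[1];
}

/* Decode {tii}; ok stays 0 unless the whole buffer parses and obeys the rules above. */
struct pwp_resp pwp_decode(const unsigned char *b, size_t n)
{
    struct pwp_resp r = {0, 0, 0, 0};
    long etag;
    size_t a, c;
    if (n < 2 || b[0] != 0x30 || b[1] > 0x7f || (size_t)b[1] + 2 != n)
        return r;                                  /* not one short-form SEQUENCE */
    if ((a = get_int(b + 2, n - 2, &r.tag, &r.warning)) == 0 ||
        (c = get_int(b + 2 + a, n - 2 - a, &etag, &r.error)) == 0 || etag != 0x02 || 2 + a + c != n)
        return r;                                  /* truncated, malformed or trailing bytes */
    if (r.tag > LDAP_PWP_WARNING_RESP_GRACE) return r;  /* t must be NONE, EXP or GRACE */
    if (r.tag == LDAP_PWP_WARNING_RESP_NONE &&
        (r.warning != -1 || r.error < -1 || r.error > 8))
        return r;                                  /* NONE: warning is -1, error in -1..8 */
    r.ok = 1;
    return r;
}

int main(void)
{
    struct pwp_resp r = pwp_decode(SAMPLE_EXP, sizeof SAMPLE_EXP);
    printf("ok=%d t=%ld warning=%ld error=%ld\n", r.ok, r.tag, r.warning, r.error);
    return 0;
}
```

A client should treat ok == 0 as "no usable policy information" rather than as "no error".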

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP search operations only.

Password Policy Compatibility

For migration purposes, the new password policy maintains compatibility with previous Directory Server versions by identifying a compatibility mode. The compatibility mode determines whether password policy attributes are handled as old attributes or new attributes, where old refers to Directory Server 5 password policy attributes.

The compatibility mode can be read using the dsconf command as follows:

Chapter 5 • Architectural Changes in Directory Server 6.0
