Password policy compatibility – Sun Microsystems 8190994 User Manual

The password is too young

The password already exists in history

The LDAP_CONTROL_PWP control indicates warning and error conditions. The control value is a
BER octet string, with the format {tii}, which has the following meaning:

t is a tag defining which warning is set, if any. The value of t can be one of the following:

LDAP_PWP_WARNING_RESP_NONE (0x00L)

LDAP_PWP_WARNING_RESP_EXP (0x01L)

LDAP_PWP_WARNING_RESP_GRACE (0x02L)

The first i indicates warning information.

The warning depends on the value set for t as follows:

If t is set to LDAP_PWP_WARNING_RESP_NONE, the warning is -1.

If t is set to LDAP_PWP_WARNING_RESP_EXP, the warning is the number of seconds before
expiration.

If t is set to LDAP_PWP_WARNING_RESP_GRACE, the warning is the number of remaining
grace logins.

The second i indicates error information. If t is set to LDAP_PWP_WARNING_RESP_NONE, the
error contains one of the following values:

pwp_resp_no_error (-1)

pwp_resp_expired_error (0)

pwp_resp_locked_error (1)

pwp_resp_need_change_error (2)

pwp_resp_mod_not_allowed_error (3)

pwp_resp_give_old_error (4)

pwp_resp_bad_qa_error (5)

pwp_resp_too_short_error (6)

pwp_resp_too_young_error (7)

pwp_resp_in_hist_error (8)
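
As an added illustration (not code from the Sun manual or its SDK), the following C code decodes a {tii} control value with explicit bounds checks, because the value arrives from the server and should be parsed as untrusted input. It assumes the format string follows ber_scanf conventions, that t appears on the wire as the tag byte of the first integer, and that all lengths are short-form; pwp_resp, read_int, pwp_decode and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* Tag values as listed on the page. */
#define LDAP_PWP_WARNING_RESP_NONE  0x00L
#define LDAP_PWP_WARNING_RESP_EXP   0x01L
#define LDAP_PWP_WARNING_RESP_GRACE 0x02L

/* Hypothetical result type: t, first i (warning), second i (error). */
typedef struct { long tag, warning, error; } pwp_resp;

/* Read one tag/length/value element holding a signed integer of 1..4 bytes
 * (short-form length only). Returns 0, or -1 on truncated/malformed input. */
static int read_int(const uint8_t *b, size_t n, size_t *pos, long *tag, long *val)
{
    if (*pos > n || n - *pos < 2) return -1;
    size_t len = b[*pos + 1];
    if (len < 1 || len > 4 || n - *pos - 2 < len) return -1;
    const uint8_t *p = b + *pos + 2;
    uint32_t v = (p[0] & 0x80) ? 0xFFFFFFFFu : 0;   /* sign-extend */
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    *tag = b[*pos];
    *val = (long)(int32_t)v;
    *pos += 2 + len;
    return 0;
}

/* Decode a {tii} value. Assumption: a SEQUENCE (0x30) whose first integer
 * carries t as its tag byte, followed by a universal INTEGER (0x02). */
int pwp_decode(const uint8_t *b, size_t n, pwp_resp *out)
{
    size_t pos = 2;
    long etag;
    if (n < 2 || b[0] != 0x30 || b[1] >= 0x80 || (size_t)b[1] != n - 2) return -1;
    if (read_int(b, n, &pos, &out->tag, &out->warning) != 0) return -1;
    if (out->tag > LDAP_PWP_WARNING_RESP_GRACE) return -1;   /* unknown t */
    if (read_int(b, n, &pos, &etag, &out->error) != 0 || etag != 0x02) return -1;
    /* Per the page, t == NONE means the warning field is -1. */
    if (out->tag == LDAP_PWP_WARNING_RESP_NONE && out->warning != -1) return -1;
    return pos == n ? 0 : -1;   /* reject trailing bytes */
}

/* Constructed sample values, not captured from a server. */
const uint8_t sample_expiring[]  = {0x30,0x07, 0x01,0x02,0x0E,0x10, 0x02,0x01,0xFF};
const uint8_t sample_locked[]    = {0x30,0x06, 0x00,0x01,0xFF, 0x02,0x01,0x01};
const uint8_t sample_truncated[] = {0x30,0x07, 0x01,0x02,0x0E,0x10, 0x02,0x01};
```
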

The LDAP_CONTROL_ACCOUNT_USABLE control provides account status information on LDAP
search operations only.

Password Policy Compatibility

For migration purposes, the new password policy maintains compatibility with previous
Directory Server versions by identifying a compatibility mode. The compatibility mode
determines whether password policy attributes are handled as old attributes or new attributes,
where old refers to Directory Server 5 password policy attributes.

The compatibility mode can be read using the dsconf command as follows:

New Password Policy

Chapter 5 • Architectural Changes in Directory Server 6.0
