PasswordPolicyResponse is the response to a valid PasswordPolicyRequest

If the client has sent a passwordPolicyRequest SupportedControl, the server (when solicited by the inclusion of the request control) sends this control with the following operation responses:

The controlType is and the controlValue is the BER encoding of the following type:

PasswordPolicyResponseValue ::= SEQUENCE {
   warning [0] CHOICE {
      timeBeforeExpiration [0] INTEGER (0 .. maxInt),
      graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
   error   [1] ENUMERATED {
      passwordExpired             (0),
      accountLocked               (1),
      changeAfterReset            (2),
      passwordModNotAllowed       (3),
      mustSupplyOldPassword       (4),
      insufficientPasswordQuality (5),
      passwordTooShort            (6),
      passwordTooYoung            (7),
      passwordInHistory           (8) } OPTIONAL }

timeBeforeExpiration #

The timeBeforeExpiration warning specifies the number of seconds before a password will expire.


The graceAuthNsRemaining warningspecifies the remaining number of times a user will be allowed toauthenticate with an expired password.


The passwordExpired error signifies that the password has expired and must be reset.


The changeAfterReset error signifies that the password must be changedbefore the user will be allowed to perform any operation other thanbind and modify.


The passwordModNotAllowed error is set when a user is restricted from changing her password.

insufficientPasswordQuality #

The insufficientPasswordQuality error is set when a password doesn't passquality checking.

passwordTooYoung #

The passwordTooYoung error is set if the age of the password to be modified is not yet old enough.

passwordInHistory #

The passwordInHistory error indicates the this password exists in the entry's pwdHistory attribute or in the current password attribute. If the password does exist in the pwdHistory attribute or in the current password attribute, the server sends a response message to the client with the resultCode: LDAP_CONSTRAINT_VIOLATION (19), and includes the PasswordPolicyResponse in the controls field of the response message with the error: passwordInHistory. Typically, only either a warning or an error will be encoded though there may be exceptions.

For example, if the user is required to change a password after the password administrator set it, and the password will expire in a short amount of time, the control may include the timeBeforeExpiration warning and the changeAfterReseterror.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-6) was last changed on 02-Oct-2014 11:37 by jim