<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] is the response to a valid [PasswordPolicyRequest] 

If the client has sent a [passwordPolicyRequest] [SupportedControl], the server (when solicited by the inclusion of the request control) sends this control with the following operation responses: 
* [Bind Response]
* [Modify Response]
* [Add Response]
* [Compare Response]
* [Extended Response] - possibly to inform of various conditions, and MAY be sent with other operations (in the case of the changeAfterReset error).The controlType is 1.3.6.1.4.1.42.2.27.8.5.1 and the controlValue is the BER encoding of the following type:
%%prettify 
{{{
PasswordPolicyResponseValue ::= SEQUENCE {
   warning [0] CHOICE {
      timeBeforeExpiration [0] INTEGER (0 .. maxInt),
      graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
   error   [1] ENUMERATED {
      passwordExpired             (0),
      accountLocked               (1),
      changeAfterReset            (2),
      passwordModNotAllowed       (3),
      mustSupplyOldPassword       (4),
      insufficientPasswordQuality (5),
      passwordTooShort            (6),
      passwordTooYoung            (7),
      passwordInHistory           (8) } OPTIONAL }
}}} /% 

! timeBeforeExpiration 
The timeBeforeExpiration warning specifies the number of seconds before a password will expire.  

! graceAuthNsRemaining
The graceAuthNsRemaining warningspecifies the remaining number of times a user will be allowed toauthenticate with an expired password.  

! passwordExpired
The passwordExpired error signifies that the password has expired and must be reset.  

! changeAfterReset
The changeAfterReset error signifies that the password must be changedbefore the user will be allowed to perform any operation other thanbind and modify.  

! passwordModNotAllowed
The passwordModNotAllowed error is set when a user is restricted from changing her password.  

! insufficientPasswordQuality 
The insufficientPasswordQuality error is set when a password doesn't passquality checking.  

! passwordTooYoung 
The passwordTooYoung error is set if the age of the password to be modified is not yet old enough.

! passwordInHistory           
The passwordInHistory error indicates the this password exists in the entry's [pwdHistory] attribute or in the current password attribute.  If the password does exist in the [pwdHistory] attribute or in the current password attribute, the server sends a response message to the client with the resultCode: [LDAP_CONSTRAINT_VIOLATION] (19), and includes the  [{$pagename}] in the controls field of the response message with the error: passwordInHistory.
   
Typically, only either a warning or an error will be encoded though there may be exceptions.  

For example, if the user is required to change a password after the password administrator set it, and the password will expire in a short amount of time, the control may include the timeBeforeExpiration warning and the changeAfterReseterror.!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
</pre>