2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 2004 The OpenLDAP Foundation.
5 * Portions Copyright 2004 Hewlett-Packard Company.
6 * Portions Copyright 2004 Howard Chu, Symas Corp.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was developed by Howard Chu for inclusion in
19 * OpenLDAP Software, based on prior work by Neil Dunbar (HP).
20 * This work was sponsored by the Hewlett-Packard Company.
26 #include <ac/stdlib.h>
27 #include <ac/string.h>
32 #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
34 #define PPOLICY_WARNING 0xa0L
35 #define PPOLICY_ERROR 0xa1L
37 #define PPOLICY_EXPIRE 0xa0L
38 #define PPOLICY_GRACE 0xa1L
41 ldap_create_passwordpolicy_control
43 Create and encode the Password Policy Request
45 ld (IN) An LDAP session handle, as obtained from a call to
48 ctrlp (OUT) A result parameter that will be assigned the address
49 of an LDAPControl structure that contains the
50 passwordPolicyRequest control created by this function.
51 The memory occupied by the LDAPControl structure
52 SHOULD be freed when it is no longer in use by
53 calling ldap_control_free().
56 There is no control value for a password policy request
60 ldap_create_passwordpolicy_control( LDAP *ld,
66 assert( LDAP_VALID( ld ) );
67 assert( ctrlp != NULL );
69 if ((ber = ldap_alloc_ber_with_options(ld)) == NULL) {
70 ld->ld_errno = LDAP_NO_MEMORY;
71 return(LDAP_NO_MEMORY);
74 ld->ld_errno = ldap_create_control( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
83 ldap_parse_passwordpolicy_control
85 Decode the passwordPolicyResponse control and return information.
87 ld (IN) An LDAP session handle.
89 ctrls (IN) The address of an
90 LDAPControl structure, typically obtained
91 by a call to ldap_find_control().
93 exptimep (OUT) This result parameter is filled in with the number of seconds before
94 the password will expire, if expiration is imminent
95 (imminency defined by the password policy). If expiration
96 is not imminent, the value is set to -1.
98 gracep (OUT) This result parameter is filled in with the number of grace logins after
99 the password has expired, before no further login attempts
102 errorcodep (OUT) This result parameter is filled in with the error code of the password operation
103 If no error was detected, this error is set to PP_noError.
107 PasswordPolicyResponseValue ::= SEQUENCE {
109 timeBeforeExpiration [0] INTEGER (0 .. maxInt),
110 graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
111 error [1] ENUMERATED {
114 changeAfterReset (2),
115 passwordModNotAllowed (3),
116 mustSupplyOldPassword (4),
117 invalidPasswordSyntax (5),
118 passwordTooShort (6),
119 passwordTooYoung (7),
120 passwordInHistory (8) } OPTIONAL }
125 ldap_parse_passwordpolicy_control(
130 LDAPPasswordPolicyError *errorp )
133 int i, exp = -1, grace = -1;
137 LDAPPasswordPolicyError err = PP_noError;
139 assert( ld != NULL );
140 assert( LDAP_VALID( ld ) );
143 /* Create a BerElement from the berval returned in the control. */
144 ber = ber_init(&ctrl->ldctl_value);
147 ld->ld_errno = LDAP_NO_MEMORY;
148 return(ld->ld_errno);
151 tag = ber_peek_tag( ber, &berLen );
152 if (tag != LBER_SEQUENCE) goto exit;
154 for( tag = ber_first_element( ber, &berLen, &last );
156 tag = ber_next_element( ber, &berLen, last ) ) {
158 case PPOLICY_WARNING:
159 ber_skip_tag(ber, &berLen );
160 tag = ber_peek_tag( ber, &berLen );
163 if (ber_get_int( ber, &exp ) == LBER_DEFAULT) goto exit;
166 if (ber_get_int( ber, &grace ) == LBER_DEFAULT) goto exit;
175 if (ber_get_enum( ber, (int *)&err ) == LBER_DEFAULT) goto exit;
184 /* Return data to the caller for items that were requested. */
185 if (expirep) *expirep = exp;
186 if (gracep) *gracep = grace;
187 if (errorp) *errorp = err;
189 ld->ld_errno = LDAP_SUCCESS;
190 return(ld->ld_errno);
194 ld->ld_errno = LDAP_DECODING_ERROR;
195 return(ld->ld_errno);
199 ldap_passwordpolicy_err2txt( LDAPPasswordPolicyError err )
202 case PP_passwordExpired: return "Password expired";
203 case PP_accountLocked: return "Account locked";
204 case PP_changeAfterReset: return "Password must be changed";
205 case PP_passwordModNotAllowed: return "Policy prevents password modification";
206 case PP_mustSupplyOldPassword: return "Policy requires old password in order to change password";
207 case PP_insufficientPasswordQuality: return "Password fails quality checks";
208 case PP_passwordTooShort: return "Password is too short for policy";
209 case PP_passwordTooYoung: return "Password has been changed too recently";
210 case PP_passwordInHistory: return "New password is in list of old passwords";
211 case PP_noError: return "No error";
212 default: return "Unknown error code";
216 #endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */