2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 2004 The OpenLDAP Foundation.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
19 #include <ac/stdlib.h>
20 #include <ac/string.h>
25 #define PPOLICY_WARNING 0xa0L
26 #define PPOLICY_ERROR 0xa1L
28 #define PPOLICY_EXPIRE 0xa0L
29 #define PPOLICY_GRACE 0xa1L
32 ldap_create_passwordpolicy_control
34 Create and encode the Password Policy Request
36 ld (IN) An LDAP session handle, as obtained from a call to
39 ctrlp (OUT) A result parameter that will be assigned the address
40 of an LDAPControl structure that contains the
41 passwordPolicyRequest control created by this function.
42 The memory occupied by the LDAPControl structure
43 SHOULD be freed when it is no longer in use by
44 calling ldap_control_free().
47 There is no control value for a password policy request
51 ldap_create_passwordpolicy_control( LDAP *ld,
57 assert( LDAP_VALID( ld ) );
58 assert( ctrlp != NULL );
60 if ((ber = ldap_alloc_ber_with_options(ld)) == NULL) {
61 ld->ld_errno = LDAP_NO_MEMORY;
62 return(LDAP_NO_MEMORY);
65 ld->ld_errno = ldap_create_control( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
74 ldap_parse_passwordpolicy_control
76 Decode the passwordPolicyResponse control and return information.
78 ld (IN) An LDAP session handle.
80 ctrls (IN) The address of an
81 LDAPControl structure, typically obtained
82 by a call to ldap_find_control().
84 expirep (OUT) This result parameter is filled in with the number of seconds before
85 the password will expire, if expiration is imminent
86 (imminence as defined by the password policy). If expiration
87 is not imminent, the value is set to -1.
89 gracep (OUT) This result parameter is filled in with the number of grace logins after
90 the password has expired, before no further login attempts
93 errorp (OUT) This result parameter is filled in with the error code of the password operation.
94 If no error was detected, it is set to PP_noError.
98 PasswordPolicyResponseValue ::= SEQUENCE {
100 timeBeforeExpiration [0] INTEGER (0 .. maxInt),
101 graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
102 error [1] ENUMERATED {
105 changeAfterReset (2),
106 passwordModNotAllowed (3),
107 mustSupplyOldPassword (4),
108 invalidPasswordSyntax (5),
109 passwordTooShort (6),
110 passwordTooYoung (7),
111 passwordInHistory (8) } OPTIONAL }
116 ldap_parse_passwordpolicy_control(
121 LDAPPasswordPolicyError *errorp )
124 int i, exp = -1, grace = -1;
128 LDAPPasswordPolicyError err = PP_noError;
130 assert( ld != NULL );
131 assert( LDAP_VALID( ld ) );
134 /* Create a BerElement from the berval returned in the control. */
135 ber = ber_init(&ctrl->ldctl_value);
138 ld->ld_errno = LDAP_NO_MEMORY;
139 return(ld->ld_errno);
142 tag = ber_peek_tag( ber, &berLen );
143 if (tag != LBER_SEQUENCE) goto exit;
145 for( tag = ber_first_element( ber, &berLen, &last );
147 tag = ber_next_element( ber, &berLen, last ) ) {
149 case PPOLICY_WARNING:
150 ber_skip_tag(ber, &berLen );
151 tag = ber_peek_tag( ber, &berLen );
154 if (ber_get_int( ber, &exp ) == LBER_DEFAULT) goto exit;
157 if (ber_get_int( ber, &grace ) == LBER_DEFAULT) goto exit;
166 if (ber_get_enum( ber, (int *)&err ) == LBER_DEFAULT) goto exit;
175 /* Return data to the caller for items that were requested. */
176 if (expirep) *expirep = exp;
177 if (gracep) *gracep = grace;
178 if (errorp) *errorp = err;
180 ld->ld_errno = LDAP_SUCCESS;
181 return(ld->ld_errno);
185 ld->ld_errno = LDAP_DECODING_ERROR;
186 return(ld->ld_errno);
190 ldap_passwordpolicy_err2txt( LDAPPasswordPolicyError err )
193 case PP_passwordExpired: return "Password expired";
194 case PP_accountLocked: return "Account locked";
195 case PP_changeAfterReset: return "Password must be changed";
196 case PP_passwordModNotAllowed: return "Policy prevents password modification";
197 case PP_mustSupplyOldPassword: return "Policy requires old password in order to change password";
198 case PP_insufficientPasswordQuality: return "Password fails quality checks";
199 case PP_passwordTooShort: return "Password is too short for policy";
200 case PP_passwordTooYoung: return "Password has been changed too recently";
201 case PP_passwordInHistory: return "New password is in list of old passwords";
202 case PP_noError: return "No error";
203 default: return "Unknown error code";