  Client-Server Interaction -- Bind Operation
 
Subject: Client-Server Interaction -- Bind Operation
Author: SteveHB
In response to: Response Control
Posted on: 02/16/2010 10:14:04 PM

(As in SunOne Directory or OpenDS)

Action #1 Client sends bindRequest (wrong password) with NO control

             Client:                                 server:

bindRequest.name:        <bindDn>          -->
bindRequest.credential:  <wrong password and expired>   
pwdPolicyRequestControl: none

                                           <==     bindResponse.resultCode:   49
                                                   bindResponse.errorMessage: Invalid Credentials
                                                   PasswordExpiredControl:    2.16.840.1.113730.3.4.4



Action #2 Client sends bindRequest (expired password) with NO control
             Client:                                 server:

bindRequest.name:        <bindDn>          -->
bindRequest.credential:  <correct password but expired>   
pwdPolicyRequestControl: none

                                           <==     bindResponse.resultCode:   49
                                                   bindResponse.errorMessage: Password has expired
                                                   PasswordExpiredControl:    2.16.840.1.113730.3.4.4



Action #3 Client sends bindRequest (wrong password) with control
             Client:                                 server:

bindRequest.name:        <bindDn>          -->
bindRequest.credential:  <wrong password and expired>   
pwdPolicyRequestControl: 1.3.6.1.4.1.42.2.27.8.5.1

                                           <==     bindResponse.resultCode:   49
                                                   bindResponse.errorMessage: Invalid Credentials
                                                   PasswordPolicyResponseControl: 1.3.6.1.4.1.42.2.27.8.5.1



Action #4 Client sends bindRequest (expired password) with control
             Client:                                 server:

bindRequest.name:        <bindDn>          -->
bindRequest.credential:  <correct password but expired>   
pwdPolicyRequestControl: 1.3.6.1.4.1.42.2.27.8.5.1

                                           <==     bindResponse.resultCode:   49
                                                   bindResponse.errorMessage: Password has expired
                                                   PasswordPolicyResponseControl: 1.3.6.1.4.1.42.2.27.8.5.1



 

> On 02/16/2010 09:31:02 PM SteveHB wrote:

If the client has sent a passwordPolicyRequest control, the server (when solicited by the inclusion of the request control) sends this control with the following operation responses: bindResponse, modifyResponse, addResponse, compareResponse and possibly extendedResponse, to inform of various conditions, and MAY be sent with other operations (in the case of the changeAfterReset error).
  • The controlType is 1.3.6.1.4.1.42.2.27.8.5.1
  • The criticality can be either TRUE or FALSE
  • The controlValue is the BER encoding of the following type:
          PasswordPolicyResponseValue ::= SEQUENCE {
             warning [0] CHOICE {
                timeBeforeExpiration [0] INTEGER (0 .. maxInt),
                graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
             error   [1] ENUMERATED {
                passwordExpired             (0),
                accountLocked               (1),
                changeAfterReset            (2),
                passwordModNotAllowed       (3),
                mustSupplyOldPassword       (4),
                insufficientPasswordQuality (5),
                passwordTooShort            (6),
                passwordTooYoung            (7),
                passwordInHistory           (8) } OPTIONAL }
    

  • timeBeforeExpiration warning specifies the number of seconds before a password will expire.
  • graceAuthNsRemaining warning specifies the remaining number of times a user will be allowed to authenticate with an expired password.
  • passwordExpired error signifies that the password has expired and must be reset.
  • changeAfterReset error signifies that the password must be changed before the user will be allowed to perform any operation other than bind and modify.
  • passwordModNotAllowed error is set when a user is restricted from changing her password.
  • insufficientPasswordQuality error is set when a password doesn't pass quality checking.
  • passwordTooYoung error is set if the age of the password to be modified is not yet old enough.

    Typically, only either a warning or an error will be encoded though there may be exceptions. For example, if the user is required to change a password after the password administrator set it, and the password will expire in a short amount of time, the control may include the timeBeforeExpiration warning and the changeAfterReset error.




