1
/* $OpenLDAP: pkg/ldap/libraries/libldap/ppolicy.c,v 1.11.2.4 2008/02/11 23:26:41 kurt Exp $ */
2
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4
* Copyright 2004-2008 The OpenLDAP Foundation.
5
* Portions Copyright 2004 Hewlett-Packard Company.
6
* Portions Copyright 2004 Howard Chu, Symas Corp.
9
* Redistribution and use in source and binary forms, with or without
10
* modification, are permitted only as authorized by the OpenLDAP
13
* A copy of this license is available in the file LICENSE in the
14
* top-level directory of the distribution or, alternatively, at
15
* <http://www.OpenLDAP.org/license.html>.
18
* This work was developed by Howard Chu for inclusion in
19
* OpenLDAP Software, based on prior work by Neil Dunbar (HP).
20
* This work was sponsored by the Hewlett-Packard Company.
26
#include <ac/stdlib.h>
27
#include <ac/string.h>
32
#ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST
34
/* IMPLICIT TAGS, all context-specific */
35
#define PPOLICY_WARNING 0xa0L /* constructed + 0 */
36
#define PPOLICY_ERROR 0x81L /* primitive + 1 */
38
#define PPOLICY_EXPIRE 0x80L /* primitive + 0 */
39
#define PPOLICY_GRACE 0x81L /* primitive + 1 */
42
ldap_create_passwordpolicy_control
44
Create and encode the Password Policy Request
46
ld (IN) An LDAP session handle, as obtained from a call to
49
ctrlp (OUT) A result parameter that will be assigned the address
50
of an LDAPControl structure that contains the
51
passwordPolicyRequest control created by this function.
52
The memory occupied by the LDAPControl structure
53
SHOULD be freed when it is no longer in use by
54
calling ldap_control_free().
57
There is no control value for a password policy request
61
ldap_create_passwordpolicy_control( LDAP *ld,
65
assert( LDAP_VALID( ld ) );
66
assert( ctrlp != NULL );
68
ld->ld_errno = ldap_control_create( LDAP_CONTROL_PASSWORDPOLICYREQUEST,
76
ldap_parse_passwordpolicy_control
78
Decode the passwordPolicyResponse control and return information.
80
ld (IN) An LDAP session handle.
82
ctrl (IN) The address of an
83
LDAPControl structure, either obtained
84
by running thorugh the list of response controls or
85
by a call to ldap_control_find().
87
exptimep (OUT) This result parameter is filled in with the number of seconds before
88
the password will expire, if expiration is imminent
89
(imminency defined by the password policy). If expiration
90
is not imminent, the value is set to -1.
92
gracep (OUT) This result parameter is filled in with the number of grace logins after
93
the password has expired, before no further login attempts
96
errorcodep (OUT) This result parameter is filled in with the error code of the password operation
97
If no error was detected, this error is set to PP_noError.
101
PasswordPolicyResponseValue ::= SEQUENCE {
103
timeBeforeExpiration [0] INTEGER (0 .. maxInt),
104
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
105
error [1] ENUMERATED {
108
changeAfterReset (2),
109
passwordModNotAllowed (3),
110
mustSupplyOldPassword (4),
111
invalidPasswordSyntax (5),
112
passwordTooShort (6),
113
passwordTooYoung (7),
114
passwordInHistory (8) } OPTIONAL }
119
ldap_parse_passwordpolicy_control(
124
LDAPPasswordPolicyError *errorp )
127
int exp = -1, grace = -1;
131
int err = PP_noError;
133
assert( ld != NULL );
134
assert( LDAP_VALID( ld ) );
135
assert( ctrl != NULL );
137
/* Create a BerElement from the berval returned in the control. */
138
ber = ber_init(&ctrl->ldctl_value);
141
ld->ld_errno = LDAP_NO_MEMORY;
142
return(ld->ld_errno);
145
tag = ber_peek_tag( ber, &berLen );
146
if (tag != LBER_SEQUENCE) goto exit;
148
for( tag = ber_first_element( ber, &berLen, &last );
150
tag = ber_next_element( ber, &berLen, last ) )
153
case PPOLICY_WARNING:
154
ber_skip_tag(ber, &berLen );
155
tag = ber_peek_tag( ber, &berLen );
158
if (ber_get_int( ber, &exp ) == LBER_DEFAULT) goto exit;
161
if (ber_get_int( ber, &grace ) == LBER_DEFAULT) goto exit;
168
if (ber_get_enum( ber, &err ) == LBER_DEFAULT) goto exit;
177
/* Return data to the caller for items that were requested. */
178
if (expirep) *expirep = exp;
179
if (gracep) *gracep = grace;
180
if (errorp) *errorp = err;
182
ld->ld_errno = LDAP_SUCCESS;
183
return(ld->ld_errno);
187
ld->ld_errno = LDAP_DECODING_ERROR;
188
return(ld->ld_errno);
192
ldap_passwordpolicy_err2txt( LDAPPasswordPolicyError err )
195
case PP_passwordExpired: return "Password expired";
196
case PP_accountLocked: return "Account locked";
197
case PP_changeAfterReset: return "Password must be changed";
198
case PP_passwordModNotAllowed: return "Policy prevents password modification";
199
case PP_mustSupplyOldPassword: return "Policy requires old password in order to change password";
200
case PP_insufficientPasswordQuality: return "Password fails quality checks";
201
case PP_passwordTooShort: return "Password is too short for policy";
202
case PP_passwordTooYoung: return "Password has been changed too recently";
203
case PP_passwordInHistory: return "New password is in list of old passwords";
204
case PP_noError: return "No error";
205
default: return "Unknown error code";
209
#endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */