PP_passwordTooShort = 6,
PP_passwordTooYoung = 7,
PP_passwordInHistory = 8,
+ PP_passwordTooLong = 9,
PP_noError = 65535
} LDAPPasswordPolicyError;
case PP_passwordTooShort: return "Password is too short for policy";
case PP_passwordTooYoung: return "Password has been changed too recently";
case PP_passwordInHistory: return "New password is in list of old passwords";
+ case PP_passwordTooLong: return "Password is too long for policy";
case PP_noError: return "No error";
default: return "Unknown error code";
}
int pwdCheckQuality; /* 0 = don't check quality, 1 = check if possible,
2 = check mandatory; fail if not possible */
int pwdMinLength; /* minimum number of chars in password */
+ int pwdMaxLength; /* maximum number of chars in password */
int pwdExpireWarning; /* number of seconds that warning controls are
sent before a password expires */
int pwdGraceExpiry; /* number of seconds after expiry grace logins are
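Review bot: The comment on the new `pwdMaxLength` field says "chars", but the enforcement added later in this commit compares against `cred->bv_len`, which is a byte count, so multi-byte UTF-8 passwords reach the limit sooner than the comment suggests. That check also treats 0 as "no limit", which the field comment does not mention. I would document both here: `int pwdMaxLength; /* maximum password length, compared against bv_len (bytes); 0 = no limit */`. The struct definition starts and ends outside this hunk.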
if ( ( a = attr_find( pe->e_attrs, ad_pwdMinLength ) )
&& lutil_atoi( &pp->pwdMinLength, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
+ if ( ( a = attr_find( pe->e_attrs, ad_pwdMaxLength ) )
+ && lutil_atoi( &pp->pwdMaxLength, a->a_vals[0].bv_val ) != 0 )
+ goto defaultpol;
if ( ( a = attr_find( pe->e_attrs, ad_pwdMaxFailure ) )
&& lutil_atoi( &pp->pwdMaxFailure, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
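Review bot: The parsed `pwdMaxLength` is stored without any range check, so a negative value or one smaller than `pwdMinLength` is accepted as policy. In the later hunk, `cred->bv_len > pp->pwdMaxLength` compares an unsigned length with this `int`, so a negative value (if `lutil_atoi` accepts a leading minus, which is not visible here) converts to a huge unsigned number and the limit is silently never enforced. A non-zero maximum below the minimum would make every new password fail one of the two length checks. Consider rejecting both cases right after parsing, for example `if ( pp->pwdMaxLength < 0 || ( pp->pwdMaxLength && pp->pwdMaxLength < pp->pwdMinLength ) ) goto defaultpol;`, assuming that falling back to the default policy is the desired response to a malformed entry. The enclosing function starts and ends outside this hunk.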
return rc;
}
+ if ( pp->pwdMaxLength && cred->bv_len > pp->pwdMaxLength ) {
+ rc = LDAP_CONSTRAINT_VIOLATION;
+ if ( err ) *err = PP_passwordTooLong;
+ return rc;
+ }
+
/*
* We need to know if the password is already hashed - if so
* what scheme is it. The reason being that the "hash" of
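Review bot: The new test `if ( pp->pwdMaxLength && cred->bv_len > pp->pwdMaxLength )` runs before the step described by the comment that follows it, where the code works out whether the value is already hashed. For a pre-hashed value, `bv_len` is the length of the scheme prefix plus the encoded hash rather than of the cleartext, so a small `pwdMaxLength` could reject it with `PP_passwordTooLong` for a reason unrelated to the password itself. Consider moving the check after the scheme detection so that it applies only to cleartext, or state the intent in a comment such as `/* length limit applies to the value as supplied, hashed or not */`. The enclosing function starts and ends outside this hunk, so the ordering relative to the existing minimum-length check should be confirmed there.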