Novell is now a part of Micro Focus

eDirectory, LDAP and Password Policy Controls

Articles and Tips: tip

Karl Bunnel
Novell, Inc.

01 Apr 2002

LDAP controls provide a mechanism for additional information to be supplied as part of an LDAP operation. One example of an LDAP control is a Password Policy Control. A Password Policy Control can be used to return information during a bind request concerning the user's password expiration state.

For example, the Password Policy Control can warn users that their password is about to expire, how long until the password expires, or that a password has already expired.

The LDAP server included with eDirectory v8.5 and v8.6 does not support a Password Policy Control. In the absence of a Password Policy Control, the eDirectory LDAP server returns an error code and uses the message portion of the LDAP reply to provide specific information about the nature of the bind failure.

The bind reply identifies each singular error condition with a unique error code. The password policy for the eDirectory LDAP server are defined using the ConsoleOne utility on the User Property page, under the "Password Restrictions" tab. The password policy includes password restriction parameters, such as the password expiration date, password expiration interval and the number of grace logins.

The error code combined with the message portion of the LDAP reply defines the state of the password policy. Following is the password policy, followed by the corresponding error code / LDAP message combinations.

Password Policy LDAP Error Code
LDAP Message

Bad password, expired account password 49

"NDS error: failed authentication (-669)"

Good password, expired account password,

grace logins disabled 0

"NDS error: password expired (-223)"

Grace count is ignored, failure is ignored. Good password, expired account password, grace > 0 0

"NDS error: password expired (-223)"

Grace is decremented by 1.

Any password, expired account password,

grace = 0 49

"NDS error: bad password (-222)"

No login of any kind is allowed on the account.

* Originally published in Novell AppNotes


The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.

© Copyright Micro Focus or one of its affiliates