Support standardized Password Policy Control

Description

CAS LPPE currently examines OpenLDAP or AD attributes to determine when the password expires.

Unfortunately, the IBM Tivoli Directory Server I'm using doesn't support these attributes.
It does however support the proposed LDAP Password Policy standard, see:
http://tools.ietf.org/html/draft-behera-ldap-password-policy-10

I propose creating an LdapPasswordPolicyExaminer (for CAS 4) that examines the passwordPolicyRequest control response to determine account state.

Support for this control type is already in the spring-security-ldap library.

The ContextSource and/or LdapPasswordPolicyAwareAuthenticationHandler will need to be modified too to send the control request and to store the control response so the examiner can access it.

AFAIK both OpenLDAP and AD support this method too, so I would even recommend making this the default LPPE implementation.
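To make concrete what an examiner built on this control would actually look at, the following is an added example (not code from the reporter, from CAS, or from spring-security-ldap): a small Python decoder for the PasswordPolicyResponseValue that the server returns in the response control of the bind, following the ASN.1 in the draft linked above, plus a mapping from the decoded warning/error to an account state. The control OID and the error enumeration are taken from the draft; the sample control values are constructed by hand, and the state names (`LOCKED`, `EXPIRED`, `MUST_CHANGE`, `GRACE_LOGIN`, `EXPIRING`, `OK`) are an assumption chosen for illustration, not CAS names.

```python
"""Decode the LDAP Password Policy response control (draft-behera-ldap-password-policy)
and derive an account state from it. Added example; not CAS or spring-security-ldap code.

ASN.1 from the draft:
  PasswordPolicyResponseValue ::= SEQUENCE {
     warning [0] CHOICE {
        timeBeforeExpiration [0] INTEGER (0 .. maxInt),
        graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
     error   [1] ENUMERATED { passwordExpired (0), ... passwordInHistory (8) } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # from the draft

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds until the password expires
    grace_authns_remaining: Optional[int] = None  # grace binds left after expiry
    error: Optional[str] = None                   # name from ERROR_NAMES, if any


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one definite-length BER TLV at pos. Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by this control")
    pos += 2
    if first & 0x80 == 0:
        length = first                       # short form
    else:
        n = first & 0x7F                     # long form: n length bytes follow
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:end], end


def _read_int(value: bytes) -> int:
    if not value:
        raise ValueError("empty INTEGER/ENUMERATED")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(control_value: bytes) -> PasswordPolicyResponse:
    """Parse the controlValue octets of a passwordPolicyResponse control."""
    tag, body, end = _read_tlv(control_value, 0)
    if tag != 0x30 or end != len(control_value):
        raise ValueError("expected a single SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0]: a tagged CHOICE is explicit, so constructed
            inner_tag, inner, inner_end = _read_tlv(value, 0)
            n = _read_int(inner)
            if inner_end != len(value) or n < 0:
                raise ValueError("malformed warning")
            if inner_tag == 0x80:
                resp.time_before_expiration = n
            elif inner_tag == 0x81:
                resp.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning tag 0x{inner_tag:02x}")
        elif tag == 0x81:  # error [1]: implicitly tagged ENUMERATED, primitive
            code = _read_int(value)
            if code not in ERROR_NAMES:
                raise ValueError(f"unknown ppolicy error code {code}")
            resp.error = ERROR_NAMES[code]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return resp


def account_state(resp: PasswordPolicyResponse) -> str:
    """Map the decoded control to a state an examiner would act on (names assumed)."""
    if resp.error == "accountLocked":
        return "LOCKED"
    if resp.error == "passwordExpired":
        return "EXPIRED"
    if resp.error == "changeAfterReset":
        return "MUST_CHANGE"
    if resp.error is not None:
        return "ERROR:" + resp.error
    if resp.grace_authns_remaining is not None:
        return "GRACE_LOGIN"      # password already expired, grace binds remain
    if resp.time_before_expiration is not None:
        return "EXPIRING"         # inside the server's expiration-warning window
    return "OK"


# Constructed sample control values (hand-encoded BER, not captured from a server):
SAMPLE_EXPIRING = bytes.fromhex("3007a0058003015180")  # timeBeforeExpiration = 86400
SAMPLE_LOCKED = bytes.fromhex("3003810101")            # error = accountLocked
SAMPLE_GRACE = bytes.fromhex("3005a003810102")         # graceAuthNsRemaining = 2
SAMPLE_CLEAN = bytes.fromhex("3000")                   # empty SEQUENCE: no warning, no error

if __name__ == "__main__":
    for sample in (SAMPLE_EXPIRING, SAMPLE_LOCKED, SAMPLE_GRACE, SAMPLE_CLEAN):
        r = decode_ppolicy_response(sample)
        print(sample.hex(), r, account_state(r))
```

In a CAS authentication handler the `control_value` bytes would come from the response control with OID `1.3.6.1.4.1.42.2.27.8.5.1` on the bind result, and the decoder rejects truncated or unexpected encodings rather than guessing, so a malformed control surfaces as an error instead of a silently "OK" account.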

Environment

IBM i V7R1

Status

Assignee

Misagh Moayyed

Reporter

Menno Avegaart

Labels

None

Estimated End Date

None

Audience

None

Components

Fix versions

Affects versions

3.5.2
4.0 RC1
4.0 RC2

Priority

Major