This control may be included in an add, modify, or password modify extended response to a request that included a password validation request control, and it may provide details about the validation performed on the proposed password. The control has an OID of 1.3.6.1.4.1.30221.2.5.41, and it takes a value. The following fields may be present in the value-json representation of the value:
response-type
: A string field that indicates the result of the password validation processing for the attempt. The value will be one of the following:
validation-performed
: Indicates that the server performed validation processing for the proposed new password.
no-password-provided
: Indicates that the request did not include a new password to be validated.
multiple-passwords-provided
: Indicates that the request included multiple new passwords. This control may only be used in cases where a single new password is provided.
no-validation-attempted
: Indicates that the server did not attempt any validation for the new password (for example, because it was an administrative password reset and the server has been configured to skip password validation for administrative resets).
validation-details
: An optional array field whose values are JSON objects with information about the types of validation performed for the new password. The fields that may be present in these JSON objects include:
password-quality-requirement
: A JSON object field whose value provides information about a password quality requirement that was evaluated. The fields that may be present in these JSON objects include:
description
: A string field whose value is a user-friendly description of the requirement that the proposed new password is expected to satisfy.
client-side-validation-type
: An optional string field whose value is an identifier that the client can use to determine what type of validation is being performed. The client may use this information to attempt client-side validation of the password so that known-bad passwords can be rejected without needing to interact with the server.
client-side-validation-properties
: An optional array field whose values are JSON objects with additional properties that are associated with the validation. Each of these JSON objects will include a “name” field with the property name and a “value” field with the property value.
requirement-satisfied
: A Boolean field that indicates whether the provided new password satisfied the associated requirement.
additional-information
: An optional string field with additional information about the validation for the associated requirement.
missing-current-password
: A Boolean field that indicates whether the server requires the user’s current password to be provided as part of a password change, but that password was not provided. If this is false, then it indicates that either the user’s current password was provided or that it was not required.
must-change-password
: A Boolean field that indicates whether the user will be required to choose a new password the next time they authenticate.
seconds-until-expiration
: An optional integer field whose value is the number of seconds until the user’s password expires.
The following represents an example JSON encoding for the control:
{
  "oid":"1.3.6.1.4.1.30221.2.5.41",
  "control-name":"Password Validation Details Response Control",
  "criticality":false,
  "value-json":
  {
    "response-type":"validation-performed",
    "validation-details":
    [
      {
        "password-quality-requirement":
        {
          "description":"The new password must be at least 10 characters long.",
          "client-side-validation-type":"length",
          "client-side-validation-properties":
          [
            {
              "name":"min-password-length",
              "value":"10"
            }
          ]
        },
        "requirement-satisfied":true
      },
      {
        "password-quality-requirement":
        {
          "description":"The new password must not match the current password.",
          "client-side-validation-type":"not-current-password"
        },
        "requirement-satisfied":true
      }
    ],
    "missing-current-password":false,
    "must-change-password":false,
    "seconds-until-expiration":7776000
  }
}
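The following Python is an added example, not part of the original documentation. It reads the JSON encoding above, lists the requirements the proposed password did not satisfy, and evaluates the `length` requirement locally in the way the client-side-validation-type description suggests. The sample control is constructed, the function names are hypothetical, and only the `length` type and `min-password-length` property shown on this page are handled; every other type is deferred to the server.

```python
import json

PVD_RESPONSE_OID = "1.3.6.1.4.1.30221.2.5.41"

# Constructed sample control (not server output): one failed length requirement.
SAMPLE = json.loads("""
{"oid": "1.3.6.1.4.1.30221.2.5.41", "criticality": false,
 "value-json": {
   "response-type": "validation-performed",
   "validation-details": [
     {"password-quality-requirement": {
        "description": "The new password must be at least 10 characters long.",
        "client-side-validation-type": "length",
        "client-side-validation-properties": [
          {"name": "min-password-length", "value": "10"}]},
      "requirement-satisfied": false},
     {"password-quality-requirement": {
        "description": "The new password must not match the current password.",
        "client-side-validation-type": "not-current-password"},
      "requirement-satisfied": true}],
   "missing-current-password": false,
   "must-change-password": false}}
""")

def unsatisfied(control):
    """Return (response_type, [descriptions of requirements not satisfied])."""
    if control.get("oid") != PVD_RESPONSE_OID:
        raise ValueError("not a password validation details response control")
    value = control["value-json"]
    # validation-details is optional, so default to an empty list.
    failed = [d["password-quality-requirement"]["description"]
              for d in value.get("validation-details", [])
              if not d["requirement-satisfied"]]
    return value["response-type"], failed

def precheck(requirement, candidate):
    """Evaluate one requirement locally: True/False, or None if it cannot be."""
    props = {p["name"]: p["value"]
             for p in requirement.get("client-side-validation-properties", [])}
    if (requirement.get("client-side-validation-type") == "length"
            and "min-password-length" in props):
        # Property values arrive as strings, so convert before comparing.
        return len(candidate) >= int(props["min-password-length"])
    return None  # unknown type or one that needs server state: defer to the server

if __name__ == "__main__":
    print(unsatisfied(SAMPLE))
```

A `None` result from `precheck` means the requirement could not be evaluated on the client, so the server's `requirement-satisfied` value remains the only answer for it.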