ITS#9156 Document corner cases and omissions

doc/drafts/draft-behera-ldap-password-policy-xx.txt

@@ -829,7 +829,7 @@ Internet-Draft    Password Policy for LDAP Directories         July 2014
    the value is 0, there is no time limit on the grace authentications.
 
          ( 1.3.6.1.4.1.42.2.27.8.1.30
-         NAME 'pwdGraceExpire'
+         NAME 'pwdGraceExpiry'
          EQUALITY integerMatch
          ORDERING integerOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.27

doc/drafts/draft-behera-ldap-password-policy-xx.xml

@@ -296,7 +296,7 @@
   </section>
 
 
-  <section title="Password Quality and Minimum length">
+  <section title="Password Quality and length constraints">
 
    <t>In order to prevent users from creating or updating passwords that
    are easy to guess, a password quality policy may be employed.  This
@@ -800,6 +800,23 @@
       SINGLE-VALUE )
 	</artwork></figure>
   </section>
+
+
+  <section title="pwdMaxRecordedFailure">
+
+   <t>This attribute specifies the number of failures kept on record
+   for each user and should be equal to or higher than pwdMaxFailure.
+   If not set or is 0, it is deemed equal to pwdMaxFailure.</t>
+
+	<figure><artwork>
+      ( 1.3.6.1.4.1.42.2.27.8.1.32
+      NAME 'pwdMaxRecordedFailure'
+      EQUALITY integerMatch
+      ORDERING integerOrderingMatch
+      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+      SINGLE-VALUE )
+	</artwork></figure>
+  </section>
  </section>
 
 
@@ -1106,7 +1123,8 @@
          insufficientPasswordQuality (5),
          passwordTooShort            (6),
          passwordTooYoung            (7),
-         passwordInHistory           (8) } OPTIONAL }
+         passwordInHistory           (8),
+         passwordTooLong             (9) } OPTIONAL }
 	</artwork></figure>
 
    <t>The timeBeforeExpiration warning specifies the number of seconds
@@ -1159,7 +1177,8 @@
 
    <t>The current time is greater than or equal to the value of the
    pwdLastSuccess attribute added to the value of the pwdMaxIdle
-   attribute.</t>
+   attribute. If pwdLastSuccess attribute is not present, pwdChangedTime
+   value is used instead.</t>
 
    <t>The current time is less than the value of the
       pwdAccountLockedTime attribute added to the value of the
@@ -1520,6 +1539,22 @@
       resultCode: constraintViolation (19), and includes the
       passwordPolicyResponse in the controls field of the response
       message with the error: passwordTooShort (6).</t>
+
+   <t>checks the value of the pwdMaxLength attribute.  If the value is
+      non-zero, it ensures that the new password is of at most the
+      maximum length.<vspace blankLines="1"/>
+      If the server is unable to check the length (due to a hashed
+      password or otherwise), the value of pwdCheckQuality is evaluated.
+      If the value is 1, operation continues.  If the value is 2, the
+      server sends a response message to the client with the resultCode:
+      constraintViolation (19), and includes the passwordPolicyResponse
+      in the controls field of the response message with the error:
+      passwordTooLong (9).<vspace blankLines="1"/>
+      If the server is able to check the password length, and the check
+      fails, the server sends a response message to the client with the
+      resultCode: constraintViolation (19), and includes the
+      passwordPolicyResponse in the controls field of the response
+      message with the error: passwordTooLong (9).</t>
 	</list></t>
   </section>
 
@@ -1557,8 +1592,8 @@
    set to TRUE.  Otherwise, the pwdReset is removed from the user's
    entry if it exists.</t>
 
-   <t>The pwdFailureTime and pwdGraceUseTime attributes is removed from the
+   <t>The pwdFailureTime, pwdGraceUseTime, pwdLastSuccess attributes are
-   user's entry if they exist.</t>
+   removed from the user's entry if they exist.</t>
   </section>
  </section>
 
@@ -1672,6 +1707,10 @@
    <t>pwdModResponse.resultCode = constraintViolation (19),
       passwordPolicyResponse.error = passwordInHistory (8): The password
       has already been used; the user must choose a different one.</t>
+
+   <t>pwdModResponse.resultCode = constraintViolation (19),
+      passwordPolicyResponse.error = passwordTooLong (9): The length of
+      the password is too long.</t>
 	</list></t>
   </section>
  </section>
@@ -1695,6 +1734,10 @@
    <t>addResponse.resultCode = constraintViolation (19),
       passwordPolicyResponse.error = passwordTooShort (6): The length of
       the password is too short.</t>
+
+   <t>addResponse.resultCode = constraintViolation (19),
+      passwordPolicyResponse.error = passwordTooLong (9): The length of
+      the password is too long.</t>
 	</list></t>
  </section>
 
@@ -1806,10 +1849,10 @@
    doesn't have to be replicated to a read-only replica, since the
    password will never be directly modified on this server.</t>
 
-   <t>The pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime
+   <t>The pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime and
-   attributes SHOULD be replicated to writable replicas, making the
+   pwdLastSuccess attributes SHOULD be replicated to writable replicas,
-   password policy global for all servers.  When the user entry is
+   making the password policy global for all servers.  When the user entry
-   replicated to a read-only replica, these attributes SHOULD NOT be
+   is replicated to a read-only replica, these attributes SHOULD NOT be
    replicated.  This means that the number of failures, of grace
    authentications and the locking will take place on each replicated
    server.  For example, the effective number of failed attempts on a