diff --git a/include/ldap.h b/include/ldap.h
index a009ec144c..5c70c2b27e 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -392,6 +392,10 @@ typedef struct ldapcontrol {
 #define LDAP_TAG_X_ACCOUNT_USABILITY_REMAINING_GRACE	((ber_tag_t) 0x83U)	/* primitive + 3 */
 #define LDAP_TAG_X_ACCOUNT_USABILITY_UNTIL_UNLOCK	((ber_tag_t) 0x84U)	/* primitive + 4 */
 
+/* Netscape Password policy response controls */
+#define LDAP_CONTROL_X_PASSWORD_EXPIRED		"2.16.840.1.113730.3.4.4"
+#define LDAP_CONTROL_X_PASSWORD_EXPIRING	"2.16.840.1.113730.3.4.5"
+
 /* LDAP Unsolicited Notifications */
 #define	LDAP_NOTICE_OF_DISCONNECTION	"1.3.6.1.4.1.1466.20036" /* RFC 4511 */
 #define LDAP_NOTICE_DISCONNECT LDAP_NOTICE_OF_DISCONNECTION
@@ -2402,6 +2406,12 @@ LDAP_F( const char * )
 ldap_passwordpolicy_err2txt LDAP_P(( LDAPPasswordPolicyError ));
 #endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */
 
+LDAP_F( int )
+ldap_parse_password_expiring_control LDAP_P((
+	LDAP           *ld,
+	LDAPControl    *ctrl,
+	long           *secondsp ));
+
 /*
  * LDAP Dynamic Directory Services Refresh -- RFC 2589
  *	in dds.c
diff --git a/libraries/libldap/ppolicy.c b/libraries/libldap/ppolicy.c
index 9afbcf3dc8..1ba2a8c43f 100644
--- a/libraries/libldap/ppolicy.c
+++ b/libraries/libldap/ppolicy.c
@@ -213,3 +213,55 @@ ldap_passwordpolicy_err2txt( LDAPPasswordPolicyError err )
 }
 
 #endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */
+
+#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRING
+
+int
+ldap_parse_password_expiring_control(
+	LDAP           *ld,
+	LDAPControl    *ctrl,
+	long           *secondsp )
+{
+	BerElement  *ber;
+	struct berval time_string;
+	long seconds = 0;
+	char *next;
+
+	assert( ld != NULL );
+	assert( LDAP_VALID( ld ) );
+	assert( ctrl != NULL );
+
+	if ( !ctrl->ldctl_value.bv_val ) {
+		ld->ld_errno = LDAP_DECODING_ERROR;
+		return(ld->ld_errno);
+	}
+
+	/* Create a BerElement from the berval returned in the control. */
+	ber = ber_init(&ctrl->ldctl_value);
+
+	if (ber == NULL) {
+		ld->ld_errno = LDAP_NO_MEMORY;
+		return(ld->ld_errno);
+	}
+
+	if ( ber_get_stringbv( ber, &time_string, 0 ) == LBER_ERROR ) goto exit;
+
+	seconds = strtol( time_string.bv_val, &next, 10 );
+	if ( next == time_string.bv_val || next[0] != '\0' ) goto exit;
+
+	if ( secondsp != NULL ) {
+		*secondsp = seconds;
+	}
+
+	ber_free(ber, 1);
+
+	ld->ld_errno = LDAP_SUCCESS;
+	return(ld->ld_errno);
+
+  exit:
+	ber_free(ber, 1);
+	ld->ld_errno = LDAP_DECODING_ERROR;
+	return(ld->ld_errno);
+}
+
+#endif /* LDAP_CONTROL_X_PASSWORD_EXPIRING */