Add pwGraceExpiry to gracecheck

minor cleanup
revert Other Operations change from 09
filled in IANA considerations (no longer TBD)
Reference RFC4520, not 3383 (obsolete)

doc/drafts/draft-behera-ldap-password-policy-xx.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
-	<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
+	<!ENTITY rfc2119 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
 	<!ENTITY rfc2195 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2195.xml'>
 	<!ENTITY rfc4422 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4422.xml'>
 	<!ENTITY rfc4511 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4511.xml'>
@@ -9,7 +9,7 @@
 	<!ENTITY rfc4517 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4517.xml'>
 	<!ENTITY rfc2831 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2831.xml'>
 	<!ENTITY rfc3062 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3062.xml'>
-	<!ENTITY rfc3383 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3383.xml'>
+	<!ENTITY rfc4520 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4520.xml'>
 	<!ENTITY rfc3672 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3672.xml'>
 
 ]>
@@ -807,7 +807,7 @@
    <t>
    pwd-&lt;passwordAttribute></t>
 
-   <t>where passwordAttribute a string following the OID syntax
+   <t>where passwordAttribute is a string following the OID syntax
    (1.3.6.1.4.1.1466.115.121.1.38).  The attribute type descriptor
    (short name) MUST be used.</t>
 
@@ -1181,6 +1181,10 @@
  
  <section anchor="gracecheck" title="Remaining Grace AuthN Check">
 
+   <t>If the pwdGraceExpiry attribute is present, and the current time is
+   greater than the password expiration time plus the pwdGraceExpiry
+   value, zero is returned.</t>
+
    <t>If the pwdGraceUseTime attribute is present, the number of values in
    that attribute subtracted from the value of pwdGraceAuthNLimit is
    returned.  Otherwise zero is returned.  A positive result specifies
@@ -1479,7 +1483,7 @@
       server sends a response message to the client with the resultCode:
       constraintViolation (19), and includes the passwordPolicyResponse
       in the controls field of the response message with the error:
-      insufficientPasswordQuality (5).
+      insufficientPasswordQuality (5).<vspace blankLines="1"/>
       If the server is able to check the password quality, and the check
       fails, the server sends a response message to the client with the
       resultCode: constraintViolation (19), and includes the
@@ -1488,14 +1492,14 @@
 
    <t>checks the value of the pwdMinLength attribute.  If the value is
       non-zero, it ensures that the new password is of at least the
-      minimum length.
+      minimum length.<vspace blankLines="1"/>
       If the server is unable to check the length (due to a hashed
       password or otherwise), the value of pwdCheckQuality is evaluated.
       If the value is 1, operation continues.  If the value is 2, the
       server sends a response message to the client with the resultCode:
       constraintViolation (19), and includes the passwordPolicyResponse
       in the controls field of the response message with the error:
-      passwordTooShort (6).
+      passwordTooShort (6).<vspace blankLines="1"/>
       If the server is able to check the password length, and the check
       fails, the server sends a response message to the client with the
       resultCode: constraintViolation (19), and includes the
@@ -1716,15 +1720,9 @@
 
    <t>For operations other than bind, unbind, abandon or StartTLS, the
    client checks the result code and control to determine if
-   any other actions are needed.
+   the user needs to change the password immediately.
 
 	<list style="symbols">
-   <t>&lt;Response>.resultCode = insufficientAccessRights (50),
-      passwordPolicyResponse.error = accountLocked (1) : The password
-	  failure limit has been reached and the account is locked. The
-	  user needs to retry later or contact the password administrator
-	  to reset the password.</t>
-
    <t>&lt;Response>.resultCode = insufficientAccessRights (50),
       passwordPolicyResponse.error = changeAfterReset (2) : The user
 	  needs to change the password immediately.</t>
@@ -1872,7 +1870,117 @@
 
 <section title="IANA Considerations">
 
-   <t>&lt;&lt;&lt;TBD>>></t>
+   <t>In accordance with <xref target="RFC4520"/> the following
+   registrations are requested.</t>
+ <section title="Object Identifiers">
+   <t>The OIDs used in this specification are derived from
+   iso(1) identified-organization(3) dod(6) internet(1) private(4)
+   enterprise(1) Sun(42) products(2) LDAP(27) ppolicy(8). These
+   OIDs have been in use since at least July 2001 when version 04
+   of this draft was published. No additional OID assignment
+   is being requested.</t>
+ </section>
+ <section title="LDAP Protocol Mechanisms">
+   <t>Registration of the protocol mechanisms specified in this
+   document is requested.
+
+	<list style="empty">
+   <t>Subject: Request for LDAP Protocol Mechanism Registration</t>
+   <t>Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1</t>
+   <t>Description: Password Policy Request and Response Control</t>
+   <t>Person &amp; email address to contact for further information:
+   <list style="empty">
+   <t>Howard Chu &lt;hyc@symas.com></t>
+   </list></t>
+   <t>Usage: Control</t>
+   <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
+   <t>Author/Change Controller: IESG</t>
+   <t>Comments:</t>
+   </list></t>
+ </section>
+ <section title="LDAP Descriptors">
+   <t>Registration of the descriptors specified in this
+   document is requested.
+
+	<list style="empty">
+   <t>Subject: Request for LDAP Descriptor Registration</t>
+   <t>Descriptor (short name): see table</t>
+   <t>Object Identifier: see table</t>
+   <t>Description: see table</t>
+   <t>Person &amp; email address to contact for further information:
+   <list style="empty">
+   <t>Howard Chu &lt;hyc@symas.com></t>
+   </list></t>
+   <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
+   <t>Author/Change Controller: IESG</t>
+   <t>Comments:
+   <figure><artwork>
+   Name                    Type  OID
+   ----------------------- ----  ------------------------------
+   pwdPolicy               O     1.3.6.1.4.1.42.2.27.8.2.1
+   pwdAttribute            A     1.3.6.1.4.1.42.2.27.8.1.1
+   pwdMinAge               A     1.3.6.1.4.1.42.2.27.8.1.2
+   pwdMaxAge               A     1.3.6.1.4.1.42.2.27.8.1.3
+   pwdInHistory            A     1.3.6.1.4.1.42.2.27.8.1.4
+   pwdCheckQuality         A     1.3.6.1.4.1.42.2.27.8.1.5
+   pwdMinLength            A     1.3.6.1.4.1.42.2.27.8.1.6
+   pwdMaxLength            A     1.3.6.1.4.1.42.2.27.8.1.31
+   pwdExpireWarning        A     1.3.6.1.4.1.42.2.27.8.1.7
+   pwdGraceAuthNLimit      A     1.3.6.1.4.1.42.2.27.8.1.8
+   pwdGraceExpiry          A     1.3.6.1.4.1.42.2.27.8.1.30
+   pwdLockout              A     1.3.6.1.4.1.42.2.27.8.1.9
+   pwdLockoutDuration      A     1.3.6.1.4.1.42.2.27.8.1.10
+   pwdMaxFailure           A     1.3.6.1.4.1.42.2.27.8.1.11
+   pwdFailureCountInterval A     1.3.6.1.4.1.42.2.27.8.1.12
+   pwdMustChange           A     1.3.6.1.4.1.42.2.27.8.1.13
+   pwdAllowUserChange      A     1.3.6.1.4.1.42.2.27.8.1.14
+   pwdSafeModify           A     1.3.6.1.4.1.42.2.27.8.1.15
+   pwdMinDelay             A     1.3.6.1.4.1.42.2.27.8.1.24
+   pwdMaxDelay             A     1.3.6.1.4.1.42.2.27.8.1.25
+   pwdMaxIdle              A     1.3.6.1.4.1.42.2.27.8.1.26
+   pwdChangedTime          A     1.3.6.1.4.1.42.2.27.8.1.16
+   pwdAccountLockedTime    A     1.3.6.1.4.1.42.2.27.8.1.17
+   pwdFailureTime          A     1.3.6.1.4.1.42.2.27.8.1.19
+   pwdHistory              A     1.3.6.1.4.1.42.2.27.8.1.20
+   pwdGraceUseTime         A     1.3.6.1.4.1.42.2.27.8.1.21
+   pwdReset                A     1.3.6.1.4.1.42.2.27.8.1.22
+   pwdPolicySubEntry       A     1.3.6.1.4.1.42.2.27.8.1.23
+   pwdStartTime            A     1.3.6.1.4.1.42.2.27.8.1.27
+   pwdEndTime              A     1.3.6.1.4.1.42.2.27.8.1.28
+   pwdLastSuccess          A     1.3.6.1.4.1.42.2.27.8.1.29
+   </artwork></figure>
+   <figure><artwork>
+   Legend
+   --------------------
+   A => Attribute Type
+   O => Object Class
+   </artwork></figure>
+   </t>
+   </list></t>
+
+ </section>
+ <section title="LDAP AttributeDescription Options">
+
+   <t>Registration of the AttributeDescription option specified
+   in this document is requested.
+
+   <list style="empty">
+   <t>Subject: Request for LDAP Attribute Description Option Registration</t>
+   <t>Option Name: pwd-</t>
+   <t>Family of Options: YES</t>
+   <t>Person &amp; email address to contact for further information:
+   <list style="empty">
+   <t>Howard Chu &lt;hyc@symas.com></t>
+   </list></t>
+   <t>Specification: (I-D) draft-behera-ldap-password-policy</t>
+   <t>Author/Change Controller: IESG</t>
+   <t>Comments:
+   <list style="empty">
+   <t>Used with policy state attributes to specify to which password attribute
+   the state belongs.</t></list>
+   </t>
+   </list></t>
+ </section>
 </section>
 <section title="Acknowledgement">
 
@@ -1893,7 +2001,7 @@
 	&rfc4517;
 	&rfc2831;
 	&rfc3062;
-	&rfc3383;
+	&rfc4520;
 	&rfc3672;
 
 	<reference anchor="X.680">