
(ITS#8701) account usability control for password less logins



Full_Name: Manikya
Version: 2.4.44
OS: Solaris 11.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.143.213.56)


Solaris LDAP clients are configured for pam_ldap and require a control to
validate users for passwordless logins.

http://docs.oracle.com/cd/E19253-01/816-4556/schemas-250/index.html

From open-ds documentation.

account usability control

The account usability control provides a pair of request and response controls
that can be used to determine whether a user account may be used for
authenticating to the server.

The request control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8 and does not include
a value. It should only be included in search request messages.

The corresponding response control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8 (the
same as the request control), and it will be included in any search result entry
messages for a search request that includes the account usability request
control.

The value for the account usability response control is encoded as follows:

ACCOUNT_USABLE_RESPONSE ::= CHOICE {
     is_available           [0] INTEGER, -- Seconds before expiration --
     is_not_available       [1] MORE_INFO }

MORE_INFO ::= SEQUENCE {
     inactive               [0] BOOLEAN DEFAULT FALSE,
     reset                  [1] BOOLEAN DEFAULT FALSE,
     expired                [2] BOOLEAN DEFAULT FALSE,
     remaining_grace        [3] INTEGER OPTIONAL,
     seconds_before_unlock  [4] INTEGER OPTIONAL }

If the user account is available, then the control will include the number of
seconds until the user's password expires, or -1 if password expiration is not
enabled. If the user's account is not available, then the control will provide
the reason it is unavailable.
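
A decoder for the response control value quoted above, added here as an example; it is not part of the original submission and is not OpenDS or OpenLDAP code. It assumes the CHOICE and MORE_INFO fields use implicit context-specific BER tags (0x80 and 0xA1 at the top level, 0x80 to 0x84 inside MORE_INFO); the function names and sample bytes are constructed for illustration.

```python
# Added example: decodes the ACCOUNT_USABLE_RESPONSE value described above.
# Assumption: implicit context-specific BER tags (0x80 / 0xA1 for the CHOICE).

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _int(v):
    if not v:
        raise ValueError("empty INTEGER")
    return int.from_bytes(v, "big", signed=True)

def decode_account_usable(value):
    """Decode the response control value into a dict."""
    tag, body, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    if tag == 0x80:  # is_available [0] INTEGER
        return {"available": True, "seconds_before_expiration": _int(body)}
    if tag != 0xA1:  # is_not_available [1] MORE_INFO
        raise ValueError("unexpected CHOICE tag 0x%02x" % tag)
    info = {"available": False, "inactive": False, "reset": False,
            "expired": False, "remaining_grace": None,
            "seconds_before_unlock": None}
    names = {0x80: "inactive", 0x81: "reset", 0x82: "expired",
             0x83: "remaining_grace", 0x84: "seconds_before_unlock"}
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t not in names:
            raise ValueError("unknown MORE_INFO tag 0x%02x" % t)
        # Tags 0x83/0x84 are INTEGERs; the rest are BOOLEANs (nonzero = TRUE).
        info[names[t]] = _int(v) if t >= 0x83 else any(v)
    return info

# Constructed sample values (not captured from a real server).
SAMPLE_OK = bytes.fromhex("8001ff")              # available, -1: no expiration
SAMPLE_LOCKED = bytes.fromhex("a1078201ff8402012c")  # expired, unlock in 300 s
```

A client that gates passwordless logins on this control should treat a missing control or any decode error as "not usable" rather than falling through to allow.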