As a user who is in the process of setting a new password using a client application, I would like the application to provide me with advice indicating why my new password does not satisfy its validation requirements. As a developer of this client application, I would like a way to determine whether a user-provided password for a new or existing user satisfies DJ's password validation criteria. DJ should return the advice in the form of a structured response which can be rendered in the UI using the user's locale.
One approach could be to provide "dry run" support for LDAP ADD, MODIFY and password modify operations, where password validation failures would trigger inclusion of an "advice" response control describing why the password does not satisfy the applicable policy. Another JIRA will address the "dry-run" capability: this JIRA will focus on the structured response.
- Another possibility is to use an extended operation. However, password policy selection for ADD operations may depend on properties of the added user, such as group membership.
- The mechanism must collect the results for all applicable validators rather than exposing them one at a time.
- The mechanism should at a minimum indicate the DNs of the failed validators. This may be sufficient to render the UI feedback.
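
The last two requirements, sketched as an added example (not DJ code and not a proposed wire format): every validator runs, and each failure carries the validator's DN plus a message key and parameters that a client can localize. The validator DNs, message keys, rule thresholds and function names are all constructed for illustration.

```python
# Hypothetical validator entry DNs, constructed for this example.
LENGTH_DN = "cn=Length-Based Password Validator,cn=Password Validators,cn=config"
CHARSET_DN = "cn=Character Set,cn=Password Validators,cn=config"
ATTR_DN = "cn=Attribute Value,cn=Password Validators,cn=config"

def failure(validator_dn, code, **params):
    # 'code' is a stable key the UI maps to a localized message template.
    return {"validator_dn": validator_dn, "code": code, "params": params}

def check_length(pw, entry, min_len=8):
    if len(pw) < min_len:
        # Report the requirement only, not the length of what was typed.
        return failure(LENGTH_DN, "too-short", min=min_len)

def check_charset(pw, entry):
    required = (("digit", str.isdigit), ("upper", str.isupper))
    missing = [name for name, pred in required if not any(pred(c) for c in pw)]
    if missing:
        return failure(CHARSET_DN, "missing-classes", classes=missing)

def check_attr(pw, entry):
    # Name the matching attributes; never echo the password or the values.
    hits = sorted(a for a, v in entry.items() if v and v.lower() in pw.lower())
    if hits:
        return failure(ATTR_DN, "contains-attribute", attributes=hits)

VALIDATORS = (check_length, check_charset, check_attr)

def validate_all(pw, entry):
    """Run every applicable validator instead of stopping at the first failure."""
    failures = [f for f in (v(pw, entry) for v in VALIDATORS) if f is not None]
    return {"valid": not failures, "failures": failures}

def failed_dns(advice):
    """The minimum the ticket asks for: DNs of the validators that failed."""
    return [f["validator_dn"] for f in advice["failures"]]

if __name__ == "__main__":
    user = {"uid": "bob", "cn": "Bob Smith"}  # constructed sample entry
    for dn in failed_dns(validate_all("bob", user)):
        print(dn)
```
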