-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 2 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | 4 | ||||
-rw-r--r-- | util/ipa_pwd.c | 20 | ||||
-rw-r--r-- | util/ipa_pwd.h | 6 |
4 files changed, 29 insertions, 3 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 82acc49d..f9cff70c 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -461,7 +461,7 @@ parse_req_done:
 /* check the policy */
 ret = ipapwd_CheckPolicy(&pwdata);
 if (ret) {
- errMesg = "Password Fails to meet minimum strength criteria";
+ errMesg = ipapwd_error2string(ret);
 if (ret == IPAPWD_POLICY_ERROR) {
 errMesg = "Internal error";
 rc = ret;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index a4663c0c..410c536a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -302,7 +302,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 ret = ipapwd_CheckPolicy(&pwdop->pwdata);
 if (ret) {
- errMesg = "Password Fails to meet minimum strength criteria";
+ errMesg = ipapwd_error2string(ret);
 rc = LDAP_CONSTRAINT_VIOLATION;
 goto done;
 }
@@ -750,7 +750,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 if (has_krb_keys == 0) {
 ret = ipapwd_CheckPolicy(&pwdop->pwdata);
 if (ret) {
- errMesg = "Password Fails to meet minimum strength criteria";
+ errMesg = ipapwd_error2string(ret);
 rc = LDAP_CONSTRAINT_VIOLATION;
 goto done;
 }
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index fda6cb34..b6ed929b 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
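Review bot: In the ipa_pwd_extop.c hunk, `ret` is handed to `ipapwd_error2string()` as though it were always an `enum ipapwd_error`, but `ipapwd_CheckPolicy()` is not shown on this page. If it can return a code from another space (an LDAP result code, say) that happens to fall inside the table's index range, the client receives an unrelated message such as "Account expired". Confirm the callee's return contract and record it above the call, for example `/* ipapwd_CheckPolicy() returns enum ipapwd_error values only */`. The same pattern appears in the `ipapwd_pre_add` and `ipapwd_pre_mod` hunks of ipapwd_prepost.c, and the enclosing function here starts and ends outside the hunk.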
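Review bot: In the `ipapwd_pre_add` hunk the specific failure reason is now returned to the LDAP client in `errMesg`, and "Password reuse not permitted" in particular confirms that the submitted value matches an entry in the target's password history. That is expected when the requester is the account owner, but if this hook can also be reached by a delegated writer it is worth confirming who sees the detailed text. One option is to log the precise reason on the server and return the general message to requesters other than the owner. The same applies to the `ipapwd_pre_mod` hunk; both functions extend beyond the lines shown.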
@@ -538,6 +538,26 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 return IPAPWD_POLICY_OK;
 }
+char * IPAPWD_ERROR_STRINGS[] = {
+ "Password is OK",
+ "Account expired",
+ "Too soon to change password",
+ "Password is too short",
+ "Password reuse not permitted",
+ "Password is too simple"
+};
+
+char * IPAPWD_ERROR_STRING_GENERAL = "Password does not meet the policy requirements";
+
+char * ipapwd_error2string(enum ipapwd_error err) {
+ if (err < 0 || err > IPAPWD_POLICY_PWD_COMPLEXITY) {
+ /* IPAPWD_POLICY_ERROR or out of boundary, return general error */
+ return IPAPWD_ERROR_STRING_GENERAL;
+ }
+
+ return IPAPWD_ERROR_STRINGS[err];
+}
+
 /**
 * @brief Generate a new password history using the new password
 *
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 7a00b7fc..ecb82108 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,10 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
+/*
+ * IMPORTANT: please update error string table in ipa_pwd.c if you change this
+ * error code table.
+ */
 enum ipapwd_error {
 IPAPWD_POLICY_ERROR = -1,
 IPAPWD_POLICY_OK = 0,
@@ -55,6 +59,8 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 time_t last_pwd_change,
 char **pwd_history);
+char * ipapwd_error2string(enum ipapwd_error err);
+
 int ipapwd_generate_new_history(char *password,
 time_t cur_time,
 int history_length, |
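Review bot: The bounds check in `ipapwd_error2string()` is tied to `IPAPWD_POLICY_PWD_COMPLEXITY` rather than to the size of `IPAPWD_ERROR_STRINGS`, so an enumerator inserted before it without a matching table entry makes `IPAPWD_ERROR_STRINGS[err]` read past the end of the array. The comment added in ipa_pwd.h asks maintainers to keep the two in step, but nothing enforces it; bounding the index by the element count removes that dependency. The table and the general string are also writable, externally visible globals pointing at string literals, and could be `static` and `const` with the function returning `const char *`. That would require the prototype in ipa_pwd.h to change to match, and the callers' `errMesg` variables (declared outside these hunks) would presumably need to be `const char *` as well.

```c
static const char *const IPAPWD_ERROR_STRINGS[] = {
    /* … unchanged: the six message strings … */
};

static const char *const IPAPWD_ERROR_STRING_GENERAL =
    "Password does not meet the policy requirements";

const char *ipapwd_error2string(enum ipapwd_error err) {
    size_t count = sizeof(IPAPWD_ERROR_STRINGS) / sizeof(IPAPWD_ERROR_STRINGS[0]);

    if (err < 0 || (size_t)err >= count) {
        /* IPAPWD_POLICY_ERROR or no table entry for this code: general error */
        return IPAPWD_ERROR_STRING_GENERAL;
    }

    return IPAPWD_ERROR_STRINGS[err];
}
```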