diff --git a/Demo/pyasn1/ppolicy.py b/Demo/pyasn1/ppolicy.py
new file mode 100644
index 0000000..2bb24a2
--- /dev/null
+++ b/Demo/pyasn1/ppolicy.py
@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+"""
+Demo script for Password Policy Controls
+(see http://tools.ietf.org/html/draft-behera-ldap-password-policy)
+
+This needs the following software:
+Python
+pyasn1
+pyasn1-modules
+python-ldap 2.4+
+"""
+
+import sys,ldap,ldapurl,getpass
+
+from ldap.controls.ppolicy import PasswordPolicyError,PasswordPolicyControl
+
+try:
+  ldap_url = ldapurl.LDAPUrl(sys.argv[1])
+except IndexError,ValueError:
+  print 'Usage: ppolicy.py <LDAP URL>'
+  sys.exit(1)
+
+# Set debugging level
+#ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
+ldapmodule_trace_level = 2
+ldapmodule_trace_file = sys.stderr
+
+ldap_conn = ldap.ldapobject.LDAPObject(
+  ldap_url.initializeUrl(),
+  trace_level=ldapmodule_trace_level,
+  trace_file=ldapmodule_trace_file
+)
+
+if ldap_url.cred is None:
+  print 'Password for %s:' % (repr(ldap_url.who))
+  ldap_url.cred = getpass.getpass()
+
+try:
+  msgid = ldap_conn.simple_bind(ldap_url.who,ldap_url.cred,serverctrls=[PasswordPolicyControl()])
+  res_type,res_data,res_msgid,res_ctrls = ldap_conn.result3(msgid)
+except ldap.INVALID_CREDENTIALS,e:
+  print 'Simple bind failed:',str(e)
+  sys.exit(1)
+else:
+  if res_ctrls[0].controlType==PasswordPolicyControl.controlType:
+    ppolicy_ctrl = res_ctrls[0]
+    print 'PasswordPolicyControl'
+    print 'error',repr(ppolicy_ctrl.error),(ppolicy_ctrl.error!=None)*repr(PasswordPolicyError(ppolicy_ctrl.error))
+    print 'timeBeforeExpiration',repr(ppolicy_ctrl.timeBeforeExpiration)
+    print 'graceAuthNsRemaining',repr(ppolicy_ctrl.graceAuthNsRemaining)