Re: PPolicy Control Decoding
At 02:35 AM 6/26/2006, TJ wrote:
>I'm having difficulty processing the response from the password policy control
>returned by slapd
>
>here is an extract of the log:
>
>send_ldap_result: conn=45 op=4 p=3
>send_ldap_result: err=19 matched="" text="Password is in history of old passwords"
>send_ldap_response: msgid=5 tag=103 err=19
>ldap_write: want=91, written=91
> 0000: 30 59 02 01 05 67 2e 0a 01 13 04 00 04 27 50 61  0Y...g.......'Pa
> 0010: 73 73 77 6f 72 64 20 69 73 20 69 6e 20 68 69 73  ssword is in his
> 0020: 74 6f 72 79 20 6f 66 20 6f 6c 64 20 70 61 73 73  tory of old pass
> 0030: 77 6f 72 64 73 a0 24 30 22 04 19 31 2e 33 2e 36  words.$0"..1.3.6
> 0040: 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 38  .1.4.1.42.2.27.8
> 0050: 2e 35 2e 31 04 05 30 03 81 01 08                 .5.1..0....
>conn=45 op=4 RESULT tag=103 err=19 text=Password is in history of old passwords
>daemon: activity on 1 descriptor
>
>Looking at:
> 0050: 2e 35 2e 31 04 05 30 03 81 01 08 .5.1..0....
>0x81 is a Sequence representing Error from what I can see in ldap-int.h
>01 length, 08 value
ldap-int.h says nothing about how instances of the
PasswordPolicyResponseValue should be encoded.
>Think value field 08 is incorrect, it is not a type.
>Should it be
>81 01 02 01 08
>[TYPE = Sequence, LENGTH = 1, VALUE [ TYPE = Integer, LENGTH = 1, VALUE = 8 ]]
No, the proper LDAP-BER [RFC4511, 5.1] encoding of the PasswordPolicyResponseValue (no warning, error=8) is
30 03 81 01 08 (using the ASN.1 below).
30 03 is SEQUENCE length=3
81 01 08 is a CONTEXT-SPECIFIC, PRIMITIVE [1] of length=1 of value=8
>PasswordPolicyResponseValue ::= SEQUENCE {
>   warning [0] CHOICE OPTIONAL {
>      timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>      graceLoginsRemaining [1] INTEGER (0 .. maxInt)
>   }
>
>   error [1] ENUMERATED OPTIONAL {
>      passwordExpired (0),
>      accountLocked (1),
>      changeAfterReset (2),
>      passwordModNotAllowed (3),
>      mustSupplyOldPassword (4),
>      invalidPasswordSyntax (5),
>      passwordTooShort (6),
>      passwordTooYoung (7),
>      passwordInHistory (8)
>   }
>}