
Re: PPolicy Control Decoding



At 02:35 AM 6/26/2006, TJ wrote:
>I'm having difficulty processing the response from the password policy control 
>returned by slapd
>
>here is an extract of the log:
>
>send_ldap_result: conn=45 op=4 p=3
>send_ldap_result: err=19 matched="" text="Password is in history of old passwords"
>send_ldap_response: msgid=5 tag=103 err=19
>ldap_write: want=91, written=91
>  0000:  30 59 02 01 05 67 2e 0a  01 13 04 00 04 27 50 61   0Y...g.......'Pa
>  0010:  73 73 77 6f 72 64 20 69  73 20 69 6e 20 68 69 73   ssword is in his
>  0020:  74 6f 72 79 20 6f 66 20  6f 6c 64 20 70 61 73 73   tory of old pass
>  0030:  77 6f 72 64 73 a0 24 30  22 04 19 31 2e 33 2e 36   words.$0"..1.3.6
>  0040:  2e 31 2e 34 2e 31 2e 34  32 2e 32 2e 32 37 2e 38   .1.4.1.42.2.27.8
>  0050:  2e 35 2e 31 04 05 30 03  81 01 08                  .5.1..0....
>conn=45 op=4 RESULT tag=103 err=19 text=Password is in history of old passwords
>daemon: activity on 1 descriptor
>
>Looking at:
>  0050:  2e 35 2e 31 04 05 30 03  81 01 08                  .5.1..0....
>0x81 is a Sequence representing Error from what I can see in ldap-int.h 
>01 length, 08 value

ldap-int.h says nothing about how instances of the
PasswordPolicyResponseValue should be encoded.

>Think value field 08 is incorrect, it is not a type. 
>Should it be 
>81 01 02 01 08
>[TYPE = Sequence, LENGTH = 1, VALUE [ TYPE = Integer, LENGTH = 1, VALUE 
>= 8 ]]

No, the proper LDAP-BER [RFC4511, 5.1] encoding of the PasswordPolicyResponseValue (no warning, error=8) is
30 03 81 01 08 (using the ASN.1 below).

30 03 is SEQUENCE length=3
 81 01 08 is a CONTEXT-SPECIFIC, PRIMITIVE [1]
        of length=1 of value=8


>PasswordPolicyResponseValue ::= SEQUENCE {
>   warning [0] CHOICE OPTIONAL {
>     timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>     graceLoginsRemaining [1] INTEGER (0 .. maxInt)
>   }
>
>   error [1] ENUMERATED OPTIONAL {
>      passwordExpired       (0),
>      accountLocked         (1),
>      changeAfterReset      (2),
>      passwordModNotAllowed (3),
>      mustSupplyOldPassword (4),
>      invalidPasswordSyntax (5),
>      passwordTooShort      (6),
>      passwordTooYoung      (7),
>      passwordInHistory     (8)
>    }
>}
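A worked decoder for the exchange discussed above, added here as an example; it is not part of the original thread and not OpenLDAP's own code. It walks the LDAPMessage from TJ's hex dump with a small BER TLV reader, pulls the control out of the `controls [0]` field of the ModifyResponse (tag 0x67), and decodes `30 03 81 01 08` as the IMPLICITLY tagged `error [1]` ENUMERATED, which is why the value octet follows `81 01` directly with no inner INTEGER tag. The `warning [0]` branch is a CHOICE, which can only be tagged EXPLICITLY, so it arrives as a constructed `a0` wrapping the alternative's own `80` or `81` tag; the second sample value is constructed to show that branch, and the 300-second figure in it is an assumption of this example. The function names are assumptions of this example as well. Feeding it the explicitly wrapped `81 03 02 01 08` proposed in the question does not yield error=8, because the `02 01` octets are then read as part of the enumerated value.

```python
from typing import Dict, Optional, Tuple

# Constructed from the hex dump quoted above: the full LDAPMessage (msgid=5,
# ModifyResponse, err=19) that carries the password policy response control.
LDAP_RESPONSE = (
    bytes.fromhex("30 59 02 01 05 67 2e 0a 01 13 04 00 04 27")
    + b"Password is in history of old passwords"
    + bytes.fromhex("a0 24 30 22 04 19")
    + b"1.3.6.1.4.1.42.2.27.8.5.1"
    + bytes.fromhex("04 05 30 03 81 01 08")
)
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
# Constructed sample of the other branch: warning timeBeforeExpiration [0] = 300, no error.
PPOLICY_VALUE_WARNING = bytes.fromhex("30 06 a0 04 80 02 01 2c")

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword", 5: "invalidPasswordSyntax",
    6: "passwordTooShort", 7: "passwordTooYoung", 8: "passwordInHistory",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV starting at pos; return (tag, contents, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tags do not occur in LDAP")
    pos += 2
    if length & 0x80:  # long form: the low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("contents run past end of buffer")
    return tag, buf[pos:end], end


def decode_uint(contents: bytes) -> int:
    """Decode a non-negative INTEGER/ENUMERATED (big-endian two's complement)."""
    if not contents or contents[0] & 0x80:
        raise ValueError("empty or negative integer where a non-negative one is required")
    return int.from_bytes(contents, "big")


def decode_ppolicy_response(value: bytes) -> Dict[str, Optional[tuple]]:
    """Decode a PasswordPolicyResponseValue control value (draft-behera-ldap-password-policy)."""
    tag, seq, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result: Dict[str, Optional[tuple]] = {"warning": None, "error": None}
    pos = 0
    while pos < len(seq):
        tag, contents, pos = read_tlv(seq, pos)
        if tag == 0xA0:
            # warning [0] is a CHOICE, so its tag is EXPLICIT: a constructed [0]
            # wrapping the chosen alternative's own [0] or [1] primitive tag.
            ctag, ccontents, cend = read_tlv(contents, 0)
            if cend != len(contents) or ctag not in (0x80, 0x81):
                raise ValueError("malformed warning CHOICE")
            name = "timeBeforeExpiration" if ctag == 0x80 else "graceLoginsRemaining"
            result["warning"] = (name, decode_uint(ccontents))
        elif tag == 0x81:
            # error [1] is an IMPLICITLY tagged ENUMERATED: 0x81 replaces the universal
            # 0x0a tag, so the value octet(s) follow the length directly.
            code = decode_uint(contents)
            result["error"] = (code, ERROR_NAMES.get(code, "unknown"))
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def parse_ldap_response(msg: bytes) -> dict:
    """Parse one LDAPMessage carrying an LDAPResult; return its fields and controls."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID missing")
    op_tag, op, pos = read_tlv(body, pos)  # 0x67 = [APPLICATION 7] ModifyResponse
    t, rc, p = read_tlv(op, 0)  # LDAPResult: resultCode, matchedDN, diagnosticMessage
    if t != 0x0A:
        raise ValueError("protocolOp does not start with an LDAPResult")
    _, matched, p = read_tlv(op, p)
    _, diag, p = read_tlv(op, p)
    controls: Dict[str, Optional[bytes]] = {}
    if pos < len(body):  # controls [0] Controls OPTIONAL
        tag, ctl_seq, pos = read_tlv(body, pos)
        if tag != 0xA0:
            raise ValueError("unexpected element after protocolOp")
        cpos = 0
        while cpos < len(ctl_seq):
            _, ctl, cpos = read_tlv(ctl_seq, cpos)  # Control ::= SEQUENCE
            _, oid, p = read_tlv(ctl, 0)  # controlType LDAPOID
            value = None
            while p < len(ctl):  # optional criticality BOOLEAN, optional controlValue
                t, c, p = read_tlv(ctl, p)
                if t == 0x04:
                    value = c
            controls[oid.decode("ascii")] = value
    return {"message_id": decode_uint(mid), "op_tag": op_tag, "result_code": decode_uint(rc),
            "matched_dn": matched.decode("utf-8"), "diagnostic": diag.decode("utf-8"),
            "controls": controls}


if __name__ == "__main__":
    resp = parse_ldap_response(LDAP_RESPONSE)
    print(resp["result_code"], resp["diagnostic"])
    print(decode_ppolicy_response(resp["controls"][PPOLICY_OID]))
```

Running it on the dump prints result code 19 (constraintViolation) with the diagnostic message, then `{'warning': None, 'error': (8, 'passwordInHistory')}`; the tag-by-tag checks mirror what a client library should do before trusting a control value from the wire.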