
Re: ldap_simple_bind_s error codes



Anoob Backer wrote:
> Hi All,
> 
> Is there any way to find out the exact error message in case of bind
> failure
> using any of the OpenLDAP calls?
> 
> What I would like to achieve by this is to know exactly why the bind failed:
> either due to password expiry or account locked or account disabled or user
> not found etc.
> 
> After googling a bit I found a solution:
> 
> 1. http://forum.java.sun.com/thread.jspa?messageID=4227692 ==> says to use
> ldap_get_option() to get the error string and then parse and extract the
> error codes. To my understanding this is an extended error message.
> 
> Is it reliable to depend on the error messages?

Assuming you want to use OpenLDAP as DSA, if a bind fails at the server
side, you'll probably just get LDAP_INVALID_CREDENTIALS, with no
indication of what the failure reason was.  If the bind request used the
password policy control, and the ppolicy overlay is in use (see
slapo-ppolicy(5) for details), the client might get a control response
containing the reason of the bind failure, according to
<draft-behera-ldap-password-policy>.  Any other means of detecting the
reason of a bind failure should not be considered.

To use the control, and to understand the control response, your client
will need to use an asynchronous call, e.g. ldap_sasl_bind(3), and
interpret the control response by using ldap_parse_result(3) on the
message returned by ldap_result(3) to extract the controls from the
response.  The use of ldap_get_option(3) with LDAP_OPT_SERVER_CONTROLS
is deprecated in favor of the above mentioned API.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
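What the password policy response control actually carries, as an added example that is not part of the post or of OpenLDAP's own code: a stand-alone decoder for the PasswordPolicyResponseValue, with its layout and error values taken from draft-behera-ldap-password-policy and the sample byte strings in the test constructed by hand. In a real client you would hand the control obtained from ldap_parse_result(3) to libldap's ldap_parse_passwordpolicy_control(3) instead; the point here is to show which fields distinguish "locked" from "expired" from "just a warning".

```c
/* Added example (not from the post or from OpenLDAP): decode the
 * PasswordPolicyResponseValue returned in the bind response control,
 * OID 1.3.6.1.4.1.42.2.27.8.5.1 (draft-behera). Short DER lengths only. */
#include <stddef.h>

enum { PP_NONE = -1, PP_WARN_EXPIRE = 0, PP_WARN_GRACE = 1 };
struct ppolicy_resp {
    int  warning_kind;  /* PP_NONE, PP_WARN_EXPIRE (seconds) or PP_WARN_GRACE (count) */
    long warning_value;
    int  error;         /* -1 if absent, else the draft-behera enumerated value */
};
static const char *pp_err_text[] = {
    "passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
    "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
    "passwordTooYoung", "passwordInHistory" };

/* Big-endian INTEGER/ENUMERATED body; returns 0 on bad length or a negative value. */
static int der_int(const unsigned char *p, size_t len, long *out) {
    if (len == 0 || len > sizeof(long) || (p[0] & 0x80)) return 0; /* negatives never occur here */
    long v = 0;
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return 1;
}

/* Returns 1 on success, 0 on malformed input; unknown tags are rejected outright. */
int pp_decode(const unsigned char *buf, size_t n, struct ppolicy_resp *r) {
    r->warning_kind = PP_NONE; r->warning_value = 0; r->error = -1;
    if (n < 2 || buf[0] != 0x30 || buf[1] > 0x7f || (size_t)buf[1] + 2 != n) return 0;
    for (size_t i = 2; i < n; i += 2 + buf[i + 1]) {      /* walk SEQUENCE elements */
        if (i + 2 > n || buf[i + 1] > 0x7f || i + 2 + buf[i + 1] > n) return 0;
        unsigned char tag = buf[i], len = buf[i + 1];
        const unsigned char *body = buf + i + 2;
        if (tag == 0xA0) {          /* warning [0] CHOICE { [0] timeBeforeExpiration, [1] graceAuthNsRemaining } */
            if (len < 3 || body[0] < 0x80 || body[0] > 0x81 || body[1] + 2 != len) return 0;
            if (!der_int(body + 2, body[1], &r->warning_value)) return 0;
            r->warning_kind = body[0] & 1;
        } else if (tag == 0x81) {   /* error [1] ENUMERATED */
            long e;
            if (!der_int(body, len, &e) || e < 0 || e > 8) return 0;
            r->error = (int)e;
        } else return 0;
    }
    return 1;
}

/* Human-readable reason to log alongside LDAP_INVALID_CREDENTIALS. */
const char *pp_reason(const struct ppolicy_resp *r) {
    return r->error < 0 ? "no ppolicy error reported" : pp_err_text[r->error];
}
```

Note that the server only sends this control when the bind request carried the request control and slapo-ppolicy is loaded; without it, a bind failure stays an undifferentiated LDAP_INVALID_CREDENTIALS, exactly as the reply above says.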