
Password policy request control parsing

I've upgraded from OpenLDAP 2.3.43 to 2.4.13 and I'm getting a server
response that didn't occur with 2.3.43, even though my client code is
unchanged. In particular, my server now complains that a password
policy request control with a zero-length control value is an LDAP
protocol error because the "control value is not absent". Note that
according to section 6.1 of the password policy specification
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-09#section-6.1),
the request control has "no controlValue".

The relevant OpenLDAP code is the ppolicy_parseCtrl method of
servers/slapd/overlays/ppolicy.c.  In 2.3.43, that method has the
following check:

if ( ctrl->ldctl_value.bv_len ) {
      rs->sr_text = "passwordPolicyRequest control value not empty";
      return LDAP_PROTOCOL_ERROR;
}

In 2.4.13, the check is:

if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
      rs->sr_text = "passwordPolicyRequest control value not absent";
      return LDAP_PROTOCOL_ERROR;
}

Why did this change occur?  Was OpenLDAP 2.3.43 too lenient in accepting
a control with zero length?

Kyle Blaney
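Added example, not code from the post or from OpenLDAP: the two checks quoted above, side by side, applied to an absent value, a zero-length value and a non-empty value. struct berval and BER_BVISNULL are re-declared locally in liblber's shape (assumed: the macro tests bv_val == NULL) so it compiles without OpenLDAP headers.

```c
/* Mimics the 2.3.43 and 2.4.13 ppolicy_parseCtrl checks from the message.
 * struct berval and BER_BVISNULL are local re-declarations (assumption:
 * same shape as liblber's), not the OpenLDAP headers. */
#include <stddef.h>
#include <stdio.h>

struct berval {
    size_t bv_len;
    char  *bv_val;
};

#define BER_BVISNULL(bv) ((bv)->bv_val == NULL)

/* LDAP_PROTOCOL_ERROR is result code 2 in RFC 4511. */
enum { CTRL_OK = 0, CTRL_PROTOCOL_ERROR = 2 };

/* 2.3.43 check: only a non-empty value is an error; a zero-length
 * value passes because bv_len is 0 whether or not bv_val is NULL. */
static int check_2_3(const struct berval *v) {
    return v->bv_len ? CTRL_PROTOCOL_ERROR : CTRL_OK;
}

/* 2.4.13 check: any present value is an error, so a zero-length value
 * (bv_val non-NULL, bv_len 0) is now rejected too. */
static int check_2_4(const struct berval *v) {
    return !BER_BVISNULL(v) ? CTRL_PROTOCOL_ERROR : CTRL_OK;
}

/* Constructed inputs: controlValue absent, zero-length, and non-empty. */
static const struct berval absent_value = { 0, NULL };
static const struct berval empty_value  = { 0, "" };
static const struct berval octet_value  = { 4, "abcd" };

int main(void) {
    const struct berval *cases[] = { &absent_value, &empty_value, &octet_value };
    const char *names[] = { "absent", "zero-length", "non-empty" };
    for (int i = 0; i < 3; i++) {
        printf("%-12s 2.3.43: %s  2.4.13: %s\n", names[i],
               check_2_3(cases[i]) ? "reject" : "accept",
               check_2_4(cases[i]) ? "reject" : "accept");
    }
    return 0;
}
```

Only the zero-length case differs between the two versions, which is exactly the case the client in the message sends.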