Password policy request control parsing
- To: <openldap-software@openldap.org>
- Subject: Password policy request control parsing
- From: "Kyle Blaney" <kblaney@nortel.com>
- Date: Fri, 13 Feb 2009 10:43:35 -0500
I've upgraded from OpenLDAP 2.3.43 to 2.4.13 and I'm getting a server
response that didn't occur with 2.3.43, even though my client code is
unchanged. In particular, my server now complains that a password
policy request control with a zero-length control value is an LDAP
protocol error because the "control value is not absent". Note that
according to section 6.1 of the password policy specification
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-09#section-6.1),
the request control has "no controlValue".
The relevant OpenLDAP code is the ppolicy_parseCtrl method of
servers/slapd/overlays/ppolicy.c. In 2.3.43, that method has the
following check:

    if ( ctrl->ldctl_value.bv_len ) {
        rs->sr_text = "passwordPolicyRequest control value not empty";
        return LDAP_PROTOCOL_ERROR;
    }

In 2.4.13, the check is:

    if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
        rs->sr_text = "passwordPolicyRequest control value not absent";
        return LDAP_PROTOCOL_ERROR;
    }

Why did this change occur? Was OpenLDAP 2.3.43 too lenient in accepting
a control with zero length?
Kyle Blaney
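
Added example, not part of the original message and not OpenLDAP code: a small C sketch that decodes three constructed Control encodings (controlValue absent, present with zero length, present with one byte) and applies both checks quoted above. `struct bv`, `BV_ISNULL`, `parse_control` and `classify` are hypothetical stand-ins; the sketch assumes short-form BER lengths and a decoder that leaves `bv_val` NULL only when the element is absent.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for OpenLDAP's struct berval and BER_BVISNULL (assumption). */
struct bv { size_t bv_len; const unsigned char *bv_val; };
#define BV_ISNULL(b) ((b)->bv_val == NULL)

/* Constructed sample encodings; OID is the passwordPolicyRequest control type. */
#define OID "1.3.6.1.4.1.42.2.27.8.5.1"            /* 25 bytes */
static const unsigned char CTRL_ABSENT[] = "\x30\x1b\x04\x19" OID;
static const unsigned char CTRL_EMPTY[]  = "\x30\x1d\x04\x19" OID "\x04\x00";
static const unsigned char CTRL_VALUE[]  = "\x30\x1e\x04\x19" OID "\x04\x01\x2a";

/* Control ::= SEQUENCE { controlType OCTET STRING,
 *   criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }
 * Returns 0 on success, -1 on malformed input (short-form lengths only). */
static int parse_control(const unsigned char *p, size_t n, struct bv *val)
{
    val->bv_len = 0;
    val->bv_val = NULL;                      /* NULL means "absent" */
    if (n < 2 || p[0] != 0x30 || p[1] > 0x7f || (size_t)p[1] != n - 2) return -1;
    const unsigned char *end = p + n;
    p += 2;
    if (end - p < 2 || p[0] != 0x04 || p[1] > 0x7f || p[1] > end - p - 2) return -1;
    p += 2 + p[1];                           /* skip controlType */
    if (end - p >= 3 && p[0] == 0x01 && p[1] == 1) p += 3; /* skip criticality */
    if (p == end) return 0;                  /* no controlValue element */
    if (end - p < 2 || p[0] != 0x04 || p[1] > 0x7f || p[1] != end - p - 2) return -1;
    val->bv_len = p[1];
    val->bv_val = p + 2;                     /* non-NULL even when bv_len == 0 */
    return 0;
}

/* 2.3.43-style check: reject only a value with non-zero length. */
static int rejects_2_3(const struct bv *v) { return v->bv_len != 0; }
/* 2.4.13-style check: reject any value element that is present. */
static int rejects_2_4(const struct bv *v) { return !BV_ISNULL(v); }

/* Bit 0: rejected by the 2.3-style check; bit 1: by the 2.4-style check. */
static int classify(const unsigned char *msg, size_t n)
{
    struct bv v;
    if (parse_control(msg, n, &v) != 0) return -1;
    return rejects_2_3(&v) | (rejects_2_4(&v) << 1);
}

int main(void)
{
    printf("absent=%d empty=%d value=%d\n",
           classify(CTRL_ABSENT, sizeof CTRL_ABSENT - 1),
           classify(CTRL_EMPTY, sizeof CTRL_EMPTY - 1),
           classify(CTRL_VALUE, sizeof CTRL_VALUE - 1));
    return 0;
}
```

Only the middle case separates the two checks: the trailing `04 00` element has zero length, so the length test passes it while the NULL test rejects it.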