Re: What is the option '-e ppolicy' ?

[Pierangelo Masarati <pierangelo.masarati@polimi.it>]

On 05/01/2014 08:45 PM, Thierry Thelliez wrote:
> I tried with and with the '-e ppolicy' option but that did not make a
> difference in terms of behavior.  It did make a difference for the
> output message.
>
> For:   ldappasswd -x -w oldpassword -a oldpassword -s test -D
> "uid=aUser, ou=MyUsers, dc=xyz, dc=com" -e ppolicy
> The output is:
>
> Result: Constraint violation (19)
> Additional info: Password fails quality checking policy
> control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQY=
> ppolicy: error=6 (Password is too short for policy)
>
> For:   ldappasswd -x -w oldpassword -a oldpassword -s test -D
> "uid=aUser, ou=MyUsers, dc=xyz, dc=com"
> The ouput is shorter:
>
> Result: Constraint violation (19)
> Additional info: Password fails quality checking policy
>
> They both checked the password policy ('test' was too short).
>
> I am still confused about what this 'extension' does. Is that just about
> giving more details in the error output?
>
> This is in openLDAP 2.4.39 and documented in the man ldapsearch page.
>   The option is used in the ppolicy test code (test022-ppolicy).

With -e ppolicy, the password policy control is used in the request.  As 
such, the response may contain the control response, as described in 
slapo-ppolicy(5).

Otherwise (i.e. if the request does not contain the control request), 
the server will not return the control response.

In your case you're "lucky", i.e. the bind response contains additional 
information.  In other cases, you might just get "invalid credentials" 
without further explanation.

p.

> Thanks,
> Thierry
>
>
>
>
> On Thu, May 1, 2014 at 3:43 AM, Michael StrÃder <michael@stroeder.com
> <mailto:michael@stroeder.com>> wrote:
>
>     Dieter KlÃnter wrote:
>      > Am Wed, 30 Apr 2014 14:56:41 -0600
>      > schrieb Thierry Thelliez <thierry.thelliez.tech@gmail.com
>     <mailto:thierry.thelliez.tech@gmail.com>>:
>      >>
>      >> Looking at the test source code of 2.4.39 for the ppolicy script, I
>      >> can see the ldapsearch is using a '-e ppolicy' option.   The man
>     page
>      >> for ldapsearch lists 'general extensions' under -e and -E options.
>      >> But I cannot figure out what these extensions are.
>      >>
>      >> What is '-e ppolicy' ? and when do you need it?
>      >
>      > man ldapsearch(5)
>      >
>      > -e = general extended operation
>      > -E = search extended operation
>      > passwordPolicy is a general extended operation
>
>     I have no man page like this for OpenLDAP. Which man page is this?
>     It sounds
>     strange to say something about extended operations.
>
>     -e and -E are for specifying extended *controls* along with the LDAP
>     (search)
>     request:
>
>     Excerpt from ldapsearch(1):
>
>             -e [!]ext[=extparam]
>
>             -E [!]ext[=extparam]
>
>                    Specify general extensions with -e and search
>     extensions with
>                    -E.  Â! indicates criticality.
>
>     Ciao, Michael.


--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano