Bug 1409 - LDAP API does not return correct Password Policy controls
Status: RESOLVED WORKSFORME (Closed)
Opened 26 years ago; closed 26 years ago
Component: Directory :: LDAP C SDK, defect, P2
Tracking: Not tracked
Reporter: tcozzolino; Assigned: chuckb
In http://developer1.netscape.com:80/docs/manuals/dirsdk/csdk30/controls.htm,
the following is stated:
"The Netscape Directory Server 3.0 and later versions use two server response
controls to send information back to a client after an LDAP bind operation:
The control with the OID 2.16.840.1.113730.3.4.4 (or LDAP_CONTROL_PWEXPIRED, as
defined in the ldap.h header file) is the expired password control.
This control is used if the server is configured to require users to change
their passwords when first logging in and whenever the passwords are reset.
If the user is logging in for the first time or if the user's password has been
reset, the server sends this control to indicate that the client needs to change
the password immediately.
At this point, the only operation that the client can perform is to change the
user's password. If the client requests any other LDAP operation, the server
sends back an LDAP_UNWILLING_TO_PERFORM result code with an expired password
control."
---
We find, however, that instead, when trying to bind as a user whose password is
expired, the ldap_parse_result function returns a "password expired!" message
in the errmsgp parameter. The control referenced above is not returned. The
bind operation fails.
Updated 26 years ago
Assignee: bogus → chuckb
There are some server configurations which need to be set before the password
policy is fully activated. Do you have these set? If you don't want to post
server config here, please mail me (chuckb@netscape.com) directly.
I have a testcase in the QA test suite. I will investigate this more.
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → WORKSFORME
Just a thought...
I ran a bunch of tests using the test code below. In your tests, did you
remember to set the LDAP version to 3.0? The C SDK defaults to LDAP V2.
------------------- code -----------
/*
 * Copyright (c) 1998. Netscape Communications Corporation. All
 * rights reserved.
 *
 * Attempt to bind to the directory, and report back any controls received.
 */
#include <stdio.h>
#include <stdlib.h>	/* atoi() */
#include <string.h>	/* memcpy() */
#include "ldap.h"

static void doUsage( void ) {
    printf( "Usage: ppolicy HOST PORT DN PASSWORD\n" );
}

/*
 * Print the OID, criticality and value of each response control.  A control
 * value is a BER octet string with no NUL terminator, so it is copied into a
 * bounded, terminated buffer before being printed.
 */
static void
print_controls( LDAPControl **ctrls, int freeit ) {
    int i;
    char buf[256];
    size_t len;

    if ( ctrls == NULL ) {
        printf( "No controls returned\n" );
        return;
    }
    fprintf( stderr, "Controls:\n" );
    for ( i = 0; ctrls[ i ] != NULL; ++i ) {
        if ( i > 0 ) {
            fputs( "\t-----------\n", stderr );
        }
        fprintf( stderr, "\toid: %s\n", ctrls[ i ]->ldctl_oid );
        fprintf( stderr, "\tcritical: %s\n",
            ctrls[ i ]->ldctl_iscritical ? "YES" : "NO" );
        fputs( "\tvalue:\n", stderr );
        len = ctrls[ i ]->ldctl_value.bv_len;
        if ( len > sizeof( buf ) - 1 ) {
            len = sizeof( buf ) - 1;	/* truncate instead of overflowing buf */
        }
        if ( len > 0 ) {
            memcpy( buf, ctrls[ i ]->ldctl_value.bv_val, len );
        }
        buf[ len ] = '\0';
        printf( "%s\n", buf );
    }
    if ( freeit ) {
        ldap_controls_free( ctrls );
    }
}

int
main( int argc, char **argv ) {
    LDAP *ld;
    char *dn;
    char *password;
    char *host;
    int port;
    int rc = 0;
    int version;
    int msgid;
    LDAPMessage *result;
    LDAPControl **ctrls = NULL;
    int lderr;
    char *matcheddn, *errmsg, **refs;

    if ( argc < 5 ) {
        doUsage();
        return( 1 );
    }
    host = argv[1];
    port = atoi( argv[2] );
    dn = argv[3];
    password = argv[4];

    /* get a handle to an LDAP connection */
    if ( (ld = ldap_init( host, port )) == NULL ) {
        perror( "ldap_init" );
        return( 1 );
    }

    /*
     * Response controls are an LDAPv3 feature and the C SDK defaults to
     * LDAPv2, so select version 3 before binding or no controls come back.
     */
    version = LDAP_VERSION3;
    if ( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) !=
            LDAP_SUCCESS ) {
        ldap_perror( ld, "ldap_set_option" );
    }

    /* authenticate to the directory: start the bind, then wait for its result */
    if ( (msgid = ldap_simple_bind( ld, dn, password )) < 0 ) {
        ldap_perror( ld, "ldap_simple_bind" );
        rc = -1;
    } else {
        rc = ldap_result( ld, msgid, 0, (struct timeval *)NULL, &result );
        if ( rc == LDAP_RES_BIND ) {
            /* freeit = 1: ldap_parse_result releases result for us */
            if ( ldap_parse_result( ld, result, &lderr, &matcheddn,
                    &errmsg, &refs, &ctrls, 1 ) != LDAP_SUCCESS ) {
                ldap_perror( ld, "ldap_parse_result" );
                rc = -1;
            } else {
                fprintf( stderr, "ldap_parse_result: %s",
                    ldap_err2string( lderr ));
                if ( lderr == LDAP_CONNECT_ERROR ) {
                    perror( " - " );
                } else {
                    fputc( '\n', stderr );
                }
                if ( errmsg != NULL ) {
                    if ( *errmsg != '\0' ) {
                        fprintf( stderr, "Additional info: %s\n", errmsg );
                    }
                    ldap_memfree( errmsg );
                }
                if ( matcheddn != NULL ) {
                    if ( NAME_ERROR( lderr )) {
                        fprintf( stderr, "Matched DN: %s\n", matcheddn );
                    }
                    ldap_memfree( matcheddn );
                }
                if ( refs != NULL ) {
                    ldap_value_free( refs );
                }
                if ( LDAP_SUCCESS == lderr ) {
                    printf( "Authentication successful\n" );
                }
                /* the password policy controls, if any, are reported here */
                print_controls( ctrls, 1 );
                rc = 0;
            }
        } else {
            printf( "ldap_result returned %d\n", rc );
            ldap_perror( ld, "ldap_result" );
            rc = -1;
        }
    }
    ldap_unbind( ld );
    return rc;
}
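Added example, not part of this bug report or of the C SDK: a client-side decision routine for the bind outcome described in the quoted documentation, handling the LDAP_CONTROL_PWEXPIRED control, the "password expired!" diagnostic the reporter saw when no control came back, and the sibling LDAP_CONTROL_PWEXPIRING control (2.16.840.1.113730.3.4.5, not named on this page) from the same ldap.h, whose value is the seconds remaining as a decimal string. The struct and constants at the top mirror the SDK's ldap.h so the file compiles and runs without the SDK, and the control values in main are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mirrors of the C SDK's ldap.h so this compiles without the SDK; remove
 * them and #include "ldap.h" when building against it. */
#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31
#define LDAP_CONTROL_PWEXPIRED   "2.16.840.1.113730.3.4.4"
#define LDAP_CONTROL_PWEXPIRING  "2.16.840.1.113730.3.4.5"
typedef struct { unsigned long bv_len; char *bv_val; } BerValue;
typedef struct { char *ldctl_oid; BerValue ldctl_value; char ldctl_iscritical; } LDAPControl;
typedef enum { BIND_OK, BIND_EXPIRING, BIND_MUST_CHANGE_PASSWORD, BIND_FAILED } bind_state;

/* Decide what the client may do after a simple bind, from the result code, the
 * diagnostic message and the response controls.  *secs_left receives the
 * PWEXPIRING value (seconds remaining, sent as a decimal string), else -1. */
bind_state classify_bind(int lderr, const char *errmsg, LDAPControl **ctrls, long *secs_left)
{
    int i;
    *secs_left = -1;
    for (i = 0; ctrls != NULL && ctrls[i] != NULL; ++i) {
        const BerValue *bv = &ctrls[i]->ldctl_value;
        if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PWEXPIRED) == 0)
            return BIND_MUST_CHANGE_PASSWORD; /* only a password change is allowed now */
        if (strcmp(ctrls[i]->ldctl_oid, LDAP_CONTROL_PWEXPIRING) == 0) {
            char buf[32]; /* bv_val is not NUL-terminated: bound the copy */
            size_t n = bv->bv_len < sizeof buf - 1 ? bv->bv_len : sizeof buf - 1;
            memcpy(buf, bv->bv_val, n);
            buf[n] = '\0';
            *secs_left = strtol(buf, NULL, 10);
        }
    }
    if (lderr != LDAP_SUCCESS) {
        /* No control, as this bug report saw: the only hint is the message text. */
        if (errmsg != NULL && strstr(errmsg, "password expired") != NULL)
            return BIND_MUST_CHANGE_PASSWORD;
        return BIND_FAILED;
    }
    return *secs_left >= 0 ? BIND_EXPIRING : BIND_OK;
}

int main(void)
{
    /* Constructed sample: a successful bind that carries PWEXPIRING = "86400" */
    LDAPControl expiring = { LDAP_CONTROL_PWEXPIRING, { 5, "86400" }, 0 };
    LDAPControl *ctrls[] = { &expiring, NULL };
    long secs;
    bind_state st = classify_bind(LDAP_SUCCESS, NULL, ctrls, &secs);
    printf("state=%d seconds_until_expiry=%ld\n", st, secs);
    return 0;
}
```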