Closed Bug 1409 Opened 26 years ago Closed 26 years ago

LDAP API does not return correct Password Policy controls

Categories

(Directory :: LDAP C SDK, defect, P2)

Sun
Solaris

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: tcozzolino, Assigned: chuckb)

Details

In http://developer1.netscape.com:80/docs/manuals/dirsdk/csdk30/controls.htm, the following is stated: "The Netscape Directory Server 3.0 and later versions use two server response controls to send information back to a client after an LDAP bind operation: The control with the OID 2.16.840.1.113730.3.4.4 (or LDAP_CONTROL_PWEXPIRED, as defined in the ldap.h header file) is the expired password control. This control is used if the server is configured to require users to change their passwords when first logging in and whenever the passwords are reset. If the user is logging in for the first time or if the user's password has been reset, the server sends this control to indicate that the client needs to change the password immediately. At this point, the only operation that the client can perform is to change the user's password. If the client requests any other LDAP operation, the server sends back an LDAP_UNWILLING_TO_PERFORM result code with an expired password control." --- We find, however, that instead, when trying to bind as a user whose password is expired, the ldap_parse_result function returns a "password expired!" message in the errmsgp parameter. The control referenced above is not returned. The bind operation fails.
Assignee: bogus → chuckb
Status: NEW → ASSIGNED
There are some server configurations which need to be set before the password policy is fully activated. Do you have these set? If you don't want to post server config here, please mail me (chuckb@netscape.com) directly. I have a testcase in the QA test suite. I will investigate this more.
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → WORKSFORME
Just a thought.... I ran a bunch of tests using the test code below. In your tests, did you remember to set the ldap version to 3.0? The C SDK defaults to LDAP V2.

------------------- code -----------

/*
 * Copyright (c) 1998. Netscape Communications Corporation. All
 * rights reserved.
 *
 * Attempt to bind to the directory, and report back any controls received.
 */
#include <stdio.h>
#include <stdlib.h>     /* atoi */
#include <string.h>     /* memcpy */
#include "ldap.h"

static void
doUsage()
{
    printf( "Usage: ppolicy HOST PORT DN PASSWORD\n" );
}

/*
 * Print every control in the NULL-terminated array. A control value is a
 * counted byte string (bv_val/bv_len), not a NUL-terminated C string, so it
 * is copied into a bounded buffer and terminated before printing.
 */
static void
print_controls( LDAPControl **ctrls, int freeit )
{
    int     i;
    char    buf[256];
    size_t  len;

    if ( ctrls == NULL ) {
        printf( "No controls returned\n" );
        return;
    }
    fprintf( stderr, "Controls:\n" );
    for ( i = 0; ctrls[ i ] != NULL; ++i ) {
        if ( i > 0 ) {
            fputs( "\t-----------\n", stderr );
        }
        fprintf( stderr, "\toid: %s\n", ctrls[ i ]->ldctl_oid );
        fprintf( stderr, "\tcritical: %s\n",
            ctrls[ i ]->ldctl_iscritical ? "YES" : "NO" );
        fputs( "\tvalue:\n", stderr );
        len = ctrls[ i ]->ldctl_value.bv_len;
        if ( len > sizeof( buf ) - 1 ) {
            len = sizeof( buf ) - 1;    /* truncate rather than overrun buf */
        }
        memcpy( buf, ctrls[ i ]->ldctl_value.bv_val, len );
        buf[ len ] = 0;
        printf( "%s\n", buf );
    }
    if ( freeit ) {
        ldap_controls_free( ctrls );
    }
}

int
main( int argc, char **argv )
{
    LDAP            *ld;
    char            *dn;
    char            *password;
    char            *host;
    int             port;
    int             rc = 0;
    int             version;
    int             msgid;
    LDAPMessage     *result;
    LDAPControl     **ctrls;
    int             lderr;
    char            *matcheddn, *errmsg, **refs;

    if ( argc < 5 ) {
        doUsage();
        return( 1 );
    }
    host = argv[1];
    port = atoi( argv[2] );
    dn = argv[3];
    password = argv[4];

    /* get a handle to an LDAP connection */
    if ( (ld = ldap_init( host, port )) == NULL ) {
        perror( "ldap_init" );
        return( 1 );
    }

    /* the SDK defaults to LDAPv2; the server only sends response controls
     * to an LDAPv3 client */
    version = LDAP_VERSION3;
    if ( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version )
        != LDAP_SUCCESS ) {
        perror( "ldap_set_option" );
    }

    /* authenticate to the directory (the parentheses around the assignment
     * matter: without them msgid receives the result of the "< 0" test) */
    if ( (msgid = ldap_simple_bind( ld, dn, password )) < 0 ) {
        ldap_perror( ld, "ldap_simple_bind" );
        rc = -1;
    } else {
        rc = ldap_result( ld, msgid, 0, (struct timeval *)NULL, &result );
        if ( rc == LDAP_RES_BIND ) {
            if ( ldap_parse_result( ld, result, &lderr, &matcheddn, &errmsg,
                &refs, &ctrls, 0 ) != LDAP_SUCCESS ) {
                ldap_perror( ld, "ldap_parse_result" );
                rc = -1;
            } else {
                fprintf( stderr, "ldap_parse_result: %s",
                    ldap_err2string( lderr ));
                if ( lderr == LDAP_CONNECT_ERROR ) {
                    perror( " - " );
                } else {
                    fputc( '\n', stderr );
                }
                if ( errmsg != NULL ) {
                    if ( *errmsg != '\0' ) {
                        fprintf( stderr, "Additional info: %s\n", errmsg );
                    }
                    ldap_memfree( errmsg );
                }
                if ( matcheddn != NULL ) {
                    if ( NAME_ERROR( lderr )) {
                        fprintf( stderr, "Matched DN: %s\n", matcheddn );
                    }
                    ldap_memfree( matcheddn );
                }
                if ( refs != NULL ) {
                    ldap_value_free( refs );
                }
                if ( LDAP_SUCCESS == lderr ) {
                    printf( "Authentication successful\n" );
                }
                /* the password policy controls, if any, arrive here */
                print_controls( ctrls, 1 );
                rc = 0;
            }
            ldap_msgfree( result );
        } else {
            printf( "ldap_result returned %d\n", rc );
            ldap_perror( ld, "ldap_result" );
            rc = -1;
        }
    }
    ldap_unbind( ld );
    return rc;
}
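As an added example (not code from this bug, the reporter, or the LDAP C SDK), the following shows what a client should do with the controls once it receives them: walk the array that ldap_parse_result hands back, recognise the expired-password control by its OID, and read the seconds-until-expiry figure from the companion expiring-password control. It is written to build without the SDK, so it declares a local struct with the same member names as LDAPControl and struct berval from ldap.h. The LDAP_CONTROL_PWEXPIRING OID (2.16.840.1.113730.3.4.5) and the fact that its value is a decimal number of seconds come from the SDK header and documentation, not from this bug page, and the sample controls at the bottom are constructed, not captured from a server.

```c
/* Added example, not code from the bug or the LDAP C SDK: classify the
 * password-policy response controls returned with a bind result. A local
 * struct mirrors LDAPControl / struct berval from ldap.h so this builds
 * without the SDK; with the SDK the functions work unchanged on the ctrls
 * array that ldap_parse_result fills in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_OID_EXPIRED  "2.16.840.1.113730.3.4.4"  /* LDAP_CONTROL_PWEXPIRED  */
#define PW_OID_EXPIRING "2.16.840.1.113730.3.4.5"  /* LDAP_CONTROL_PWEXPIRING, from ldap.h */

struct pw_berval { unsigned long bv_len; char *bv_val; };  /* mirrors struct berval */
typedef struct {                                             /* mirrors LDAPControl   */
    char             *ldctl_oid;
    struct pw_berval  ldctl_value;
    char              ldctl_iscritical;
} pw_control;

enum pw_state { PW_OK = 0, PW_EXPIRING = 1, PW_EXPIRED = 2 };

/* Copy a control value into a NUL-terminated buffer. bv_val is a counted
 * byte string of bv_len bytes: it is neither NUL-terminated nor bounded by
 * the caller's buffer, so clamp before copying.
 * Returns 1 when the value had to be truncated, else 0. */
static int copy_value(const struct pw_berval *bv, char *out, size_t outsz)
{
    size_t n = bv->bv_len;
    if (outsz == 0) return 1;
    if (n > outsz - 1) n = outsz - 1;
    if (n > 0) memcpy(out, bv->bv_val, n);
    out[n] = '\0';
    return (bv->bv_len > outsz - 1) ? 1 : 0;
}

/* Walk the NULL-terminated control array and return the most urgent state.
 * The expiring control carries the seconds until expiry as a decimal string;
 * it is stored in *secs_left (-1 when no such control is present). */
static enum pw_state classify_pw_controls(pw_control **ctrls, long *secs_left)
{
    enum pw_state st = PW_OK;
    char buf[32];
    int i;

    *secs_left = -1;
    if (ctrls == NULL) return PW_OK;          /* e.g. an LDAPv2 bind: no controls at all */
    for (i = 0; ctrls[i] != NULL; ++i) {
        if (strcmp(ctrls[i]->ldctl_oid, PW_OID_EXPIRED) == 0) {
            st = PW_EXPIRED;                   /* only a password change is allowed now */
        } else if (strcmp(ctrls[i]->ldctl_oid, PW_OID_EXPIRING) == 0) {
            copy_value(&ctrls[i]->ldctl_value, buf, sizeof buf);
            *secs_left = strtol(buf, NULL, 10);
            if (st == PW_OK) st = PW_EXPIRING;
        }
    }
    return st;
}

/* Convenience wrappers returning one value each. */
static int pw_state_of(pw_control **ctrls)
{
    long unused;
    return (int)classify_pw_controls(ctrls, &unused);
}

static long expiring_seconds(pw_control **ctrls)
{
    long s;
    (void)classify_pw_controls(ctrls, &s);
    return s;
}

/* Constructed sample controls (not captured from a server). The expiring
 * value deliberately sits in a longer buffer: only bv_len bytes belong to it. */
static char sample_val[] = "604800garbage";
static pw_control ctl_expiring = { (char *)PW_OID_EXPIRING, { 6, sample_val }, 0 };
static pw_control ctl_expired  = { (char *)PW_OID_EXPIRED,  { 0, NULL }, 0 };
static pw_control *sample_expiring[] = { &ctl_expiring, NULL };
static pw_control *sample_expired[]  = { &ctl_expired, &ctl_expiring, NULL };
static pw_control *sample_none[]     = { NULL };

int main(void)
{
    long secs;
    switch (classify_pw_controls(sample_expired, &secs)) {
    case PW_EXPIRED:  puts("password expired: the client must change it now"); break;
    case PW_EXPIRING: printf("password expires in %ld seconds\n", secs); break;
    default:          puts("no password-policy controls returned");
    }
    return 0;
}
```

In a real client the call would be classify_pw_controls(ctrls, &secs) right after ldap_parse_result; an empty result with LDAPv3 set means the server is not configured to send the policy controls, while with the SDK's default LDAPv2 the array is always empty, which is the first thing to rule out when the controls seem to be missing.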