Full_Name: Matthew Hardin Version: 2.4.32 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (69.43.206.100) Some clients, like Oracle SGD, incorrectly implement the password policy request control by including a zero-length control value with the request control. OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the operation with a Protocol Error (2). While this behavior follows the letter of RFC 4511, the control value in this case is zero-length and therefore harmless. Failing in this case seems merely punctilious, and has no real benefit. For reference, OpenLDAP 2.3 allowed a zero-length control value. While I don't believe it's acceptable for clients to present malformed controls, I do think it's sufficient, at least in this case, to log a warning and continue processing the request. For reference, the BER dump below shows the bind request containing the incorrectly-formatted password policy request control as well as the various stages of parsing. The request in this case comes from Oracle SGD 4.62.913. ber_get_next: tag 0x30 len 89 contents: ber_dump: buf=101fd8f00 ptr=101fd8f00 end=101fd8f59 len=89 0000: 02 01 01 60 33 02 01 03 04 27 63 6e 3d 70 70 6f ...`3....'cn=ppo 0010: 6c 69 63 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 licytst,ou=Polic 0020: 69 65 73 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f ies,dc=vso,dc=co 0030: 6d 80 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e m..aaaaa..0...1. 0040: 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 3.6.1.4.1.42.2.2 0050: 37 2e 38 2e 35 2e 31 04 00 7.8.5.1.. 502a936b op tag 0x60, time 1344967531 ber_get_next 502a936b conn=1001 op=0 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=101fd8f00 ptr=101fd8f03 end=101fd8f59 len=86 0000: 60 33 02 01 03 04 27 63 6e 3d 70 70 6f 6c 69 63 `3....'cn=ppolic 0010: 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 69 65 73 ytst,ou=Policies 0020: 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f 6d 80 05 ,dc=vso,dc=com.. 0030: 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 2e 36 aaaaa..0...1.3.6 0040: 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 38 .1.4.1.42.2.27.8 0050: 2e 35 2e 31 04 00 .5.1.. ber_scanf fmt (m}) ber: ber_dump: buf=101fd8f00 ptr=101fd8f31 end=101fd8f59 len=40 0000: 00 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 ..aaaaa..0...1.3 0010: 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 .6.1.4.1.42.2.27 0020: 2e 38 2e 35 2e 31 04 00 .8.5.1.. 502a936b => get_ctrls ber_scanf fmt ({m) ber: ber_dump: buf=101fd8f00 ptr=101fd8f3a end=101fd8f59 len=31 0000: 30 1d 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 0...1.3.6.1.4.1. 0010: 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 04 00 42.2.27.8.5.1.. ber_scanf fmt (m) ber: ber_dump: buf=101fd8f00 ptr=101fd8f57 end=101fd8f59 len=2 0000: 00 00 .. 502a936b => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical) 502a936b <= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control value not absent" 502a936b send_ldap_result: conn=1001 op=0 p=3 502a936b send_ldap_response: msgid=1 tag=97 err=2 As an aside, the error text left me scratching my head and reading the source code to figure out what was meant. Each of the other request control handlers that doesn't require/allow a control value has a similar message. Could we change these messages to: {Warning|Error}: Spurious <control name here> control value found in request. Comments?
mhardin@symas.com wrote: > Some clients, like Oracle SGD, incorrectly implement the password policy request > control by including a zero-length control value with the request control. > OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the > operation with a Protocol Error (2). While this behavior follows the letter of > RFC 4511, the control value in this case is zero-length and therefore harmless. > Failing in this case seems merely punctilious, and has no real benefit. For > reference, OpenLDAP 2.3 allowed a zero-length control value. For the very same reason I've added a work-around in upcoming python-ldap 2.4.11 to handle non-decodable control response values as being absent in case CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid zero-length value in password policy response control.) I'd appreciate to discuss a bit further whether that's the right approach. Maybe we should take this to ietf-ldapbis mailing list as interop issue? Ciao, Michael.
> mhardin@symas.com wrote: >> Some clients, like Oracle SGD, incorrectly implement the password polic= > y request >> control by including a zero-length control value with the request contr= > ol. >> OpenLDAP reports "passwordPolicyRequest control value not absent" and f= > ails the >> operation with a Protocol Error (2). While this behavior follows the le= > tter of >> RFC 4511, the control value in this case is zero-length and therefore h= > armless. >> Failing in this case seems merely punctilious, and has no real benefit.= > For >> reference, OpenLDAP 2.3 allowed a zero-length control value. > > For the very same reason I've added a work-around in upcoming python-ldap= > > 2.4.11 to handle non-decodable control response values as being absent in= > case > CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid > zero-length value in password policy response control.) > > I'd appreciate to discuss a bit further whether that's the right approach= > =2E > Maybe we should take this to ietf-ldapbis mailing list as interop issue? Occasionally, we handled malformed or non-standard control values (I recall something about the many versions of the proxiedAuthz control). Our usual policy was to be "tolerant" about what comes in, possibly by requiring an explicit configuration statement to enable "tolerance" (usually, an admin knows when his system works in a broken environment, and wants to be able to decide whether being tolerant or not). So I favour allowing the administrator to explicitly enable tolerance with respect to malformed controls (my 2c). p.
moved from Incoming to Software Bugs
ppolicy following the spec, no real complaints for 8 years.