[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4596) Password policy control cannot be critical

Full_Name: Tony Murphy
Version: 2.3.20
OS: Centos 4.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


> My custom client provides request controls, setting the password 
> policy control to be critical, i.e. must be supported by the server. 
> However setting password policy control to be critical is not allowed
> by current versions of openldap
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
> => get_ctrls
> ber_scanf fmt ({m) ber:
> ber_scanf fmt (b) ber:
> => get_ctrls: oid="" (critical) <= get_ctrls: 
> n=1 rc=2 err="passwordPolicyRequest control invalid criticality"
> send_ldap_result: conn=2 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=2
> ber_flush: 63 bytes to sd 14
> do_bind: get_ctrls failed
> connection_get(14): got connid=2
> connection_read(14): checking for input on id=2 ber_get_next TLS 
> trace: SSL3 alert read:warning:close notify

There's been a change in the draft; earlier versions didn't allow this control
to be Critical. The current code rejects requests with the control marked
critical, which is the error message you're seeing below. 
The current draft allows the control to be marked critical, so I guess we need
to remove this error check.