[Date Prev][Date Next] [Chronological] [Thread] [Top]

Password policy request control parsing

To: <openldap-software@openldap.org>
Subject: Password policy request control parsing
From: "Kyle Blaney" <kblaney@nortel.com>
Date: Fri, 13 Feb 2009 10:43:35 -0500
Content-class: urn:content-classes:message
Thread-index: AcmN8dTOpLV+CzfnTu2WGZdUJt4bqA==
Thread-topic: Password policy request control parsing

I've upgraded from OpenLDAP 2.3.43 to 2.4.13 and I'm getting a server
response that didn't occur with 2.3.43, even though my client code is
unchanged.  In particular, my server now complains that a password
policy request control with a zero-length control value is an LDAP
protocol error because the "control value is not absent".  Note that
according to section 6.1 of the password policy specification
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-09#section
-6.1), the request control has "no controlValue".

The relevant OpenLDAP code is the ppolicy_parseCtrl method of
servers/slapd/overlays/ppolicy.c.  In 2.3.43, that method has the
following check:

if ( ctrl->ldctl_value.bv_len ) {
      rs->sr_text = "passwordPolicyRequest control value not empty";
      return LDAP_PROTOCOL_ERROR;
}

In 2.4.13, the check is:

if ( !BER_BVISNULL( &ctrl->ldctl_value ) )
      rs->sr_text = "passwordPolicyRequest control value not absent";
      return LDAP_PROTOCOL_ERROR;
}

Why did this change occur?  Was OpenLDAP 2.3.43 too lenient in accepting
a control with zero length?

Kyle Blaney

Prev by Date: Re: Supplemental information regarding an recent(-ish) post to the openldap mailing list.
Next by Date: configure's --program-suffix
Index(es):
- Chronological
- Thread