
Re: password-policy configuration problems: cannot change passwords



On Friday, 23 December 2011 09:59:00 Chris Jacobs wrote:
> If that's true, would there be any way to change the error text? Perhaps
> "Password policy overlay only allows one password value in dn - more than
> one found". If there's a clear reason for an error, I think the added text
> would be valuable to an administrator.

Sure:

$ grep -r 'Password policy only allows one password value' openldap-2.4.28
openldap-2.4.28/servers/slapd/overlays/ppolicy.c:    send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, "Password policy only allows one password value" );
openldap-2.4.28/servers/slapd/overlays/ppolicy.c:    rs->sr_text = "Password policy only allows one password value";

Note that there are two cases that have the same error text:
1) Multiple values for userPassword exist in the entry in the directory
2) An add is being performed with two values for userPassword in the entry being added

However, for English speakers who are marginally familiar with OpenLDAP, 
surely the existing error message is enough to point the user to look at:
- the LDIF they are adding
- the entry they are modifying
?

Maybe the issue is that error messages need to be internationalised and 
localised (but, how do you determine the locale to use when providing error 
messages over the wire?).

Regards,
Buchan
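
Added example, not part of the original message and not OpenLDAP code: a check that scans LDIF (an export of existing entries, or a file about to be added) for entries carrying more than one userPassword value, the condition behind both cases of the error text above. The sample LDIF and the function names are constructed for illustration.

```python
import re

# Constructed sample LDIF: alice has two userPassword values (one folded
# across lines, one in base64 "::" form); bob has exactly one.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword: {SSHA}AAAAAAAAAAAAAAAA
 AAAAAAAA
userPassword:: c2VjcmV0

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
USERPASSWORD;x-opt: {SSHA}BBBBBBBBBBBBBBBBBBBBBBBB
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    return re.sub(r"\r?\n ", "", text)


def count_user_passwords(ldif_text):
    """Return {dn: number of userPassword values} for every entry."""
    counts = {}
    for record in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        dn, n = None, 0
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            head, value = line.split(":", 1)
            # Attribute names are case-insensitive and may carry ;options.
            name = head.split(";")[0].strip().lower()
            if name == "dn":
                dn = value.lstrip(":").strip()  # a base64 dn is kept as-is
            elif name == "userpassword":
                n += 1
        if dn is not None:  # skips the "version: 1" header record
            counts[dn] = n
    return counts


def offending_entries(ldif_text):
    """DNs with more than one userPassword value."""
    counts = count_user_passwords(ldif_text)
    return sorted(dn for dn, n in counts.items() if n > 1)
```
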