[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password policy messages - how can I pass back

To: Clément OUDOT <clement.oudot@worteks.com>
Subject: Re: Password policy messages - how can I pass back
From: Ervin Hegedüs <airween@gmail.com>
Date: Fri, 12 Oct 2018 17:32:13 +0200
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=FbMn0Pj3V9k83cteqkwzOgZq9Dg++1bGHiZoe572VzE=; b=BVusdOxjOZ1YkbPfG/1fCTvwOBrXpioaxjdfkBcdOqGy4coYkOCcCTCgb9Z1hJfcuK bDxcoiiKHW8ylTbM3RgQ/aaPGIlIWKTTWgGKOJGjmLQMLvkUdfcH8A4gDMFkhBscE8KY s5yNn8VmmtM7SxcuYMF1wPelvrLOL4b2zImY3pxblHCRDrChhQzlYwyC0NcR4F9NZg2x elv9Ez6Fih6dvl4mPqNqGUFfV5Vc+FsR8cWyHkTfOn7em9yiCa4hjuNsgdD+6JuLlpfG M3DojREMDFSho0fQpENyQHCMzIhUmQUUbKYXMx83GB4oz1m7vDWTBaGwBZ2PD44du648 r88w==
In-reply-to: <8825489d-e259-7288-0bd7-0c77a0470844@worteks.com>
References: <20181010181610.GA17760@arxnet.hu> <8825489d-e259-7288-0bd7-0c77a0470844@worteks.com>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi all,

On Thu, Oct 11, 2018 at 09:12:56AM +0200, Clément OUDOT wrote:
> 
> Le 10/10/2018 à 20:16, Ervin Hegedüs a écrit :
> > I mean:
> >
> > # /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D "UID="dminuser,dc=hu" -s "abcdefghijkl" "uid=airween,ou=Users,dc=hu" 
> > Result: Constraint violation (19)
> >
> 
> With LDAP clients like ldappasswd, you need to send the ppolicy client
> control with "-e ppolcy"

it works:
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQg=
ppolicy: error=8 (New password is in list of old passwords)

> > Note, that in PHP side I'm using:
> >
> > ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
> >
> > and $_err variable is empty.
> 
> 
> This should be possible in PHP 7.3, see
> https://bugs.php.net/bug.php?id=69437

could anybody helps me, how can I catch the correct and accurate
error message?

if (PHP_VERSION_ID >= 70300) {
    $ctrl1 = array('oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST, 'value' => NULL, 'iscritical' => 0);
    $src = ldap_set_option($this->ldapconn, LDAP_OPT_SERVER_CONTROLS, array($ctrl1));
    $option = (LDAP_OPT_DIAGNOSTIC_MESSAGE | LDAP_OPT_ERROR_STRING); 
}
else {
    $option = LDAP_OPT_DIAGNOSTIC_MESSAGE;
}
ldap_get_option($this->ldapconn, $option, $_err);

but the $_err is a string:

string(49) "Password is not being changed from existing value"

There isn't the ppolicy error.

I've tried with values in ldap_set_option $ctrl:
value => 0, value => 0, iscritical => 1, and combinations of
these.



a.

Follow-Ups:
- Re: Password policy messages - how can I pass back
  - From: Ervin Hegedüs <airween@gmail.com>

References:
- Password policy messages - how can I pass back
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Password policy messages - how can I pass back
  - From: Clément OUDOT <clement.oudot@worteks.com>

Prev by Date: Re: How to add a new schema on N-way multi-master with legacy config
Next by Date: Re: Password policy messages - how can I pass back
Index(es):
- Chronological
- Thread