
List:       pamldap
Subject:    Re: [pamldap] ppolicy decoding error
From:       Andreas Hasenack <ahasenack () terra ! com ! br>
Date:       2006-04-25 18:57:37
Message-ID: 20060425185737.GE8039 () mandriva ! com

On Fri, Apr 21, 2006 at 03:58:05PM -0700, Howard Chu wrote:
> Andreas wrote:
> >I'm testing pam_ldap-180 with openldap-2.3.19's password policy overlay.
> >I set a user account with a policy that mandates a password change
> >using pwdReset and pwdMustChange. pam_ldap is having trouble decoding
> >this. I get:
> >
> >pam_ldap: error trying to bind as user 
> >"uid=carlos,ou=Pessoas,dc=exemplo,dc=com,dc=br" (Decoding error)
> >
> >I added a debug statement to _get_password_policy_response_value() and I
> >see that the tag value is 161, and not 160 or 129 as the code expects.
> >
> >Sniffing the wire (ethereal), I get this as the "control value" in the
> >server's response: 30 03 A1 01 02 00 00
> 
> It looks like OpenLDAP is generating the control value incorrectly. I've 
> just patched this in libldap and slapd/overlays in CVS HEAD.

Works much better now, thanks. For example:

[fulano@cc ~]$ passwd
Changing password for user fulano.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Password fails quality checking policy
passwd: Permission denied
[fulano@cc ~]$

Only that error message is a bit misleading, I'll test further with
other scenarios.
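
Added example, not part of the original message and not pam_ldap's or OpenLDAP's code: a bounds-checked decoder for the control value discussed in this thread, which accepts only the tags 160 and 129 the client expects and reports the 161 seen on the wire. The names (`pp_decode`, `read_tl`, `struct pp_resp`) are hypothetical, `wire_fixed` is a constructed re-encoding, and only short-form BER lengths are handled.

```c
#include <stddef.h>
#include <stdio.h>

enum { PP_OK = 0, PP_TRUNCATED = -1, PP_BAD_TAG = -2, PP_BAD_LEN = -3 };
struct pp_resp { int has_warning, has_error, error; unsigned char bad_tag; };

/* Constructed inputs: the control value quoted in the thread, and the same
 * payload re-tagged with the 129 (0x81) the client expects for an error. */
static const unsigned char wire_seen[]  = {0x30, 0x03, 0xA1, 0x01, 0x02, 0x00, 0x00};
static const unsigned char wire_fixed[] = {0x30, 0x03, 0x81, 0x01, 0x02};

/* Read one tag and short-form length at buf[*pos]; never read past end. */
static int read_tl(const unsigned char *buf, size_t end, size_t *pos,
                   unsigned char *tag, size_t *len)
{
    if (end - *pos < 2) return PP_TRUNCATED;
    *tag = buf[(*pos)++];
    *len = buf[(*pos)++];
    if (*len & 0x80) return PP_BAD_LEN;       /* long form: out of scope here */
    return *len > end - *pos ? PP_TRUNCATED : PP_OK;
}

/* Decode the outer SEQUENCE; bytes after its declared length are ignored. */
static int pp_decode(const unsigned char *buf, size_t n, struct pp_resp *r)
{
    unsigned char tag = 0;
    size_t pos = 0, len = 0, end;
    int rc;
    r->has_warning = r->has_error = r->error = 0; r->bad_tag = 0;
    if ((rc = read_tl(buf, n, &pos, &tag, &len)) != PP_OK) return rc;
    if (tag != 0x30) { r->bad_tag = tag; return PP_BAD_TAG; }
    for (end = pos + len; pos < end; pos += len) {
        if ((rc = read_tl(buf, end, &pos, &tag, &len)) != PP_OK) return rc;
        if (tag == 0x81 && len == 1) {        /* 129: error, one-byte value */
            r->has_error = 1; r->error = buf[pos];
        } else if (tag == 0xA0) {             /* 160: warning, content skipped */
            r->has_warning = 1;
        } else {                              /* e.g. 161 (0xA1) from the thread */
            r->bad_tag = tag; return PP_BAD_TAG;
        }
    }
    return PP_OK;
}

int main(void)
{
    struct pp_resp r;
    printf("seen:  rc=%d\n", pp_decode(wire_seen, sizeof wire_seen, &r));
    printf("fixed: rc=%d\n", pp_decode(wire_fixed, sizeof wire_fixed, &r));
    return 0;
}
```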
