Full_Name: Guillaume Rousse
Version: 2.4.16
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (195.83.212.136)
The current implementation of the password checker doesn't allow exact errors
returned by the external module to be returned to the client, for security
reasons. They are only available in server logs. Quoting the man page:

    If the password is unacceptable, the server will return an error to the
    client, and ppErrStr may be used to return a human-readable textual
    explanation of the error.
As it is already difficult to have strong password policies accepted by users,
making this behaviour configurable, exactly the same way the ppolicy_use_lockout
option allows the server to return more information to the client if wanted,
would be desirable.
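The following is an added example, not OpenLDAP code and not the reporter's module. It mirrors the shape of a slapo-ppolicy pwdCheckModule entry point, check_password(pPasswd, ppErrStr, pEntry), but takes an opaque pointer in place of the slapd Entry so it compiles on its own, and the minimum length, the character-class rule, the generic client text and the send_reason_to_client option are all assumptions. It shows the split the report is about: the detailed reason always goes to the server log, and only reaches the client's error text when the (hypothetical) option is on.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenLDAP code. The entry point mirrors the shape of a
 * slapo-ppolicy pwdCheckModule:
 *     int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
 * but takes an opaque pointer instead of a slapd Entry so it builds alone.
 * Return 0 to accept the password; non-zero to reject it and describe why
 * through *ppErrStr. */

#define PW_MIN_LEN 12      /* policy values are assumptions for this example */
#define PW_MIN_CLASSES 3

static char *dup_reason(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

int check_password(char *pPasswd, char **ppErrStr, void *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t len = strlen(pPasswd);
    const char *reason = NULL;
    (void)pEntry;                  /* a real module might consult the entry here */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pPasswd[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }

    if (len < PW_MIN_LEN)
        reason = "password is shorter than 12 characters";
    else if (lower + upper + digit + other < PW_MIN_CLASSES)
        reason = "password uses fewer than three character classes";

    if (reason == NULL) {
        *ppErrStr = NULL;
        return 0;
    }
    /* Caller frees. A real module must follow the overlay's allocation rule
     * for ppErrStr (see the slapo-ppolicy man page); this is an assumption. */
    *ppErrStr = dup_reason(reason);
    return 1;
}

/* What the report asks for: the detailed reason is always written to the
 * server log and is copied into the client's error text only when the
 * hypothetical send_reason_to_client option is enabled. Otherwise the client
 * sees only a generic refusal, which is the behaviour the reporter describes. */
const char *client_text(const char *pw, int send_reason_to_client)
{
    static char msg[128];
    char buf[128];
    char *err = NULL;

    snprintf(buf, sizeof buf, "%s", pw);
    if (check_password(buf, &err, NULL) == 0) {
        snprintf(msg, sizeof msg, "accepted");
    } else {
        /* server-side record: always carries the exact reason */
        fprintf(stderr, "slapd log: password check failed: %s\n", err);
        /* client-side text: generic unless the option is on (generic wording
         * is constructed for this example) */
        snprintf(msg, sizeof msg, "%s",
                 send_reason_to_client ? err
                                       : "Password fails quality checking policy");
    }
    free(err);
    return msg;
}

int main(void)
{
    const char *samples[] = { "short", "alllowercasepassword", "Correct-Horse-42" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s option off: %s\n", samples[i], client_text(samples[i], 0));
        printf("%-22s option on:  %s\n", samples[i], client_text(samples[i], 1));
    }
    return 0;
}
```

Run it and compare the two lines per sample: with the option off the client learns only that the policy rejected the password, while stderr (standing in for the slapd log) carries the exact reason in both modes.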
Hmm. Perhaps the default behavior here is overly paranoid; I think it's fair
to explain to a user why their password was rejected in a PasswordModify
request. If they've already provided the correct old password, it doesn't seem
that there's any security exposure here.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/