mhardin@symas.com wrote:
Some clients, like Oracle SGD, incorrectly implement the password policy request control by including a zero-length control value with the request control. OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the operation with a Protocol Error (2). While this behavior follows the letter of RFC 4511, the control value in this case is zero-length and therefore harmless. Failing in this case seems merely punctilious, and has no real benefit. For reference, OpenLDAP 2.3 allowed a zero-length control value.
For the very same reason I've added a work-around in upcoming python-ldap 2.4.11 to handle non-decodable control response values as being absent in case the CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid zero-length value in the password policy response control.)
I'd appreciate discussing a bit further whether that's the right approach. Maybe we should take this to the ietf-ldapbis mailing list as an interop issue?
Occasionally, we handled malformed or non-standard control values (I recall something about the many versions of the proxiedAuthz control). Our usual policy was to be "tolerant" about what comes in, possibly by requiring an explicit configuration statement to enable "tolerance" (usually, an admin knows when his system works in a broken environment, and wants to be able to decide whether being tolerant or not). So I favour allowing the administrator to explicitly enable tolerance with respect to malformed controls (my 2c).
p.
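To make the two sides of this thread concrete, here is an added, self-contained example (it is not code from OpenLDAP, python-ldap or any poster in this thread). It decodes an LDAP Control (RFC 4511, section 4.1.11) from BER, distinguishes an absent controlValue from an explicitly encoded zero-length OCTET STRING, and then applies the server-side policy discussed above: reject the zero-length value with protocolError (2) by default, or accept it when an administrator has turned on a tolerance switch and the control is not critical. It also sketches the client-side counterpart, treating a non-decodable response value as absent only when the control is non-critical. The names `check_ppolicy_request`, `decode_response_value` and the `tolerate_empty_value` flag are hypothetical; the sample controls are constructed inline with a minimal BER encoder.

```python
"""Decode an LDAP Control from BER and apply a configurable tolerance policy
to a zero-length controlValue (added example, not project code).

Control ::= SEQUENCE {
    controlType  LDAPOID,              -- OCTET STRING holding a dotted OID
    criticality  BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }
"""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # password policy request/response control
PROTOCOL_ERROR = 2                          # LDAP resultCode protocolError


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos:]; return (tag, value, next_pos).
    Supports short and long-form definite lengths, which is all LDAP uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = bytes(buf[pos:pos + length])
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def decode_control(raw):
    """Return (oid, criticality, value); value is None when the OPTIONAL
    controlValue is absent and b"" when an empty OCTET STRING was encoded."""
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("Control is not a single SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    criticality, value = False, None
    if pos < len(body):
        tag, elem, pos = _read_tlv(body, pos)
        if tag == 0x01:                     # explicit BOOLEAN (BER allows encoding the default)
            criticality = elem != b"\x00"
            if pos < len(body):
                tag, elem, pos = _read_tlv(body, pos)
                if tag != 0x04:
                    raise ValueError("controlValue must be an OCTET STRING")
                value = elem
        elif tag == 0x04:
            value = elem
        else:
            raise ValueError("unexpected element in Control")
    if pos != len(body):
        raise ValueError("trailing data in Control")
    return oid_bytes.decode("ascii"), criticality, value


def check_ppolicy_request(raw, tolerate_empty_value=False):
    """Server side. Returns (resultCode, message): 0 = success, 2 = protocolError.
    `tolerate_empty_value` stands in for the admin-enabled switch proposed above."""
    oid, critical, value = decode_control(raw)
    if oid != PPOLICY_OID:
        return 0, "not a password policy control"
    if value is None:
        return 0, "control value absent, as the specification requires"
    if len(value) == 0 and tolerate_empty_value and not critical:
        return 0, "zero-length control value tolerated by configuration"
    return PROTOCOL_ERROR, "passwordPolicyRequest control value not absent"


def decode_ppolicy_response(value):
    """Minimal check that a response value is a BER SEQUENCE; the full
    PasswordPolicyResponseValue grammar is deliberately not modelled here."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("passwordPolicyResponse value is not a SEQUENCE")
    return body


def decode_response_value(value, criticality, decoder):
    """Client side: decode a response control value; if that fails (for example
    because the server sent a zero-length value) and the control is not
    critical, treat the value as absent instead of failing the operation."""
    try:
        return decoder(value)
    except ValueError:
        if criticality:
            raise
        return None


def encode_control(oid, criticality=None, value=None):
    """Tiny BER encoder for building test controls (short-form lengths only)."""
    def tlv(tag, content):
        return bytes([tag, len(content)]) + content
    body = tlv(0x04, oid.encode("ascii"))
    if criticality is not None:
        body += tlv(0x01, b"\xff" if criticality else b"\x00")
    if value is not None:
        body += tlv(0x04, value)
    return tlv(0x30, body)


# Constructed sample controls (not captured traffic).
CONFORMANT = encode_control(PPOLICY_OID)                        # no controlValue at all
SGD_STYLE = encode_control(PPOLICY_OID, value=b"")              # explicit zero-length value
CRITICAL_EMPTY = encode_control(PPOLICY_OID, criticality=True, value=b"")

if __name__ == "__main__":
    for name, ctl in [("conformant", CONFORMANT), ("zero-length", SGD_STYLE)]:
        print(name, check_ppolicy_request(ctl), check_ppolicy_request(ctl, tolerate_empty_value=True))
```

Note that the tolerance is keyed on both the configuration switch and the criticality bit: a client that marks the control critical is asking the server to refuse the operation rather than guess, so even a tolerant server still returns protocolError for `CRITICAL_EMPTY`.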