Full_Name: María Rojo González
Version: 2.4.44
OS: CentOS Linux release 7.6.1810
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.0.110.2)
Hello,
We installed a fresh OpenLDAP server and created the following test backend:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a008278f
dn: olcDatabase={3}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /var/lib/ldap2
olcSuffix: dc=example,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW:: e1NTSEF9RnZwTERwWkFQRlhId012TnhBWXpkemY3b0JUN2tNR3M=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 238efe88-303a-1039-97b5-d1f261d139b7
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20190701105301Z
entryCSN: 20190701105301.031755Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20190701105301Z
Then we added the following constraint using ldapadd:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: constraint.la

dn: olcOverlay=constraint,olcDatabase={3}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: userPassword regex ^[^{].*
Finally, we tested some combinations of passwords and constraints (replacing the previous olcConstraintAttribute) and these are the results:
 #  Operation   Password  Constraint  Result
 1  ldapmodify  hola      ^[^{].*     err=0
 2  ldapmodify  {hola     ^[^{].*     err=19
 3  ldappasswd  hola      ^[^{].*     err=19
 4  ldappasswd  {hola     ^[^{].*     err=19
 5  ldapmodify  hola      ^[^H].*     err=0
 6  ldapmodify  Hola      ^[^H].*     err=19
 7  ldappasswd  hola      ^[^H].*     err=0
 8  ldappasswd  Hola      ^[^H].*     err=0
where the ldapmodify was executed as follows:
ldapmodify -x -D "cn=person1,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
dn: cn=person1,ou=people,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: hola
modifying entry "cn=person1,ou=people,dc=example,dc=org"
and ldappasswd was run as such:
ldappasswd -x -D "cn=person1,ou=people,dc=example,dc=org" -w pass -a pass -s hola
Result: Constraint violation (19)
The unexpected results were:
 #  Operation   Password  Constraint  Result
 3  ldappasswd  hola      ^[^{].*     err=19
 8  ldappasswd  Hola      ^[^H].*     err=0
Here is some sample output from the slapd log files:
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 fd=26 ACCEPT from IP=[::1]:33328 (IP=[::]:389)
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=0 BIND dn="cn=person1,ou=people,dc=example,dc=org" method=128
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=0 BIND dn="cn=person1,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=0 RESULT tag=97 err=0 text=
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=1 PASSMOD old new
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=1 RESULT oid= err=19 text=(#001
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=2 UNBIND
Jul  1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 fd=26 closed
Note the strange text on the RESULT. We consistently found the same error text when we executed test #3.
Do you know what may be causing this behaviour?
Thank you in advance.
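An added example, not part of the report and not OpenLDAP's own code, that models the eight tests above as a Python script. It rests on one assumption the report does not state: that slapd hashes the new password delivered by the Password Modify extended operation (what ldappasswd sends, OID 1.3.6.1.4.1.4203.1.11.1 in the log) with the configured password scheme before the constraint overlay is handed the resulting Modify, whereas a plain ldapmodify of userPassword presents the value exactly as sent. {SSHA} is used as that scheme because the olcRootPW value in the posted configuration base64-decodes to a {SSHA} hash; the test table, regexes, salt and the helper names below are constructed for this example. Under that assumption the model reproduces all eight results, including the two unexpected ones: every {SSHA} value begins with "{", so it can never satisfy ^[^{].* (test 3) and always satisfies ^[^H].* (test 8), whatever the cleartext was.

```python
import base64
import hashlib
import os
import re
from typing import Optional

# Constructed reproduction of the report's eight tests:
# (test number, client tool, new password, constraint regex).
TESTS = [
    (1, "ldapmodify", "hola", r"^[^{].*"),
    (2, "ldapmodify", "{hola", r"^[^{].*"),
    (3, "ldappasswd", "hola", r"^[^{].*"),
    (4, "ldappasswd", "{hola", r"^[^{].*"),
    (5, "ldapmodify", "hola", r"^[^H].*"),
    (6, "ldapmodify", "Hola", r"^[^H].*"),
    (7, "ldappasswd", "hola", r"^[^H].*"),
    (8, "ldappasswd", "Hola", r"^[^H].*"),
]

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password || salt) || salt).

    This is the scheme slappasswd emits by default and the one the posted
    olcRootPW decodes to. A 4-byte random salt is used unless one is supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} value (salt = trailing bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def constraint_allows(regex: str, value: str) -> bool:
    """Model of 'olcConstraintAttribute: userPassword regex <re>': the value is
    accepted iff the regex matches it (regexec semantics; '^' anchors at the start)."""
    return re.search(regex, value) is not None


def value_seen_by_overlay(tool: str, password: str) -> str:
    """Assumed attribute value that reaches the constraint overlay for each client tool.

    ldapmodify: ordinary Modify; userPassword is stored as sent (cleartext here).
    ldappasswd: Password Modify exop; ASSUMPTION modelled here is that slapd hashes
    the new password with the configured scheme ({SSHA}) and only then builds the
    internal Modify that the overlay inspects.
    """
    if tool == "ldapmodify":
        return password
    if tool == "ldappasswd":
        return ssha_hash(password)
    raise ValueError(f"unknown tool {tool!r}")


def simulate(tool: str, password: str, regex: str) -> int:
    """LDAP result code the model predicts for one test."""
    if constraint_allows(regex, value_seen_by_overlay(tool, password)):
        return LDAP_SUCCESS
    return LDAP_CONSTRAINT_VIOLATION


def run_all() -> dict:
    """Predicted result code per test number, in the report's order."""
    return {n: simulate(tool, pw, rx) for n, tool, pw, rx in TESTS}


if __name__ == "__main__":
    for (n, tool, pw, rx), code in zip(TESTS, run_all().values()):
        print(f"{n} {tool:<10} {pw:<6} {rx:<8} err={code}")
```

Running the script prints the same eight result codes as the table in the report. To check the assumption on a real server rather than in the model, read the entry's userPassword back as the rootdn after an ldappasswd run: if the stored value begins with {SSHA} (or whatever olcPasswordHash is set to), the overlay evaluated its regex against the hashed form, and a regex meant for the cleartext must be enforced before hashing (for example with a Modify of the cleartext value, as in tests 1 and 2) or written to account for the scheme prefix.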