Anoob Backer wrote:
Hi All,
Is there any way to find out the exact error message in case of bind failure using any of the OpenLDAP calls?
What I would like to achieve by this is to know exactly why the bind failed: whether due to password expiry, account locked, account disabled, user not found, etc.
After googling a bit I found a solution:
- http://forum.java.sun.com/thread.jspa?messageID=4227692 ==> says to use
ldap_get_option() to get the error string and then parse and extract the error codes. To my understanding this is an extended error message.
Is it reliable to depend on the error messages?
Assuming you want to use OpenLDAP as DSA, if a bind fails at the server side, you'll probably just get LDAP_INVALID_CREDENTIALS, with no indication of what the failure reason was. If the bind request used the password policy control, and the ppolicy overlay is in use (see slapo-ppolicy(5) for details), the client might get a control response containing the reason for the bind failure, according to <draft-behera-ldap-password-policy>. Any other means of detecting the reason for a bind failure should not be considered.
To use the control, and to understand the control response, your client will need to use an asynchronous call, e.g. ldap_sasl_bind(3), and interpret the control response by using ldap_parse_result(3) on the message returned by ldap_result(3) to extract the controls from the response. The use of ldap_get_option(3) with LDAP_OPT_SERVER_CONTROLS is deprecated in favor of the above-mentioned API.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
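The control response Pierangelo refers to carries a BER-encoded PasswordPolicyResponseValue (draft-behera-ldap-password-policy). The decoder below is an added example, not code from the thread or from OpenLDAP: it shows how a client would turn that value into the actual failure reason once ldap_parse_result(3) has handed it the control. It decodes the DER by hand so it builds without libldap; the PP_* names, struct and sample bytes are constructed for the example.

```c
/* Decodes the PasswordPolicyResponseValue (draft-behera-ldap-password-policy) slapo-ppolicy
 * attaches to a failed bind; real clients take the bytes from the LDAPControl returned by
 * ldap_parse_result(3). Hand-rolled DER so it builds without libldap; sample is constructed. */
#include <stddef.h>
#include <stdint.h>
/* "error" values in draft order; PP_NONE = field absent */
enum { PP_NONE = -1, PP_PASSWORD_EXPIRED, PP_ACCOUNT_LOCKED, PP_CHANGE_AFTER_RESET,
       PP_MOD_NOT_ALLOWED, PP_MUST_SUPPLY_OLD, PP_INSUFFICIENT_QUALITY, PP_TOO_SHORT,
       PP_TOO_YOUNG, PP_IN_HISTORY };
struct ppolicy_resp {
    long time_before_expiration, grace_authns_remaining;  /* -1 when absent */
    int  error;                                           /* PP_* value */
};
/* Big-endian two's-complement integer of 1..sizeof(long) bytes. */
static int read_int(const uint8_t *p, size_t len, long *out)
{
    if (len == 0 || len > sizeof(long)) return -1;
    unsigned long v = (p[0] & 0x80) ? ~0UL : 0UL;          /* sign-extend */
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    *out = (long)v;
    return 0;
}
/* Short-form DER lengths only (all this control uses). Returns 0, or -1 if the encoding
 * is malformed; unknown fields are rejected rather than guessed at. */
int ppolicy_decode(const uint8_t *buf, size_t n, struct ppolicy_resp *r)
{
    r->time_before_expiration = r->grace_authns_remaining = -1; r->error = PP_NONE;
    if (n < 2 || buf[0] != 0x30 || buf[1] > 0x7f || (size_t)buf[1] + 2 != n) return -1;
    size_t i = 2;
    while (i + 2 <= n) {
        uint8_t tag = buf[i], len = buf[i + 1];
        const uint8_t *val = buf + i + 2;
        if (len > 0x7f || i + 2 + len > n) return -1;
        if (tag == 0xA0) {          /* warning [0] CHOICE: [0] timeBeforeExpiration, [1] graceAuthNsRemaining */
            if (len < 3 || val[1] > 0x7f || (size_t)val[1] + 2 != len) return -1;
            long *dst = val[0] == 0x80 ? &r->time_before_expiration
                      : val[0] == 0x81 ? &r->grace_authns_remaining : NULL;
            if (!dst || read_int(val + 2, val[1], dst) < 0) return -1;
        } else if (tag == 0x81) {   /* error [1] ENUMERATED */
            long e;
            if (read_int(val, len, &e) < 0 || e < 0 || e > PP_IN_HISTORY) return -1;
            r->error = (int)e;
        } else return -1;
        i += 2 + len;
    }
    return i == n ? 0 : -1;
}
/* Constructed sample value: error = accountLocked(1), no warning. */
const uint8_t sample_locked[] = { 0x30, 0x03, 0x81, 0x01, 0x01 };
```

With the ppolicy overlay configured, a bind rejected with LDAP_INVALID_CREDENTIALS but carrying error = accountLocked is distinguishable from a plain wrong password, which is the distinction the original question was after.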