I've upgraded from OpenLDAP 2.3.43 to 2.4.13 and I'm getting a server response that didn't occur with 2.3.43, even though my client code is unchanged. In particular, my server now complains that a password policy request control with a zero-length control value is an LDAP protocol error because the "control value is not absent". Note that according to section 6.1 of the password policy specification (http://tools.ietf.org/html/draft-behera-ldap-password-policy-09#section-6.1), the request control has "no controlValue".
The relevant OpenLDAP code is the ppolicy_parseCtrl method of servers/slapd/overlays/ppolicy.c. In 2.3.43, that method has the following check:
    if ( ctrl->ldctl_value.bv_len ) {
        rs->sr_text = "passwordPolicyRequest control value not empty";
        return LDAP_PROTOCOL_ERROR;
    }
In 2.4.13, the check is:
    if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
        rs->sr_text = "passwordPolicyRequest control value not absent";
        return LDAP_PROTOCOL_ERROR;
    }
Why did this change occur? Was OpenLDAP 2.3.43 too lenient in accepting a control with zero length?
Kyle Blaney
openldap-software@openldap.org
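The difference between the two checks comes down to what the client actually puts on the wire. An LDAP Control is a SEQUENCE whose controlValue is an OPTIONAL OCTET STRING (RFC 4511 section 4.1.11): a client can either omit the element entirely, or send a present OCTET STRING of length zero (the bytes 04 00). The 2.3.43 test only looks at bv_len, so both forms pass; the 2.4.13 test looks at whether a value element was decoded at all, so only the truly absent form passes, which is what the draft's "no controlValue" wording requires. The program below is an added example, not code from the post or from OpenLDAP: it uses small stand-ins for struct berval and BER_BVISNULL, a minimal DER decoder for a short-form Control (an assumption, not libldap's decoder), the real passwordPolicyRequest OID, and constructed control bytes, and runs each form through both versions of the check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for OpenLDAP's struct berval and the BER_BVISNULL macro (assumed shape). */
struct berval { size_t bv_len; char *bv_val; };
#define BER_BVISNULL(bv) ((bv)->bv_val == NULL)

#define LDAP_SUCCESS        0
#define LDAP_PROTOCOL_ERROR 2
#define PPOLICY_OID "1.3.6.1.4.1.42.2.27.8.5.1"   /* passwordPolicyRequest control OID */

/* Build a DER Control: SEQUENCE { controlType OCTET STRING, controlValue OCTET STRING OPTIONAL }.
   present == 0 omits controlValue; present != 0 emits it, even when vlen == 0 (04 00).
   Short-form lengths only (total body < 128 bytes). Returns bytes written. */
size_t build_control(const char *oid, int present, const unsigned char *val, size_t vlen, unsigned char *out)
{
    size_t olen = strlen(oid), body = 2 + olen + (present ? 2 + vlen : 0), pos = 0;
    out[pos++] = 0x30; out[pos++] = (unsigned char)body;
    out[pos++] = 0x04; out[pos++] = (unsigned char)olen;
    memcpy(out + pos, oid, olen); pos += olen;
    if (present) {
        out[pos++] = 0x04; out[pos++] = (unsigned char)vlen;
        if (vlen) memcpy(out + pos, val, vlen);
        pos += vlen;
    }
    return pos;
}

/* Decode a short-form DER Control into an OID string and a berval. The berval is left
   NULL when controlValue is absent, and non-NULL with bv_len == 0 when it is present but
   empty; that is exactly the distinction the two server checks disagree on.
   Returns 0 on success, -1 on malformed input. */
int parse_control(const unsigned char *buf, size_t len, char *oid, size_t oidsz, struct berval *value)
{
    size_t pos, end, l;
    value->bv_val = NULL; value->bv_len = 0;
    if (len < 2 || buf[0] != 0x30 || buf[1] > 127 || (size_t)buf[1] + 2 != len) return -1;
    pos = 2; end = len;
    /* controlType */
    if (pos + 2 > end || buf[pos] != 0x04) return -1;
    l = buf[pos + 1]; pos += 2;
    if (l > 127 || pos + l > end || l + 1 > oidsz) return -1;
    memcpy(oid, buf + pos, l); oid[l] = '\0'; pos += l;
    /* optional criticality BOOLEAN (skipped if present) */
    if (pos < end && buf[pos] == 0x01) {
        if (pos + 3 > end || buf[pos + 1] != 1) return -1;
        pos += 3;
    }
    /* optional controlValue: a present element, even a zero-length one, yields a non-NULL bv_val */
    if (pos < end) {
        if (buf[pos] != 0x04 || pos + 2 > end) return -1;
        l = buf[pos + 1]; pos += 2;
        if (l > 127 || pos + l > end) return -1;
        value->bv_val = (char *)(buf + pos);
        value->bv_len = l;
        pos += l;
    }
    return pos == end ? 0 : -1;
}

/* The 2.3.43 condition: reject only a non-empty value. */
int check_2_3(const struct berval *v) { return v->bv_len ? LDAP_PROTOCOL_ERROR : LDAP_SUCCESS; }

/* The 2.4.13 condition: reject any present value, empty or not. */
int check_2_4(const struct berval *v) { return !BER_BVISNULL(v) ? LDAP_PROTOCOL_ERROR : LDAP_SUCCESS; }

/* Build a control with the requested controlValue shape, decode it, and apply one version's
   check (version 23 or 24). Returns the LDAP result code, or -1 if decoding fails. */
int ppolicy_result(int version, int present, size_t vlen)
{
    unsigned char buf[64]; char oid[64]; struct berval v;
    const unsigned char payload[4] = { 0x30, 0x02, 0x80, 0x00 };   /* constructed filler bytes */
    size_t n;
    if (vlen > sizeof payload) return -1;
    n = build_control(PPOLICY_OID, present, payload, vlen, buf);
    if (parse_control(buf, n, oid, sizeof oid, &v) != 0 || strcmp(oid, PPOLICY_OID) != 0) return -1;
    return version == 23 ? check_2_3(&v) : check_2_4(&v);
}

int main(void)
{
    const char *shape[] = { "controlValue absent", "controlValue present, zero length", "controlValue present, 2 bytes" };
    int present[] = { 0, 1, 1 }; size_t vlen[] = { 0, 0, 2 }; int i;
    for (i = 0; i < 3; i++)
        printf("%-36s 2.3.43 -> %d   2.4.13 -> %d\n", shape[i],
               ppolicy_result(23, present[i], vlen[i]), ppolicy_result(24, present[i], vlen[i]));
    return 0;
}
```

Running it shows the middle row as the case from this thread: the zero-length OCTET STRING is accepted by the 2.3.43 test (result 0) and rejected by the 2.4.13 test (result 2, LDAP_PROTOCOL_ERROR), while the absent form passes both. A client that wants to interoperate with both versions should therefore hand the control a NULL value so that no controlValue element is encoded at all, rather than an empty one.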