On 05/01/2014 08:45 PM, Thierry Thelliez wrote:
I tried with and without the '-e ppolicy' option but that did not make a difference in terms of behavior. It did make a difference for the output message.
For:

    ldappasswd -x -w oldpassword -a oldpassword -s test -D "uid=aUser, ou=MyUsers, dc=xyz, dc=com" -e ppolicy

The output is:

    Result: Constraint violation (19)
    Additional info: Password fails quality checking policy
    control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQY=
    ppolicy: error=6 (Password is too short for policy)

For:

    ldappasswd -x -w oldpassword -a oldpassword -s test -D "uid=aUser, ou=MyUsers, dc=xyz, dc=com"

The output is shorter:

    Result: Constraint violation (19)
    Additional info: Password fails quality checking policy
They both checked the password policy ('test' was too short).
I am still confused about what this 'extension' does. Is that just about giving more details in the error output?
This is in OpenLDAP 2.4.39 and documented in the man ldapsearch page. The option is used in the ppolicy test code (test022-ppolicy).
With -e ppolicy, the password policy control is used in the request. As such, the response may contain the control response, as described in slapo-ppolicy(5).
Otherwise (i.e. if the request does not contain the control request), the server will not return the control response.
In your case you're "lucky", i.e. the bind response contains additional information. In other cases, you might just get "invalid credentials" without further explanation.
p.
Thanks, Thierry
On Thu, May 1, 2014 at 3:43 AM, Michael Ströder <michael@stroeder.com> wrote:
Dieter Klünter wrote:
> On Wed, 30 Apr 2014 14:56:41 -0600
> Thierry Thelliez <thierry.thelliez.tech@gmail.com> wrote:
>>
>> Looking at the test source code of 2.4.39 for the ppolicy script, I
>> can see the ldapsearch is using a '-e ppolicy' option. The man page
>> for ldapsearch lists 'general extensions' under -e and -E options.
>> But I cannot figure out what these extensions are.
>>
>> What is '-e ppolicy' ? and when do you need it?
>
> man ldapsearch(5)
>
> -e = general extended operation
> -E = search extended operation
> passwordPolicy is a general extended operation

I have no man page like this for OpenLDAP. Which man page is this?
It sounds strange to say something about extended operations.

-e and -E are for specifying extended *controls* along with the LDAP (search)
request:

Excerpt from ldapsearch(1):

    -e [!]ext[=extparam]

    -E [!]ext[=extparam]

        Specify general extensions with -e and search extensions with -E.
        ´!´ indicates criticality.

Ciao,
Michael.