I tried with and with the '-e ppolicy' option but that did not make a difference in terms of behavior.  It did make a difference for the output message.

For:   ldappasswd -x -w oldpassword -a oldpassword -s test -D "uid=aUser, ou=MyUsers, dc=xyz, dc=com" -e ppolicy
The output is: 

Result: Constraint violation (19)
Additional info: Password fails quality checking policy
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQY=
ppolicy: error=6 (Password is too short for policy) 

For:   ldappasswd -x -w oldpassword -a oldpassword -s test -D "uid=aUser, ou=MyUsers, dc=xyz, dc=com"
The ouput is shorter:

Result: Constraint violation (19)
Additional info: Password fails quality checking policy 

They both checked the password policy ('test' was too short).

I am still confused about what this 'extension' does. Is that just about giving more details in the error output?

This is in openLDAP 2.4.39 and documented in the man ldapsearch page.  The option is used in the ppolicy test code (test022-ppolicy).

Thanks,
Thierry




On Thu, May 1, 2014 at 3:43 AM, Michael Ströder <michael@stroeder.com> wrote:
Dieter Klünter wrote:
> Am Wed, 30 Apr 2014 14:56:41 -0600
> schrieb Thierry Thelliez <thierry.thelliez.tech@gmail.com>:
>>
>> Looking at the test source code of 2.4.39 for the ppolicy script, I
>> can see the ldapsearch is using a '-e ppolicy' option.   The man page
>> for ldapsearch lists 'general extensions' under -e and -E options.
>> But I cannot figure out what these extensions are.
>>
>> What is '-e ppolicy' ? and when do you need it?
>
> man ldapsearch(5)
>
> -e = general extended operation
> -E = search extended operation
> passwordPolicy is a general extended operation

I have no man page like this for OpenLDAP. Which man page is this? It sounds
strange to say something about extended operations.

-e and -E are for specifying extended *controls* along with the LDAP (search)
request:

Excerpt from ldapsearch(1):

       -e [!]ext[=extparam]

       -E [!]ext[=extparam]

              Specify general extensions with -e and search extensions with
              -E.  ´!´ indicates criticality.

Ciao, Michael.