
I have a question concerning OpenLDAP. I'm using a solution (PingFederate) that gets errors from OpenLDAP and does different things depending on the filter. For example, I can say: detect the invalid DN error and, when you get it, do something.

I've set olcPPolicyUseLockout to true in ppolicy to get more information when there are invalid credentials, so that PingFederate would catch it. But it doesn't work.

When I use ldapwhoami with -e ppolicy I get the following:

    ldap_bind: Invalid credentials (49); Password expired
    ldap_bind: Invalid credentials (49); Account locked

So my question is the following: What does the semicolon mean in OpenLDAP? Is the message after the semicolon taken into account? Does OpenLDAP communicate the whole error to the other solutions that it is integrated with?

1 Answer

First note that the OpenLDAP command-line tools output some textual representation of result code and diagnostic message which is not the exact on-the-wire protocol encoding.

The LDAP PDUs are ASN.1 encoded messages. To understand the response structure you can look into RFC 4511 section 4.1.9. To observe LDAP PDUs actually sent by LDAP components the LDAP dissector in Wireshark is very useful.

Mainly, OpenLDAP's overlay slapo-ppolicy implements draft-behera-ldap-password-policy-09. This Internet draft specifies so-called extended controls, both for requests and responses, which extend the protocol semantics of the bind operation.

This means that each ppolicy-aware LDAP client has to 1. send the password policy request control and 2. decode and interpret the response control.

See also python-ldap demo code as an example.
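To show concretely what "decode and interpret the response control" involves, and where the text after the semicolon in the question's ldapwhoami output actually comes from, here is an added example. It is not code from the question, the answer, python-ldap or OpenLDAP. It decodes the BER-encoded value of the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, defined in draft-behera-ldap-password-policy) using only the Python standard library, then renders a bind outcome the way the OpenLDAP tools present it: the result code and its text, followed by "; <ppolicy error>" only when the response control is present. The sample byte strings are constructed by hand from the ASN.1 definition; `describe_bind_result` and its `(oid, value)` input shape are this example's own assumptions, not an OpenLDAP or python-ldap API.

```python
# Added example (not from the question, the answer, python-ldap or OpenLDAP).
# Decodes the password policy response control value from
# draft-behera-ldap-password-policy with the standard library only.
#
# PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE {
#         timeBeforeExpiration [0] INTEGER (0 .. maxInt),
#         graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
#     error   [1] ENUMERATED { passwordExpired (0), accountLocked (1),
#         changeAfterReset (2), passwordModNotAllowed (3),
#         mustSupplyOldPassword (4), insufficientPasswordQuality (5),
#         passwordTooShort (6), passwordTooYoung (7),
#         passwordInHistory (8) } OPTIONAL }

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # same OID for request and response

# "Password expired" / "Account locked" match what ldapwhoami -e ppolicy prints
# after the semicolon; the remaining strings are this example's own wording.
PPOLICY_ERROR_TEXT = {
    0: "Password expired", 1: "Account locked", 2: "Change after reset",
    3: "Password modification not allowed", 4: "Must supply old password",
    5: "Insufficient password quality", 6: "Password too short",
    7: "Password too young", 8: "Password in history",
}

# BER identifier octets as they appear on the wire for this structure.
TAG_SEQUENCE = 0x30            # universal, constructed: SEQUENCE
TAG_WARNING = 0xA0             # [0] context, constructed: explicit tag around the CHOICE
TAG_TIME_BEFORE_EXPIRY = 0x80  # [0] context, primitive: INTEGER inside the CHOICE
TAG_GRACE_REMAINING = 0x81     # [1] context, primitive: INTEGER inside the CHOICE
TAG_ERROR = 0x81               # [1] context, primitive: ENUMERATED at SEQUENCE level


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element contents")
    return tag, buf[pos:end], end


def _ber_integer(raw):
    if not raw:
        raise ValueError("empty INTEGER")
    return int.from_bytes(raw, "big", signed=True)


def decode_ppolicy_response(value):
    """Return {'warning': (name, n) or None, 'error': (code, text) or None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, wend = _read_tlv(contents, 0)
            if wend != len(contents):
                raise ValueError("warning CHOICE carries trailing bytes")
            if wtag == TAG_TIME_BEFORE_EXPIRY:
                result["warning"] = ("timeBeforeExpiration", _ber_integer(wval))
            elif wtag == TAG_GRACE_REMAINING:
                result["warning"] = ("graceAuthNsRemaining", _ber_integer(wval))
            else:
                raise ValueError(f"unexpected warning alternative tag 0x{wtag:02x}")
        elif tag == TAG_ERROR:
            code = _ber_integer(contents)
            result["error"] = (code, PPOLICY_ERROR_TEXT.get(code, f"unknown error {code}"))
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def describe_bind_result(result_code, result_text, controls):
    """Hypothetical helper: render '<text> (<code>)' plus '; <ppolicy error>' when the
    BindResponse carried the response control. `controls` is a list of (oid, bytes)."""
    line = f"{result_text} ({result_code})"
    for oid, value in controls:
        if oid == PPOLICY_CONTROL_OID:
            decoded = decode_ppolicy_response(value)
            if decoded["error"] is not None:
                line += "; " + decoded["error"][1]
            if decoded["warning"] is not None:
                line += " [%s=%d]" % decoded["warning"]
    return line


# Constructed sample control values, hex written by hand from the ASN.1 above.
SAMPLE_ACCOUNT_LOCKED = bytes.fromhex("30 03 81 01 01")
SAMPLE_EXPIRED_WITH_GRACE = bytes.fromhex("30 08 a0 03 81 01 02 81 01 00")
SAMPLE_EXPIRY_WARNING = bytes.fromhex("30 06 a0 04 80 02 0e 10")

if __name__ == "__main__":
    for sample in (SAMPLE_ACCOUNT_LOCKED, SAMPLE_EXPIRED_WITH_GRACE):
        print(describe_bind_result(49, "Invalid credentials", [(PPOLICY_CONTROL_OID, sample)]))
    print(describe_bind_result(0, "Success", [(PPOLICY_CONTROL_OID, SAMPLE_EXPIRY_WARNING)]))
```

The point for an integrating product: result code 49 and the string "Invalid credentials" are all that arrive in the plain BindResponse. "Account locked" or "Password expired" only exists inside the response control, and the server only attaches that control when the client sent the request control in the first place. A consumer that matches on the diagnostic text alone will never see the distinction; it has to send the control and decode the value as above (python-ldap does this for you; the decoder here shows what happens underneath).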
