[python-ldap] How to use the PasswordPolicy Control

lanjelot lanjelot at gmail.com
Fri Nov 4 16:13:14 CET 2011

How to use the PasswordPolicy Control

Hi list,

When I provide a PasswordPolicyControl during a bind(), I fail to
understand how to read the PasswordPolicy response.

Below is the code:
import sys
import ldap
from ldap.controls.ppolicy import PasswordPolicyControl
binddn = 'cn=mec,dc=blah,dc=com'
bindpw = 'password1'

pwctrl = PasswordPolicyControl()
l = ldap.initialize('ldap://localhost')
l.set_option(ldap.OPT_SERVER_CONTROLS, [pwctrl])
  msgid = l.simple_bind_s(binddn, bindpw, serverctrls=[pwctrl])
except ldap.LDAPError as e:
  print 'exc:', sys.exc_info()
r = l.get_option(ldap.OPT_SERVER_CONTROLS)

Below is its execution output:
$ python edit.py
'Invalid credentials'},), <traceback object at 0x81f598c>)
Traceback (most recent call last):
  File "edit.py", line 14, in <module>
    r = l.get_option(ldap.OPT_SERVER_CONTROLS)
  File "/usr/lib/python2.6/site-packages/ldap/ldapobject.py", line
600, in get_option
    result = DecodeControlTuples(result)
  File "/usr/lib/python2.6/site-packages/ldap/controls/__init__.py",
line 141, in DecodeControlTuples
  File "/usr/lib/python2.6/site-packages/ldap/controls/ppolicy.py",
line 65, in decodeControlValue
    ppolicyValue,_ =
  File "/usr/lib/python2.6/site-packages/pyasn1/codec/ber/decoder.py",
line 560, in __call__
    'Short octet stream on tag decoding'
pyasn1.error.SubstrateUnderrunError: Short octet stream on tag decoding

I get the same error with python-ldap-2.4.3 or python-ldap-2.4.4.

And I am sure that my openldap-2.4.24 server is properly setup because
I do get the "Account locked" message as expected when using
$ ldapsearch -h -D 'cn=joe,dc=blah,dc=com' -w bad_password -e ppolicy
ldap_bind: Invalid credentials (49); Account locked

What am i missing?

More information about the python-ldap mailing list