[python-ldap] python-ldap and password policies

Michael Ströder michael at stroeder.com
Wed May 30 18:07:58 CEST 2012

Бажал Дмитрий wrote:
> My question is about working with password policies described
> at http://www.openldap.org/doc/admin24/overlays.html (12.10. Password Policies).

There's a deficiency in the current API which does not return response
controls in case the LDAP error code was not 0.

See text in file TODO:

- Attach response controls to LDAPError instances to deliver the
  controls to the calling application in case of an error

> For example, using command-line utilities shown below we get an "Additional info".
> # ldappasswd -a password1 -s password1 -D uid=user,ou=users,dc=corp -H
> ldap://devel.ldap -w password1 -v -x -ZZ
> ldap_initialize( ldap://devel.ldap:389/??base )
> Result: Constraint violation (19)
> Additional info: Password is not being changed from existing value

But in this case above LDAPv3 extended controls are not part of the game since
you're not using command-line option -e.

What's printed after "Additional info:" by OpenLDAP's client tool is simply
the diagnosticMessage (formerly info) extracted from the LDAP response. This
is also returned in LDAPError object instances as seen in your example.

> CONSTRAINT_VIOLATION: {'info': 'modify breaks constraint on userPassword',
> 'desc': 'Constraint violation'}

Since 'info' differs these are not the very same error cases I guess.

You would extract those fields by accessing:


Don't know why these strings are not accessible via simple class attributes
though. This is very old code in Modules/errors.c and surely could be improved.

Ciao, Michael.
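
An added example, not part of the message above or of python-ldap itself: reading 'desc' and 'info' from the dictionary an LDAPError carries in `args[0]`, and telling apart the two constraint violations quoted in this thread. The function names are hypothetical, and the stand-in exception classes are an assumption used only when python-ldap is not installed.

```python
try:
    from ldap import LDAPError, CONSTRAINT_VIOLATION
except ImportError:
    # Stand-ins (assumption) so the example runs without python-ldap.
    class LDAPError(Exception):
        pass

    class CONSTRAINT_VIOLATION(LDAPError):
        pass


def _text(value):
    """Return value as str; bytes are decoded, None becomes ''."""
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    return "" if value is None else str(value)


def error_fields(exc):
    """Return (desc, info) from an LDAPError; missing parts become ''."""
    detail = exc.args[0] if exc.args else {}
    if not isinstance(detail, dict):
        return _text(detail), ""  # error carrying only a plain message
    return _text(detail.get("desc")), _text(detail.get("info"))


def explain_password_change(exc):
    # Branch on the exception class (the result code) first. 'info' is the
    # server's free-text diagnosticMessage and is used only as a hint.
    desc, info = error_fields(exc)
    if isinstance(exc, CONSTRAINT_VIOLATION):
        if "not being changed from existing value" in info:
            return "rejected: new password equals current password"
        return "rejected by server constraint: " + (info or desc)
    return "failed: " + (info or desc or exc.__class__.__name__)


# Constructed samples; the first two reuse the messages quoted in this thread.
SAMPLES = [
    CONSTRAINT_VIOLATION({"desc": "Constraint violation", "info":
                          "Password is not being changed from existing value"}),
    CONSTRAINT_VIOLATION({"desc": "Constraint violation",
                          "info": "modify breaks constraint on userPassword"}),
    LDAPError({"desc": "Can't contact LDAP server"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(error_fields(sample), "->", explain_password_change(sample))
```

The wording of 'info' is chosen by the server, so a substring match like the one above should be treated as a convenience for user messages, not as a policy decision point.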
