[python-ldap] Error with expiring accounts

Polkosnik, Adam adam.polkosnik at ny.frb.org
Wed Mar 12 20:53:20 CET 2014


I really don’t see where you have those values (they are listed in Lib/ldap/controls/pwdpolicy.py): 

2.16.840.1.113730.3.4.4 - Netscape Password Expired LDAPv3 control
2.16.840.1.113730.3.4.5 - Netscape Password Expiring LDAPv3 control

(OID descriptions from: http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.html)

I can see that you have this:
'2.16.840.1.113730.3.4.2': <class ldap.controls.simple.ManageDSAITControl at 0x7fb74dca6d50>
And that comes from Lib/ldap/controls/simple.py:78

So, now I understand that out of the box the __init__.py imports only:
# Import the standard sub-modules
from ldap.controls.simple import *
from ldap.controls.libldap import *

and I have to import ldap.controls.pwdpolicy manually, but there's a problem:

It seems that there was a line missing in Setup.py (I guess since that module is borked):

In py_modules[] (towards the bottom)

'ldap.controls.pwdpolicy'

But after that fix, it seems that it really was broken...

>>> import ldap.controls.pwdpolicy
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ldap/controls/pwdpolicy.py", line 20, in <module>
    class PasswordExpiringControl(OctetStringInteger):
NameError: name 'OctetStringInteger' is not defined

Adding the missing imports to pwdpolicy.py makes it almost work:

import struct
from ldap.controls.simple import OctetStringInteger

>>> l.simple_bind_s( un, password)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ldap/ldapobject.py", line 208, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib/python2.7/site-packages/ldap/ldapobject.py", line 487, in result4
    decoded_resp_ctrls = DecodeControlTuples(resp_ctrls,resp_ctrl_classes)
  File "/usr/lib/python2.7/site-packages/ldap/controls/__init__.py", line 147, in DecodeControlTuples
    control.decodeControlValue(encodedControlValue)
  File "/usr/lib/python2.7/site-packages/ldap/controls/pwdpolicy.py", line 30, in decodeControlValue
    self.gracePeriod = struct.unpack('!Q',encodedControlValue)[0]
struct.error: unpack requires a string argument of length 8

So, at this point it's complaining that the encodedControlValue is shorter than 8 bytes?!

Do we just get rid of the unpack and assign the value? At least that seemed to work ok.


-----Original Message-----
From: Michael Ströder [mailto:michael at stroeder.com]
Sent: Wednesday, March 12, 2014 1:41 PM
To: python-ldap at python.org; Polkosnik, Adam
Subject: Re: [python-ldap] Error with expiring accounts

On Wed, 12 Mar 2014 17:34:40 +0000 "Polkosnik, Adam"
<adam.polkosnik at ny.frb.org> wrote
> To me, it looks like the classes/OIDs from pwdpolicy.py are not 
> making it into KNOWN_RESPONSE_CONTROLS.

Works for me (first case without class PasswordPolicyControl as expected):

Python 2.7.3 (default, Apr 14 2012, 08:58:41) [GCC] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap.controls
>>> ldap.controls.KNOWN_RESPONSE_CONTROLS
{'1.3.6.1.4.1.4203.666.5.12': <class ldap.controls.simple.RelaxRulesControl at 0x7fb74dca6db8>,
 '1.3.6.1.1.12': <class ldap.controls.libldap.AssertionControl at 0x7fb74dcaf0b8>,
 '2.16.840.1.113730.3.4.2': <class ldap.controls.simple.ManageDSAITControl at 0x7fb74dca6d50>,
 '1.2.840.113556.1.4.319': <class ldap.controls.libldap.SimplePagedResultsControl at 0x7fb74dcaf188>,
 '1.2.826.0.1.3344810.2.3': <class ldap.controls.libldap.MatchedValuesControl at 0x7fb74dcaf120>,
 '2.16.840.1.113730.3.4.15': <class ldap.controls.simple.AuthorizationIdentityResponseControl at 0x7fb74dca6ef0>}

>>> import ldap.controls.ppolicy
>>> ldap.controls.KNOWN_RESPONSE_CONTROLS
{'1.3.6.1.4.1.4203.666.5.12': <class ldap.controls.simple.RelaxRulesControl at 0x7fb74dca6db8>,
 '1.3.6.1.1.12': <class ldap.controls.libldap.AssertionControl at 0x7fb74dcaf0b8>,
 '2.16.840.1.113730.3.4.2': <class ldap.controls.simple.ManageDSAITControl at 0x7fb74dca6d50>,
 '1.3.6.1.4.1.42.2.27.8.5.1': <class ldap.controls.ppolicy.PasswordPolicyControl at 0x7fb74d6096d0>,
 '1.2.840.113556.1.4.319': <class ldap.controls.libldap.SimplePagedResultsControl at 0x7fb74dcaf188>,
 '1.2.826.0.1.3344810.2.3': <class ldap.controls.libldap.MatchedValuesControl at 0x7fb74dcaf120>,
 '2.16.840.1.113730.3.4.15': <class ldap.controls.simple.AuthorizationIdentityResponseControl at 0x7fb74dca6ef0>}

Anyway you could even register the class in ldap.controls.KNOWN_RESPONSE_CONTROLS yourself.

Ciao, Michael.
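
Added example, not part of either message and not python-ldap's own code: why struct.unpack('!Q', ...) rejects a short control value on the bind path, and a decoder that validates the value instead of assigning it blindly. It assumes the Password Expiring control value is an ASCII decimal count of seconds; DECODERS is a hypothetical stand-in for KNOWN_RESPONSE_CONTROLS, the sample tuples are constructed, and it is written for Python 3 bytes.

```python
import struct

# OIDs quoted in the message above.
OID_PWD_EXPIRED = '2.16.840.1.113730.3.4.4'
OID_PWD_EXPIRING = '2.16.840.1.113730.3.4.5'

# Constructed sample response controls: (controlType, criticality, value).
SAMPLE = [
    (OID_PWD_EXPIRING, False, b'86400'),
    ('1.2.3.4', False, b'\x00'),  # placeholder OID with no decoder
]


def unpack_as_uint64(value):
    """The decode attempted in the traceback: needs exactly 8 bytes."""
    try:
        return struct.unpack('!Q', value)[0]
    except struct.error:
        return None


def decode_seconds(value):
    """Assumption: the value is an ASCII decimal count of seconds."""
    if not value.isdigit() or len(value) > 10:  # 10 digits: sanity bound
        raise ValueError('unexpected control value: %r' % (value,))
    return int(value)


# Hypothetical registry standing in for KNOWN_RESPONSE_CONTROLS.
DECODERS = {
    OID_PWD_EXPIRING: lambda v: ('expiring', decode_seconds(v)),
    OID_PWD_EXPIRED: lambda v: ('expired', None),
}


def decode_response_controls(ctrl_tuples):
    """Decode what is understood; report the rest instead of failing the bind."""
    decoded, skipped = [], []
    for oid, _criticality, value in ctrl_tuples:
        decoder = DECODERS.get(oid)
        try:
            if decoder is None:
                raise ValueError('no decoder registered')
            decoded.append((oid,) + decoder(value))
        except ValueError as exc:
            skipped.append((oid, str(exc)))
    return decoded, skipped
```

An 8-character ASCII value such as b'12345678' would pass the '!Q' unpack without error and yield a meaningless number, which is why the format is checked rather than relying on the length error.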




