[python-ldap] Error with expiring accounts

Polkosnik, Adam adam.polkosnik at ny.frb.org
Wed Mar 12 21:46:52 CET 2014


In class PasswordExpiringControl: 

  def decodeControlValue(self,encodedControlValue):
    self.gracePeriod = encodedControlValue
    print repr(encodedControlValue)
    print repr(encodedControlValue[0])
    #self.gracePeriod = struct.unpack('!Q',encodedControlValue)[0]



>>> l.simple_bind_s( un, password)
'349853'
'3'
(97, [], 1, [<ldap.controls.pwdpolicy.PasswordExpiringControl instance at 0x7f1ae5b1f098>])


It looks like 349853 is a tad above 4 days, so it should be the actual number of seconds until password expiration.



Thanks,
Adam

-----Original Message-----
From: Michael Ströder [mailto:michael at stroeder.com]
Sent: Wednesday, March 12, 2014 4:21 PM
To: Polkosnik, Adam; python-ldap at python.org
Subject: Re: [python-ldap] Error with expiring accounts

Polkosnik, Adam wrote:
> 
> I really don’t see where you have those values (they are listed in Lib/ldap/controls/pwdpolicy.py): 
> 
> 2.16.840.1.113730.3.4.4 - Netscape Password Expired LDAPv3 control
> 2.16.840.1.113730.3.4.5 - Netscape Password Expiring LDAPv3 control

Ouch! I've overlooked that you're talking about pwdpolicy and not ppolicy.
Sorry.

http://tools.ietf.org/html/draft-vchu-ldap-pwd-policy

May I ask which LDAP server that is?
Actually the (ancient) I-D above specifies that the server returns this response control with criticality: false.

> Adding the missing imports to pwdpolicy.py makes it almost work:
> 
>     self.gracePeriod = struct.unpack('!Q',encodedControlValue)[0]
> struct.error: unpack requires a string argument of length 8
> 
> So, at this point it's complaining that the encodedControlValue is shorter than 8 bytes?!
> 
> Do we just get rid of the unpack and assign the value? At least that seemed to work ok.

Hmm, it seems I don't have such a LDAP server to test.

Could you please send repr(encodedControlValue) and determine how many seconds the grace period really is?

Ciao, Michael.
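
Added example (not part of the original messages, and not python-ldap's own code): a decoder for the control value as it was reported in this thread, assuming the server sends the seconds until expiration as an ASCII decimal string rather than a packed 8-byte integer. The function names are illustrative.

```python
import struct
from datetime import timedelta

# OID quoted in the thread for the Netscape Password Expiring control.
PASSWORD_EXPIRING_OID = "2.16.840.1.113730.3.4.5"


def unpack_fixed_width(value):
    """The original approach: treat the value as an 8-byte big-endian integer.

    Returns None when the value is not exactly 8 bytes long, which is the
    struct.error reported in the thread.
    """
    try:
        return struct.unpack("!Q", value)[0]
    except struct.error:
        return None


def decode_seconds_until_expiry(value):
    """Parse the control value as ASCII decimal seconds (assumed encoding).

    The value comes from the server, so reject anything that is not a plain
    run of digits instead of passing it on unchecked.
    """
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("control value is not ASCII: %r" % (value,))
    if not value.isdigit():
        raise ValueError("control value is not a decimal number: %r" % (value,))
    return int(value)


def time_until_expiry(value):
    """Return the remaining password lifetime as a timedelta."""
    return timedelta(seconds=decode_seconds_until_expiry(value))


if __name__ == "__main__":
    observed = b"349853"  # repr(encodedControlValue) reported in the thread
    print(unpack_fixed_width(observed))   # None: 6 bytes, not 8
    print(time_until_expiry(observed))    # 4 days, 1:10:53
```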



