[python-ldap] Error with expiring accounts

Michael Ströder michael at stroeder.com
Wed Mar 12 22:01:02 CET 2014

Polkosnik, Adam wrote:
> In class PasswordExpiringControl: 
>   def decodeControlValue(self,encodedControlValue):
>     self.gracePeriod = encodedControlValue
>     print repr(encodedControlValue)
>     print repr(encodedControlValue[0])
>     #self.gracePeriod = struct.unpack('!Q',encodedControlValue)[0]
>>>> l.simple_bind_s( un, password)
> '349853'
> '3'
> (97, [], 1, [<ldap.controls.pwdpolicy.PasswordExpiringControl instance at 0x7f1ae5b1f098>])
> It looks like 349853 is a tad above 4 days, so it should be the actual number of seconds until password expiration.

Hmm, a string of digits indicating the seconds...that's not how I read

IMO there are two server-side bugs here (not unusual for the vendor you
mentioned off-list):

1. In violation to the I-D it sends the response control with criticality=true
so clients cannot safely ignore it.

2. The response control value has wrong encoding.

For a quick solution I'd suggest that you sub-class
ldap.controls.pwdpolicy.PasswordExpiringControl overriding method
decodeControlValue() to implement whatever is needed for that particular
server implementation.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2398 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20140312/87e391be/attachment.bin>

More information about the python-ldap mailing list