[python-ldap] Error with expiring accounts
Michael Ströder
michael at stroeder.com
Wed Mar 12 22:01:02 CET 2014
Polkosnik, Adam wrote:
> In class PasswordExpiringControl:
>
>     def decodeControlValue(self,encodedControlValue):
>         self.gracePeriod = encodedControlValue
>         print repr(encodedControlValue)
>         print repr(encodedControlValue[0])
>         #self.gracePeriod = struct.unpack('!Q',encodedControlValue)[0]
>
> >>> l.simple_bind_s( un, password)
> '349853'
> '3'
> (97, [], 1, [<ldap.controls.pwdpolicy.PasswordExpiringControl instance at 0x7f1ae5b1f098>])
>
>
> It looks like 349853 is a tad above 4 days, so it should be the actual number of seconds until password expiration.

Hmm, a string of digits indicating the seconds...that's not how I read
draft-vchu-ldap-pwd-policy.

IMO there are two server-side bugs here (not unusual for the vendor you
mentioned off-list):

1. In violation of the I-D it sends the response control with
   criticality=true so clients cannot safely ignore it.
2. The response control value has wrong encoding.

For a quick solution I'd suggest that you sub-class
ldap.controls.pwdpolicy.PasswordExpiringControl overriding method
decodeControlValue() to implement whatever is needed for that particular
server implementation.

Ciao, Michael.
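
One way to write the subclass suggested in the reply above, as an added example that is not part of the original message or of python-ldap. The names `LenientPasswordExpiringControl` and `decode_seconds` are hypothetical; the decoder assumes the server sends ASCII digits as in the quoted output, and falls back to the 8-byte `'!Q'` form from the commented-out line.

```python
import struct

try:
    # Real base class and control registry when python-ldap is installed.
    from ldap.controls import KNOWN_RESPONSE_CONTROLS
    from ldap.controls.pwdpolicy import PasswordExpiringControl
except ImportError:
    # Stand-in so the decoding logic below can be run without python-ldap.
    KNOWN_RESPONSE_CONTROLS = {}

    class PasswordExpiringControl(object):
        controlType = '2.16.840.1.113730.3.4.5'


def decode_seconds(value):
    """Return seconds until expiry from a server-supplied control value.

    The value comes from the network, so anything that is not one of the
    two expected shapes is rejected rather than guessed at.
    """
    if not isinstance(value, bytes):
        value = value.encode('ascii')       # text input; non-ASCII raises ValueError
    if not value or len(value) > 20:        # 2**64 - 1 has 20 decimal digits
        raise ValueError('unexpected control value length: %d' % len(value))
    if value.isdigit():
        # ASCII digits, e.g. '349853' in the quoted session. An 8-byte
        # all-digit value is ambiguous; digits win because that is what
        # this server is observed to send (assumption).
        return int(value)
    if len(value) == 8:
        # 64-bit big-endian integer, as in the commented-out struct.unpack line.
        return struct.unpack('!Q', value)[0]
    raise ValueError('unrecognised control value: %r' % (value,))


class LenientPasswordExpiringControl(PasswordExpiringControl):
    """PasswordExpiringControl that tolerates the digit-string encoding."""

    def decodeControlValue(self, encodedControlValue):
        self.gracePeriod = decode_seconds(encodedControlValue)


# Replace the stock decoder for this OID so response controls returned by
# simple_bind_s() and other operations are decoded by the subclass.
KNOWN_RESPONSE_CONTROLS[LenientPasswordExpiringControl.controlType] = \
    LenientPasswordExpiringControl
```

A malformed value raises `ValueError` during response decoding, so callers that must keep working against such a server should catch it around the bind.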