[python-ldap] Error with expiring accounts

Polkosnik, Adam adam.polkosnik at ny.frb.org
Wed Mar 12 18:34:40 CET 2014

I did have pyasn1 and pyasn1_modules imported, as well as ldap.controls.ppolicy, but still this is what it throws for accounts with a password expiration warning.
To me, it looks like the OIDs from pwdpolicy.py are not making it into KNOWN_RESPONSE_CONTROLS.

>>> l.simple_bind_s( username, password)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ldap/ldapobject.py", line 208, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
  File "/usr/lib/python2.7/site-packages/ldap/ldapobject.py", line 487, in result4
    decoded_resp_ctrls = DecodeControlTuples(resp_ctrls,resp_ctrl_classes)
  File "/usr/lib/python2.7/site-packages/ldap/controls/__init__.py", line 143, in DecodeControlTuples
    raise ldap.UNAVAILABLE_CRITICAL_EXTENSION('Received unexpected critical response control with controlType %s' % (repr(controlType)))
ldap.UNAVAILABLE_CRITICAL_EXTENSION: Received unexpected critical response control with controlType '2.16.840.1.113730.3.4.5'

To me, it looks like the classes/OIDs from pwdpolicy.py are not making it into KNOWN_RESPONSE_CONTROLS.

>>> from  ldap.controls import KNOWN_RESPONSE_CONTROLS
{'': <class ldap.controls.simple.RelaxRulesControl at 0x7f79539f9668>, '': <class ldap.controls.libldap.AssertionControl at 0x7f79539f9870>, '2.16.840.1.113730.3.4.2': <class ldap.controls.simple.ManageDSAITControl at 0x7f79539f9600>, '': <class ldap.controls.ppolicy.PasswordPolicyControl at 0x7f794733aa10>, '1.2.840.113556.1.4.319': <class ldap.controls.libldap.SimplePagedResultsControl at 0x7f79539f9940>, '1.2.826.0.1.3344810.2.3': <class ldap.controls.libldap.MatchedValuesControl at 0x7f79539f98d8>, '2.16.840.1.113730.3.4.15': <class ldap.controls.simple.AuthorizationIdentityResponseControl at 0x7f79539f97a0>}

-----Original Message-----
From: Michael Ströder [mailto:michael at stroeder.com]
Sent: Tuesday, March 04, 2014 4:23 PM
To: Polkosnik, Adam; python-ldap at python.org
Subject: Re: [python-ldap] Error with expiring accounts

Polkosnik, Adam wrote:
> I've not seen any mucking of any of those things, it goes something like this:
>                 import ldap, ldapurl
>                 try:
>                      ...
>                     l = ldap.initialize('ldap://myldapserver:1390')
>                     l.protocol_version = 3
>                     l.set_option(ldap.OPT_REFERRALS,0)
>                     l.set_option(ldap.OPT_TIMEOUT, app_timeout)
>                     ...
>                     logger.info("Logging in username: %s" % usern)
>                     l.simple_bind_s(usern, userp)
>                     ...
>                     return usern
>                 except ldap.INVALID_CREDENTIALS:
>                     logger.info("Invalid credentials: %s" % usern)
>                 except Exception, err:
>                     logger.info("LDAP Auth error: %s" % err)

You have to import ldap.controls.ppolicy and you need pyasn1 and pyasn1_modules to be installed for that to work.

Ciao, Michael.

P.S.: Please subscribe to the really low-traffic mailing list so I don't have to manually approve all your postings.
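
Added example, not part of the original thread and not python-ldap code: a stand-alone model of the registry lookup seen in the traceback, showing why a registry that only knows the draft-behera ppolicy OID rejects the critical control 2.16.840.1.113730.3.4.5 and how an entry for that OID turns the same bind into a success with a warning. All class and function names are hypothetical, the sample control tuple is constructed, and the control value is assumed to be ASCII decimal seconds.

```python
# Stand-alone model of the OID -> class lookup seen in the traceback.
# Nothing here imports python-ldap; all class and function names are hypothetical.

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"        # draft-behera password policy control
NS_PWD_EXPIRING_OID = "2.16.840.1.113730.3.4.5"  # OID from the traceback (Netscape "password expiring")


class UnavailableCriticalExtension(Exception):
    """Stand-in for ldap.UNAVAILABLE_CRITICAL_EXTENSION."""


class PPolicyInfo:
    """Placeholder for a decoded ppolicy response (BER decoding omitted)."""
    def __init__(self, value):
        self.raw = value


class PasswordExpiringInfo:
    """Assumption: the control value is ASCII decimal seconds until expiry."""
    def __init__(self, value):
        self.seconds_left = int(value.decode("ascii"))


def decode_controls(ctrl_tuples, known):
    """Decode (oid, criticality, value) tuples against an OID -> class registry."""
    decoded = []
    for oid, critical, value in ctrl_tuples:
        cls = known.get(oid)
        if cls is None:
            if critical:
                raise UnavailableCriticalExtension("unexpected critical control %r" % oid)
            continue  # unknown non-critical controls are ignored
        decoded.append(cls(value))
    return decoded


def bind_outcome(ctrl_tuples, known):
    """Classify the response controls of a bind the server accepted."""
    try:
        ctrls = decode_controls(ctrl_tuples, known)
    except UnavailableCriticalExtension:
        return ("error", None)  # valid credentials, yet the caller sees a failure
    for ctrl in ctrls:
        if isinstance(ctrl, PasswordExpiringInfo):
            return ("ok-warn", ctrl.seconds_left)
    return ("ok", None)


# Constructed sample: the server flags the expiring-password control as critical.
SAMPLE = [(NS_PWD_EXPIRING_OID, True, b"432000")]
REGISTRY_PPOLICY_ONLY = {PPOLICY_OID: PPolicyInfo}
REGISTRY_WITH_NETSCAPE = {PPOLICY_OID: PPolicyInfo, NS_PWD_EXPIRING_OID: PasswordExpiringInfo}
```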

