[ 
https://issues.apache.org/jira/browse/DIRSERVER-2347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17345566#comment-17345566
 ] 

Emmanuel Lécharny commented on DIRSERVER-2347:
----------------------------------------------

The thing is that an extendedResponse will contain an opaque value:

{noformat}
        ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
                COMPONENTS OF LDAPResult,
                responseName     [10] LDAPOID OPTIONAL,
                response         [11] OCTET STRING OPTIONAL }  <--- here
{noformat}

This part is always encoded as 0x8B (the [11] tag, don't ask, it's too long to 
explain) followed by the length of the optional response. So it will be 
something like 0x8B LL ab cd ef...

The 'ab cd ef ...' part is opaque if you don't have a clue on which operation 
you deal with. The operation is given by the responseName, as an OID 
(1.3.6.1.4.1.4203.1.11.1 for the Password Modify Request and Response, as 
stated on https://datatracker.ietf.org/doc/html/rfc3062#section-2).

Now, if you try to expose the content not knowing about the way to decode it, 
you get what Wireshark gives: response 3000 (indeed, 0x30 0x00 does not look 
like 3000, but who knows what Wireshark does?)

I will check with the OpenLDAP guys to see if they expect another encoding, but 
I don't think so.

Would you be kind enough to give me the exact version of the OpenLDAP client 
you are using? Same for ApacheDS.

Thanks!

> Incorrect Password Modify response (extended response)
> ------------------------------------------------------
>
>                 Key: DIRSERVER-2347
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2347
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: asn1, changepw
>    Affects Versions: 2.0.0.AM26
>            Reporter: Oleksandr Andreiev
>            Priority: Major
>         Attachments: 2021-05-14_09-00.png
>
>
> Hello,
> I'm using ApacheDS as LDAP Server along with Linux PAM.
> When I try to change user's password via `passwd` ApacheDS actually changes 
> it, but sends some extra bytes with ExtendedResp packet. Because these bytes 
> are extra, the `pam_ldap` library cannot parse it and generates a decoding error.
> The same issue is described here:
>  [https://lists.arthurdejong.org/nss-pam-ldapd-users/2019/msg00030.html]
> Is there a way to handle it or probably some workaround?
> Regards,
> Oleksandr
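
The encoding discussed in the comment above, as an added example that is not part of the original message or of ApacheDS: a minimal BER reader that pulls the `[10]` (0x8A) and `[11]` (0x8B) fields out of an ExtendedResponse and, once the operation is known to be Password Modify, decodes the opaque bytes as the RFC 3062 `PasswdModifyResponseValue`. The function names and the sample bytes are constructed for illustration.

```python
# Added illustration; function names are hypothetical, sample bytes are constructed.

def read_tlv(buf, pos):
    """Read one BER TLV (single-byte tag, definite length); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if n == 0 or pos > len(buf):
            raise ValueError("indefinite or truncated length")
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_extended_response(message):
    """Return resultCode, responseName ([10] = 0x8A) and the raw response ([11] = 0x8B)."""
    tag, body, end = read_tlv(message, 0)
    if tag != 0x30 or end != len(message):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    top = children(body)  # messageID, protocolOp, optional controls
    if len(top) < 2 or top[1][0] != 0x78:  # 0x78 = [APPLICATION 24], constructed
        raise ValueError("not an ExtendedResponse")
    fields = children(top[1][1])
    if len(fields) < 3:
        raise ValueError("incomplete LDAPResult")
    by_tag = dict(fields[3:])  # whatever follows resultCode, matchedDN, diagnosticMessage
    name = by_tag.get(0x8A)
    return {"resultCode": int.from_bytes(fields[0][1], "big"),
            "responseName": name.decode("ascii") if name is not None else None,
            "response": by_tag.get(0x8B)}

def decode_passwd_modify_value(response):
    """PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }"""
    tag, seq, end = read_tlv(response, 0)
    if tag != 0x30 or end != len(response):
        raise ValueError("not a PasswdModifyResponseValue")
    return dict(children(seq)).get(0x80)  # None when genPasswd is absent

# Constructed LDAPMessage: messageID 2, success, empty DN and message, response = 8B 02 30 00
SAMPLE = bytes.fromhex("3010020102780b0a0100040004008b023000")
```

Read this way, the two response bytes `30 00` are an empty SEQUENCE, that is, a `PasswdModifyResponseValue` with no generated password.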


