Anoob Backer wrote:
> Hi All,
>
> Is there any way to find out the exact error message in case of bind
> failure using any of the OpenLDAP calls?
>
> What I would like to achieve by this is to know exactly why the bind failed:
> either due to password expiry, or account locked, or account disabled, or user
> not found, etc.
>
> After googling a bit I found a solution:
>
> 1. http://forum.java.sun.com/thread.jspa?messageID=4227692 ==> says to use
> ldap_get_option() to get the error string and then parse and extract the
> error codes. To my understanding this is an extended error message.
>
> Is it reliable to depend on the error messages?
Assuming you want to use OpenLDAP as DSA, if a bind fails at the server side, you'll probably just get LDAP_INVALID_CREDENTIALS, with no indication of what the failure reason was.

If the bind request used the password policy control, and the ppolicy overlay is in use (see slapo-ppolicy(5) for details), the client might get a control response containing the reason for the bind failure, according to <draft-behera-ldap-password-policy>. Any other means of detecting the reason for a bind failure should not be considered.

To use the control, and to understand the control response, your client will need to use an asynchronous call, e.g. ldap_sasl_bind(3), and interpret the control response by using ldap_parse_result(3) on the message returned by ldap_result(3) to extract the controls from the response. The use of ldap_get_option(3) with LDAP_OPT_SERVER_CONTROLS is deprecated in favor of the above mentioned API.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    [EMAIL PROTECTED]
---------------------------------------
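As an added illustration of the reply above (this is example code written for this page, not code from the thread or from the OpenLDAP project): once the client has called ldap_parse_result(3) on the message returned by ldap_result(3), the server controls come back as an array of LDAPControl; the entry whose ldctl_oid is 1.3.6.1.4.1.42.2.27.8.5.1 carries the BER-encoded PasswordPolicyResponseValue from draft-behera-ldap-password-policy. The decoder below takes that ldctl_value (here constructed sample byte strings, not captured from a real server) and reports whether the bind failed because the password expired, the account is locked, and so on, or whether the server only sent an expiry or grace-login warning. The struct and function names are this example's own; the byte layout follows the draft and matches what slapo-ppolicy emits. Recent libldap releases also ship ldap_parse_passwordpolicy_control(3), which does the same decoding for you.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OID shared by the password policy request and response controls
   (draft-behera-ldap-password-policy); compare it against ldctl_oid. */
#define PPOLICY_CONTROL_OID "1.3.6.1.4.1.42.2.27.8.5.1"

/* PasswordPolicyResponseValue.error values, as enumerated in the draft. */
enum { PP_NO_ERROR = -1, PP_PASSWORD_EXPIRED = 0, PP_ACCOUNT_LOCKED = 1,
       PP_CHANGE_AFTER_RESET = 2, PP_PASSWORD_MOD_NOT_ALLOWED = 3,
       PP_MUST_SUPPLY_OLD_PASSWORD = 4, PP_INSUFFICIENT_PASSWORD_QUALITY = 5,
       PP_PASSWORD_TOO_SHORT = 6, PP_PASSWORD_TOO_YOUNG = 7,
       PP_PASSWORD_IN_HISTORY = 8 };

struct ppolicy_response {          /* example's own type, not libldap's */
    long time_before_expiration;   /* seconds; -1 if the warning is absent */
    long grace_authns_remaining;   /* -1 if the warning is absent */
    int  error;                    /* PP_NO_ERROR if the error field is absent */
};

/* Read one BER tag-length-value; returns bytes consumed, 0 on malformed input. */
static size_t read_tlv(const uint8_t *b, size_t n, uint8_t *tag,
                       const uint8_t **val, size_t *len)
{
    size_t i = 0, l, k;
    if (n < 2) return 0;
    *tag = b[i++];
    l = b[i++];
    if (l & 0x80) {                                  /* long-form length */
        k = l & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > n - i) return 0;
        for (l = 0; k; k--) l = (l << 8) | b[i++];
    }
    if (l > n - i) return 0;                         /* value runs past the buffer */
    *val = b + i; *len = l;
    return i + l;
}

/* Decode a non-negative BER INTEGER/ENUMERATED body; -1 if absent or out of range. */
static long decode_uint(const uint8_t *v, size_t len)
{
    long r = 0;
    if (len == 0 || len > sizeof(long) || (v[0] & 0x80)) return -1;
    while (len--) r = (r << 8) | *v++;
    return r;
}

/* Parse the ldctl_value of a password policy response control.
   Returns 0 on success, -1 if the value is not well-formed. */
int ppolicy_parse_response(const uint8_t *value, size_t value_len,
                           struct ppolicy_response *out)
{
    uint8_t tag; const uint8_t *seq, *v; size_t seq_len, l, pos = 0, used;
    out->time_before_expiration = out->grace_authns_remaining = -1;
    out->error = PP_NO_ERROR;
    used = read_tlv(value, value_len, &tag, &seq, &seq_len);
    if (used == 0 || used != value_len || tag != 0x30) return -1;  /* SEQUENCE */
    while (pos < seq_len) {
        used = read_tlv(seq + pos, seq_len - pos, &tag, &v, &l);
        if (used == 0) return -1;
        pos += used;
        if (tag == 0xA0) {                 /* warning [0] CHOICE, explicitly tagged */
            uint8_t wtag; const uint8_t *wv; size_t wl; long n;
            if (read_tlv(v, l, &wtag, &wv, &wl) != l) return -1;
            if ((n = decode_uint(wv, wl)) < 0) return -1;
            if (wtag == 0x80) out->time_before_expiration = n;       /* [0] */
            else if (wtag == 0x81) out->grace_authns_remaining = n;  /* [1] */
            else return -1;
        } else if (tag == 0x81) {          /* error [1] ENUMERATED, implicit tag */
            long e = decode_uint(v, l);
            if (e < PP_PASSWORD_EXPIRED || e > PP_PASSWORD_IN_HISTORY) return -1;
            out->error = (int)e;
        } else return -1;                  /* unknown field: treat as malformed */
    }
    return 0;
}

/* Convenience accessors: the error code (or -2 if malformed) and the expiry warning. */
int ppolicy_error_from_control(const uint8_t *value, size_t value_len)
{
    struct ppolicy_response r;
    return ppolicy_parse_response(value, value_len, &r) == 0 ? r.error : -2;
}

long ppolicy_expiry_from_control(const uint8_t *value, size_t value_len)
{
    struct ppolicy_response r;
    return ppolicy_parse_response(value, value_len, &r) == 0
           ? r.time_before_expiration : -2;
}

const char *ppolicy_error_string(int e)
{
    static const char *names[] = { "passwordExpired", "accountLocked",
        "changeAfterReset", "passwordModNotAllowed", "mustSupplyOldPassword",
        "insufficientPasswordQuality", "passwordTooShort", "passwordTooYoung",
        "passwordInHistory" };
    return (e >= 0 && e <= PP_PASSWORD_IN_HISTORY) ? names[e] : "none";
}

/* Constructed sample control values for testing (not from a real server). */
const uint8_t SAMPLE_LOCKED[]  = { 0x30, 0x03, 0x81, 0x01, 0x01 };
const uint8_t SAMPLE_EXPIRED[] = { 0x30, 0x08, 0xA0, 0x03, 0x81, 0x01, 0x00,
                                   0x81, 0x01, 0x00 };         /* 0 grace left */
const uint8_t SAMPLE_WARNING[] = { 0x30, 0x06, 0xA0, 0x04, 0x80, 0x02, 0x0E, 0x10 };
const uint8_t SAMPLE_BROKEN[]  = { 0x30, 0x05, 0x81, 0x01 };   /* truncated */

int main(void)
{
    struct ppolicy_response r;
    if (ppolicy_parse_response(SAMPLE_EXPIRED, sizeof SAMPLE_EXPIRED, &r) == 0)
        printf("bind failed: %s, grace logins left: %ld\n",
               ppolicy_error_string(r.error), r.grace_authns_remaining);
    return 0;
}
```

In a real client the bytes come from `ctrls[i]->ldctl_value.bv_val` / `bv_len` after ldap_parse_result(3) has filled the server-controls array; only act on the control whose OID matches, and treat a control that fails to parse as "reason unknown" rather than guessing from the LDAP_INVALID_CREDENTIALS text.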
