I've upgraded from OpenLDAP 2.3.43 to 2.4.13 and I'm getting a server
response that didn't occur with 2.3.43, even though my client code is
unchanged. In particular, my server now complains that a password
policy request control with a zero-length control value is an LDAP
protocol error because the "control value is not absent". Note that
according to section 6.1 of the password policy specification
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-09#section-6.1),
the request control has "no controlValue".
The relevant OpenLDAP code is the ppolicy_parseCtrl method of
servers/slapd/overlays/ppolicy.c. In 2.3.43, that method has the
following check:
    if ( ctrl->ldctl_value.bv_len ) {
        rs->sr_text = "passwordPolicyRequest control value not empty";
        return LDAP_PROTOCOL_ERROR;
    }
In 2.4.13, the check is:
    if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
        rs->sr_text = "passwordPolicyRequest control value not absent";
        return LDAP_PROTOCOL_ERROR;
    }
Why did this change occur? Was OpenLDAP 2.3.43 too lenient in accepting
a control with zero length?
Kyle Blaney
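To make the distinction the two checks draw concrete, here is an added example; it is not part of the post above and not OpenLDAP's code. On the wire a Control is SEQUENCE { controlType OCTET STRING, criticality BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }, so an omitted controlValue and a present but zero-length one are different byte sequences. The block decodes constructed encodings of both (plus one with criticality TRUE) and applies the 2.3.43 and 2.4.13 tests quoted above. struct berval, BER_BVISNULL, BER_BVZERO and struct ldapcontrol are simplified stand-ins so it builds without liblber; the OID is the one the ppolicy draft assigns to the request control; the decoder, the function names and the sample encodings are assumptions made for the illustration.

```c
/* Added illustration, not OpenLDAP's own code.  A Control is sent as
 *   SEQUENCE { controlType OCTET STRING, criticality BOOLEAN DEFAULT FALSE,
 *              controlValue OCTET STRING OPTIONAL }
 * so an omitted controlValue and a present, zero-length one are different
 * bytes.  struct berval, BER_BVISNULL and struct ldapcontrol are simplified
 * stand-ins so this builds without liblber; the OID is the one the ppolicy
 * draft assigns to the request control. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS        0x00
#define LDAP_PROTOCOL_ERROR 0x02

struct berval { size_t bv_len; char *bv_val; };
#define BER_BVISNULL(bv) ((bv)->bv_val == NULL)
#define BER_BVZERO(bv)   do { (bv)->bv_len = 0; (bv)->bv_val = NULL; } while (0)

struct ldapcontrol {
    char          ldctl_oid[32];
    struct berval ldctl_value;      /* bv_val == NULL means "controlValue absent" */
    int           ldctl_iscritical;
};

#define PPOLICY_OID "1.3.6.1.4.1.42.2.27.8.5.1"
#define OID_TLV 0x04, 0x19, '1','.','3','.','6','.','1','.','4','.','1','.','4','2','.', \
                            '2','.','2','7','.','8','.','5','.','1'

/* Constructed encodings (short-form lengths) of the request control. */
static const unsigned char ctrl_value_absent[]    = { 0x30, 0x1b, OID_TLV };
static const unsigned char ctrl_value_empty[]     = { 0x30, 0x1d, OID_TLV, 0x04, 0x00 };
static const unsigned char ctrl_critical_absent[] = { 0x30, 0x1e, OID_TLV, 0x01, 0x01, 0xff };

/* Read a tag and short-form length; 0 if the whole element fits in n bytes. */
static int get_tl(const unsigned char *p, size_t n, unsigned char *tag, size_t *len)
{
    if (n < 2 || (p[1] & 0x80)) return -1;
    *tag = p[0];
    *len = p[1];
    return 2 + *len <= n ? 0 : -1;
}

/* Decode one Control.  As the 2.4.13 check relies on, an omitted controlValue
 * leaves ldctl_value BER_BVZERO'd, while a present one makes bv_val point at
 * its contents even when bv_len is 0. */
static int parse_control(const unsigned char *buf, size_t n, struct ldapcontrol *c)
{
    unsigned char tag = 0;
    size_t len = 0;
    const unsigned char *p = buf, *end;

    memset(c, 0, sizeof *c);
    BER_BVZERO(&c->ldctl_value);
    if (get_tl(p, n, &tag, &len) || tag != 0x30) return -1;
    p += 2;
    end = p + len;

    if (get_tl(p, end - p, &tag, &len) || tag != 0x04 || len >= sizeof c->ldctl_oid) return -1;
    memcpy(c->ldctl_oid, p + 2, len);
    p += 2 + len;

    if (p < end && get_tl(p, end - p, &tag, &len) == 0 && tag == 0x01) {   /* criticality */
        if (len != 1) return -1;
        c->ldctl_iscritical = p[2] != 0;
        p += 3;
    }
    if (p < end) {                                                          /* controlValue */
        if (get_tl(p, end - p, &tag, &len) || tag != 0x04) return -1;
        c->ldctl_value.bv_len = len;
        c->ldctl_value.bv_val = (char *)(p + 2);   /* non-NULL even for length 0 */
        p += 2 + len;
    }
    return p == end ? 0 : -1;
}

/* 2.3.43: only a non-empty value is a protocol error. */
int ppolicy_check_2_3_43(const struct ldapcontrol *c, const char **text)
{
    if (c->ldctl_value.bv_len) {
        if (text) *text = "passwordPolicyRequest control value not empty";
        return LDAP_PROTOCOL_ERROR;
    }
    return LDAP_SUCCESS;
}

/* 2.4.13: any present value, even of length 0, is a protocol error. */
int ppolicy_check_2_4_13(const struct ldapcontrol *c, const char **text)
{
    if (!BER_BVISNULL(&c->ldctl_value)) {
        if (text) *text = "passwordPolicyRequest control value not absent";
        return LDAP_PROTOCOL_ERROR;
    }
    return LDAP_SUCCESS;
}

typedef int (*ppolicy_check_fn)(const struct ldapcontrol *, const char **);

/* Decode buf and apply one check; -1 if it is not a well-formed ppolicy
 * request control, otherwise the check's result code. */
int run_check(const unsigned char *buf, size_t n, ppolicy_check_fn check, const char **text)
{
    struct ldapcontrol c;
    if (text) *text = NULL;
    if (parse_control(buf, n, &c) || strcmp(c.ldctl_oid, PPOLICY_OID)) return -1;
    return check(&c, text);
}

int main(void)
{
    const char *text;
    int rc = run_check(ctrl_value_empty, sizeof ctrl_value_empty, ppolicy_check_2_4_13, &text);
    printf("zero-length value under 2.4.13: rc=%d (%s)\n", rc, text ? text : "accepted");
    rc = run_check(ctrl_value_empty, sizeof ctrl_value_empty, ppolicy_check_2_3_43, &text);
    printf("zero-length value under 2.3.43: rc=%d (%s)\n", rc, text ? text : "accepted");
    return 0;
}
```

Run as-is it shows that the same zero-length controlValue passes the 2.3.43 test and fails the 2.4.13 one, while an encoding that omits the element passes both. The practical check on the client side is therefore whether the control is built with a NULL value (element omitted) or with an empty berval (element present with length 0); only the former matches "no controlValue" in the draft.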