perl-ldap-dev

set-password extended operation error

[Darryl C P. <da...@co...>]

I have a script that I'm running to test support for the set-password extended 
operation.  Funny thing is that OpenLDAP always seems to return an error and 
I'm beginning to think the encoding is incorrect.  When I look at the hex 
encoded (identical) request from the ldappassword tool  that comes with 
openldap it looks like:

30 56 02 01 01 60 51 02  01 03 04 42 63 6e 3d 50   0V...`Q....Bcn=P  
61 75 6c 20 43 65 7a 61  6e 6e 65 2c 20 64 63 3d   aul Cezanne, dc=  
43 6c 69 65 6e 74 31 2c  20 64 63 3d 56 65 6e 64   Client1, dc=Vend  
6f 72 31 2c 20 64 63 3d  4d 6f 64 69 66 79 2c 20   or1, dc=Modify,   
64 63 3d 49 4d 43 2c 20  64 63 3d 6f 72 67 80 08   dc=IMC, dc=org..  
50 61 75 6c 30 30 30 35                            Paul0005     


But when I look at the message sent by the extension method I see:

30 56 02 01 01 60 51 02 01 03 04 42 63 6E 3D 50 0V...`Q....Bcn=P
61 75 6C 20 43 65 7A 61 6E 6E 65 2C 20 64 63 3D aul Cezanne, dc=
43 6C 69 65 6E 74 31 2C 20 64 63 3D 56 65 6E 64 Client1, dc=Vend
6F 72 31 2C 20 64 63 3D 4D 6F 64 69 66 79 2C 20 or1, dc=Modify, 
64 63 3D 49 4D 43 2C 20 64 63 3D 6F 72 67 80 08 dc=IMC, dc=org..
50 61 75 6C 30 30 30 35 __ __ __ __ __ __ __ __ Paul0005

Looks like 8 extra bytes of pad data that got slipped in here somehow.  Am I 
doing something wrong? Is there any way of avoiding this?  ldappasswd always 
succeeds, by the way.  I've attached the script ... ignore the sock stuff, it's 
just configuration commands for mirapoint's administration protocol.


===Darryl

Darryl C Price
Conversant Systems, LLC
Email:  da...@co...
Phone:  (513)768-3120
Mobile: (513)225-8528
Web:    http://www.convsys.com

Re: set-password extended operation error

[Chris R. <chr...@me...>]

Darryl C Price <da...@co...> wrote:
> I have a script that I'm running to test support for the set-password
> extended  operation.  Funny thing is that OpenLDAP always seems to return
> an error and  I'm beginning to think the encoding is incorrect.  When I
> look at the hex  encoded (identical) request from the ldappassword tool
> that comes with  openldap it looks like:
> 
> 30 56 02 01 01 60 51 02  01 03 04 42 63 6e 3d 50   0V...`Q....Bcn=P  
> 61 75 6c 20 43 65 7a 61  6e 6e 65 2c 20 64 63 3d   aul Cezanne, dc=  
> 43 6c 69 65 6e 74 31 2c  20 64 63 3d 56 65 6e 64   Client1, dc=Vend  
> 6f 72 31 2c 20 64 63 3d  4d 6f 64 69 66 79 2c 20   or1, dc=Modify,   
> 64 63 3d 49 4d 43 2c 20  64 63 3d 6f 72 67 80 08   dc=IMC, dc=org..  
> 50 61 75 6c 30 30 30 35                            Paul0005     
> 
> 
> But when I look at the message sent by the extension method I see:
> 
> 30 56 02 01 01 60 51 02 01 03 04 42 63 6E 3D 50 0V...`Q....Bcn=P
> 61 75 6C 20 43 65 7A 61 6E 6E 65 2C 20 64 63 3D aul Cezanne, dc=
> 43 6C 69 65 6E 74 31 2C 20 64 63 3D 56 65 6E 64 Client1, dc=Vend
> 6F 72 31 2C 20 64 63 3D 4D 6F 64 69 66 79 2C 20 or1, dc=Modify, 
> 64 63 3D 49 4D 43 2C 20 64 63 3D 6F 72 67 80 08 dc=IMC, dc=org..
> 50 61 75 6C 30 30 30 35 __ __ __ __ __ __ __ __ Paul0005
> 
> Looks like 8 extra bytes of pad data that got slipped in here somehow.

The underscore characters are just there to pad out Convert::ASN1's
display, ie they aren't sent across the wire.

Given that, I can't see any differences between what ldappassword's sending
and what your script's sending...

> Am I  doing something wrong? Is there any way of avoiding this?
> ldappasswd always  succeeds, by the way.  I've attached the script ...
> ignore the sock stuff, it's  just configuration commands for mirapoint's
> administration protocol.

If you look at a complete transcript of the packets sent by the
ldappassword program, and your script, can you spot any obvious
differences? Like what other operations is ldappassword doing before using
this extension?

> 
> ===Darryl
> 
> Darryl C Price
> Conversant Systems, LLC
> Email:  da...@co...
> Phone:  (513)768-3120
> Mobile: (513)225-8528
> Web:    http://www.convsys.com



Cheers,

Chris

Re: set-password extended operation error

[Graham B. <gb...@po...>]

On Tue, Jun 18, 2002 at 03:56:14AM -0400, Darryl C Price wrote:

I think the problem is in your encoding that you are sending

>    $passwdModReq = Convert::ASN1->new;
>    $passwdModReq->prepare(q<SEQUENCE {
>                        userIdentity [1] STRING OPTIONAL,
>                        newPasswd    [2] STRING OPTIONAL

userIdentity should be [0], RFC 30962 shows

   PasswdModifyRequestValue ::= SEQUENCE {
     userIdentity    [0]  OCTET STRING OPTIONAL
     oldPasswd       [1]  OCTET STRING OPTIONAL
     newPasswd       [2]  OCTET STRING OPTIONAL }


Graham.