Catch situations where attributes cannot be read due to required password change #25
Conversation
|
the file changed is specific to eDir, although the OpenLDAP factory class references EdirErrors here: so it's kinda correct, but we definitly shouldn't be putting OpenLDAP error codes in the edir error map. Instead what we need is a new error map file specific for OpenLDAP and change the reference in the factory to the new map. Are you able to do this and add basic list of OpenLDAP error codes? |
|
I see your point; unfortunately, I don't know the operational error codes well enough to feel I can wholesale replace the current setup. Would a wrapper approach be acceptable? i.e., a |
|
Theres not much point in falling back on edir error, those codes don't exist in OpenLDAP. Even if it has only a handful of codes as long as the error catch mechanism is working we can expand the list later. I think this might be the list of OpenLDAP error codes here: https://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html |
hsartoris-bard
force-pushed
the
master
branch
from
7729963 to
214c474
Compare
|
Fair point! I did my best; let me know if there's anything obviously awry. |
|
@jrivard anything else that you'd like to see happen with this? |
|
@hsartoris-bard looks great, I was hoping to get a chance to test this against a real open-ldap system, but I just havent had a chance, so I'll go ahead and merge based on its appearence. If u find any further bugs please send another pull request. Thanks for contributing! |
|
Welcome; will do! |
When
slapo-ppolicyis active on an OpenLDAP server, the relevant password policy specifiespasswordMustChange: TRUE, and a given account haspwdReset: TRUE, then, although it is possible to bind as the user, the only operation of substance allowed once bound is password reset. This change catches the resulting error code when another action is attempted, such as querying the user's own attributes.More details at https://linux.die.net/man/5/slapo-ppolicy