ldapjs / node-ldapjs

LDAP Client and Server API for node.js
http://ldapjs.org
MIT License

How can I obtain detailed information about the password policy? #946

Closed taru3004 closed 1 year ago

taru3004 commented 1 year ago

It appears that we can obtain detailed information regarding password policy in version 3 through the following issues:

https://github.com/ldapjs/node-ldapjs/issues/186 https://github.com/ldapjs/node-ldapjs/issues/770

https://github.com/ldapjs/node-ldapjs/issues/839 (version 3 clean slate notification)

However, I was unable to obtain any detailed information during the bind process. Could you please provide a sample code if possible?

jsumners commented 1 year ago

It sounds like you are asking about support for the controls described in https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10#anchor52 (§6,6.1,6.2). That doc is a draft doc and I cannot find an accepted "RFC" version of it. However, servers, including OpenLDAP, have implemented the proposed spec regardless of the draft status. Thus, we are not opposed to it being added here.

The controls we currently support are plainly listed at https://github.com/ldapjs/controls/tree/9718b85dc8eae4522e5d879a603a13422d6e245a/lib/controls. The controls in question are not in that list. If you would like support for them, you are welcome to work on the feature. At a minimum, such work is likely to require:

  1. An update to the @ldapjs/controls module linked above.
  2. An update to the ldapjs module to recognize the new response controls.
  3. An update to https://github.com/ldapjs/docker-test-openldap to include the overlay.
  4. Tests to prove the functionality and guard against regression.

Would you like to work on this?
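
The password policy response control from the draft linked above carries its detail in a BER-encoded value (§6.2). The following is an added example, not part of this thread and not ldapjs or @ldapjs/controls code: it decodes that value with plain Node.js, and its function names and sample bytes are constructed for illustration.

```javascript
'use strict'
// Added example (not ldapjs code): PasswordPolicyResponseValue decoder, draft §6.2.
const PPOLICY_OID = '1.3.6.1.4.1.42.2.27.8.5.1' // control type to match on
const ERRORS = ['passwordExpired', 'accountLocked', 'changeAfterReset',
  'passwordModNotAllowed', 'mustSupplyOldPassword', 'insufficientPasswordQuality',
  'passwordTooShort', 'passwordInHistory', 'passwordTooYoung']

// Read one BER TLV at `pos`; returns its tag, content bytes and next offset.
function readTlv (buf, pos) {
  if (pos + 2 > buf.length) throw new RangeError('truncated TLV header')
  const tag = buf[pos]
  let len = buf[pos + 1]
  let off = pos + 2
  if (len & 0x80) { // long form: low 7 bits count the length octets
    const n = len & 0x7f
    if (n === 0 || n > 4 || off + n > buf.length) throw new RangeError('bad length')
    len = buf.readUIntBE(off, n)
    off += n
  }
  if (off + len > buf.length) throw new RangeError('content overruns buffer')
  return { tag, value: buf.subarray(off, off + len), next: off + len }
}

// The draft limits these integers to 0..maxInt, so reject negatives.
function readUint (bytes) {
  if (bytes.length < 1 || bytes.length > 4 || bytes[0] & 0x80) throw new RangeError('bad integer')
  return bytes.reduce((acc, b) => acc * 256 + b, 0)
}

function decodePasswordPolicyResponse (value) {
  const out = { warning: null, error: null }
  const seq = readTlv(value, 0)
  if (seq.tag !== 0x30) throw new TypeError('expected SEQUENCE')
  for (let pos = 0; pos < seq.value.length;) {
    const el = readTlv(seq.value, pos)
    pos = el.next
    if (el.tag === 0xa0) { // warning [0] wraps the chosen CHOICE alternative
      const alt = readTlv(el.value, 0)
      const name = { 0x80: 'timeBeforeExpiration', 0x81: 'graceAuthNsRemaining' }[alt.tag]
      if (!name) throw new TypeError('unknown warning alternative')
      out.warning = { [name]: readUint(alt.value) }
    } else if (el.tag === 0x81) { // error [1] ENUMERATED
      const code = readUint(el.value)
      out.error = { code, name: ERRORS[code] || 'unknown' }
    } else throw new TypeError('unexpected tag 0x' + el.tag.toString(16))
  }
  return out
}
// Constructed sample value: SEQUENCE { error [1] = 8 }
console.log(PPOLICY_OID, decodePasswordPolicyResponse(Buffer.from('3003810108', 'hex')))
```

Both fields are optional in the draft, so an empty SEQUENCE decodes to `{ warning: null, error: null }`.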

taru3004 commented 1 year ago

@jsumners

For example, when I enter the following command as a shell command, the rejection reason is displayed through the Additional Info message:

ldappasswd -H ldapi:/// -x -D <user DN> -W -S
Result: Constraint violation (19)
Additional info: Password is too young to change

However, when I use ldapjs to call the modify operation for the userPassword value, only the following error is generated: { "lde_message":"Constraint Violation", "lde_dn":null }

I would like to obtain additional information like "Password is too young to change." Is it currently not supported by ldapjs?

jsumners commented 1 year ago

Did you read my previous reply?

taru3004 commented 1 year ago

@jsumners Of course, I have read your message. However, since English is not my native language, I have a little confusion.

  1. Do I need to update the controls module myself?
  2. Or is it a matter that requires future updates because it is currently not supported by ldapjs?
  3. Is it already supported in version 3?

Based on your previous answer, it looks like the second case is correct. If so, is the closure of issues 186 or 770 unrelated to the support of password policy related controls in version 3?

jsumners commented 1 year ago

The requested feature is not implemented. I outlined the minimum of what would need to be done to implement the feature.

taru3004 commented 1 year ago

I understand. :) Thank you for your response, and may I ask if you have any implementation plans?

jsumners commented 1 year ago

No. You are welcome to work on it.

taru3004 commented 1 year ago

I'll try, and if it works well, I'll share it.

jsumners commented 1 year ago

Being worked on in #949.

jsumners commented 1 year ago

Solved by #949.