| Subject: | Util::ldap_error_name returns PP messages for non-PP actions |
&Net::LDAP::Util::ldap_error_name
This subroutine (and possibly others) is broken since the introduction
of Control::PasswordPolicy.
This code searches through the POD-formatted list of error codes
underneath __DATA__ at the base of Net/LDAP/Constant.pm and parses each
one into an array in this format:
IF FOUND:
=item<SPACE>LDAP_<STRING $1> (<DIGIT $2>)
ADD TO ARRAY:
@err2name[$2] = [$1]
However, since the introduction of Password Policy protocol errors which
have been entered in numerical code order after each corresponding
NORMAL ldap code, once the array has been loaded with the correct error
name, the error code entry gets overridden with the corresponding
password policy error.
This means that, for example, the result of a successful bind which is
code 0 is not returned as LDAP_SUCCESS, but instead
LDAP_PP_PASSWORD_EXPIRED.
This is a critical error because many applications determine LDAP
success by performing if($ldap->code == LDAP_SUCCESS) and, because it is
now returning LDAP_PP_PASSWORD_EXPIRED, it is not only causing
widespread confusion, but also causing everything to break.
I discovered this in troubleshooting a failure in
RT::Authen::ExternalAuth reported to me by a user who couldn't
understand why Active Directory might think his password was expired.