Skip to content

Supplying Control during SimpleBind results in a panic in the response #538

Open
Open
Supplying Control during SimpleBind results in a panic in the response#538
Assignees
cpuschma
Labels
bugtriage
@srisuman

Description

@srisuman
srisuman
opened on Dec 4, 2024

package main

import (
"fmt"
"log"

"github.com/go-ldap/ldap/v3"

)

func main() {

ldapServer := "localhost"

l, err := ldap.DialURL(fmt.Sprintf("ldap://%s:389", ldapServer))
if err != nil {
	panic(err)
}
defer l.Close()
bindDN := "cn=testuser3"
bindPassword := "Passw0rd"
controls := []ldap.Control{}
controls = append(controls, ldap.NewControlBeheraPasswordPolicy())

// Set up the bind request
bindRequest := ldap.NewSimpleBindRequest(bindDN, bindPassword, controls)

r, err := l.SimpleBind(bindRequest)

ppolicyControl := ldap.FindControl(r.Controls, ldap.ControlTypeBeheraPasswordPolicy)

var ppolicy *ldap.ControlBeheraPasswordPolicy
if ppolicyControl != nil {
	ppolicy = ppolicyControl.(*ldap.ControlBeheraPasswordPolicy)
} else {
	log.Printf("ppolicyControl response not available.\n")
}
if err != nil {
	errStr := "ERROR: Cannot bind: " + err.Error()
	if ppolicy != nil && ppolicy.Error >= 0 {
		errStr += ":" + ppolicy.ErrorString
	}
	log.Print(errStr)
} else {
	logStr := "Login Ok"
	if ppolicy != nil {
		if ppolicy.Expire >= 0 {
			logStr += fmt.Sprintf(". Password expires in %d seconds\n", ppolicy.Expire)
		} else if ppolicy.Grace >= 0 {
			logStr += fmt.Sprintf(". Password expired, %d grace logins remain\n", ppolicy.Grace)
		}
	}
	log.Print(logStr)
}
passwordMustChangeControl := ldap.FindControl(r.Controls, ldap.ControlTypeVChuPasswordMustChange)
var passwordMustChange *ldap.ControlVChuPasswordMustChange
if passwordMustChangeControl != nil {
	passwordMustChange = passwordMustChangeControl.(*ldap.ControlVChuPasswordMustChange)
}

if passwordMustChange != nil && passwordMustChange.MustChange {
	log.Printf("Password Must be changed.\n")
}

if err != nil {
	panic(err)
}

fmt.Println("Bind successful!")

}
This results in a panic
ppolicyControl := ldap.FindControl(r.Controls, ldap.ControlTypeBeheraPasswordPolicy)

The error when the program was run without the above line
panic: failed to decode child control: failed to decode data bytes: invalid PasswordPolicyResponse enum value

ldapsearch -s sub -D cn=testuser3 -w Passw0rd -b "objectclass=*" ++
ldap_simple_bind: DSA is unwilling to perform --- Error, Account is locked

Metadata

Metadata

Assignees

Labels

bugtriage

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions