Error "ldap_modify: Constraint violation" when changing eDirectory user's password or binding via LDAP

  • 7010589
  • 08-Aug-2012
  • 28-Sep-2020

Environment

eDirectory 9 for All Platforms
Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms

Situation

An administrator trying to set a user's password to a string longer than 128 characters via LDAP receives an LDAP Constraint Violation (error 19) from eDirectory. The same password can be set for the user with the 'Set Universal Password' task under the 'Passwords' role in iManager.

When trying to bind as a user whose password is longer than 128 characters, an LDAP Constraint Violation (error 19) is returned even though the password is correct.

Resolution

To comply with RFC 2256, eDirectory's LDAP interface refuses a bind or a set-password operation when the password exceeds the length limit defined by that RFC, 128 characters. Passwords can still be changed through other interfaces, such as NDAP via iManager; only the LDAP interface blocks passwords of this length, in order to comply with the RFC.

This restriction applies regardless of any password length allowed elsewhere in eDirectory, such as in the Universal Password (UP) policy.
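Both failures described above have the same cause, so the cheapest defence is to check the length before the LDAP call and route over-length passwords to iManager/NDAP. The following Python pre-flight check is an added example, not code from the TID or from NetIQ; it assumes the limit is enforced on UTF-8 octets (RFC 2256 defines userPassword as an Octet String of at most 128 octets, so a multi-byte character counts more than once), and `build_password_ldif` and the DN are hypothetical names chosen for the example.

```python
import base64

# Limit stated in the TID (RFC 2256 userPassword: Octet String {128}).
LDAP_PASSWORD_MAX_OCTETS = 128


def password_octets(password: str) -> int:
    """Length of the password as the LDAP server receives it: UTF-8 octets.
    Assumption: eDirectory counts octets, so 'é' * 65 is 130, not 65."""
    return len(password.encode("utf-8"))


def fits_ldap_limit(password: str) -> bool:
    """True when a bind or userPassword modify over LDAP can succeed."""
    return password_octets(password) <= LDAP_PASSWORD_MAX_OCTETS


def build_password_ldif(dn: str, password: str) -> str:
    """Build the LDIF for 'ldapmodify' to replace userPassword.

    Raises ValueError before any network call when eDirectory would answer
    constraintViolation (19), so the caller can fall back to the iManager
    'Set Universal Password' task instead of retrying over LDAP.
    """
    octets = password_octets(password)
    if octets > LDAP_PASSWORD_MAX_OCTETS:
        raise ValueError(
            f"password is {octets} octets; eDirectory LDAP rejects more than "
            f"{LDAP_PASSWORD_MAX_OCTETS} with constraint violation (19). "
            "Set it through iManager (NDAP) instead."
        )
    # userPassword is written base64-encoded (LDIF '::') so any byte is safe
    # and no trailing-space or leading-colon ambiguity can creep in.
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword:: {encoded}\n"
    )


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print(build_password_ldif("cn=jdoe,ou=users,o=example", "Secret123"))
    print("129 x 'a' fits:", fits_ldap_limit("a" * 129))
```

Run the check before `ldapmodify` or the bind; an over-length password never reaches eDirectory, so the error 19 in the TID is replaced by a local message pointing at the supported channel.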


This limitation is documented in the eDirectory 8.8 SP8 and later documentation as follows:

NOTE: In compliance with RFC 2256, the LDAP interface of eDirectory only allows binds to occur with passwords up to 128 characters in length. Also, passwords can only be set to have up to 128 characters when set through LDAP.

Cause

This limitation is intentional, coded to follow the RFC, and affects only the LDAP interface and the password attribute.

Status

Reported to Engineering

Additional Information

An enhancement request was entered as Bug# 775042 to change this behavior to comply with the newer RFC 4519. The decision on this enhancement request was to retain the current LDAP design, which follows RFC 2256, and to document this LDAP limitation in the eDirectory documentation.

This is documented in the eDirectory 9.2 Administration Guide | Understanding LDAP Services for NetIQ eDirectory | Using LDAP Tools on Linux | LDAP Tools
https://www.netiq.com/documentation/edirectory-92/edir_admin/data/a6qjdjx.html