ldap_use_exop_passwd causes an empty mod after the extop

[mistotebe]

Hi,
configuring self-service-password against OpenLDAP with constraint overlay enabled, I get this error:

PHP Warning:  ldap_mod_replace(): Modify: Invalid syntax in /usr/share/self-service-password/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 101
LDAP - Modify password error 21 (Invalid syntax)

SSP is set up with ldap_use_exop_passwd = true so the ldap_mod_replace is suspect, looking into this further, it seems that SSP sends the passmod extop first (as expected), then it sends a modify with no mods, but if the admin has configured the constraint overlay, this is not allowed and gets an LDAP_INVALID_SYNTAX.

I don't see why the empty modify is necessary for SSP's function, so while constraint's behaviour might not be great, it should probably be avoided on the client side - i.e. here?

Thanks

[coudot]

Could you send the logs of LDAP server? I don't think SSP is doing a second modify if exop is failing.

Could you also give the constraint overlay configuration?

[mistotebe]

No, the exop is successful, then as far as I can see, SSP somehow issues a second request immediately after, which is this empty modify and that's the one that's being logged as failing. Is there a way to get more a more detailed trace I could post here?

It's enough to have overlay constraint enabled on the database, the constraint_update callback always rejects all modifies with no mods before it tries to figure out if there's anything to enforce.