Bug 178867
| Summary: | Need to enhance password syntax checking | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Nathan Kinder <nkinder> | ||||||
| Component: | Security - Password Policy | Assignee: | Nathan Kinder <nkinder> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 1.0 | ||||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | 1.0.2 | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-12-07 16:36:59 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 152373, 183369, 240316 | ||||||||
| Attachments: |
|
||||||||
Created attachment 123641 [details]
CVS DIffs
These diffs implement everything outlined in the initial bug comment. It adds
the following new config parameters to the cn=config entry (valid range and
defaults in parenthesis):
passwordMinDigits (0-64, default=0)
passwordMinAlphas (0-64, default=0)
passwordMinUppers (0-64, default=0)
passwordMinLowers (0-64, default=0)
passwordMinSpecials (0-64, default=0)
passwordMin8Bit (0-64, default=0)
passwordMaxRepeats (0-64, default=0)
passwordMinCategories (1-5, default=3)
passwordMinTokenLength (1-64, default=3)
It also adjusts the default passwordMinLength setting to 8. This makes our
defaults match Active Directorys password complexity feature.
Created attachment 123678 [details]
CVS Commit
Checked into ldapserver (HEAD). Reviewed by Rich, Pete, and Noriko.
|
The password syntax checking feature should be enhanced to enforce strict password policies. The policy needs to be flexible enough to work in a variety of deployments. The following should be enforceable: - minimum password character length - minimum number of digit characters (0-9) - minimum number of ASCII alpha characters (a-z, A-Z) - minimum number of uppercase ASCII alpha characters (A-Z) - minimum number of lowercase ASCII alpha characters (a-z) - minimum number of special ASCII characters (!@#$, etc.) - minimum number of 8-bit characters - maximum number of times the same char can be immediately repeated (aaabbb) - minimum number of character categories that are represented (categories are lower, upper, digit, special, and 8-bit) The code currently makes sure that userPassword is not the same as the uid, cn, sn, givenname, mail, or ou attribute value(s) present in the entry. This needs to be enhanced to make sure that the password does not contain these values instead of an equality check. There should also be a minimum value size to use for comparision purposes for these attributes. All of these features should work for passwords that contain 8-bit, multi-byte characters.