Bug 1795220

Summary:	Expecting appropriate error message when new password length is less than 8 characters when ldap_pwmodify_mode = ldap_modify in sssd.conf
Product:	Red Hat Enterprise Linux 8	Reporter:	Madhuri <mupadhye>
Component:	sssd	Assignee:	Pavel Březina <pbrezina>
Status:	CLOSED ERRATA	QA Contact:	sssd-qe <sssd-qe>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.2	CC:	atikhono, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sgoveas, thalman, tscherf
Target Milestone:	rc	Keywords:	Triaged
Target Release:	8.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	sync-to-jira
Fixed In Version:	sssd-2.3.0-1.el8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-11-04 02:04:37 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Madhuri 2020-01-27 13:18:21 UTC

Description of problem:
Expecting appropriate error message when new password length is less than 8 characters when ldap_pwmodify_mode = ldap_modify in sssd.conf

Version-Release number of selected component (if applicable):
sssd-2.2.3-11.el8.x86_64

How reproducible:
Always 

Steps to Reproduce:
1. Setup sssd client with the rhds server and enable passwordCheckSyntax on server 
[root@ipaqavma ~]# ldapsearch -xLLL -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=config"  | grep passwordCheckSyntax
passwordCheckSyntax: on

2. Add ldap_pwmodify_mode = ldap_modify in sssd.conf
[root@ipaqavmh ~]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
use_fully_qualified_names = True
debug_level = 9
ldap_pwmodify_mode = ldap_modify

3. Try to change password of a user

Actual results:
[foo9@example1@ipaqavmh /]$ passwd
Changing password for user foo9@example1.
Current Password: 
New password: <password like red_12>
Retype new password: <password like red_12>
passwd: all authentication tokens updated successfully.

Here I provided a new password having a length less than 8 characters
but still, it's giving a message of successful password change.


from log,
(Mon Jan 27 07:22:02 2020) [sssd[be[example1]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_MODIFY]
(Mon Jan 27 07:22:02 2020) [sssd[be[example1]]] [sdap_modify_done] (0x1000): ldap_modify result: Constraint violation(19), invalid password syntax - password must be at least 8 characters long
(Mon Jan 27 07:22:02 2020) [sssd[be[example1]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Mon Jan 27 07:22:02 2020) [sssd[be[example1]]] [sdap_modify_passwd_done] (0x0400): Password change for [uid=foo9,ou=People,dc=example,dc=test] was successful


Expected results:
Must give proper error message when new password length is less than 8 characters.

Additional info:

Comment 1 Pavel Březina 2020-01-29 11:41:25 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4148

Comment 4 Pavel Březina 2020-02-14 11:40:42 UTC

Upstream PR:
https://github.com/SSSD/sssd/pull/979

Comment 5 Pavel Březina 2020-03-05 09:32:34 UTC

* `master`
    * e4c6ebf6754dca194487f02b616018a860e5dbdf - sdap: provide error message when password change fail in ldap_modify mode
* `sssd-1-16`
    * ddf0a59a610570111fadc391f104c29442e01ac8 - sdap: provide error message when password change fail in ldap_modify mode

Comment 7 Pavel Březina 2020-04-24 11:33:48 UTC

*** Bug 1710749 has been marked as a duplicate of this bug. ***

Comment 11 Madhuri 2020-07-13 11:36:21 UTC

Verified with:
sssd-2.3.0-4.el8.x86_64

Steps to Reproduce:
1. Setup sssd client with the rhds server and enable passwordCheckSyntax on server 
[root@ipaqavma ~]# ldapsearch -xLLL -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=config"  | grep passwordCheckSyntax
passwordCheckSyntax: on

2.
[root@ci-vm-10-0-104-246 ~]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
ldap_pwmodify_mode = ldap_modify

3. Try to change password of a user
[foo6@example1@ci-vm-10-0-104-246 /]$ passwd
Changing password for user foo6@example1.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
[foo6@example1@ci-vm-10-0-104-246 /]$ passwd
Changing password for user foo6@example1.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: invalid password syntax - password must be at least 8 characters long
passwd: Authentication token is no longer valid; new one required
[foo6@example1@ci-vm-10-0-104-246 /]$ exit



As getting proper error message when new password length is less than 8 characters.
thus marking this as verified.

Comment 12 Madhuri 2020-07-13 11:39:34 UTC

Verified with:
sssd-2.3.0-4.el8.x86_64

Steps to Reproduce:
1. Setup sssd client with the rhds server and enable passwordCheckSyntax on server 
[root@ipaqavma ~]# ldapsearch -xLLL -p 389 -h localhost -D "cn=Directory Manager" -w Secret123 -b "cn=config"  | grep passwordCheckSyntax
passwordCheckSyntax: on

2.
[root@ci-vm-10-0-104-246 ~]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
ldap_pwmodify_mode = ldap_modify

3. Try to change password of a user
[foo6@example1@ci-vm-10-0-104-246 /]$ passwd
Changing password for user foo6@example1.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
[foo6@example1@ci-vm-10-0-104-246 /]$ passwd
Changing password for user foo6@example1.
Current Password: 
New password: 
Retype new password: 
Password change failed. Server message: invalid password syntax - password must be at least 8 characters long
passwd: Authentication token is no longer valid; new one required
[foo6@example1@ci-vm-10-0-104-246 /]$ exit



As getting proper error message when new password length is less than 8 characters.
thus marking this as verified.

Comment 15 errata-xmlrpc 2020-11-04 02:04:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569