Bug 212112

Summary: Better error messages should be reported for password syntax violations
Product: [Retired] 389
Component: Security - Password Policy
Version: 1.0.2
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Nathan Kinder <nkinder>
Assignee: Nathan Kinder <nkinder>
QA Contact: Viktor Ashirov <vashirov>
CC: nhosoi, rmeggins
Doc Type: Bug Fix
Last Closed: 2015-12-07 17:03:49 UTC
Bug Blocks: 152373, 240316, 427409
Attachments: CVS Diffs (flags: none)

Description Nathan Kinder 2006-10-25 04:58:07 UTC
We should report better error messages when a password modification violates the
syntax policies.  The error message should state why the password violated the
policy.  Some examples of good messages would be:

  - "Password must be at least 8 characters long"
  - "Password must contain at least 1 numeric character"
  - "Password must contain at least 1 uppercase character"

Reporting information about the password policy setting in the error messages is
safe since we first verify that the user is allowed to make the password change
before checking the syntax.

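The checker described above, as an added example (not code from 389 Directory Server): it reports the specific rule a candidate password breaks, in the style of the messages listed in the description, and counts character categories the way the later fix describes them (digit, uppercase, lowercase, special, 8-bit). The policy struct, field names, `demo_policy` values and sample passwords are constructed for this example. As the description notes, a server must only run this after confirming the requester is allowed to change the password, otherwise the messages leak policy detail to anyone who can attempt a modify.

```c
/* Added example, not 389 Directory Server code. Policy struct, field names
 * and sample values are assumptions of this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int min_length;     /* minimum total length in bytes */
    int min_digits;     /* minimum digit characters */
    int min_uppers;     /* minimum uppercase ASCII letters */
    int min_categories; /* minimum distinct character categories */
} pw_policy_t;

/* Count how many of the five categories (digit, uppercase, lowercase,
 * special, 8-bit) the password uses at least once. */
int count_categories(const char *pw)
{
    int digit = 0, upper = 0, lower = 0, special = 0, eightbit = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (c >= 0x80)       eightbit = 1;
        else if (isdigit(c)) digit = 1;
        else if (isupper(c)) upper = 1;
        else if (islower(c)) lower = 1;
        else                 special = 1;
    }
    return digit + upper + lower + special + eightbit;
}

/* Returns 1 on a syntax violation and writes the reason into errormsg;
 * returns 0 with an empty errormsg when the password passes every rule.
 * Caller must already have verified the requester may change this password. */
int check_password_syntax(const char *pw, const pw_policy_t *policy,
                          char *errormsg, size_t errormsg_len)
{
    size_t len = strlen(pw);
    int digits = 0, uppers = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c < 0x80 && isdigit(c))      digits++;
        else if (c < 0x80 && isupper(c)) uppers++;
    }

    errormsg[0] = '\0';
    if ((int)len < policy->min_length) {
        snprintf(errormsg, errormsg_len,
                 "invalid password syntax - password must be at least %d characters long",
                 policy->min_length);
    } else if (digits < policy->min_digits) {
        snprintf(errormsg, errormsg_len,
                 "invalid password syntax - password must contain at least %d numeric characters",
                 policy->min_digits);
    } else if (uppers < policy->min_uppers) {
        snprintf(errormsg, errormsg_len,
                 "invalid password syntax - password must contain at least %d uppercase characters",
                 policy->min_uppers);
    } else if (count_categories(pw) < policy->min_categories) {
        snprintf(errormsg, errormsg_len,
                 "invalid password syntax - password must contain at least %d character "
                 "categories (valid categories are digit, uppercase, lowercase, special, "
                 "and 8-bit characters)", policy->min_categories);
    }
    return errormsg[0] != '\0';
}

/* Constructed demo policy: 8 chars, 1 digit, 1 uppercase, 3 categories. */
static const pw_policy_t demo_policy = { 8, 1, 1, 3 };

/* Demo helper: 0 if pw is accepted, 1 if rejected and the reason contains
 * needle, -1 if rejected for some other reason. */
int demo_check(const char *pw, const char *needle)
{
    char errormsg[256];
    if (!check_password_syntax(pw, &demo_policy, errormsg, sizeof errormsg))
        return 0;
    return strstr(errormsg, needle) != NULL ? 1 : -1;
}

int main(void)
{
    /* Constructed sample passwords, one per rule plus one that passes. */
    const char *samples[] = { "short", "longenough", "longenough1",
                              "LONGENOUGH1", "4Fy^h&3H" };
    char errormsg[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (check_password_syntax(samples[i], &demo_policy, errormsg, sizeof errormsg))
            printf("%-12s -> %s\n", samples[i], errormsg);
        else
            printf("%-12s -> accepted\n", samples[i]);
    }
    return 0;
}
```

The checks run in a fixed order and stop at the first failure, so the user sees one concrete reason per attempt; the buffer length is always passed from `sizeof` rather than a hard-coded constant.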
Comment 1 Nathan Kinder 2006-11-22 22:09:13 UTC
Created attachment 141954: CVS Diffs

Comment 2 Rich Megginson 2006-11-22 22:21:29 UTC
Ok.

Comment 3 Nathan Kinder 2006-11-27 18:54:40 UTC
After talking with Noriko before the holiday break, we both agreed that it would
be nice to let the end user know what the valid character categories are when
their password doesn't meet the minimum categories requirement.  The following
change to the previous set of diffs improves the error message for this case.

+                        } else if ( pwpolicy->pw_mincategories > num_categories ) {
+                                syntax_violation = 1;
+                                PR_snprintf ( errormsg, BUFSIZ,
+                                    "invalid password syntax - password must
contain at least %d character "
+                                    "categories (valid categories are digit,
uppercase, lowercase, special, and 8-bit characters)",
+                                    pwpolicy->pw_mincategories );
+                        } 
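
Review bot: the message tells the user how many categories are required but not how many their password actually has; since `num_categories` is already computed for the `pwpolicy->pw_mincategories > num_categories` test, consider reporting it too, e.g. "password must contain at least %d character categories (found %d)", so the user knows how far short they fell. Also, `PR_snprintf ( errormsg, BUFSIZ, ...` hard-codes the buffer length; if `errormsg` is a fixed-size array, `sizeof(errormsg)` keeps the bound tied to the declaration. Exposing the policy values in this text is fine only under the ordering the description states, namely that the caller has already verified the user may change the password before the syntax check runs.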

Comment 4 Nathan Kinder 2006-11-27 19:26:31 UTC
Checked into ldapserver (HEAD).  Thanks to Rich and Noriko for reviews!

Checking in pw.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v  <--  pw.c
new revision: 1.14; previous revision: 1.13
done

Comment 5 Anh Nguyen 2008-01-03 22:49:37 UTC
Verified. 
We reran the password syntax policy test suite. The results showed meaningful
error messages when the syntax is violated.
####################################################################
Strong Password Policy: Test Case 4 : Settings ...
Password:                 76h*hhhh
PasswordMinDigits:        -1
PasswordMinAlphas:        0
PasswordMinLowers:        0
PasswordMinUppers:        0
PasswordMinSpecials:      0
PasswordMin8bit:          0
PasswordMaxRepeats:       0
PasswordMinCategories:    3
PasswordMinTokenLength:   3
PasswordLength:           8
mindigits of -1 is out of range [0-64]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum number of digits "-1" is invalid. The minimum number of digits must range from 0 to 64.
modifying entry cn=config

####################################################################
Strong Password Policy: Test Case 45 : Settings ...
Password:                 %!
PasswordMinDigits:        0
PasswordMinAlphas:        0
PasswordMinLowers:        0
PasswordMinUppers:        0
PasswordMinSpecials:      0
PasswordMin8bit:          0
PasswordMaxRepeats:       0
PasswordMinCategories:    3
PasswordMinTokenLength:   3
PasswordLength:           -1
password length of -1 is out of range [0-64]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum length "-1" is invalid. The minimum length must range from 2 to 512.

####################################################################
Strong Password Policy: Test Case 72 : Settings ...
Password:                 4Fy^h&3H
PasswordMinDigits:        0
PasswordMinAlphas:        0
PasswordMinLowers:        0
PasswordMinUppers:        0
PasswordMinSpecials:      0
PasswordMin8bit:          0
PasswordMaxRepeats:       0
PasswordMinCategories:    3
PasswordMinTokenLength:   3
PasswordLength:           bogus
password length of bogus is out of range [2-512]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum length "bogus" is invalid. The minimum length must range from 2 to 512.