1468284 – Passwords rejected if its similar to uid, cn, sn or mail attributes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1468284 - Passwords rejected if its similar to uid, cn, sn or mail attributes

Summary: Passwords rejected if its similar to uid, cn, sn or mail attributes

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	mreynolds
QA Contact:	Viktor Ashirov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-06 14:56 UTC by Sankar Ramalingam
Modified:	2017-08-29 20:07 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-29 20:07:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Sankar Ramalingam 2017-07-06 14:56:02 UTC

Description of problem: Resetting passwords to a similar value of cn, sn and uid is failing. 

Version-Release number of selected component (if applicable): 389-ds-base-1.3.6.1-16

How reproducible: Consistently

Steps to Reproduce:
1. Install latest of 389-ds-base-1.3.6.1-16 on RHEL-7.4.
2. Configure global and local password policy with PasswordCheckSyntax attribute set to on.
3. Add users with cn, sn, uid, mail and userPassword attributes, like this
sn: textuser1
sn: test user1
uid: tentuser1
mail: tesstuser1

4. Run ldapmodify as normal user and replace userPassword.
ldapmodify -x -p $PORT -h localhost -D "$USR" -w $PASW << EOF
dn: uid=tetusr4,ou=people,dc=example,dc=com
replace: userPassword
userPassword: text1234
EOF
ldap_modify: Constraint violation (19)

ldapmodify -x -p $PORT -h localhost -D "$USR" -w $PASW << EOF
dn: uid=tetusr4,ou=people,dc=example,dc=com
replace: userPassword
userPassword: tent1234
EOF
ldap_modify: Constraint violation (19)

ldapmodify -x -p $PORT -h localhost -D "$USR" -w $PASW << EOF
dn: uid=tetusr4,ou=people,dc=example,dc=com
replace: userPassword
userPassword: ttest1234
EOF
ldap_modify: Constraint violation (19)

Actual results: Passwords similar to sn, cn and uid are rejected.

Expected results: It should accept passwords which are not same as sn, cn and uid, if its not in the history.

Additional info: Refer to TET failed tests: tp26, tp56 through tp77.

ldap_modify: Constraint violation
[22/June/2017:16:01:53.542355187 -0400] ldap_modify: additional info:
invalid password syntax - password based off of user entry

Comment 2 Sankar Ramalingam 2017-08-08 10:58:05 UTC

Automated in pytest ./suites/password/regression_test.py

Comment 3 Nathan Kinder 2017-08-29 20:07:29 UTC

I believe that this is actually the expected behavior.  The password policy code performs a check for passwords that are similar to certain attributes from the same user entry (not just passwords that fully contain the other attribute values).  This is referred to as the "trivial words check".

Internally, the way this works is that the values of the checked attributes (like cn, sn, uid) are broken up into tokens of a configurable length.  We then check if the password value contains any of these tokens.  If it does, it is rejected with a constraint violation (rc=19).  The token length defaults to 3, and is configurable with the passwordMinTokenLength attribute in the password policy.  This is described here:

  https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordMinTokenLength_Password_Syntax

As an example, a token length of 3 would mean that the following tokens are not allowed in a password for a user with a uid of "nkinder":

  - nki
  - kin
  - ind
  - nde
  - der

In your examples in the initial description of this bug, all of the password values that were rejected contain a 3 character token (or greater) from one of the checked attributes.

Closing this as NOTABUG.  Please be sure to update your tests to match the expected behavior.

Note You need to log in before you can comment on or make changes to this bug.