Bug 1468284 - Passwords rejected if its similar to uid, cn, sn or mail attributes
Passwords rejected if its similar to uid, cn, sn or mail attributes
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
7.4
x86_64 Linux
high Severity high
: rc
: ---
Assigned To: mreynolds
Viktor Ashirov
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-06 10:56 EDT by Sankar Ramalingam
Modified: 2017-08-29 16:07 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-29 16:07:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sankar Ramalingam 2017-07-06 10:56:02 EDT
Description of problem: Resetting passwords to a similar value of cn, sn and uid is failing. 

Version-Release number of selected component (if applicable): 389-ds-base-1.3.6.1-16

How reproducible: Consistently

Steps to Reproduce:
1. Install latest of 389-ds-base-1.3.6.1-16 on RHEL-7.4.
2. Configure global and local password policy with PasswordCheckSyntax attribute set to on.
3. Add users with cn, sn, uid, mail and userPassword attributes, like this
sn: textuser1
sn: test user1
uid: tentuser1
mail: tesstuser1@test.com

4. Run ldapmodify as normal user and replace userPassword.
ldapmodify -x -p $PORT -h localhost -D "$USR" -w $PASW << EOF
dn: uid=tetusr4,ou=people,dc=example,dc=com
replace: userPassword
userPassword: text1234
EOF
ldap_modify: Constraint violation (19)

ldapmodify -x -p $PORT -h localhost -D "$USR" -w $PASW << EOF
dn: uid=tetusr4,ou=people,dc=example,dc=com
replace: userPassword
userPassword: tent1234
EOF
ldap_modify: Constraint violation (19)

ldapmodify -x -p $PORT -h localhost -D "$USR" -w $PASW << EOF
dn: uid=tetusr4,ou=people,dc=example,dc=com
replace: userPassword
userPassword: ttest1234
EOF
ldap_modify: Constraint violation (19)

Actual results: Passwords similar to sn, cn and uid are rejected.

Expected results: It should accept passwords which are not same as sn, cn and uid, if its not in the history.

Additional info: Refer to TET failed tests: tp26, tp56 through tp77.

ldap_modify: Constraint violation
[22/June/2017:16:01:53.542355187 -0400] ldap_modify: additional info:
invalid password syntax - password based off of user entry
Comment 2 Sankar Ramalingam 2017-08-08 06:58:05 EDT
Automated in pytest ./suites/password/regression_test.py
Comment 3 Nathan Kinder 2017-08-29 16:07:29 EDT
I believe that this is actually the expected behavior.  The password policy code performs a check for passwords that are similar to certain attributes from the same user entry (not just passwords that fully contain the other attribute values).  This is referred to as the "trivial words check".

Internally, the way this works is that the values of the checked attributes (like cn, sn, uid) are broken up into tokens of a configurable length.  We then check if the password value contains any of these tokens.  If it does, it is rejected with a constraint violation (rc=19).  The token length defaults to 3, and is configurable with the passwordMinTokenLength attribute in the password policy.  This is described here:

  https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordMinTokenLength_Password_Syntax

As an example, a token length of 3 would mean that the following tokens are not allowed in a password for a user with a uid of "nkinder":

  - nki
  - kin
  - ind
  - nde
  - der

In your examples in the initial description of this bug, all of the password values that were rejected contain a 3 character token (or greater) from one of the checked attributes.

Closing this as NOTABUG.  Please be sure to update your tests to match the expected behavior.

Note You need to log in before you can comment on or make changes to this bug.