Bug 178867 - Need to enhance password syntax checking

Product: 389
Classification: Community
Component: Security - Password Policy
All Linux
Priority: medium
Severity: medium
Assigned To: Nathan Kinder
Viktor Ashirov
Blocks: 152373 183369 240316
Reported: 2006-01-24 18:00 EST by Nathan Kinder
Modified: 2015-12-07 11:36 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 11:36:59 EST

Attachments
CVS DIffs (45.30 KB, patch), 2006-01-24 18:25 EST, Nathan Kinder
CVS Commit (839 bytes, text/plain), 2006-01-25 11:49 EST, Nathan Kinder

Description Nathan Kinder 2006-01-24 18:00:49 EST
The password syntax checking feature should be enhanced to enforce strict
password policies.  The policy needs to be flexible enough to work in a variety
of deployments.

The following should be enforceable:

 - minimum password character length
 - minimum number of digit characters (0-9)
 - minimum number of ASCII alpha characters (a-z, A-Z)
 - minimum number of uppercase ASCII alpha characters (A-Z)
 - minimum number of lowercase ASCII alpha characters (a-z)
 - minimum number of special ASCII characters (!@#$, etc.)
 - minimum number of 8-bit characters
 - maximum number of times the same char can be immediately repeated (aaabbb)
 - minimum number of character categories that are represented (categories are
     lower, upper, digit, special, and 8-bit)

The code currently makes sure that userPassword is not the same as the uid, cn,
sn, givenname, mail, or ou attribute value(s) present in the entry.  This needs
to be enhanced to make sure that the password does not contain these values
instead of an equality check.  There should also be a minimum value size to use
for comparison purposes for these attributes.

All of these features should work for passwords that contain 8-bit, multi-byte

Comment 1 Nathan Kinder 2006-01-24 18:25:14 EST
Created attachment 123641 [details]

These diffs implement everything outlined in the initial bug comment.  It adds
the following new config parameters to the cn=config entry (valid range and
defaults in parentheses):

passwordMinDigits (0-64, default=0)
passwordMinAlphas (0-64, default=0)
passwordMinUppers (0-64, default=0)
passwordMinLowers (0-64, default=0)
passwordMinSpecials (0-64, default=0)
passwordMin8Bit (0-64, default=0)
passwordMaxRepeats (0-64, default=0)
passwordMinCategories (1-5, default=3)
passwordMinTokenLength (1-64, default=3)

It also adjusts the default passwordMinLength setting to 8.  This makes our
defaults match Active Directory's password complexity feature.
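As an added example (not 389 Directory Server code and not the attached diffs), the following Python checker applies the policy described in the bug report, using the cn=config attribute names and defaults listed in comment 1. Which printable ASCII characters count as special, that an 8-bit character is any code point above 127, that passwordMaxRepeats bounds the length of a run of one repeated character (0 meaning no limit), and that the attribute-value substring comparison is case-insensitive are this example's own assumptions, as is the sample entry at the bottom.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    """Syntax settings named after the cn=config attributes in comment 1,
    with the defaults given there (passwordMinLength default raised to 8)."""
    passwordMinLength: int = 8
    passwordMinDigits: int = 0
    passwordMinAlphas: int = 0
    passwordMinUppers: int = 0
    passwordMinLowers: int = 0
    passwordMinSpecials: int = 0
    passwordMin8Bit: int = 0
    passwordMaxRepeats: int = 0       # assumption: 0 disables the repeat check
    passwordMinCategories: int = 3
    passwordMinTokenLength: int = 3


# Entry attributes whose values must not appear inside the new password.
TOKEN_ATTRIBUTES = ("uid", "cn", "sn", "givenname", "mail", "ou")


def classify(password: str) -> Dict[str, int]:
    """Count characters per category: lower, upper, digit, special, 8-bit.
    Assumption: 'special' is printable ASCII that is not alphanumeric, and
    '8-bit' is any code point above 127 (multi-byte in UTF-8)."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0, "8bit": 0}
    for ch in password:
        code = ord(ch)
        if code > 127:
            counts["8bit"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        elif "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "0" <= ch <= "9":
            counts["digit"] += 1
        elif 33 <= code <= 126:
            counts["special"] += 1
    return counts


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated back to back
    ('aaabbb' -> 3)."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, entry: Dict[str, List[str]],
                   policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return every violation as a message naming the parameter that failed;
    an empty list means the password passes syntax checking."""
    policy = policy or PasswordPolicy()
    counts = classify(password)
    problems: List[str] = []
    # Length and per-category minimums (alphas = lower + upper).
    minimums = [
        ("passwordMinLength", len(password), policy.passwordMinLength),
        ("passwordMinDigits", counts["digit"], policy.passwordMinDigits),
        ("passwordMinAlphas", counts["lower"] + counts["upper"], policy.passwordMinAlphas),
        ("passwordMinUppers", counts["upper"], policy.passwordMinUppers),
        ("passwordMinLowers", counts["lower"], policy.passwordMinLowers),
        ("passwordMinSpecials", counts["special"], policy.passwordMinSpecials),
        ("passwordMin8Bit", counts["8bit"], policy.passwordMin8Bit),
    ]
    for name, have, need in minimums:
        if have < need:
            problems.append(f"{name}: have {have}, need at least {need}")
    # Assumption: passwordMaxRepeats is the longest allowed run of one character.
    if policy.passwordMaxRepeats and longest_run(password) > policy.passwordMaxRepeats:
        problems.append(f"passwordMaxRepeats: a character repeats more than "
                        f"{policy.passwordMaxRepeats} times in a row")
    represented = sum(1 for n in counts.values() if n)
    if represented < policy.passwordMinCategories:
        problems.append(f"passwordMinCategories: {represented} of 5 categories used, "
                        f"need {policy.passwordMinCategories}")
    # Substring (not equality) check against entry values, skipping values shorter
    # than passwordMinTokenLength.  Assumption: comparison is case-insensitive.
    lowered = password.lower()
    for attr in TOKEN_ATTRIBUTES:
        for value in entry.get(attr, []):
            if len(value) >= policy.passwordMinTokenLength and value.lower() in lowered:
                problems.append(f"passwordMinTokenLength: password contains the {attr} value {value!r}")
    return problems


# Constructed sample entry for demonstration only; not real data.
SAMPLE_ENTRY = {
    "uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"],
    "givenname": ["John"], "mail": ["jdoe@example.com"], "ou": ["IT"],
}

if __name__ == "__main__":
    for candidate in ("password", "johndoe42!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, SAMPLE_ENTRY) or "OK")
```

With the defaults from comment 1, "password" fails only the three-category rule, "johndoe42!" passes every count but is rejected because it contains the sn and givenname values, and a policy with passwordMaxRepeats=2 rejects "Xaaa12!yz" for the run of three a's while accepting "Xaab12!yz".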
Comment 2 Nathan Kinder 2006-01-25 11:49:22 EST
Created attachment 123678 [details]
CVS Commit

Checked into ldapserver (HEAD).  Reviewed by Rich, Pete, and Noriko.
