Bug 178867 - Need to enhance password syntax checking
Summary: Need to enhance password syntax checking
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Security - Password Policy
Version: 1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Viktor Ashirov
URL:
Whiteboard: 1.0.2
Depends On:
Blocks: 152373 183369 240316
Reported: 2006-01-24 23:00 UTC by Nathan Kinder
Modified: 2015-12-07 16:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:36:59 UTC
Embargoed:


Attachments
CVS DIffs (45.30 KB, patch)
2006-01-24 23:25 UTC, Nathan Kinder
CVS Commit (839 bytes, text/plain)
2006-01-25 16:49 UTC, Nathan Kinder

Description Nathan Kinder 2006-01-24 23:00:49 UTC
The password syntax checking feature should be enhanced to enforce strict
password policies.  The policy needs to be flexible enough to work in a variety
of deployments.

The following should be enforceable:

 - minimum password character length
 - minimum number of digit characters (0-9)
 - minimum number of ASCII alpha characters (a-z, A-Z)
 - minimum number of uppercase ASCII alpha characters (A-Z)
 - minimum number of lowercase ASCII alpha characters (a-z)
 - minimum number of special ASCII characters (!@#$, etc.)
 - minimum number of 8-bit characters
 - maximum number of times the same char can be immediately repeated (aaabbb)
 - minimum number of character categories that are represented (categories are
     lower, upper, digit, special, and 8-bit)

The code currently makes sure that userPassword is not the same as the uid, cn,
sn, givenname, mail, or ou attribute value(s) present in the entry.  This needs
to be enhanced to make sure that the password does not contain these values
instead of an equality check.  There should also be a minimum value size to use
for comparison purposes for these attributes.

All of these features should work for passwords that contain 8-bit, multi-byte
characters.

Comment 1 Nathan Kinder 2006-01-24 23:25:14 UTC
Created attachment 123641 [details]
CVS DIffs

These diffs implement everything outlined in the initial bug comment.  They add
the following new config parameters to the cn=config entry (valid range and
defaults in parentheses):

passwordMinDigits (0-64, default=0)
passwordMinAlphas (0-64, default=0)
passwordMinUppers (0-64, default=0)
passwordMinLowers (0-64, default=0)
passwordMinSpecials (0-64, default=0)
passwordMin8Bit (0-64, default=0)
passwordMaxRepeats (0-64, default=0)
passwordMinCategories (1-5, default=3)
passwordMinTokenLength (1-64, default=3)

It also adjusts the default passwordMinLength setting to 8.  This makes our
defaults match Active Directory's password complexity feature.
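
The following is an added worked example of the checks requested in the bug description, driven by the cn=config parameter names listed in comment 1; it is illustration code, not the 389 Directory Server implementation from the attached CVS diffs. The exact rule interpretations are assumptions: letter classes are ASCII-only as the description says, every non-ASCII code point counts as an 8-bit character, any other ASCII character counts as special, passwordMaxRepeats bounds the longest run of one character (so "aaa" fails a limit of 2), and the uid/cn/sn/givenname/mail/ou substring check is case-insensitive and skips values shorter than passwordMinTokenLength. The sample entry is constructed.

```python
"""Password syntax checker following the rules in bug 178867.

Illustration only (not 389-ds code).  Policy keys reuse the cn=config
attribute names from comment 1; defaults are the ones comment 1 states,
including passwordMinLength = 8.
"""

DEFAULT_POLICY = {
    "passwordMinLength": 8,
    "passwordMinDigits": 0,
    "passwordMinAlphas": 0,
    "passwordMinUppers": 0,
    "passwordMinLowers": 0,
    "passwordMinSpecials": 0,
    "passwordMin8Bit": 0,
    "passwordMaxRepeats": 0,      # assumption: 0 means "no limit"
    "passwordMinCategories": 3,
    "passwordMinTokenLength": 3,
}

# Entry attributes whose values must not appear inside the password.
TOKEN_ATTRS = ("uid", "cn", "sn", "givenname", "mail", "ou")

# Constructed sample entry used by the usage run below.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "givenname": ["John"],
    "mail": ["jdoe@example.com"],
    "ou": ["IT"],   # shorter than passwordMinTokenLength, so ignored
}


def classify(ch):
    """Map one character to a category name (ASCII-only letter classes;
    assumption: anything non-ASCII is '8bit', other ASCII is 'special')."""
    if ch.isascii():
        if "0" <= ch <= "9":
            return "digit"
        if "a" <= ch <= "z":
            return "lower"
        if "A" <= ch <= "Z":
            return "upper"
        return "special"
    return "8bit"


def longest_run(password):
    """Length of the longest run of one character repeated immediately
    (e.g. 'aaabbb' -> 3); this is the value passwordMaxRepeats bounds."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(password, entry, policy=None):
    """Return a list of violations; an empty list means the password passes.
    Works on Unicode strings, so multi-byte characters count once each."""
    pol = {**DEFAULT_POLICY, **(policy or {})}
    errors = []

    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0, "8bit": 0}
    for ch in password:
        counts[classify(ch)] += 1

    if len(password) < pol["passwordMinLength"]:
        errors.append("shorter than passwordMinLength=%d" % pol["passwordMinLength"])

    minimums = [
        ("passwordMinDigits", counts["digit"], "digit"),
        ("passwordMinAlphas", counts["lower"] + counts["upper"], "alpha"),
        ("passwordMinUppers", counts["upper"], "uppercase"),
        ("passwordMinLowers", counts["lower"], "lowercase"),
        ("passwordMinSpecials", counts["special"], "special"),
        ("passwordMin8Bit", counts["8bit"], "8-bit"),
    ]
    for key, have, label in minimums:
        if have < pol[key]:
            errors.append("needs %d %s characters (%s), has %d" % (pol[key], label, key, have))

    if pol["passwordMaxRepeats"] and longest_run(password) > pol["passwordMaxRepeats"]:
        errors.append("a character repeats more than passwordMaxRepeats=%d times" % pol["passwordMaxRepeats"])

    categories = sum(1 for n in counts.values() if n > 0)
    if categories < pol["passwordMinCategories"]:
        errors.append("only %d character categories, passwordMinCategories=%d" % (categories, pol["passwordMinCategories"]))

    # Substring (not equality) check against entry values, case-insensitive,
    # ignoring values shorter than passwordMinTokenLength.
    folded = password.casefold()
    for attr in TOKEN_ATTRS:
        for value in entry.get(attr, []):
            if len(value) >= pol["passwordMinTokenLength"] and value.casefold() in folded:
                errors.append("contains the value of attribute '%s'" % attr)
    return errors


if __name__ == "__main__":
    for pw, pol in [("johndoe99", None), ("Tr0ub4dor&3", None),
                    ("Passw0rd!!!", {"passwordMaxRepeats": 2}),
                    ("Ünïcode1", {"passwordMin8Bit": 2})]:
        print(repr(pw), check_password(pw, SAMPLE_ENTRY, pol) or "OK")
```

Running the block shows "johndoe99" rejected both for having only two categories and for containing the sn and givenname values, while "Ünïcode1" passes a policy requiring two 8-bit characters but would fail passwordMinUppers because "Ü" is not an ASCII uppercase letter under these rules.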

Comment 2 Nathan Kinder 2006-01-25 16:49:22 UTC
Created attachment 123678 [details]
CVS Commit

Checked into ldapserver (HEAD).  Reviewed by Rich, Pete, and Noriko.
