Bug 212112 - Better error messages should be reported for password syntax violations
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Password Policy
Version: 1.0.2
Hardware/OS: All Linux
Priority: medium    Severity: medium
Assigned To: Nathan Kinder
QA Contact: Viktor Ashirov
Blocks: 152373 240316 FDS1.1.0
Reported: 2006-10-25 00:58 EDT by Nathan Kinder
Modified: 2015-12-07 12:03 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 12:03:49 EST

Attachments
CVS Diffs (8.92 KB, patch), 2006-11-22 17:09 EST, Nathan Kinder

Description Nathan Kinder 2006-10-25 00:58:07 EDT
We should report better error messages when a password modification violates the
syntax policies.  The error message should state why the password violated the
policy.  Some examples of good messages would be:

  - "Password must be at least 8 characters long"
  - "Password must contain at least 1 numeric character"
  - "Password must contain at least 1 uppercase character"

Reporting information about the password policy setting in the error messages is
safe since we first verify that the user is allowed to make the password change
before checking the syntax.
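The ordering the description relies on (verify that the requester may change the password first, only then run the syntax checks and report the specific violation), as an added C example that is not 389 Directory Server code: the pwpolicy_t struct and its field names, check_password_syntax(), password_modify(), last_diagnostic(), the two example policies and the exact message wording are assumptions for this illustration, not slapd's own.

```c
/* Added example, not 389 Directory Server code: a password syntax checker
 * that reports why a password was rejected, run only after an authorization
 * check.  pwpolicy_t, its field names, the function names, the example
 * policies and the message wording are assumptions for this illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int pw_minlength;     /* minimum total length */
    int pw_mindigits;     /* minimum digits */
    int pw_minuppers;     /* minimum uppercase letters */
    int pw_minlowers;     /* minimum lowercase letters */
    int pw_minspecials;   /* minimum non-alphanumeric ASCII characters */
    int pw_min8bit;       /* minimum bytes >= 0x80 */
    int pw_maxrepeats;    /* longest allowed run of one character, 0 = unlimited */
    int pw_mincategories; /* minimum distinct categories present */
} pwpolicy_t;

/* Assumed policies: one demanding length 8, a digit, an uppercase letter,
 * three categories and no run longer than 3; one that only counts categories. */
const pwpolicy_t example_policy         = { 8, 1, 1, 0, 0, 0, 3, 3 };
const pwpolicy_t categories_only_policy = { 8, 0, 0, 0, 0, 0, 0, 3 };

/* Classify every byte of pw into n[0..4] (digit, upper, lower, special,
 * 8-bit) and record the longest run of one repeated character. */
static void count_chars(const char *pw, int n[5], int *maxrun)
{
    int run = 0;
    memset(n, 0, 5 * sizeof n[0]);
    *maxrun = 0;
    for (size_t i = 0; pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c >= 0x80)       n[4]++;
        else if (isdigit(c)) n[0]++;
        else if (isupper(c)) n[1]++;
        else if (islower(c)) n[2]++;
        else                 n[3]++;
        run = (i > 0 && pw[i] == pw[i - 1]) ? run + 1 : 1;
        if (run > *maxrun) *maxrun = run;
    }
}

/* Returns 0 if pw satisfies pol, else 1 with the first violation written to
 * errormsg (at most errlen bytes).  The caller must already have verified
 * that the requester may change this password: the messages disclose policy
 * settings, which is acceptable only to an authorized requester. */
int check_password_syntax(const char *pw, const pwpolicy_t *pol,
                          char *errormsg, size_t errlen)
{
    int n[5], maxrun, num_categories = 0;
    const int need[5] = { pol->pw_mindigits, pol->pw_minuppers, pol->pw_minlowers,
                          pol->pw_minspecials, pol->pw_min8bit };
    const char *name[5] = { "numeric", "uppercase", "lowercase", "special", "8-bit" };

    count_chars(pw, n, &maxrun);
    for (int i = 0; i < 5; i++)
        num_categories += (n[i] > 0);

    if ((int)strlen(pw) < pol->pw_minlength) {
        snprintf(errormsg, errlen, "invalid password syntax - password must be "
                 "at least %d characters long", pol->pw_minlength);
        return 1;
    }
    for (int i = 0; i < 5; i++) {
        if (n[i] < need[i]) {
            snprintf(errormsg, errlen, "invalid password syntax - password must "
                     "contain at least %d %s character%s", need[i], name[i],
                     need[i] == 1 ? "" : "s");
            return 1;
        }
    }
    if (pol->pw_maxrepeats > 0 && maxrun > pol->pw_maxrepeats) {
        snprintf(errormsg, errlen, "invalid password syntax - password must not "
                 "repeat any character more than %d times in a row", pol->pw_maxrepeats);
        return 1;
    }
    if (pol->pw_mincategories > num_categories) {
        snprintf(errormsg, errlen, "invalid password syntax - password must contain "
                 "at least %d character categories (valid categories are digit, "
                 "uppercase, lowercase, special, and 8-bit characters)",
                 pol->pw_mincategories);
        return 1;
    }
    return 0;
}

static char diag[256];                  /* last diagnostic message for the demo */
const char *last_diagnostic(void) { return diag; }

/* Simulated password modify: an unauthorized requester is refused before any
 * syntax check runs and therefore learns nothing about the policy. */
int password_modify(bool requester_may_modify, const char *newpw, const pwpolicy_t *pol)
{
    if (!requester_may_modify) {
        snprintf(diag, sizeof diag, "insufficient access rights");
        return 50;                      /* LDAP insufficientAccessRights */
    }
    if (check_password_syntax(newpw, pol, diag, sizeof diag))
        return 19;                      /* LDAP constraintViolation */
    diag[0] = '\0';
    return 0;                           /* LDAP success */
}

int main(void)
{
    const char *tries[] = { "short1A", "longenough", "longenough1", "Aaaaaaa1", "Longenough1" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int rc = password_modify(true, tries[i], &example_policy);
        printf("%-12s -> %2d %s\n", tries[i], rc, last_diagnostic());
    }
    int rc = password_modify(false, "Longenough1", &example_policy);
    printf("%-12s -> %2d %s (unauthorized requester)\n", "Longenough1", rc, last_diagnostic());
    return 0;
}
```

The checks are ordered from cheapest to most specific and stop at the first failure, so a client sees one actionable reason per attempt; check_password_syntax() takes the buffer length as a parameter rather than assuming a fixed size, so it cannot overrun a caller's buffer regardless of how the message grows.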
Comment 1 Nathan Kinder 2006-11-22 17:09:13 EST
Created attachment 141954 [details]
CVS Diffs
Comment 2 Rich Megginson 2006-11-22 17:21:29 EST
Ok.
Comment 3 Nathan Kinder 2006-11-27 13:54:40 EST
After talking with Noriko before the holiday break, we both agreed that it would
be nice to let the end user know what the valid character categories are when
their password doesn't meet the minimum categories requirement.  The following
change to the previous set of diffs improves the error message for this case.

+                        } else if ( pwpolicy->pw_mincategories > num_categories ) {
+                                syntax_violation = 1;
+                                PR_snprintf ( errormsg, BUFSIZ,
+                                    "invalid password syntax - password must
contain at least %d character "
+                                    "categories (valid categories are digit,
uppercase, lowercase, special, and 8-bit characters)",
+                                    pwpolicy->pw_mincategories );
+                        } 
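Review bot: the `PR_snprintf ( errormsg, BUFSIZ, ...)` call in the new `else if` branch hard-codes BUFSIZ as the destination size, but the hunk does not show how `errormsg` is declared; if it is a local array, `sizeof(errormsg)` keeps the bound tied to the actual buffer, and if it is a caller-supplied pointer the caller's length should be passed through instead of a constant. Minor: the closing `} ` line carries trailing whitespace.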
Comment 4 Nathan Kinder 2006-11-27 14:26:31 EST
Checked into ldapserver (HEAD).  Thanks to Rich and Noriko for reviews!

Checking in pw.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v  <--  pw.c
new revision: 1.14; previous revision: 1.13
done
Comment 5 Anh Nguyen 2008-01-03 17:49:37 EST
Verified. 
We reran the password syntax policy test suite. The results showed meaningful
error messages when the syntax is violated.
####################################################################
Strong Password Policy: Test Case 4 : Settings ...
Password:                 76h*hhhh
PasswordMinDigits:        -1
PasswordMinAlphas:        0
PasswordMinLowers:        0
PasswordMinUppers:        0
PasswordMinSpecials:      0
PasswordMin8bit:          0
PasswordMaxRepeats:       0
PasswordMinCategories:    3
PasswordMinTokenLength:   3
PasswordLength:           8
mindigits of -1 is out of range [0-64]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum number of digits "-1" is invalid.
The minimum number of digits must range from 0 to 64.
modifying entry cn=config

####################################################################
Strong Password Policy: Test Case 45 : Settings ...
Password:                 %!
PasswordMinDigits:        0
PasswordMinAlphas:        0
PasswordMinLowers:        0
PasswordMinUppers:        0
PasswordMinSpecials:      0
PasswordMin8bit:          0
PasswordMaxRepeats:       0
PasswordMinCategories:    3
PasswordMinTokenLength:   3
PasswordLength:           -1
password length of -1 is out of range [0-64]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum length "-1" is invalid. The
minimum length must range from 2 to 512.

####################################################################
Strong Password Policy: Test Case 72 : Settings ...
Password:                 4Fy^h&3H
PasswordMinDigits:        0
PasswordMinAlphas:        0
PasswordMinLowers:        0
PasswordMinUppers:        0
PasswordMinSpecials:      0
PasswordMin8bit:          0
PasswordMaxRepeats:       0
PasswordMinCategories:    3
PasswordMinTokenLength:   3
PasswordLength:           bogus
password length of bogus is out of range [2-512]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum length "bogus" is invalid. The
minimum length must range from 2 to 512.
