We should report better error messages when a password modification violates the syntax policies. The error message should state why the password violated the policy. Some examples of good messages would be:

- "Password must be at least 8 characters long"
- "Password must contain at least 1 numeric character"
- "Password must contain at least 1 uppercase character"

Reporting information about the password policy setting in the error messages is safe since we first verify that the user is allowed to make the password change before checking the syntax.
Created attachment 141954 CVS Diffs
Ok.
After talking with Noriko before the holiday break, we both agreed that it would be nice to let the end user know what the valid character categories are when their password doesn't meet the minimum categories requirement. The following change to the previous set of diffs improves the error message for this case. + } else if ( pwpolicy->pw_mincategories > num_categories ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d character " + "categories (valid categories are digit, uppercase, lowercase, special, and 8-bit characters)", + pwpolicy->pw_mincategories ); + }
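Review bot: the new `else if ( pwpolicy->pw_mincategories > num_categories )` branch tells the user how many categories are required but not how many the submitted password actually contained, even though `num_categories` is already computed at that point. Consider reporting both, e.g. "password contains %d of the required %d character categories (valid categories are ...)", so the user knows how far short the password fell.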
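As an added illustration of the behaviour requested in the opening comment and of the category message in the diff above (this is example code written for this page, not code from ldapserver or pw.c): a small C checker that reports the specific rule a password violates, and a caller that performs the access check before the syntax check so that policy details are only ever returned to someone allowed to change the password. The `struct pw_policy` field names, the function names, the `caller_may_change` flag and the sample passwords are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy struct for this example; the field names are
 * assumptions, not the ldapserver pwpolicy structure. */
struct pw_policy {
    int min_length;      /* like passwordMinLength */
    int min_digits;      /* like passwordMinDigits */
    int min_uppers;      /* like passwordMinUppers */
    int min_categories;  /* like passwordMinCategories */
};

/* Per-class character counts for one password. */
struct pw_counts {
    int digits, uppers, lowers, specials, eightbit;
};

static struct pw_counts classify(const char *pw)
{
    struct pw_counts c = {0, 0, 0, 0, 0};
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (*p >= 0x80)        c.eightbit++;   /* non-ASCII byte */
        else if (isdigit(*p))  c.digits++;
        else if (isupper(*p))  c.uppers++;
        else if (islower(*p))  c.lowers++;
        else                   c.specials++;   /* punctuation, space, etc. */
    }
    return c;
}

/* Number of distinct categories present: digit, uppercase, lowercase,
 * special and 8-bit, the five categories named in the comment above. */
int count_categories(const char *pw)
{
    struct pw_counts c = classify(pw);
    return (c.digits > 0) + (c.uppers > 0) + (c.lowers > 0) +
           (c.specials > 0) + (c.eightbit > 0);
}

/* Returns 1 and writes the specific reason into errmsg when pw violates
 * pol; returns 0 (errmsg untouched) when it passes. */
int check_password_syntax(const char *pw, const struct pw_policy *pol,
                          char *errmsg, size_t errlen)
{
    struct pw_counts c = classify(pw);

    if ((int)strlen(pw) < pol->min_length) {
        snprintf(errmsg, errlen, "invalid password syntax - password must be "
                 "at least %d characters long", pol->min_length);
        return 1;
    }
    if (c.digits < pol->min_digits) {
        snprintf(errmsg, errlen, "invalid password syntax - password must "
                 "contain at least %d numeric character(s)", pol->min_digits);
        return 1;
    }
    if (c.uppers < pol->min_uppers) {
        snprintf(errmsg, errlen, "invalid password syntax - password must "
                 "contain at least %d uppercase character(s)", pol->min_uppers);
        return 1;
    }
    if (count_categories(pw) < pol->min_categories) {
        snprintf(errmsg, errlen, "invalid password syntax - password must "
                 "contain at least %d character categories (valid categories "
                 "are digit, uppercase, lowercase, special, and 8-bit characters)",
                 pol->min_categories);
        return 1;
    }
    return 0;
}

/* Access control is decided before the syntax check, so a caller who is
 * not allowed to change this password never receives a policy-specific
 * message; this ordering is what makes the detailed messages safe. */
int modify_password(int caller_may_change, const char *pw,
                    const struct pw_policy *pol, char *errmsg, size_t errlen)
{
    if (!caller_may_change) {
        snprintf(errmsg, errlen, "insufficient access rights");
        return -1;
    }
    return check_password_syntax(pw, pol, errmsg, errlen);
}

int main(void)
{
    const struct pw_policy pol = {8, 1, 1, 3};
    char msg[256];
    /* constructed sample passwords, two of them taken from the test log below */
    const char *samples[] = {"short", "76h*hhhh", "4Fy^h&3H"};
    for (size_t i = 0; i < 3; i++) {
        int rc = modify_password(1, samples[i], &pol, msg, sizeof msg);
        printf("%-10s -> %s\n", samples[i], rc ? msg : "ok");
    }
    return 0;
}
```

Each rule produces its own message and the checks stop at the first failure, which mirrors the one-reason-per-response style of the messages quoted above; the unauthorized path returns a generic message with no policy detail at all.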
Checked into ldapserver (HEAD). Thanks to Rich and Noriko for reviews!

Checking in pw.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v <-- pw.c
new revision: 1.14; previous revision: 1.13
done
Verified. We reran the password syntax policy test suite. The results showed meaningful error messages when the syntax is violated.

####################################################################
Strong Password Policy: Test Case 4 : Settings ...
Password: 76h*hhhh
PasswordMinDigits: -1
PasswordMinAlphas: 0
PasswordMinLowers: 0
PasswordMinUppers: 0
PasswordMinSpecials: 0
PasswordMin8bit: 0
PasswordMaxRepeats: 0
PasswordMinCategories: 3
PasswordMinTokenLength: 3
PasswordLength: 8
mindigits of -1 is out of range [0-64]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum number of digits "-1" is invalid. The minimum number of digits must range from 0 to 64.
modifying entry cn=config
####################################################################
Strong Password Policy: Test Case 45 : Settings ...
Password: %!
PasswordMinDigits: 0
PasswordMinAlphas: 0
PasswordMinLowers: 0
PasswordMinUppers: 0
PasswordMinSpecials: 0
PasswordMin8bit: 0
PasswordMaxRepeats: 0
PasswordMinCategories: 3
PasswordMinTokenLength: 3
PasswordLength: -1
password length of -1 is out of range [0-64]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum length "-1" is invalid. The minimum length must range from 2 to 512.
####################################################################
Strong Password Policy: Test Case 72 : Settings ...
Password: 4Fy^h&3H
PasswordMinDigits: 0
PasswordMinAlphas: 0
PasswordMinLowers: 0
PasswordMinUppers: 0
PasswordMinSpecials: 0
PasswordMin8bit: 0
PasswordMaxRepeats: 0
PasswordMinCategories: 3
PasswordMinTokenLength: 3
PasswordLength: bogus
password length of bogus is out of range [2-512]
Password Policy Params do not meet password strength policy requirements
ldap_modify: Operations error
ldap_modify: additional info: password minimum length "bogus" is invalid. The minimum length must range from 2 to 512.