Description of problem: passwd_modify_generate_passwd (passwd_extop.c) always generates 8-bytes random characters made by PK11_GenerateRandom and ldif_base64_encode. It needs to generate a password which follows the password policy if it's defined.
Created attachment 142208 [details] cvs diff (passwd_extop.c) File: ldap/servers/slapd/passwd_extop.c Changes: 1. Renamed passwd_modify_generate_passwd to passwd_modify_generate_basic_passwd, which algorithm is used when no specific password rule or just the minimum length is given. 2. If some other rules are set, passwd_modify_generate_policy_passwd is called and generate a password which fulfill the requirement. Note: this password generator does not support passwordMin8Bit. If it generates a password which includes 8-bit characters, most likely they won't be able to displayed or input from the users' keyboard. We should note it in the doc...
Created attachment 142213 [details] generated password sample Attached is the sample output from ldappasswd. Do you think this quality of the randomness satisfies the requirement?
What happens with the below code if the policy has the minimum alphas set to 1? + /* if only minalphas is set, divide it into minuppers and minlowers. */ + if ( pwpolicy->pw_minalphas > 0 && + ( my_policy[idx_minuppers] == 0 && my_policy[idx_minlowers] == 0 )) { + my_policy[idx_minuppers] = 2; + my_policy[idx_minlowers] = pwpolicy->pw_minalphas - my_policy[idx_minuppers]; + } I think this may cause a problem since my_policy[idx_minlowers] would be negative. If we need to split the minimum alphas into upper and lower categories, we may want to randomly pick a number between 0 and pwpolicy->pw_minalphas to use as my_policy[idx_minuppers], then use the leftover as my_policy[idx_minlowers] (if there is any leftover).
Created attachment 142247 [details] cvs diff (passwd_extop.c) Thank you to Nathan for the review and the discussion! As you suggested, I changed to randomly choose the rest of the specified characters (by such as minuppers or mindigits). Also, I added error messages to log in the errors log as well as to return to the client. Please take a look at the next attachment for the messages.
Created attachment 142248 [details] generated password sample + error messages Added error messages are for 1. when passwordMinCategories is 5, which expects the generated password to include 8-bit character(s). Password Generator does not support such a password. 2. when passwordMin8Bit is set. Also, fixed the bug pointed out by Nathan in Comment#3. Lastly, the generated password sequence looks more randomized!
After discussing with Nathan, I was convinced that this code (even if an obvious bug were fixed!) is not needed. I'm removing this section. + if ( my_policy[idx_minuppers] > 1 ) { + if ( 0 == my_policy[idx_minuppers] ) { + my_policy[idx_minuppers]++; + } else if ( pwpolicy->pw_minalphas == my_policy[idx_minuppers] ) { + my_policy[idx_minuppers]--; + } + } +
The code looks good now! I'd like to propose we use the following warning/error messages: Client error: Unable to generate new random password. Please contact the Administrator. Server error when passwordMin8bit is > 0: Unable to generate a password that meets the current password syntax rules. 8-bit syntax restrictions are not supported with random password generation. Server error when passwordMinCategories is set to 5 Unable to generate a password that meets the current password syntax rules. A minimum categories setting of 5 is not supported with random password generation.
Thank you so much, Nathan! passwordMinCategories: 5 Client> ldappasswd: Operations error ldappasswd: additional info: Unable to generate new random password. Please contact the Administrator. Server> [...] - Unable to generate a password that meets the current password syntax rules. A minimum categories setting of 5 is not supported with random password generation. passwordMin8bit: 1 Client> ldappasswd: Operations error ldappasswd: additional info: Unable to generate new random password. Please contact the Administrator. Server> [...] - Unable to generate a password that meets the current password syntax rules. 8-bit syntax restrictions are not supported with random password generation.
Created attachment 142311 [details] cvs diff (passwd_extop.c) Final diff of passwd_extop.c which has been revised based upon the Nathan's review. Reviewed by Nathan (Thank you!!) Checked in into HEAD Commit messsage: Resolves: #216983 Summary: Make random password generation work with policies Changes: 1) Generate a password that meets the current password syntax rules. 2) Report errors when Min8Bit is set or MinCategories > 4 CVS: ---------------------------------------------------------------------- CVS: Modified Files: passwd_extop.c CVS: ---------------------------------------------------------------------- Checking in passwd_extop.c; /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v <-- passwd_extop.c new revision: 1.14; previous revision: 1.13 done