Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 421971 - Passwords are truncated to 8 characters
Passwords are truncated to 8 characters
Product: 389
Classification: Retired
Component: Security - Password Policy (Show other bugs)
i686 Linux
low Severity high
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
Depends On:
  Show dependency treegraph
Reported: 2007-12-12 12:00 EST by Bob Kong
Modified: 2015-01-04 18:29 EST (History)
1 user (show)

See Also:
Fixed In Version: 1.0.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-27 22:55:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bob Kong 2007-12-12 12:00:34 EST
Description of problem:
When changing passwords using string > 8 characters, the password is truncated to the first 8 

Version-Release number of selected component (if applicable):
Found on version Fedora-DS 1.0.2

How reproducible:
All tests that I have executed the password has been truncated to the first 8 chars.

Steps to Reproduce:
1. Under the directory console select a user and change the users password to a string > 8 chars
2. In another window attempt to access the database using only the first 8 characters
3. Access is allowed
Actual results:
User is allowed access to the database using only the first 8 characters of their password

Expected results:
User should be denied access with an error of Invalid Cred.

Additional info:
Comment 1 Rich Megginson 2007-12-12 12:32:45 EST
I've tried to reproduce the problem with Fedora DS 1.1.  Steps:
Login to the console as the admin user
Create a new user with a password of 1234567890
In a separate window, do
ldapsearch -x -D "uid=juser,ou=people,dc=example,dc=com" -w 1234567890
This works fine.  Then, try ldapsearch -x -D
"uid=juser,ou=people,dc=example,dc=com" -w 12345678
This gives the error - ldap_bind: Invalid credentials (49)

So I believe this issue is fixed in Fedora DS 1.1.  Have you tried Fedora DS 1.0.4?
Comment 2 Bob Kong 2007-12-12 12:45:49 EST
No I have not tried FDS 1.0.4. Is there a patch or work around for this under 
1.0.2? To move to 1.0.4 would require additional testing to implement.

Comment 3 Rich Megginson 2007-12-12 13:13:06 EST
(In reply to comment #2)
> No I have not tried FDS 1.0.4. Is there a patch or work around for this under 
> 1.0.2? To move to 1.0.4 would require additional testing to implement.

I'm not aware of this being a bug in previous versions of the software, and I
don't know of patches that would have fixed it.  I suppose you could do a
bugzilla search of Fedora and Red Hat Directory Server to see if any similar
bugs have been reported.

Are you using password policy?  Password syntax checking?  Perhaps that has
something to do with it.

> Thanks
> Bob

Comment 4 Bob Kong 2007-12-12 21:49:22 EST
Yes I am using a password policy and syntax checking. Disabling the password 
policy has yields the same result. I also tested this against a 1.0.4 server 
and passwords are handled correctly. Looks like the problem is only in 1.0.2.
Comment 5 Rich Megginson 2007-12-18 18:02:51 EST
I'm really not sure.  There were quite a few bugs fixed between 1.0.2 and 1.0.4.
 If you would like to see them for yourself, try this:

cvs -d :pserver:anonymous@cvs.fedoraproject.org:/cvs/dirsec diff
-rFedoraDirSvr102 -rFedoraDirSvr104 ldapserver

or try looking in ldapserver/ldap/servers/slapd and/or

Note You need to log in before you can comment on or make changes to this bug.