Bug 467973 - ipa-passwd fails with "Password Fails to meet minimum strength criteria" when a user tries to set their password to the same value it was previously.
ipa-passwd fails with "Password Fails to meet minimum strength criteria" when...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise IPA
Classification: Retired
Component: ipa-admintools (Show other bugs)
1.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: David O'Brien
Chandrasekar Kannan
:
Depends On:
Blocks: 453489
  Show dependency treegraph
 
Reported: 2008-10-21 19:42 EDT by Michael Gregg
Modified: 2015-01-04 18:34 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-23 14:38:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michael Gregg 2008-10-21 19:42:43 EDT
Description of problem:
ipa-passwd fails with "Password Fails to meet minimum strength criteria" when a user tries to set their password to the same value it was previously.

Version-Release number of selected component (if applicable):
1.1.0-2.20081021.el5ipa

How reproducible:
always

Steps to Reproduce:
1. kinit as admin
2. set pwpolicy minlife to 0
3. set pwpolicy history to 0
4. set pwpolicy minclasses to 0
5. create a user
6. set users password to anything
7. kdestroy
8. kinit as that user
9. upon first login set new password to redhat001
10. run ipa-password to try to set the user password to redhat001
  
Actual results:
[root@ipaqa-64vm tmp]# ipa-passwd l
Changing password for l@DSQA.SJC2.REDHAT.COM
  New Password: 
  Confirm Password: 
A database error occurred: Constraint violation: Password Fails to meet minimum strength criteria

Expected results:
ipa-passwd to accept the password.

Additional info:
setting the same password with kpasswd does work.
Comment 2 Michael Gregg 2008-10-28 17:30:52 EDT
I can provide a VM that reproduces this, but you shouldn't need one. It seems to be easily reproducible on any ipa-server. Just follow the reproduction steps. 

Do you still need a VM?
Comment 3 Rob Crittenden 2008-10-29 14:21:03 EDT
I can't reproduce this. I get this when trying to set the password to the same value using kpasswd:

Password change rejected: Password change failed Err8: Password reuse not permitted.

python-ldap doesn't support the password control so we can't get the reason for failure using ipa-passwd, just the generic "it failed".

Can you provide the exact commands you are executing?
Comment 4 Michael Gregg 2008-11-06 20:13:23 EST
okay, exact commands:

kinit as admin - 

 ipa-adduser l
 ipa-pwpolicy --minlife 0
 ipa-pwpolicy --minlength 1
 ipa-passwd l
    set password to "k"
kdestroy
kinit as l -
     set password to k on first kinit
 ipa-passwd l
     set password to p
 ipa-passwd l
     set password to p

observe: 
[root@ipaqa-64vm tmp]# ipa-passwd l
Changing password for l@DSQA.SJC2.REDHAT.COM
  New Password: 
  Confirm Password: 
A database error occurred: Constraint violation: Password Fails to meet minimum strength criteria
Comment 5 Simo Sorce 2008-11-19 15:46:36 EST
I can't reproduce a difference between kpasswd and ipa-passwd, for me they both return an error, which I do expect as setting the password to the exact same value already there was considred not permitted regardless of password policies when the plugin was coded.

This is what I get, the error printed is different but that's only because ipa-passwd uses python-ldap which can't peek into the control sent back to get the exact error:

[root@vice ~]# kpasswd
Password for test@IPA.REDHAT.COM:
Enter new password:
Enter it again:
Password change rejected: Password change failed Err8: Password reuse not permitted.
[root@vice ~]# ipa-passwd
Changing password for test@IPA.REDHAT.COM
  New Password:
  Confirm Password:
Passwords do not match
  New Password:
  Confirm Password:
A database error occurred: Constraint violation: Password Fails to meet minimum
strength criteria
Comment 6 Chandrasekar Kannan 2008-11-20 08:51:22 EST
assign to david per bug council
Comment 7 Michael Gregg 2008-11-25 17:45:26 EST
Daily QA test that fails on this bug removed from daily QA.
Comment 8 David O'Brien 2009-01-06 20:00:43 EST
This is documented in the Administrator's Guide in the Password Policy section. There is a discussion on Password History and how it works that covers this.

Note You need to log in before you can comment on or make changes to this bug.