Bug 733409 - Improve password policy error message
Summary: Improve password policy error message
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 748873
TreeView+ depends on / blocked
 
Reported: 2011-08-25 16:13 UTC by Kaushik Banerjee
Modified: 2015-01-04 23:50 UTC (History)
5 users (show)

Fixed In Version: sssd-1.5.1-49.el6
Doc Type: Bug Fix
Doc Text:
Cause: During password change, password policy attributes are checked in SSSD. When these attributes were incomplete, SSSD would report this password policy error as an internal error. Consequence: Log message produced in this case was confusing and unclear. Fix: When password policy attributes are incomplete, it is reported as an authentication error and proper log message is displayed. Result: Password policy related log messages are no longer confusing.
Clone Of:
: 748873 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:39:43 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1529 normal SHIPPED_LIVE sssd bug fix and enhancement update 2011-12-06 00:50:20 UTC

Description Kaushik Banerjee 2011-08-25 16:13:43 UTC
Description of problem:
Password policy error message should print something better than "Internal Error".

Version-Release number of selected component (if applicable):
sssd-1.5.1-47.el6

How reproducible:
Always

Steps to Reproduce:
1. Add a ldap user without any shadow attributes.
2. Set ldap_pwd_policy = shadow in sssd.conf
3. Try auth as the user.
  
Actual results:
Auth fails as expected. However, "Internal Error (System error)" appears in the log.

/var/log/sssd/sssd_LDAP.log shows:

<snip>
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [find_password_expiration_attributes] (1): No shadow password attributes found, but shadow password policy was requested.
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [get_user_dn] (1): find_password_expiration_attributes failed.
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [sdap_handle_release] (8): Trace: sh[0x241b610], connected[1], ops[(nil)], ldap[0x241e270], destructor_lock[0], release_memory[0]
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [remove_connection_callback] (9): Successfully removed connection callback.
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [4][LDAP]
(Thu Aug 25 06:22:59 2011) [sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sent result [4][LDAP]
</snip>

Expected results:
Password policy error message should print something better than "Internal Error (System error)".

Additional info:

Comment 2 Stephen Gallagher 2011-08-26 12:52:01 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/982

Comment 6 Kaushik Banerjee 2011-09-15 17:06:35 UTC
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 51.el6                        Build Date: Mon 12 Sep 2011 06:55:14 PM IST
Install Date: Tue 13 Sep 2011 08:02:21 PM IST      Build Host: x86-001.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-51.el6.src.rpm
Size        : 3670464                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 7 Jan Zeleny 2011-10-27 13:23:36 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: During password change, password policy attributes are checked in SSSD. When these attributes were incomplete, SSSD would report this password policy error as an internal error.
Consequence: Log message produced in this case was confusing and unclear.
Fix: When password policy attributes are incomplete, it is reported as an authentication error and proper log message is displayed.
Result: Password policy related log messages are no longer confusing.

Comment 8 errata-xmlrpc 2011-12-06 16:39:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html


Note You need to log in before you can comment on or make changes to this bug.