#49468 password policy: minimum token length fails when the token length is equal to attribute length.
Closed: wontfix 6 years ago Opened 6 years ago by gparente.

Issue Description

The function check_trivial_words is failing to recognize a token that is exactly the same size as the token length.

Example:

dn: uid=Dord,ou=People,dc=parente,dc=local
sn: David
objectClass: top
objectClass: account
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uid: Dord
cn: David
loginShell: /bin/bash
homeDirectory: /home/dorda
uidNumber: 501003
gidNumber: 510003

passwordMinTokenLength: 4

ldapmodify -D "uid=Dord,ou=People,dc=parente,dc=local" -w secret12
dn: uid=Dord,ou=People,dc=parente,dc=local
changetype: modify
replace: userpassword
userPassword: dord

modifying entry "uid=Dord,ou=People,dc=parente,dc=local"

Package Version and Platform

389-ds-base-1.3.6.1-21

Actual results

The password including a token of length 4 is accepted (it's the exact length of the attribute).

Expected results

additional information.

After some debugging, the function:

check_trivial_words calls

ldap_utf8prevn(sp, ep, toklen);

This function returns NULL when the token length is the same length as the attribute value in "sp".

IMHO, this should be the fix:

    char *
    ldap_utf8prevn(char *s, char *from, int n)
    {
        char *prev = from;
        if (!s || !from || (s > from)) {
            return NULL;
        }
        for (; n > 0; --n) {
            prev = ldap_utf8prev(prev);
            if ((prev <= s) && (n > 0)) { /* <============= should be (prev < s) */
                return NULL;
            }
        }
        return prev;
    }

For instance, in the previous example,

ldap_utf8prevn("dord", char *from,4)

will loop to find the postfix d, rd, ord, and will return NULL for dord.

So check_trivial_words will fail to refuse the password.
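The boundary case described in the report, as an added example that is not part of the original ticket or of 389-ds-base: it shows only how the two comparisons behave when the token length equals the value length, not a complete fix for the password check. `utf8_prev`, `utf8_prevn`, `last_n_chars`, the `strict_lt` flag and the sample buffers are hypothetical names and constructed data; `utf8_prev` is a simplified stand-in for `ldap_utf8prev` that assumes well-formed UTF-8.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples. One pad byte precedes each value so that stepping
 * one character before its start stays inside the array. */
static const char ASCII_BUF[] = "#dord";
static const char UTF8_BUF[] = "#d\xc3\xb6rd"; /* d, o-umlaut, r, d: 4 chars, 5 bytes */

/* Hypothetical stand-in for ldap_utf8prev(): back up one UTF-8 character
 * by skipping continuation bytes (10xxxxxx). Assumes well-formed input. */
static const char *utf8_prev(const char *p)
{
    do {
        --p;
    } while (((unsigned char)*p & 0xC0) == 0x80);
    return p;
}

/* Same loop as the function quoted in the report. strict_lt == 0 uses the
 * reported test (prev <= s); strict_lt == 1 uses the proposed (prev < s). */
static const char *utf8_prevn(const char *s, const char *from, int n, int strict_lt)
{
    const char *prev = from;
    if (!s || !from || s > from) {
        return NULL;
    }
    for (; n > 0; --n) {
        prev = utf8_prev(prev);
        if (strict_lt ? (prev < s) : (prev <= s)) {
            return NULL;
        }
    }
    return prev;
}

/* Start of the last n characters of value, or NULL if the helper gives up. */
const char *last_n_chars(const char *value, int n, int strict_lt)
{
    return utf8_prevn(value, value + strlen(value), n, strict_lt);
}

int main(void)
{
    const char *v = ASCII_BUF + 1; /* "dord" */
    const char *r = last_n_chars(v, 4, 0);
    const char *p = last_n_chars(v, 4, 1);
    printf("reported: %s\nproposed: %s\n", r ? r : "(NULL)", p ? p : "(NULL)");
    return 0;
}
```

With `n` equal to the number of characters in the value, the reported comparison returns NULL while the proposed one returns the start of the value; both return NULL once `n` exceeds the value length.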


The former change is not enough to fix this ticket. There's still an issue when comparing the obtained values with the password.

Metadata Update from @gparente:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue close_status updated to: duplicate
- Issue set to the milestone: 1.3.7.0
- Issue status updated to: Closed (was: Open)

6 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2527

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: duplicate)

3 years ago
