From 55cd9e7dbec3d74c1856fc177bb3d64010761cc2 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Feb 03 2012 16:22:24 +0000
Subject: Improve password change error message


User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067

---

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 65c5834..64b1f8c 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -461,7 +461,7 @@ parse_req_done:
 	/* check the policy */
 	ret = ipapwd_CheckPolicy(&pwdata);
 	if (ret) {
-		errMesg = "Password Fails to meet minimum strength criteria";
+		errMesg = ipapwd_error2string(ret);
 		if (ret == IPAPWD_POLICY_ERROR) {
 			errMesg = "Internal error";
 			rc = ret;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 961678a..8185aa0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -302,7 +302,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 
     ret = ipapwd_CheckPolicy(&pwdop->pwdata);
     if (ret) {
-        errMesg = "Password Fails to meet minimum strength criteria";
+        errMesg = ipapwd_error2string(ret);
         rc = LDAP_CONSTRAINT_VIOLATION;
         goto done;
     }
@@ -740,7 +740,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
     if (has_krb_keys == 0) {
         ret = ipapwd_CheckPolicy(&pwdop->pwdata);
         if (ret) {
-            errMesg = "Password Fails to meet minimum strength criteria";
+            errMesg = ipapwd_error2string(ret);
             rc = LDAP_CONSTRAINT_VIOLATION;
             goto done;
         }
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index fda6cb3..b6ed929 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -538,6 +538,26 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
     return IPAPWD_POLICY_OK;
 }
 
+char * IPAPWD_ERROR_STRINGS[] = {
+    "Password is OK",
+    "Account expired",
+    "Too soon to change password",
+    "Password is too short",
+    "Password reuse not permitted",
+    "Password is too simple"
+};
+
+char * IPAPWD_ERROR_STRING_GENERAL = "Password does not meet the policy requirements";
+
+char * ipapwd_error2string(enum ipapwd_error err) {
+   if (err < 0 || err > IPAPWD_POLICY_PWD_COMPLEXITY) {
+       /* IPAPWD_POLICY_ERROR or out of boundary, return general error */
+       return IPAPWD_ERROR_STRING_GENERAL;
+   }
+
+   return IPAPWD_ERROR_STRINGS[err];
+}
+
 /**
 * @brief    Generate a new password history using the new password
 *
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 7a00b7f..ecb8210 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,10 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/*
+ * IMPORTANT: please update error string table in ipa_pwd.c if you change this
+ * error code table.
+ */
 enum ipapwd_error {
     IPAPWD_POLICY_ERROR = -1,
     IPAPWD_POLICY_OK = 0,
@@ -55,6 +59,8 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
                         time_t last_pwd_change,
                         char **pwd_history);
 
+char * ipapwd_error2string(enum ipapwd_error err);
+
 int ipapwd_generate_new_history(char *password,
                                 time_t cur_time,
                                 int history_length,