Summary: Make random password generation work with policies
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216983
Description of problem: passwd_modify_generate_passwd (passwd_extop.c) always generates 8-bytes random characters made by PK11_GenerateRandom and ldif_base64_encode. It needs to generate a password which follows the password policy if it's defined.
------- Additional Comments From nhosoi@redhat.com 2006-11-27 14:18 EST -------
Created an attachment (id=142208) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142208&action=vie...)
cvs diff (passwd_extop.c)
File: ldap/servers/slapd/passwd_extop.c
Changes:
1. Renamed passwd_modify_generate_passwd to passwd_modify_generate_basic_passwd, which algorithm is used when no specific password rule or just the minimum length is given.
2. If some other rules are set, passwd_modify_generate_policy_passwd is called and generates a password which fulfills the requirement.
Note: this password generator does not support passwordMin8Bit. If it generates a password which includes 8-bit characters, most likely they won't be able to be displayed or input from the users' keyboard. We should note it in the doc...
------- Additional Comments From nhosoi@redhat.com 2006-11-27 14:21 EST -------
Created an attachment (id=142213) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142213&action=vie...)
generated password sample
Attached is the sample output from ldappasswd. Do you think this quality of the randomness satisfies the requirement?
------- Additional Comments From nhosoi@redhat.com 2006-11-28 13:04 EST -------
Created an attachment (id=142311) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142311&action=vie...)
cvs diff (passwd_extop.c)
Final diff of passwd_extop.c, which has been revised based upon Nathan's review.
Reviewed by Nathan (Thank you!!)
Checked into HEAD
Commit message:
Resolves: #216983
Summary: Make random password generation work with policies
Changes:
1) Generate a password that meets the current password syntax rules.
2) Report errors when Min8Bit is set or MinCategories > 4
CVS: ----------------------------------------------------------------------
CVS: Modified Files: passwd_extop.c
CVS: ----------------------------------------------------------------------
Checking in passwd_extop.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v <-- passwd_extop.c
new revision: 1.14; previous revision: 1.13
done
------- Additional Comments From nhosoi@redhat.com 2006-11-28 12:57 EST ------- Thank you so much, Nathan!
passwordMinCategories: 5
Client>
ldappasswd: Operations error
ldappasswd: additional info: Unable to generate new random password. Please contact the Administrator.
Server>
[...] - Unable to generate a password that meets the current password syntax rules. A minimum categories setting of 5 is not supported with random password generation.

passwordMin8bit: 1
Client>
ldappasswd: Operations error
ldappasswd: additional info: Unable to generate new random password. Please contact the Administrator.
Server>
[...] - Unable to generate a password that meets the current password syntax rules. 8-bit syntax restrictions are not supported with random password generation.
------- Additional Comments From nhosoi@redhat.com 2006-11-27 18:58 EST -------
Created an attachment (id=142247) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142247&action=vie...)
cvs diff (passwd_extop.c)
Thank you to Nathan for the review and the discussion!
As you suggested, I changed the code to randomly choose the rest of the specified characters (characters specified by, e.g., minuppers or mindigits). Also, I added error messages to log in the errors log as well as to return to the client. Please take a look at the next attachment for the messages.
------- Additional Comments From nhosoi@redhat.com 2006-11-27 19:04 EST -------
Created an attachment (id=142248) --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142248&action=vie...)
generated password sample + error messages
Added error messages are for
1. when passwordMinCategories is 5, which expects the generated password to include 8-bit character(s). Password Generator does not support such a password.
2. when passwordMin8Bit is set.
Also, fixed the bug pointed out by Nathan in Comment#3.
Lastly, the generated password sequence looks more randomized!
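An added sketch of the approach discussed in this thread, not the code from the attached diffs: required characters are drawn per category, the remainder is filled at random, the result is shuffled, and the two unsupported settings are rejected. The struct, function names, symbol set and 8-character floor are assumptions, and getrandom() stands in for PK11_GenerateRandom.

```c
#include <string.h>
#include <sys/random.h>

/* Hypothetical policy struct; field names are illustrative, not the server's. */
struct pw_policy { int min_length, min_uppers, min_lowers, min_digits,
                       min_specials, min_categories, min_8bit; };
static const char *const CLASSES[4] = {          /* 7-bit classes only (assumed sets) */
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz",
    "0123456789", "!#$%&*+-=?@_" };

/* Uniform value in [0, n), 1 <= n <= 256, rejecting bytes that would bias. */
static int rand_below(unsigned n, unsigned *out) {
    unsigned char b;
    do {
        if (getrandom(&b, 1, 0) != 1) return -1;
    } while (b >= 256 - (256 % n));
    *out = b % n;
    return 0;
}

/* 0 = ok, -1 = policy not supported, -2 = buffer too small or RNG failure. */
int gen_policy_passwd(const struct pw_policy *p, char *buf, size_t buflen) {
    int need[4] = { p->min_uppers, p->min_lowers, p->min_digits, p->min_specials };
    int cats = 0, total = 0;
    size_t len = 0;
    unsigned r, c;
    if (p->min_8bit > 0 || p->min_categories > 4) return -1;
    for (int i = 0; i < 4; i++) {
        if (need[i] > 255) return -2;
        if (need[i] < 0) need[i] = 0;
        cats += need[i] > 0;
    }
    for (int i = 0; i < 4 && cats < p->min_categories; i++)
        if (need[i] == 0) { need[i] = 1; cats++; }   /* force a missing category */
    for (int i = 0; i < 4; i++) total += need[i];
    if (total < p->min_length) total = p->min_length;
    if (total < 8) total = 8;                        /* assumed floor of 8 chars */
    if (total > 255 || (size_t)total >= buflen) return -2;
    for (int i = 0; i < 4; i++)                      /* required characters first */
        for (int k = 0; k < need[i]; k++) {
            if (rand_below(strlen(CLASSES[i]), &r)) return -2;
            buf[len++] = CLASSES[i][r];
        }
    while (len < (size_t)total) {                    /* then random filler */
        if (rand_below(4, &c) || rand_below(strlen(CLASSES[c]), &r)) return -2;
        buf[len++] = CLASSES[c][r];
    }
    for (size_t i = len; i > 1; i--) {               /* Fisher-Yates shuffle */
        if (rand_below((unsigned)i, &r)) return -2;
        char t = buf[i - 1]; buf[i - 1] = buf[r]; buf[r] = t;
    }
    buf[len] = '\0';
    return 0;
}
```

Without the final shuffle the required characters would always sit at the front in category order, which makes the output more predictable than its length suggests.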
-- Fedora-directory-devel mailing list Fedora-directory-devel@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-devel
389-devel@lists.fedoraproject.org