[Fedora-directory-devel] Commit: [Bug 216983] New: Make random password generation work with policies

Noriko Hosoi nhosoi at redhat.com
Tue Nov 28 18:11:40 UTC 2006


Summary: Make random password generation work with policies

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216983

------- Additional Comments From nhosoi at redhat.com  2006-11-28 13:04 EST -------
Created an attachment (id=142311)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142311&action=view)
cvs diff (passwd_extop.c)

Final diff of passwd_extop.c which has been revised based upon Nathan's
review.

Reviewed by Nathan (Thank you!!)

Checked in to HEAD
Commit message:
Resolves: #216983
Summary: Make random password generation work with policies
Changes: 1) Generate a password that meets the current password syntax rules.
2) Report errors when Min8Bit is set or MinCategories > 4
CVS: ----------------------------------------------------------------------
CVS: Modified Files: passwd_extop.c
CVS: ----------------------------------------------------------------------
Checking in passwd_extop.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v  <--  passwd_extop.c

new revision: 1.14; previous revision: 1.13
done

------- Additional Comments From nhosoi at redhat.com  2006-11-28 12:57 EST -------
Thank you so much, Nathan!

passwordMinCategories: 5
Client>
ldappasswd: Operations error
ldappasswd: additional info: Unable to generate new random password.  Please
contact the Administrator.
Server>
[...] - Unable to generate a password that meets the current password syntax
rules.  A minimum categories setting of 5 is not supported with random password
generation.

passwordMin8bit: 1
Client>
ldappasswd: Operations error
ldappasswd: additional info: Unable to generate new random password.  Please
contact the Administrator.
Server>
[...] - Unable to generate a password that meets the current password syntax
rules.  8-bit syntax restrictions are not supported with random password generation.


>
> ------- Additional Comments From nhosoi at redhat.com  2006-11-27 18:58 EST -------
> Created an attachment (id=142247)
>  --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142247&action=view)
> cvs diff (passwd_extop.c)
>
> Thank you to Nathan for the review and the discussion!
>
> As you suggested, I changed the code to randomly choose the rest of the specified
> characters (characters specified by, e.g., minuppers or mindigits).  Also, I added 
> error messages to log in the errors log as well as to return to the client.  Please 
> take a look at the next attachment for the messages.
>
> ------- Additional Comments From nhosoi at redhat.com  2006-11-27 19:04 EST -------
> Created an attachment (id=142248)
>  --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142248&action=view)
> generated password sample + error messages
>
> Added error messages are for
> 1. when passwordMinCategories is 5, which expects the generated password to
> include 8-bit character(s).  Password Generator does not support such a
> password.
> 2. when passwordMin8Bit is set. 
>
> Also, fixed the bug pointed out by Nathan in Comment#3.
>
> Lastly, the generated password sequence looks more randomized!
>
>
>   
>> Summary: Make random password generation work with policies
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216983
>>
>> Description of problem:
>> passwd_modify_generate_passwd (passwd_extop.c) always generates 8-bytes random
>> characters made by PK11_GenerateRandom and ldif_base64_encode.  It needs to
>> generate a password which follows the password policy if it's defined.
>>
>> ------- Additional Comments From nhosoi at redhat.com  2006-11-27 14:18 EST -------
>> Created an attachment (id=142208)
>>  --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142208&action=view)
>> cvs diff (passwd_extop.c)
>>
>> File:
>> ldap/servers/slapd/passwd_extop.c
>>
>> Changes:
>> 1. Renamed passwd_modify_generate_passwd to
>> passwd_modify_generate_basic_passwd, which algorithm is used when no specific
>> password rule or just the minimum length is given.
>> 2. If some other rules are set, passwd_modify_generate_policy_passwd is called
>> and generates a password which fulfills the requirement.
>>
>> Note: this password generator does not support passwordMin8Bit.  If it
>> generates a password which includes 8-bit characters, most likely they won't be
>> able to be displayed or input from the users' keyboard.  We should note it in the
>> doc...
>>
>> ------- Additional Comments From nhosoi at redhat.com  2006-11-27 14:21 EST -------
>> Created an attachment (id=142213)
>>  --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=142213&action=view)
>> generated password sample
>>
>> Attached is the sample output from ldappasswd.    Do you think this quality of
>> the randomness satisfies the requirement?
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-devel mailing list
>> Fedora-directory-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>>   
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3170 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20061128/320ddc7d/attachment.bin>
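
The approach discussed in this thread (satisfy every per-class minimum, choose the remaining characters at random, and refuse policies that need 8-bit characters or more than four categories), written out as an added example; it is not the code from passwd_extop.c. The struct, the function names, the set of special characters, the final shuffle and the caller-opened entropy source (for example /dev/urandom, standing in for the server's NSS random generator) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy struct mirroring the thread's policy attributes (all >= 0). */
struct pw_policy { int min_length, min_digits, min_uppers, min_lowers,
                   min_specials, min_categories, min_8bit; };
/* Character classes; which specials to allow is an assumption. */
static const char *CLASSES[4] = { "0123456789", "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                                  "abcdefghijklmnopqrstuvwxyz", "!#$%&*+-=?@_" };

/* Uniform value in [0, n), 1 <= n <= 256; rejection sampling avoids modulo bias. */
static int rand_below(FILE *rng, unsigned n) {
    unsigned char b;
    do { if (fread(&b, 1, 1, rng) != 1) return -1; } while ((unsigned)b >= 256u - 256u % n);
    return (int)(b % n);
}
/* Random character from class c, or -1 if the entropy source fails. */
static int pick(FILE *rng, int c) {
    int r = rand_below(rng, (unsigned)strlen(CLASSES[c]));
    return r < 0 ? -1 : CLASSES[c][r];
}

/* rng: caller-opened entropy source. Returns 0, -1 (unsupported policy) or -2 (RNG/buffer). */
int gen_policy_passwd(const struct pw_policy *p, FILE *rng, char *out, size_t outsz) {
    int need[4] = { p->min_digits, p->min_uppers, p->min_lowers, p->min_specials };
    int i, j, c, len = 0, cats = 0, total = 0;
    if (p->min_8bit > 0 || p->min_categories > 4) return -1;
    for (i = 0; i < 4; i++) cats += need[i] > 0;
    for (i = 0; i < 4; i++) {                 /* force extra categories, sum the minimums */
        if (need[i] == 0 && cats < p->min_categories) { need[i] = 1; cats++; }
        total += need[i];
    }
    if (total < p->min_length) total = p->min_length;
    if (total > 255 || (size_t)total >= outsz) return -2;
    for (i = 0; i < 4; i++)                   /* required characters of each class */
        for (j = 0; j < need[i]; j++) {
            if ((c = pick(rng, i)) < 0) return -2;
            out[len++] = (char)c;
        }
    while (len < total) {                     /* the rest: random class, random character */
        if ((i = rand_below(rng, 4)) < 0 || (c = pick(rng, i)) < 0) return -2;
        out[len++] = (char)c;
    }
    for (i = len - 1; i > 0; i--) {           /* Fisher-Yates shuffle of the positions */
        if ((j = rand_below(rng, (unsigned)i + 1)) < 0) return -2;
        c = out[i]; out[i] = out[j]; out[j] = (char)c;
    }
    out[len] = '\0';
    return 0;
}
```

Without the shuffle the required characters would always sit at the front of the password in class order, which leaks structure to anyone who knows the policy.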

