A user always receives the same error message when a password change made
with the "ipa passwd" command fails the configured password policy, and is
then left to work out on their own which policy rule was violated. This
patch improves our SLAPI password plugins so that the returned error
message names the rule that was violated.

https://fedorahosted.org/freeipa/ticket/2067

>From eca1c4221c77139f0dafa2fb8d38f22b6c0481d9 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 2 Feb 2012 11:55:14 +0100
Subject: [PATCH] Improve password change error message

A user always receives the same error message when a password change made
with the "ipa passwd" command fails the configured password policy, and is
then left to work out on their own which policy rule was violated. This
patch improves our SLAPI password plugins so that the returned error
message names the rule that was violated.

https://fedorahosted.org/freeipa/ticket/2067
---
 .../ipa-pwd-extop/ipa_pwd_extop.c                  |    2 +-
 .../ipa-pwd-extop/ipapwd_prepost.c                 |    4 ++--
 util/ipa_pwd.c                                     |   20 ++++++++++++++++++++
 util/ipa_pwd.h                                     |    6 ++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 65c5834595f89aee8502347311f247be058c3416..64b1f8c353de816ca7ef8ccece35b7313a18bfbe 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -461,7 +461,7 @@ parse_req_done:
 	/* check the policy */
 	ret = ipapwd_CheckPolicy(&pwdata);
 	if (ret) {
-		errMesg = "Password Fails to meet minimum strength criteria";
+		errMesg = ipapwd_error2string(ret);
 		if (ret == IPAPWD_POLICY_ERROR) {
 			errMesg = "Internal error";
 			rc = ret;
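Review bot: The new `errMesg = ipapwd_error2string(ret);` line is dead for the `IPAPWD_POLICY_ERROR` case, because the `if` directly below it overwrites the message with "Internal error"; the internal-error check should come first and the mapping live in its `else`, e.g. `if (ret == IPAPWD_POLICY_ERROR) { errMesg = "Internal error"; rc = ret; } else { errMesg = ipapwd_error2string(ret); ... }`. `errMesg` is declared outside this hunk; if the string table in util/ipa_pwd.c is made `const` (which a read-only message table in a directory-server plugin should be), its declaration here has to become `const char *` as well. The enclosing function starts and ends outside this hunk.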
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 961678acb4f7a3265b5b221acedb96a63cea5855..8185aa047570f0b24dabf9d580bf2d6bcbf241a0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -302,7 +302,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 
     ret = ipapwd_CheckPolicy(&pwdop->pwdata);
     if (ret) {
-        errMesg = "Password Fails to meet minimum strength criteria";
+        errMesg = ipapwd_error2string(ret);
         rc = LDAP_CONSTRAINT_VIOLATION;
         goto done;
     }
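Review bot: An internal failure of `ipapwd_CheckPolicy()` (`IPAPWD_POLICY_ERROR`, -1) is now reported to the client adding the entry as LDAP_CONSTRAINT_VIOLATION with the generic "Password does not meet the policy requirements" text, which tells the administrator the password is bad when the server actually failed to evaluate the policy; the extop hunk in this same patch distinguishes the two cases and this pre-add path should too, e.g. `if (ret == IPAPWD_POLICY_ERROR) { errMesg = "Internal error"; rc = LDAP_OPERATIONS_ERROR; goto done; }` ahead of the existing assignment. Whether LDAP_OPERATIONS_ERROR is the appropriate result code depends on how the `done:` label handles `rc`, which is outside this hunk, as is the rest of ipapwd_pre_add.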
@@ -740,7 +740,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
     if (has_krb_keys == 0) {
         ret = ipapwd_CheckPolicy(&pwdop->pwdata);
         if (ret) {
-            errMesg = "Password Fails to meet minimum strength criteria";
+            errMesg = ipapwd_error2string(ret);
             rc = LDAP_CONSTRAINT_VIOLATION;
             goto done;
         }
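Review bot: The per-rule message now returned from ipapwd_pre_mod goes back to whichever bound DN issued the modify, not only to the user whose password is being changed; assuming "Password reuse not permitted" corresponds to the history check, it confirms that the submitted value matches one of the account's previous passwords, so any DN with write access to userPassword (administrators, sync agents) gains a small oracle on that user's password history. That is an accepted trade-off in most deployments, but it is a behaviour change worth stating in the commit message, and the reuse case could keep the generic text when the bind DN is not the target entry if the project prefers not to expose it. As in the pre-add hunk, `IPAPWD_POLICY_ERROR` (-1) is also mapped to a constraint violation with the generic text here, unlike the extop path in this patch. ipapwd_pre_mod starts and ends outside this hunk.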
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index fda6cb34ef24059362207325db61aedb62d7b665..b6ed929b3761fbce8f0ce90e6555123848d0c88d 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -538,6 +538,26 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
     return IPAPWD_POLICY_OK;
 }
 
+char * IPAPWD_ERROR_STRINGS[] = {
+    "Password is OK",
+    "Account expired",
+    "Too soon to change password",
+    "Password is too short",
+    "Password reuse not permitted",
+    "Password is too simple"
+};
+
+char * IPAPWD_ERROR_STRING_GENERAL = "Password does not meet the policy requirements";
+
+char * ipapwd_error2string(enum ipapwd_error err) {
+   if (err < 0 || err > IPAPWD_POLICY_PWD_COMPLEXITY) {
+       /* IPAPWD_POLICY_ERROR or out of boundary, return general error */
+       return IPAPWD_ERROR_STRING_GENERAL;
+   }
+
+   return IPAPWD_ERROR_STRINGS[err];
+}
+
 /**
 * @brief    Generate a new password history using the new password
 *
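Review bot: The upper bound in `ipapwd_error2string()` is tied to one enumerator (`err > IPAPWD_POLICY_PWD_COMPLEXITY`) rather than to the table it indexes, so inserting a new `ipapwd_error` value before `IPAPWD_POLICY_PWD_COMPLEXITY` without extending `IPAPWD_ERROR_STRINGS` makes `IPAPWD_ERROR_STRINGS[err]` read past the end of the array; the "IMPORTANT" comment in the header is the only thing guarding it, and bounding by the array length removes the dependency. The table and the general string are also non-`static`, non-`const` globals, so they are exported from the util library and sit in writable data, which a read-only message table in a privileged plugin has no reason to do; making them `static const char *const` and the return type `const char *` fixes that, at the cost of widening the callers' `errMesg` variables (outside this hunk) to `const char *`. The hunk's context lines belong to ipapwd_check_policy and the following doc comment, which are otherwise unaffected.
```c
static const char *const IPAPWD_ERROR_STRINGS[] = {
    "Password is OK",
    /* … unchanged: remaining table entries … */
};

static const char *const IPAPWD_ERROR_STRING_GENERAL =
    "Password does not meet the policy requirements";

/**
 * @brief    Map a policy result to a human-readable message
 *
 * Returns a pointer to static storage; never NULL, not to be freed.
 * IPAPWD_POLICY_ERROR and any code the table does not know yield the
 * general message.
 */
const char *ipapwd_error2string(enum ipapwd_error err)
{
    size_t count = sizeof(IPAPWD_ERROR_STRINGS) / sizeof(IPAPWD_ERROR_STRINGS[0]);

    if (err < 0 || (size_t)err >= count) {
        return IPAPWD_ERROR_STRING_GENERAL;
    }
    return IPAPWD_ERROR_STRINGS[err];
}
```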
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 7a00b7fc3652e75f69f6f936acfddc8b50867950..3c60f12bf3f4c8f08aae44753888c2535c764550 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,10 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/*
+ * IMPORTANT: plese update error string table in ipa_pwd.c if you change this
+ * error code table.
+ */
 enum ipapwd_error {
     IPAPWD_POLICY_ERROR = -1,
     IPAPWD_POLICY_OK = 0,
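Review bot: The added comment has a typo (`plese` for `please`), and it documents a coupling that the code should enforce instead: the lookup in ipa_pwd.c indexes the table by enum value, so a mismatch is an out-of-bounds read, not a wrong message. I would reword it as `/* Keep in sync with IPAPWD_ERROR_STRINGS in ipa_pwd.c: the message table is indexed directly by these values. */` and, if the build allows C11, back it with a `_Static_assert` on the table length in ipa_pwd.c; otherwise bound the lookup by the array size. The `enum ipapwd_error` body continues past the end of this hunk.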
@@ -55,6 +59,8 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
                         time_t last_pwd_change,
                         char **pwd_history);
 
+char * ipapwd_error2string(enum ipapwd_error err);
+
 int ipapwd_generate_new_history(char *password,
                                 time_t cur_time,
                                 int history_length,
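Review bot: The new `ipapwd_error2string` prototype carries no documentation, while the neighbouring utility functions in ipa_pwd.c are described with `@brief` blocks; callers need to know the storage class of what they get back. I would add above the declaration: `/** @brief Return a static, human-readable message for a policy result; never NULL, must not be freed or modified by the caller. */`. The return type should be `const char *` if the backing table is made `const`, which would need the prototype here and the callers' `errMesg` variables updated together.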
-- 
1.7.7.6
