[email protected] wrote:
> Full_Name: Guillaume Rousse
> Version: 2.4.16
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (195.83.212.136)
>
>
> Current implementation of password checker doesn't allow exact errors returned
> by the external module to be returned to the client, for security reasons. They
> are only available in server logs. Quoting the man page:
>
> If the password is unacceptable, the server will return an error to the
> client, and ppErrStr may be used to return a human-readable textual
> explanation of the error.
>
> As it is already difficult to have strong password policies accepted by users,
> making this behaviour configurable, exactly the same way the ppolicy_use_lockout
> option allows the servers to return more information if wanted to the client,
> would be desirable.
Hmm. Perhaps the default behavior here is overly paranoid; I think it's fair to explain to a user why their password was rejected in a PasswordModify request. If they've already provided the correct old password, it doesn't seem that there's any security exposure here.

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
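For readers who want to see what the pwdCheckModule contract quoted from the man page looks like in code, the following is an added example of a minimal check module that fills ppErrStr. It was written for this page; it is not OpenLDAP's own code nor any module discussed in the thread. It uses the check_password signature given in slapo-ppolicy(5), treats Entry as an opaque stand-in (a real module includes slap.h and is built as a shared object loaded through the pwdCheckModule directive), and the thresholds (12 characters, three character classes, no run longer than three identical characters), the message strings and the sample passwords in main are all constructed for the illustration. Its main reproduces the behaviour the submitter describes for 2.4.16: the explanation ends up in the server log while the client only learns that the password was rejected.

```c
/*
 * Added example: a minimal pwdCheckModule for slapo-ppolicy that reports
 * why it rejected a password through ppErrStr.  Illustrative code written
 * for this page, not OpenLDAP's own module.  A real module #includes
 * "slap.h" (which defines Entry) and is built as a shared object; here
 * Entry is an opaque stand-in so the file compiles by itself.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00            /* value from <ldap.h> */
#endif

typedef struct Entry Entry;          /* stand-in: never dereferenced here */

/* Policy thresholds: assumptions chosen for this example only. */
#define MIN_LEN      12
#define MIN_CLASSES   3
#define MAX_RUN       3

static const char MSG_NULL[]    = "no password supplied";
static const char MSG_SHORT[]   = "password shorter than 12 characters";
static const char MSG_CLASSES[] = "password needs at least 3 of: lowercase, uppercase, digits, other characters";
static const char MSG_RUN[]     = "password contains more than 3 identical consecutive characters";

/* slapd free()s *ppErrStr after logging it, so the text must be heap-allocated,
 * never a pointer to a string literal or static buffer. */
static int reject(char **ppErrStr, const char *msg)
{
    if (ppErrStr != NULL) {
        size_t n = strlen(msg) + 1;
        char *copy = malloc(n);
        if (copy != NULL)
            memcpy(copy, msg, n);
        *ppErrStr = copy;            /* NULL on allocation failure: still a rejection */
    }
    return 1;                        /* anything other than LDAP_SUCCESS rejects */
}

/* Entry point named in slapo-ppolicy(5).  pEntry is the user's entry; this
 * example does not consult it (a real module might compare against uid/cn). */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    size_t len, i, run = 1;
    int lower = 0, upper = 0, digit = 0, other = 0;

    (void)pEntry;
    if (ppErrStr != NULL)
        *ppErrStr = NULL;            /* no explanation unless we reject */
    if (pPasswd == NULL)
        return reject(ppErrStr, MSG_NULL);

    len = strlen(pPasswd);
    if (len < MIN_LEN)
        return reject(ppErrStr, MSG_SHORT);

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pPasswd[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;

        /* Track the longest run of one repeated character. */
        if (i > 0 && pPasswd[i] == pPasswd[i - 1]) {
            if (++run > MAX_RUN)
                return reject(ppErrStr, MSG_RUN);
        } else {
            run = 1;
        }
    }
    if (lower + upper + digit + other < MIN_CLASSES)
        return reject(ppErrStr, MSG_CLASSES);

    return LDAP_SUCCESS;
}

/* Drive the module the way slapd does: call, consume the text, free it.
 * Returns the module's result code. */
int password_rc(const char *pw)
{
    char *txt = NULL;
    int rc = check_password((char *)pw, &txt, NULL);
    free(txt);
    return rc;
}

/* 1 if pw is rejected with exactly the explanation `expected`, else 0. */
int rejected_because(const char *pw, const char *expected)
{
    char *txt = NULL;
    int rc = check_password((char *)pw, &txt, NULL);
    int match = (rc != LDAP_SUCCESS && txt != NULL && strcmp(txt, expected) == 0);
    free(txt);
    return match;
}

int main(void)
{
    /* Constructed sample passwords for the demonstration. */
    const char *samples[] = { "short", "alllowercaseletters", "Aaaaaa1!bbbb", "Correct-Horse-42" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *txt = NULL;
        int rc = check_password((char *)samples[i], &txt, NULL);
        if (rc == LDAP_SUCCESS) {
            printf("%-22s accepted\n", samples[i]);
        } else {
            /* As the thread describes for 2.4.16: the explanation reaches the
             * server log; the client sees only a generic rejection. */
            printf("%-22s log:    %s\n", samples[i], txt ? txt : "(no explanation)");
            printf("%-22s client: password rejected (generic error)\n", "");
        }
        free(txt);
    }
    return 0;
}
```

Two points the module must get right regardless of whether slapd ever forwards the text: leave *ppErrStr NULL when the password is accepted, and return heap memory for the explanation because slapd releases it after logging. The explanation strings here deliberately describe the rule that failed, not the password itself, so that returning them to the client (as the submitter requests) would not leak anything the client did not already send.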
