From 6dd5ae522dbd621eb0d313b54f884b205855625a Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Mon, 27 Nov 2006 19:23:57 +0000 Subject: Resolves: 212112 Summary: Improved error messages for password syntax violations. --- ldap/servers/slapd/pw.c | 85 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 59 insertions(+), 26 deletions(-) (limited to 'ldap/servers') diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c index 058dcac0..4e3c0d8c 100644 --- a/ldap/servers/slapd/pw.c +++ b/ldap/servers/slapd/pw.c @@ -732,6 +732,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, char *dn= (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */ char *pwd = NULL; char *p = NULL; + char errormsg[ BUFSIZ ]; passwdPolicy *pwpolicy = NULL; pwpolicy = new_passwdPolicy(pb, dn); @@ -739,6 +740,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, if ( pwpolicy->pw_syntax == 1 ) { for ( i = 0; vals[ i ] != NULL; ++i ) { + int syntax_violation = 0; int num_digits = 0; int num_alphas = 0; int num_uppers = 0; @@ -753,13 +755,14 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, if ( pwpolicy->pw_minlength > ldap_utf8characters((char *)slapi_value_get_string( vals[i] )) ) { + PR_snprintf( errormsg, BUFSIZ, + "invalid password syntax - password must be at least %d characters long", + pwpolicy->pw_minlength ); if ( pwresponse_req == 1 ) { slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDTOOSHORT ); } - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION, NULL, - "invalid password syntax", 0, NULL ); + pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL ); delete_passwdPolicy(&pwpolicy); return ( 1 ); } 
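Review bot: The `PR_snprintf( errormsg, BUFSIZ, ...)` call in the minimum-length branch restates the buffer size as `BUFSIZ` instead of deriving it from the array declared in the first hunk. Writing `PR_snprintf( errormsg, sizeof(errormsg), ...)` keeps the bound tied to the declaration if `char errormsg[ BUFSIZ ];` is ever resized, and the same applies to the eight `PR_snprintf` calls in the `@@ -829` hunk. The format strings here are literals and the only arguments are integer policy values, so no client-supplied text reaches the result message. A comment on the declaration would keep it that way, for example `/* client-visible text: policy limits only, never the candidate password */`. The body of check_pw_syntax_ext starts and ends outside these hunks.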
@@ -767,10 +770,6 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* check character types */ pwd = (char *)slapi_value_get_string( vals[i] ); p = pwd; - /* - pwdlen = slapi_value_get_length( vals[i] ); - for ( j = 0; j < pwdlen; j++ ) { - */ while ( p && *p ) { if ( ldap_utf8isdigit( p ) ) { 
@@ -829,24 +828,58 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, ++num_categories; /* check for character based syntax limits */ - if ( ( pwpolicy->pw_mindigits > num_digits ) || - ( pwpolicy->pw_minalphas > num_alphas ) || - ( pwpolicy->pw_minuppers > num_uppers ) || - ( pwpolicy->pw_minlowers > num_lowers ) || - ( pwpolicy->pw_minspecials > num_specials ) || - ( pwpolicy->pw_min8bit > num_8bit ) || - ( (pwpolicy->pw_maxrepeats != 0) && (pwpolicy->pw_maxrepeats < (max_repeated + 1)) ) || - ( pwpolicy->pw_mincategories > num_categories ) ) - { - if ( pwresponse_req == 1 ) { - slapi_pwpolicy_make_response_control ( pb, -1, -1, - LDAP_PWPOLICY_INVALIDPWDSYNTAX ); - } - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION, NULL, - "invalid password syntax", 0, NULL ); - delete_passwdPolicy(&pwpolicy); - return ( 1 ); + if ( pwpolicy->pw_mindigits > num_digits ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d digit characters", + pwpolicy->pw_mindigits ); + } else if ( pwpolicy->pw_minalphas > num_alphas ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d alphabetic characters", + pwpolicy->pw_minalphas ); + } else if ( pwpolicy->pw_minuppers > num_uppers ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d uppercase characters", + pwpolicy->pw_minuppers ); + } else if ( pwpolicy->pw_minlowers > num_lowers ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d lowercase characters", + pwpolicy->pw_minlowers ); + } else if ( pwpolicy->pw_minspecials > num_specials ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d special characters", + pwpolicy->pw_minspecials ); + } else 
if ( pwpolicy->pw_min8bit > num_8bit ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d 8-bit characters", + pwpolicy->pw_min8bit ); + } else if ( (pwpolicy->pw_maxrepeats != 0) && (pwpolicy->pw_maxrepeats < (max_repeated + 1)) ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - a character cannot be repeated more than %d times", + (pwpolicy->pw_maxrepeats + 1) ); + } else if ( pwpolicy->pw_mincategories > num_categories ) { + syntax_violation = 1; + PR_snprintf ( errormsg, BUFSIZ, + "invalid password syntax - password must contain at least %d character " + "categories (valid categories are digit, uppercase, lowercase, special, and 8-bit characters)", + pwpolicy->pw_mincategories ); + } + + /* If the password failed syntax checking, send the result and return */ + if (syntax_violation) { + if ( pwresponse_req == 1 ) { + slapi_pwpolicy_make_response_control ( pb, -1, -1, + LDAP_PWPOLICY_INVALIDPWDSYNTAX ); + } + pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL ); + delete_passwdPolicy(&pwpolicy); + return ( 1 ); } } } @@ -1311,7 +1344,7 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char } pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, - "invalid password syntax", 0, NULL ); + "invalid password syntax - password based off of user entry", 0, NULL ); /* Free valueset */ slapi_valueset_free( vs ); -- cgit
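Review bot: The repeat-limit message in the `pw_maxrepeats` branch prints `(pwpolicy->pw_maxrepeats + 1)`, while the condition rejects the password when `pw_maxrepeats < (max_repeated + 1)`, so the number shown to the user appears to be higher than the limit actually enforced. How `max_repeated` is counted is outside the hunk and needs confirming. If `max_repeated + 1` is the length of the longest run, the argument should be `pwpolicy->pw_maxrepeats`, with wording such as `"a character cannot appear more than %d times in a row"`. Separately, the `else if` chain reports only the first rule that fails, so a user may need several attempts to learn every requirement; a one-line comment above the chain saying this is deliberate would help the next reader.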