Improve password change error message

User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067

4 files changed, 29 insertions, 3 deletions

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 82acc49dd..f9cff70cb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -461,7 +461,7 @@ parse_req_done:
 	/* check the policy */
 	ret = ipapwd_CheckPolicy(&pwdata);
 	if (ret) {
-		errMesg = "Password Fails to meet minimum strength criteria";
+		errMesg = ipapwd_error2string(ret);
 		if (ret == IPAPWD_POLICY_ERROR) {
 			errMesg = "Internal error";
 			rc = ret;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index a4663c0cc..410c536a5 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -302,7 +302,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 
     ret = ipapwd_CheckPolicy(&pwdop->pwdata);
     if (ret) {
-        errMesg = "Password Fails to meet minimum strength criteria";
+        errMesg = ipapwd_error2string(ret);
         rc = LDAP_CONSTRAINT_VIOLATION;
         goto done;
     }
@@ -750,7 +750,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
     if (has_krb_keys == 0) {
         ret = ipapwd_CheckPolicy(&pwdop->pwdata);
         if (ret) {
-            errMesg = "Password Fails to meet minimum strength criteria";
+            errMesg = ipapwd_error2string(ret);
             rc = LDAP_CONSTRAINT_VIOLATION;
             goto done;
         }
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index fda6cb34e..b6ed929b3 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -538,6 +538,26 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
     return IPAPWD_POLICY_OK;
 }
 
+char * IPAPWD_ERROR_STRINGS[] = {
+    "Password is OK",
+    "Account expired",
+    "Too soon to change password",
+    "Password is too short",
+    "Password reuse not permitted",
+    "Password is too simple"
+};
+
+char * IPAPWD_ERROR_STRING_GENERAL = "Password does not meet the policy requirements";
+
+char * ipapwd_error2string(enum ipapwd_error err) {
+   if (err < 0 || err > IPAPWD_POLICY_PWD_COMPLEXITY) {
+       /* IPAPWD_POLICY_ERROR or out of boundary, return general error */
+       return IPAPWD_ERROR_STRING_GENERAL;
+   }
+
+   return IPAPWD_ERROR_STRINGS[err];
+}
+
 /**
 * @brief    Generate a new password history using the new password
 *
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 7a00b7fc3..ecb821084 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,10 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/*
+ * IMPORTANT: please update error string table in ipa_pwd.c if you change this
+ * error code table.
+ */
 enum ipapwd_error {
     IPAPWD_POLICY_ERROR = -1,
     IPAPWD_POLICY_OK = 0,
@@ -55,6 +59,8 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
                         time_t last_pwd_change,
                         char **pwd_history);
 
+char * ipapwd_error2string(enum ipapwd_error err);
+
 int ipapwd_generate_new_history(char *password,
                                 time_t cur_time,
                                 int history_length,