author | Petr Spacek <pspacek@redhat.com> | 2016-12-21 15:07:34 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2017-01-06 09:26:56 +0100 |
commit | fb7c111ac13510609e2cba14ecf88cd2ed291a4b (patch) | |
tree | 3c963ca45514bbd66706a27175726a19a9f87713 /ipaserver/plugins/baseuser.py | |
parent | 8db5b277a079fdfe5efbd7d49311f14489cee0e8 (diff) | |
ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throughout IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.
This new password generation should also be compatible with the
NSS implementation of password requirements in a FIPS environment
so that newly created databases won't fail with wrong authentication.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipaserver/plugins/baseuser.py')
-rw-r--r-- | ipaserver/plugins/baseuser.py | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 4c7e9f083..85ad41768 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -17,8 +17,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
-import string
-
 import six
 
 from ipalib import api, errors
@@ -35,7 +33,7 @@ from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
 from ipapython import kerberos
-from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
+from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipapython.ipavalidate import Email
 from ipalib.util import (
 normalize_sshpubkey,
@@ -75,8 +73,6 @@ UPG_DEFINITION_DN = DN(('cn', 'UPG Definition'),
 ('cn', 'etc'),
 api.env.basedn)
 
-# characters to be used for generating random user passwords
-baseuser_pwdchars = string.digits + string.ascii_letters + '_,.@+-='
 
 def validate_nsaccountlock(entry_attrs):
 if 'nsaccountlock' in entry_attrs:
@@ -554,7 +550,7 @@ class baseuser_mod(LDAPUpdate):
 def check_userpassword(self, entry_attrs, **options):
 if 'userpassword' not in entry_attrs and options.get('random'):
 entry_attrs['userpassword'] = ipa_generate_password(
- baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
+ entropy_bits=TMP_PWD_ENTROPY_BITS)
 # save the password so it can be displayed in post_callback
 setattr(context, 'randompassword', entry_attrs['userpassword'])
 |
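Review bot: The call in `check_userpassword` (last hunk) now takes its character set entirely from the defaults of `ipa_generate_password`, where the removed lines limited it to digits, ASCII letters and `_,.@+-=`; those defaults live in `ipapython.ipautil` and are not visible on this page. Because the value is kept on `context` to be displayed to the caller and then typed or pasted as a temporary password, the call site should state what it relies on, for example `# temporary password: strength set by TMP_PWD_ENTROPY_BITS, alphabet by ipa_generate_password defaults`. If the default alphabet turns out to be wider than the old one, it is worth confirming that the displayed password passes through the CLI and API output unchanged. The third hunk also removes the module-level name `baseuser_pwdchars`; this view is limited to one file, so any other module that imports it needs the same update. The method may continue past the hunk's last line.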