Re: (ITS#6082) ppolicy password checker module should make possible to return error to the client
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6082) ppolicy password checker module should make possible to return error to the client
- From: hyc@symas.com
- Date: Thu, 30 Apr 2009 10:50:33 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Guillaume.Rousse@inria.fr wrote:
> Full_Name: Guillaume Rousse
> Version: 2.4.16
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (195.83.212.136)
>
>
> Current implementation of password checker doesn't allow exact errors returned
> by the external module to be returned to the client, for security reasons. They
> are only available in server logs. Quoting man page:
>
> If the password is unacceptable, the server will return an error to the client,
> and ppErrStr may be used to return a human-readable textual explanation of the
> error.
>
> As it is already difficult to have strong password policies accepted by users,
> making this behaviour configurable, exactly the same way the ppolicy_use_lockout
> option allows the servers to return more information to the client if wanted,
> would be desirable.
Hmm. Perhaps the default behavior here is overly paranoid; I think it's fair
to explain to a user why their password was rejected in a PasswordModify
request. If they've already provided the correct old password, it doesn't seem
that there's any security exposure here.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/