[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6082) ppolicy password checker module should make possible to return error to the client



Guillaume.Rousse@inria.fr wrote:
> Full_Name: Guillaume Rousse
> Version: 2.4.16
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (195.83.212.136)
>
>
> Current implementation of password checker doesn't allow exact errors returned
> by the external module to be returned to the client, for security reason. They
> are only available in server logs. Quoting man page:
>
> If the password is unacceptable, the server will return an error to the client,
> and  ppErrStr may be used to return a human-readable textual explanation of the
> error.
>
> As it is already difficult to have strong password policies accepted by users,
> making this behaviour configurable, exactly the same way the ppolicy_use_lockout
> option allows the servers to return more information if wanted to the client,
> would be desirable.

Hmm. Perhaps the default behavior here is overly paranoid; I think it's fair 
to explain to a user why their password was rejected in a PasswordModify 
request. If they've already provided the correct old password, it doesn't seem 
that there's any security exposure here.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/