(ITS#5285) password policy checks userPassword hash even without policies
Full_Name: Matthew Backes
Version: 2.3, 2.4, head, etc
OS: all
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (67.115.65.234)
When receiving a new userPassword, slapo-ppolicy checks to see if that password
matches the hash already present in userPassword, and disallows it if this is
the case.
This is a sensible default for most circumstances, as otherwise the user could
reset their age counters by using the same password.
Unfortunately, it also blocks arguably-legitimate password changes; e.g. when
migrating to SSHA from CRYPT where the first 8 chars of the new password match
the old.
This patch changes this userPassword-has-changed check to only apply if there is
a password policy defined which requires it; in particular, any of pwdInHistory,
pwdMinAge, pwdMaxAge, pwdCheckQuality, or pwdMustChange must apply for this
check to be enforced.
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/ppolicy.c,v
retrieving revision 1.110
diff -u -r1.110 ppolicy.c
--- ppolicy.c 17 Nov 2007 12:39:19 -0000 1.110
+++ ppolicy.c 15 Dec 2007 03:21:27 -0000
@@ -1776,7 +1776,13 @@
* Last check - the password history.
*/
/* FIXME: no access checking? */
- if (slap_passwd_check( op, NULL, pa, bv, &txt ) == LDAP_SUCCESS)
{
+ if (( pp.pwdInHistory
+ || pp.pwdMinAge
+ || pp.pwdMaxAge
+ || pp.pwdCheckQuality
+ || pp.pwdMustChange ) /* make sure we care */
+ && ( slap_passwd_check( op, NULL, pa, bv, &txt )
+ == LDAP_SUCCESS )) {
/*
* This is bad - it means that the user is attempting
* to set the password to the same as the old one.
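Review bot: the gate `pp.pwdInHistory || pp.pwdMinAge || pp.pwdMaxAge || pp.pwdCheckQuality || pp.pwdMustChange` hard-codes which policy attributes make the same-password check matter, and the only explanation in the hunk is `/* make sure we care */`; please expand that comment to state the rationale given in the submission (these are the attributes whose effect a user could defeat by re-setting the same password), so that a later addition to the policy struct is not silently left out of the gate. The `* Last check - the password history.` header comment above the hunk also now describes a check that runs only under this condition and should say so, and the `/* FIXME: no access checking? */` concern is untouched by this change. The hunk as shown ends inside the `This is bad` comment, so the error path taken when the condition holds is not visible here for review.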