Setting user pass with ldapsetpasswd which doesn't comply with rules is not showing proper error

Bug #2008838 reported by Alan Portela Bandeira
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Alan Portela Bandeira

Bug Description

Brief Description
-----------------

Setting user pass with ldapsetpasswd which doesn't comply with rules is not showing proper error

Severity
-----------------

minor

Steps to Reproduce
-----------------

1) Create an LDAP user: "sudo ldapusersetup"

sudo [sysadmin@controller-0 ~(keystone_admin)]$ sudo ldapusersetup
Password:
Enter username to add to LDAP: test
Successfully added user test to LDAP
Successfully set password for user test
Add test to sudoer list? (yes/NO): yes
Successfully added sudo access for user test to LDAP
Add test to secondary user group? (yes/NO): yes
Secondary group to add user to? [sys_protected]:
Successfully added user test to group cn=sys_protected,ou=Group,dc=cgcs,dc=local
Enter days after which user password must be changed [90]:
Successfully modified user entry uid=test,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Enter days before password is to expire that user is warned [2]:
Successfully modified user entry uid=test,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
[sysadmin@controller-0 ~(keystone_admin)]$

2) Now set the password for this user using the command "sudo ldapsetpasswd test"

First try passwords that don't comply with the following password rules:
* The password must be at least 7 characters long
* You cannot reuse the last password in history
* Every password must differ from its previous one by at least 3 characters
* The password must contain:
  - at least 1 lower-case character
  - at least 1 upper-case character
  - at least 1 numeric character
  - at least 1 special character

for example:
try linux89
try LINUXsf
try 123456

controller-0:~$ sudo ldapsetpasswd test
Password:
Changing password for user uid=test,ou=People,dc=cgcs,dc=local
New Password:
Retype New Password:
Error setting password for user uid=test,ou=People,dc=cgcs,dc=local
controller-0:~$ sudo ldapsetpasswd test
Changing password for user uid=test1,ou=People,dc=cgcs,dc=local
New Password:
Retype New Password:
Error setting password for user uid=test,ou=People,dc=cgcs,dc=local

As you can see from the above, the error message is "Error setting password for user uid=test,ou=People,dc=cgcs,dc=local"

If you try the same by logging into the system using the "test" username:

amantri@yow-amantri-lx:~$ ssh test@128.224.151.82
test1@128.224.151.82's password:
You are required to change your password immediately (root enforced)
Last login: Mon Jul 18 16:00:45 2022 from 128.224.67.94
/etc/motd.d/00-header:

/etc/motd.d/10-system:

====================================================================
         SYSTEM: yow-cgcs-wildcat-61-62
====================================================================

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test.
(current) LDAP Password:
New password:
BAD PASSWORD: The password contains less than 1 uppercase letters
New password:
BAD PASSWORD: The password contains less than 1 uppercase letters
New password:
BAD PASSWORD: The password contains less than 1 uppercase letters
passwd: Have exhausted maximum number of retries for service

As you can see above, the error message is clear: "BAD PASSWORD: The password contains less than 1 uppercase letters"

Expected Behavior
-----------------

The error message has to be clear when setting the password for a user using "sudo ldapsetpasswd test"

Actual Behavior
-----------------

The error message is not clear about the rules

Reproducibility
-----------------

100%

System Configuration
-----------------

SW_VERSION="22.06"
BUILD_TARGET="Host Installer"
BUILD_TYPE="Formal"
BUILD_ID="2022-07-16_18-00-07"
SRC_BUILD_ID="1341"

BUILD_BY="jenkins"
BUILD_NUMBER="1341"
BUILD_DATE="2022-07-16 18:06:31 -0400"

Last Pass
-----------------

Never

Test Activity
-----------------

regression testing

Changed in starlingx:
assignee: nobody → Alan Portela Bandeira (aportelab)
Changed in starlingx:
status: New → In Progress
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/875798
Committed: https://opendev.org/starlingx/integ/commit/96d6f948a9259740e29ed47c6ab30976f182b133
Submitter: "Zuul (22348)"
Branch: master

commit 96d6f948a9259740e29ed47c6ab30976f182b133
Author: Alan Bandeira <email address hidden>
Date: Wed Mar 1 00:16:22 2023 -0300

    Update error message for ldapsetpasswd

    Using ldapsetpasswd when changing a password may
    fail due to required password security standards.
    The current error message is vague and provides
    no information about the error causing password
    change to fail. This fix provides a more clear
    error message which informs the user about the
    security requirements for a new password.

    Test Plan:
    PASS: In a simplex system, create a ldap user named
          test and then run "sudo ldapsetpasswd test" and
          provide a password that fails the security
          requirements, such as "linux99", retype the
          provided password and the system should present
          an error message comprising the system's security
          requirements for user passwords.

    PASS: Using the same user created in the previous test
          plan, run the command "sudo ldapsetpasswd test
          <pwd>", changing <pwd> for a bad password, and
          the system should present an error message
          comprising the system's security requirements
          for user passwords.

    Closes-Bug: 2008838
    Change-Id: Ibe942d87bee402e43c42f33e26276f0e078213cb
    Signed-off-by: Alan Bandeira <email address hidden>
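
The difference between a bare failure and an error that names the violated rules, shown as an added example (not the ldapscripts or StarlingX code). The function names are hypothetical, the rule wording is taken from the bug description, and the way "differ by at least 3 characters" is measured is an assumption.

```shell
#!/bin/sh
# Added example; check_password_rules and count_new_chars are hypothetical
# helpers, not part of ldapscripts or the StarlingX fix.

# Count characters of $1 that occur nowhere in $2 (assumed meaning of
# "differ from its previous one by at least 3 characters").
count_new_chars() {
    rest=$1 n=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}
        case $2 in *"$c"*) ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Usage: check_password_rules NEW [OLD]
# Prints one line per violated rule; returns 0 only when none is violated.
check_password_rules() {
    new=$1 old=${2-} failed=0
    fail() { printf '%s\n' "$1"; failed=1; }

    [ "${#new}" -ge 7 ] || fail "must be at least 7 characters long"
    case $new in *[[:lower:]]*) ;; *) fail "must contain at least 1 lower-case character" ;; esac
    case $new in *[[:upper:]]*) ;; *) fail "must contain at least 1 upper-case character" ;; esac
    case $new in *[[:digit:]]*) ;; *) fail "must contain at least 1 numeric character" ;; esac
    case $new in *[![:alnum:]]*) ;; *) fail "must contain at least 1 special character" ;; esac

    if [ -n "$old" ]; then
        if [ "$new" = "$old" ]; then
            fail "cannot reuse the last password"
        elif [ "$(count_new_chars "$new" "$old")" -lt 3 ]; then
            fail "must differ from the previous password by at least 3 characters"
        fi
    fi
    return "$failed"
}

# The three non-compliant passwords tried in the report.
for pw in linux89 LINUXsf 123456; do
    printf '%s:\n' "$pw"
    check_password_rules "$pw" | sed 's/^/  - /'
done
```

Collecting every violation before returning lets the caller print the full list in one pass instead of failing on the first rule.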

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0