Improve password change error message

User always receives the same error message if he changes his password via "ipa passwd" command and the new password fails configured password policy. He then has to investigate on his own the actual reason why was the policy violated. This patch improves our SLAPI PWD plugins to provide a better error message explaining the violation reason. https://fedorahosted.org/freeipa/ticket/2067
2025-02-25 18:55:28 -06:00 · 2012-02-02 11:55:14 +01:00
parent cf12f3106a
commit f2cc9c8d33
4 changed files with 29 additions and 3 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -461,7 +461,7 @@ parse_req_done:
 	/* check the policy */
 	ret = ipapwd_CheckPolicy(&pwdata);
 	if (ret) {
-		errMesg = "Password Fails to meet minimum strength criteria";
+		errMesg = ipapwd_error2string(ret);
 		if (ret == IPAPWD_POLICY_ERROR) {
 			errMesg = "Internal error";
 			rc = ret;
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -302,7 +302,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)

    ret = ipapwd_CheckPolicy(&pwdop->pwdata);
    if (ret) {
-        errMesg = "Password Fails to meet minimum strength criteria";
+        errMesg = ipapwd_error2string(ret);
        rc = LDAP_CONSTRAINT_VIOLATION;
        goto done;
    }
@@ -750,7 +750,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
    if (has_krb_keys == 0) {
        ret = ipapwd_CheckPolicy(&pwdop->pwdata);
        if (ret) {
-            errMesg = "Password Fails to meet minimum strength criteria";
+            errMesg = ipapwd_error2string(ret);
            rc = LDAP_CONSTRAINT_VIOLATION;
            goto done;
        }
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -538,6 +538,26 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
    return IPAPWD_POLICY_OK;
 }

+char * IPAPWD_ERROR_STRINGS[] = {
+    "Password is OK",
+    "Account expired",
+    "Too soon to change password",
+    "Password is too short",
+    "Password reuse not permitted",
+    "Password is too simple"
+};
+
+char * IPAPWD_ERROR_STRING_GENERAL = "Password does not meet the policy requirements";
+
+char * ipapwd_error2string(enum ipapwd_error err) {
+   if (err < 0 || err > IPAPWD_POLICY_PWD_COMPLEXITY) {
+       /* IPAPWD_POLICY_ERROR or out of boundary, return general error */
+       return IPAPWD_ERROR_STRING_GENERAL;
+   }
+
+   return IPAPWD_ERROR_STRINGS[err];
+}
+
 /**
 * @brief    Generate a new password history using the new password
 *
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,10 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0

+/*
+ * IMPORTANT: please update error string table in ipa_pwd.c if you change this
+ * error code table.
+ */
 enum ipapwd_error {
    IPAPWD_POLICY_ERROR = -1,
    IPAPWD_POLICY_OK = 0,
@@ -55,6 +59,8 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
                        time_t last_pwd_change,
                        char **pwd_history);

+char * ipapwd_error2string(enum ipapwd_error err);
+
 int ipapwd_generate_new_history(char *password,
                                time_t cur_time,
                                int history_length,