Update error message for ldapsetpasswd

Using ldapsetpasswd when changing a password may fail due to required password security standards. The current error message is vague and provides no information about the error causing password change to fail. This fix provides a more clear error message which informs the user about the security requirements for a new password. Test Plan: PASS: In a simplex system, create a ldap user named test and then run "sudo ldapsetpasswd test" and provide a password that fails the security requirements, such as "linux99", retype the provided password and the system should present an error message comprising the system's security requirements for user passwords. PASS: Using the same user created in the previous test plan, run the command "sudo ldapsetpasswd test <pwd>", changing <pwd> for a bad password, and the system should present an error message comprising the system's security requirements for user passwords. Closes-Bug: 2008838 Change-Id: Ibe942d87bee402e43c42f33e26276f0e078213cb Signed-off-by: Alan Bandeira <Alan.PortelaBandeira@windriver.com>
2023-03-01 00:16:22 -03:00 · 2023-03-01 00:16:22 -03:00 · 96d6f948a9
parent e02268a95d
commit 96d6f948a9
2 changed files with 56 additions and 0 deletions
--- a/ldap/ldapscripts/debian/patches/0001-Update-ldapsetpasswd-error-message.patch
+++ b/ldap/ldapscripts/debian/patches/0001-Update-ldapsetpasswd-error-message.patch
@ -0,0 +1,55 @@
+From 45fa2de1f17dd421ac34f3485162b59c981f057c Mon Sep 17 00:00:00 2001
+From: Alan Bandeira <Alan.PortelaBandeira@windriver.com>
+Date: Tue, 28 Mar 2023 12:16:32 -0300
+Subject: [PATCH] Update ldapsetpasswd error message
+
+Signed-off-by: Alan Bandeira <Alan.PortelaBandeira@windriver.com>
+---
+ sbin/ldapsetpasswd | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/sbin/ldapsetpasswd b/sbin/ldapsetpasswd
+index 4cde4d7..452ed0c 100755
+--- a/sbin/ldapsetpasswd
+++ b/sbin/ldapsetpasswd
+@@ -19,6 +19,21 @@
+ #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+ #  USA.
+ 
+# Password creation rules message
+_BADPASSWDMESSAGE=$(cat << EOF
+BAD PASSWORD!
+Password must comply with the following rules:
+* The password must be at least 7 characters long
+* You cannot reuse the last password in history
+* Every password must differ from its previous one by at least 3 characters
+* The password must contain:
+  - at least 1 lower-case character
+  - at least 1 upper-case character
+  - at least 1 numeric character
+  - at least 1 special character
+EOF
+)
+
+ if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]
+ then
+   echo "Usage : $0 <username | uid> [encoded password]"
+@@ -41,13 +56,13 @@ then
+   [ -z "$_PASSWORD" ] && end_die "Invalid password, please try again"
+   # Change user's password
+   _changepassword "$_PASSWORD" "$_ENTRY"
+-  [ $? -eq 0 ] || end_die "Error setting password for user $_ENTRY"
+  [ $? -eq 0 ] || end_die "${_BADPASSWDMESSAGE}"
+   end_ok "Successfully set password for user $_ENTRY"
+ else # Have to use the *encoded* password given on the command line
+   # Use LDIF info to modify the password
+   _PASSWORD="$2"
+   _extractldif 2 | _filterldif | _utf8encode | _ldapmodify
+-  [ $? -eq 0 ] || end_die "Error setting encoded password for user $_ENTRY"
+  [ $? -eq 0 ] || end_die "${_BADPASSWDMESSAGE}"
+   end_ok "Successfully set encoded password for user $_ENTRY"
+ fi
+ 
+-- 
+2.25.1
+
--- a/ldap/ldapscripts/debian/patches/series
+++ b/ldap/ldapscripts/debian/patches/series
@ -6,3 +6,4 @@ allow-anonymous-bind-for-ldap-search.patch
 ldapscripts-templates.patch
 install-ldapscripts-files-to-etc.patch
 0001-Reset-password-after-user-is-added.patch
+0001-Update-ldapsetpasswd-error-message.patch