Directory ApacheDS - DIRSERVER-1726

DefaultPasswordValidator always throws PasswordPolicyException when consecutive non-letter chars are in RDN

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-M6
    • Fix Version/s: 2.0.0-M8
    • Component/s: None
    • Labels:
      None

      Description

      When adding an entry with a userPassword attribute, and the entry RDN contains two non-letter characters in a row (such as cn=test1@tempuri.com), a CONSTRAINT_VIOLATION error is always received with the message "Password shouldn't contain parts of the username", regardless of what password you enter.

      If you remove the "1" character or the "@" character, the entry is created successfully.

      I believe the issue is caused by the regex expressions used within org.apache.directory.server.core.authn.ppolicy.DefaultPasswordValidator, as the String array of tokens will contain an empty string when two non-letter chars are together ("1@" in this case).

      Full error message is:

      Error while creating entry

        javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : ADD_REQUEST
        Message ID : 240
        Add Request :
        Entry
        dn[n]: cn=test1@tempuri.com,o=unitTest
        objectClass: inetOrgPerson
        objectClass: organizationalPerson
        objectClass: person
        objectClass: top
        sn: Smith
        userPassword: '0x70 0x61 0x73 0x73 0x77 0x6F 0x72 0x64 0x31 0x31 '
        cn: test1@tempuri.com
        : Password shouldn't contain parts of the username]; remaining name 'cn=test1@tempuri.com,o=unitTest'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Unknown Source)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(Unknown Source)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(Unknown Source)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$4.run(JNDIConnectionWrapper.java:658)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.createEntry(JNDIConnectionWrapper.java:704)
        at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:226)
        at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:117)
        at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:113)
        at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)


        Activity

        Emmanuel Lecharny added a comment -

        Good catch! Fixed with http://svn.apache.org/viewvc?rev=1393278&view=rev
        Oldrich Novak added a comment -

        Hi,
        I investigated and found the reason. The split method will return an empty string if there are 2 non-letter characters in the user name, for example john2@google.com. This empty string always matches the password.
        Please fix DefaultPasswordValidator.java method checkUsernameSubstring( String password, String username ).
        Replace: if ( password.matches( "(?i).*" + tokens[ii] + ".*" ) )
        With: if ( tokens[ii].length() >= 3 && password.matches( "(?i).*" + tokens[ii] + ".*" ) )
        The author describes in the method's documentation that tokens should be ignored if they have less than 3 characters, but this is not done anywhere in the code.
        Thank you
        Oldrich Novak added a comment -

        Yep, we found this bug on our project as well.
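        The defect described in the report and in Oldrich Novak's comment can be reproduced outside the server. The class below is an added example written for this page, not ApacheDS code: it re-implements the checkUsernameSubstring logic as the issue describes it (split the username on "[^a-zA-Z]", wrap each token in "(?i).*" ... ".*" and call String.matches) beside a hardened version that skips tokens shorter than three characters and uses a plain case-insensitive substring test instead of building a regex from user data. The class name, the PasswordPolicyException stand-in, the helper names and the three-character minimum are assumptions taken from the issue text, and the sample usernames and passwords are constructed.

```java
import java.util.Arrays;
import java.util.Locale;

/**
 * Added example for DIRSERVER-1726, not ApacheDS code. Reproduces the
 * empty-token defect in checkUsernameSubstring and shows a hardened check.
 * The exception type and the 3-character minimum are assumptions taken from
 * the comments on the issue.
 */
public class UsernameSubstringCheck {

    /** Stand-in for ApacheDS's PasswordPolicyException (assumed name). */
    public static class PasswordPolicyException extends Exception {
        public PasswordPolicyException(String msg) {
            super(msg);
        }
    }

    /** Tokens shorter than this are ignored, as the issue's comments say they should be. */
    static final int MIN_TOKEN_LENGTH = 3;

    /** Buggy variant: every token, including empty ones, is wrapped in ".*" and matched. */
    static void checkUsernameSubstringBuggy(String password, String username)
            throws PasswordPolicyException {
        if (username == null || username.trim().isEmpty()) {
            return;
        }
        // "test1@tempuri.com" splits to ["test", "", "tempuri", "com"]: the "1@" run
        // leaves an empty interior token (Java only drops trailing empty strings).
        String[] tokens = username.split("[^a-zA-Z]");
        for (String token : tokens) {
            // With an empty token the pattern is "(?i).*.*", which matches any password.
            if (password.matches("(?i).*" + token + ".*")) {
                throw new PasswordPolicyException("Password shouldn't contain parts of the username");
            }
        }
    }

    /** Hardened variant: skip short or empty tokens and do not build a regex from user data. */
    static void checkUsernameSubstringFixed(String password, String username)
            throws PasswordPolicyException {
        if (username == null || username.trim().isEmpty()) {
            return;
        }
        String lowerPassword = password.toLowerCase(Locale.ROOT);
        // "+" collapses runs of separators, so no empty interior tokens are produced;
        // a leading separator still yields a leading "", which the length check skips.
        for (String token : username.split("[^a-zA-Z]+")) {
            if (token.length() < MIN_TOKEN_LENGTH) {
                continue; // "" from "1@", or "ab" from "ab.smith", carries no useful signal
            }
            // Plain substring test: case-insensitive, and no regex metacharacters to worry about.
            if (lowerPassword.contains(token.toLowerCase(Locale.ROOT))) {
                throw new PasswordPolicyException("Password shouldn't contain parts of the username");
            }
        }
    }

    /** Returns true when the chosen check rejects the password. */
    static boolean rejects(boolean useFixed, String password, String username) {
        try {
            if (useFixed) {
                checkUsernameSubstringFixed(password, username);
            } else {
                checkUsernameSubstringBuggy(password, username);
            }
            return false;
        } catch (PasswordPolicyException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the RDN value from the issue plus a few variations.
        String[][] cases = {
            { "test1@tempuri.com", "password11" }, // issue's case: buggy rejects, fixed accepts
            { "test@tempuri.com",  "password11" }, // single non-letter: no empty token, both accept
            { "john2@google.com",  "Hunter2"    }, // example from the comments: buggy rejects, fixed accepts
            { "john2@google.com",  "myjohnpass" }, // really contains a username token: both reject
        };
        for (String[] c : cases) {
            String username = c[0];
            String password = c[1];
            System.out.printf("%-20s split -> %s%n", username,
                    Arrays.toString(username.split("[^a-zA-Z]")));
            System.out.printf("  %-12s buggy rejects: %-5b fixed rejects: %b%n",
                    password, rejects(false, password, username), rejects(true, password, username));
        }
    }
}
```

        Compile and run with `javac UsernameSubstringCheck.java && java UsernameSubstringCheck`. Two caveats on the hardened form: the separator class `[^a-zA-Z]` is ASCII-only, so a name such as "rené" contributes only the token "ren", and the three-character minimum means a password containing a one- or two-letter username token passes the check. Both are inherent in the tokenising approach the issue describes, not in the empty-token fix.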

          People

          • Assignee: Unassigned
          • Reporter: Richard Lowden
          • Votes: 0
          • Watchers: 3