Bug 5163 - Failure to change password in ldap is mapped to NT_STATUS_UNSUCCESSFUL unconditionally
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.26a
Hardware: x64 Linux
Importance: P3 enhancement
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Duplicates: 6375

Reported: 2007-12-27 12:03 UTC by Laurent Pinchart
Modified: 2009-05-20 17:37 UTC

Attachments
Return NT_STATUS_PASSWORD_RESTRICTION when ldap password policy check failed (610 bytes, patch)
2007-12-28 05:38 UTC, Laurent Pinchart

Description Laurent Pinchart 2007-12-27 12:03:22 UTC
When changing a user password with an ldapsam backend, a failure reported by the LDAP server is mapped to the NT_STATUS_UNSUCCESSFUL error code regardless of the failure cause.

Failures due to password policy violations should be mapped to more meaningful error codes.

[2007/12/27 18:38:53, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user *********: Constraint violation
        Password fails quality checking policy

There seem to be three password-related error codes (NT_STATUS_PWD_TOO_SHORT, NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_HISTORY_CONFLICT). I haven't checked if the LDAP server returns the same error for all 3 cases.
Comment 1 Laurent Pinchart 2007-12-28 05:38:48 UTC
Created attachment 3080
Return NT_STATUS_PASSWORD_RESTRICTION when ldap password policy check failed
Comment 2 Jeremy Allison 2008-01-02 20:21:14 UTC
Ok, looks good to me. Pushed for 3.0.28a and 3.2.
Thanks!
Jeremy.
Comment 3 Björn Jacke 2009-05-20 17:37:43 UTC
*** Bug 6375 has been marked as a duplicate of this bug. ***