Bug 5163 - Failure to change password in ldap is mapped to NT_STATUS_UNSUCCESSFUL unconditionally
Failure to change password in ldap is mapped to NT_STATUS_UNSUCCESSFUL uncond...
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
3.0.26a
x64 Linux
: P3 enhancement
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
: 6375 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-27 12:03 UTC by Laurent Pinchart
Modified: 2009-05-20 17:37 UTC (History)
1 user (show)

See Also:


Attachments
Return NT_STATUS_PASSWORD_RESTRICTION when ldap password policy check failed (610 bytes, patch)
2007-12-28 05:38 UTC, Laurent Pinchart
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Laurent Pinchart 2007-12-27 12:03:22 UTC
When changing a user password with an ldapsam backend, a failure reported by the LDAP server is mapped to the NT_STATUS_UNSUCCESSFUL error code regardless of the failure cause.

Failures due to password policies violations should be mapped to more meaningful error codes.

[2007/12/27 18:38:53, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user *********: Constraint violation
        Password fails quality checking policy

There seems to be three password-related error codes (NT_STATUS_PWD_TOO_SHORT, NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_HISTORY_CONFLICT). I haven't checked if the LDAP server returns the same error for all 3 cases.
Comment 1 Laurent Pinchart 2007-12-28 05:38:48 UTC
Created attachment 3080 [details]
Return NT_STATUS_PASSWORD_RESTRICTION when ldap password policy check failed
Comment 2 Jeremy Allison 2008-01-02 20:21:14 UTC
Ok, looks good to me. Pushed for 3.0.28a and 3.2.
Thanks !
Jeremy.
Comment 3 Björn Jacke 2009-05-20 17:37:43 UTC
*** Bug 6375 has been marked as a duplicate of this bug. ***