https://bugs.openldap.org/show_bug.cgi?id=9523
Issue ID: 9523
Summary: In OpenLDAP, the password length check counts accented characters (UTF-8) as two characters instead of one
Product: OpenLDAP
Version: 2.4.40
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: anand.b.krishnamohan@gmail.com
Target Milestone: ---
In OpenLDAP, the password length check counts accented characters (e.g. è, which has a UTF-8 encoding of 0xC3 0xA8) as two characters instead of one. As a result, if users enter accented characters, they can create passwords that are shorter than the minimum length specified in the password policy.
We tested it directly in Apache Directory Studio and got the same result. Is this a bug, or is there any setting in LDAP which makes sure the encoding is happening in UTF-16?
Steps to reproduce:
1. Access the LDAP in Apache Directory Studio
2. Have the password policy to accept more than 8 characters
3. Try to update the password for a user to "àbcdefg" (7 characters)
Expected result: Fails with the error password length should be greater than 8
Actual result: It accepts the password
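The discrepancy reported above, as an added example that is not part of the thread and not OpenLDAP code: it contrasts a byte-length check with a validating UTF-8 code-point count for the reporter's password. The function names are hypothetical, and the byte-length comparison is assumed from the behaviour the report describes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the report's password "àbcdefg", with à as 0xC3 0xA0. */
static const char SAMPLE_PW[] = "\xC3\xA0" "bcdefg";

/* Smallest code point allowed for a sequence with 0..3 trail bytes. */
static const unsigned long MIN_CP[] = { 0, 0x80, 0x800, 0x10000 };

/* Count code points in a NUL-terminated UTF-8 string; -1 if malformed. */
long utf8_codepoints(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    long n = 0;
    while (*p) {
        unsigned long cp;
        int trail;
        if (*p < 0x80)                { cp = *p;        trail = 0; }
        else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; trail = 1; }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; trail = 2; }
        else if ((*p & 0xF8) == 0xF0) { cp = *p & 0x07; trail = 3; }
        else return -1;                 /* stray trail byte or invalid lead */
        p++;
        for (int i = 0; i < trail; i++, p++) {
            if ((*p & 0xC0) != 0x80) return -1;  /* truncated sequence */
            cp = (cp << 6) | (*p & 0x3F);
        }
        /* Reject overlong forms, surrogates and values past U+10FFFF. */
        if (cp < MIN_CP[trail] || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return -1;
        n++;
    }
    return n;
}

/* Hypothetical minimum-length checks (names are illustrative, not OpenLDAP's). */
int meets_min_bytes(const char *pw, size_t min_len) { return strlen(pw) >= min_len; }

int meets_min_chars(const char *pw, size_t min_len)
{
    long n = utf8_codepoints(pw);
    return n >= 0 && (size_t)n >= min_len;
}

int main(void)
{
    printf("bytes=%zu code points=%ld\n", strlen(SAMPLE_PW), utf8_codepoints(SAMPLE_PW));
    printf("min 8 by bytes: %d, by code points: %d\n",
           meets_min_bytes(SAMPLE_PW, 8), meets_min_chars(SAMPLE_PW, 8));
    return 0;
}
```

A decomposed "à" (a followed by U+0300) counts as two code points, so a client that wants the count to match what the user typed should normalize the password to NFC before counting.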
Quanah Gibson-Mount quanah@openldap.org changed:
What     |Removed |Added
----------------------------------------------------------------------------
Component|slapd   |overlays
Howard Chu hyc@openldap.org changed:
What      |Removed     |Added
----------------------------------------------------------------------------
Resolution|---         |DUPLICATE
Status    |UNCONFIRMED |RESOLVED
--- Comment #2 from Howard Chu hyc@openldap.org ---
*** This issue has been marked as a duplicate of issue 7259 ***
--- Comment #3 from anand.b.krishnamohan@gmail.com ---
Will the bug fix be backported to 2.4.x release? The 7259 issue ticket mentions the target fix release as 2.5.2, but there is no such release in the download section and the latest is 2.5.3 which is in beta testing.
Quanah Gibson-Mount quanah@openldap.org changed:
What  |Removed  |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to anand.b.krishnamohan from comment #3)
> Will the bug fix be backported to 2.4.x release? The 7259 issue ticket mentions the target fix release as 2.5.2, but there is no such release in the download section and the latest is 2.5.3 which is in beta testing.
It was a documentation fix. No, it will not be backported. The 2.5.2 release is not listed because it has been superseded by 2.5.3. However, if you follow the links on the download site to the historical section, you can still find the 2.5.2 release. Not much point though.
You can see the 2.5 version of the man page at:
https://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&...
specifically read the sections on "pwdMinLength" and "pwdMaxLength"