Tuesday, September 22, 2020

[389-users] Re: Clarification on passwordMaxSeqSets


On 9/22/20 2:56 PM, Bryan K. Walton wrote:
I'm looking at the RH documentation for passwordMaxSeqSets, found here:  https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-passwordMaxSeqSets    Their wording seems a little unclear, to me.  
Sorry, I 100% agree...
The paragraph, before the  example states: "If you set the passwordMaxSeqSets parameter to a   value higher than 0, Directory Server rejects passwords with duplicate   monotonic sequences exceeding the length set in the parameter."    But, in their example, they list a password with two sequences of "XYZ".  And they say that setting the value to 2 would prevent that password.  But according to the paragraph before the example, shouldn't it be set  to 1?
Yeah it is worded strangely, but the documentation is sort of correct.  Setting it to "2" means you can NOT have two or more sequence sets that have a length of 2 characters.   I'll open a doc bug to get that clarified this...
    I have passwordMaxSequence set to 3.  Can somebody clarify how  passwordMaxSeqSets should be set to prevent any duplicate sequences?

Setting passwordMaxSeqSets rejects any duplicate sequence, but that sequence length must be the same or higher than the setting.

So i you want to reject duplicate sequences then set passwordMaxSeqSets to the length of sequence you want to check.  For example, if you want to reject duplicate sequences where the sequence length is 4 or higher (e.g. bcde), then you set passwordMaxSeqSets to 4. 

But if you were only concerned about a single sequence, then it's a little different.  If you want to reject a single sequence of 4 characters or more then you set passwordMaxSequence to 3 (as 4 would be exceeding the max).  So it's a bit inconsistent between these two settings :-(

If you still have questions, and you probably do, please let me know.

Mark


    Thanks,  Bryan  _______________________________________________  389-users mailing list -- 389-users@lists.fedoraproject.org  To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  
--     389 Directory Server Development Team

No comments:

Post a Comment