LDAP Password Issue (Using Space!)

[shenlong]

I've got issue with LDAP login as some of my users used space as there password. Upon checking the is_blank function, i found out the trim function removes spaces as well as other ANSI characters by default. So to accept space as password change the trim function to only trim ANSI.
More Info: http://php.net/manual/en/function.trim.php

Go to:
MyProgram\testlink\lib\functions\common.php

function is_blank( $p_var ) {
$p_var = trim( $p_var , "\t\n\r\0\x0B" );
$str_len = strlen( $p_var );
if ( 0 == $str_len ) {
return true;
}
return false;
}

[fman]

Any time I use trim() what I want to do is remove BLANKS as main scope of calling this function.
I'm sorry but this is a change that we will not use on standard code => we have choose to do not not accept empty passwords (as you know is not a good security practice).
And I know also that standard password management on Test Link is very weak => no dictionary control, and more, but at least empty password willbe not allowed.

regards

[shenlong]

I guess you are right. However, in setting Windows password, there's no restriction in preventing users from using SPACE, is there?
Some users uses space at the end of the password to make up the password length. Though it's a matter of practice, using SPACE in the password is not illegal in context and maybe even more secured. But I guess it's up to individual. Maybe testlink can provide an option to allow special characters in the Password Options. =)

[shenlong]

From http://www.symantec.com/connect/article ... word-myths

Myth #8: Passwords Cannot Include Spaces

Although most users do not realize it, both Windows 2000 and Windows XP allow spaces in passwords. In fact, if you can view a character in Windows, you can use that character in a password. Therefore, spaces are perfectly valid password characters. However, due to how some applications trim spaces, it is often best not to begin or end your password with a space.

Spaces can actually make it easier for users to come up with more complex passwords. A space is used between words therefore using spaces may encourage users to use more than one word in their passwords.

An interesting fact I recently discovered in my research is that spaces do not fall into any of the categories for Windows password complexity requirements. It is not a number or letter yet does not count as a symbol either. So while it will make your password more complex, it does nothing to help you pass Windows complexity requirements.

And finally, one drawback with spaces is that the spacebar makes a unique noise when tapped. It is not hard to hear when someone uses a space in their password. So use spaces, but don't overuse spaces.

So, if your users use spaces before or after their alphanumeric password, you have to modify the following:
Under \lib\functions
-ldap_api.php

Code: Select all

	function ldap_authenticate( $p_login_name, $p_password ) 
	{
		# if password is empty and ldap allows anonymous login, then
		# the user will be able to login, hence, we need to check
		# for this special case.
    if ( 0 == strlen( $p_password ) ) {
        return false;
    }

-inputparameter.class.php

Code: Select all

public function trim($value)
... ...
			case tlStringValidationInfo::TRIM_BOTH:
				$value = trim($value, "\t\n\r\0\x0B" ); \\do not trim spaces~!!!!
				break;

Actually, I wanted to try modifying the login.php > function init_args() > set the $iParams = array( "tl_password" => array(tlInputParameter::STRING_N,1,32),
but I wasn't able to catch the exception and put it into the notes part. Shows an ugly page with exception. Maybe someone can enlighten us the catching of exception part. Also, I hate to change the trim global function. So, if we can change only the login.php , it'll be great!