PWM v2.0.6 baaefbe7: Error, password.RandomPasswordGenerator, Generator does not match policy

[sven-probst]

the password-generator in the helpdesk-module does not match the password-policy:

2023-06-02T07:31:00Z, DEBUG, password.PasswordUtility, {vDFFt,admin} merged user password policy of 'CN=xxxxx' with PWM configured policy: PwmPasswordPolicy: {"policyMap":{"chai.pwrule.repeat.max":"0","chai.pwrule.changeMessage":"","chai.pwrule.upper.min":"0","chai.pwrule.allowUserChange":"true"
,"chai.pwrule.disallowedValues":"password\ntest","password.policy.disallowCurrent":"true","chai.pwrule.allowAdminChange":"true","chai.pwrule.uniqueRequired":"false","passwor
d.policy.allowNonAlpha":"true","chai.pwrule.unique.max":"0","chai.pwrule.special.max":"0","chai.pwrule.enforceAtLogin":"false","password.policy.charGroup.regExValues":".*[0-
9]\n.*[^A-Za-z0-9]\n.*[A-Z]\n.*[a-z]","chai.pwrule.policyEnabled":"true","chai.pwrule.lower.max":"0","password.policy.checkWordlist":"true","chai.pwrule.upper.max":"0","chai.pwrule.unique.min":"0","chai.pwrule.length.min":"25","password.policy.maximumAlpha":"0","chai.pwrule.numeric.allow":"true","password.policy.minimumNonAlpha":"0","chai.pwrule.challengeResponseEnabled":"false","password.policy.regExMatch":"","chai.pwrule.length.max":"64","password.policy.ADComplexityLevel":"AD2008","password.policy.minimumStrength":"0","chai.pwrule.disallowedAttributes":"givenName\ncn\nsn","password.policy.charGroup.minimumMatch":"0","chai.pwrule.sequentialRepeat.max":"0","password.policy.minimumAlpha":"0","chai.pwrule.lower.min":"0","password.policy.allowMacroInRegexSetting":"true","chai.pwrule.numeric.allowLast":"true","chai.pwrule.numeric.allowFirst":"true","chai.pwrule.special.allow":"true","chai.pwrule.expirationInterval":"0","chai.pwrule.special.min":"0","password.policy.maximumNonAlpha":"0","chai.pwrule.numeric.max":"0","chai.pwrule.ADComplexityMaxViolation":"2","chai.pwrule.numeric.min":"0","chai.pwrule.special.allowFirst":"true","chai.pwrule.special.allowLast":"true","password.policy.maximumConsecutive":"0","chai.pwrule.caseSensitive":"true","chai.pwrule.lifetime.minimum":"0","password.policy.regExNoMatch":""}} [xxx.xxx.xxx.xxx]
2023-06-02T07:31:00Z, TRACE, password.PasswordUtility, {vDFFt,admin} readPasswordPolicyForUser completed (7ms) [xxx.xxx.xxx.xxx]
2023-06-02T07:31:00Z, ERROR, password.RandomPasswordGenerator, {vDFFt,admin} failed random password generation after 38ms after 2000 tries. (errors=6, judgeLevel=37 [xxx.xxx.xxx.xxx]

Policy is evaluated correct to:

"chai.pwrule.length.min":"25"
"chai.pwrule.length.max":"64"

but the generator only show passwords with less than 16 characters.

According to comment in https://groups.google.com/g/pwm-general/c/xRI4ruayckM this is not only related to the helpdesk-module.

[jrivard]

@sven-probst if your able to test either the v2_0 and/or master branch updates with your config that would be helpful.

[sven-probst]

ok, this looks much better, thank you! The table in v2.1.0-SNAPSHOT contains only passwords that match the policy. By the way, is it possible to extract Microsoft FGPP (Fine Grained Password Policies) from the AD to use this direct in PWM? Now we have to "copy" the policies in AD to pwm-policies.