Validation error on short passwords

[dfyx]

I recently had a case where a user had a rather short password (don't ask why. He's been told to change it). When he logged in via devise_ldap_authenticatable, he just got a generic error 500. Digging through the logs revealed that the root cause was a failing validation regarding password length.

I would expect devise_ldap_authenticatable to skip that validation. If the user exists with that password on the ldap server, it should be okay.

[bengsiswantoh]

try setting config.password_length = range1..range2 in devise config

[dfyx]

Yeah, I did that as a workaround but I think devise_ldap_authenticatable should do that by itself.

[littldr]

Got the same problem. Our Ldap password policy diverge in some cases from our application using devise_ldap_authenticatable. But i would like to enforce a more complex password policy for our application independent of the ldap policy (which is not managed by us).

Maybe devise_ldap_authenticatable should show a meaningful error (e.g. 'Password too short' as flash message) instead of a generic 500 page?

[dfyx]

Well, I think the password length should be checked only when creating the account. Currently it throws an error on every login. In my opinion at that point everything that's in the ldap database should be considered correct even if it doesn't match the client's rules for new passwords.