Bug 47884 - Password security policy can be surpassed with password self-service
Status: NEW
Product: UCS manual
Classification: Unclassified
Component: User management
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Docu maintainers
QA Contact: UMC maintainers
URL: https://help.univention.com/t/change-...
Depends on: 47883
Blocks:
Reported: 2018-09-28 15:38 CEST by Nico Gulden
Modified: 2018-09-28 15:39 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.051
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:

Description, Nico Gulden, 2018-09-28 15:38:11 CEST
The documentation should be more clear on the limits of the password self service.

Taken from https://help.univention.com/t/change-password-self-service-component-password-check-not-working-correctly/9767/2

* It does mention that there are two authorities that use different sets of configuration options. That’s good.

* It does not explicitly list which method of changing passwords involves which method (from the top of my head: UMC admin modules for managing users; UMC user module for changing own password; password self-service app; Windows clients; passwd tool on the command line; kpasswd tool on the command line; slappasswd tool on the command line; directly via LDAP calls on the OpenLDAP server; directly via LDAP calls on the Samba4 LDAP…).

* It does not list all the ways those settings can be affected (again from the top of my head: UCR variables; Samba4 domain object in OpenLDAP; samba-tool domain passwordsettings …; group policies…) and how they interact.


+++ This bug was initially created as a clone of Bug #47883 +++

Resetting the password via password self service does not use the password policy. Please see https://help.univention.com/t/change-password-self-service-component-password-check-not-working-correctly/9767