Description Florian Best 2019-02-14 20:45:25 CET

We've a patched heimdal kpasswdd which calls univention.admin.password.change().

Quoting from svn/patches/heimdal/4.2-0-0-ucs/1.6~rc2+dfsg-9-errata4.2-1/0001-password_sync.quilt:

+    call = PyEval_CallObject(lib_password_change, args);
+
+    if (call == NULL) {
+    »  PyErr_Fetch(&errobj, &errdata, &errtraceback);
+    »  pystring = PyObject_Str(errobj);
+    »  if ( PyString_Check(pystring) ) {
+    »  »   const char *err = PyString_AsString(pystring);
+    »  »   ucs_error = 1;
+
+    »  »   if( !strcmp(err, "<class 'univention.admin.uexceptions.pwalreadyused'>")) {
+    »  »   »   krb5_warnx (context, "%s", err);
+    »  »   »   reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR, "Password already used");
+    »  »   } else if( !strcmp(err, "<class 'univention.admin.uexceptions.pwToShort'>")) {
+    »  »   »   krb5_warnx (context,"%s",  err);
+    »  »   »   reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR, "Password is too short");
+    »  »   } else if( !strcmp(err, "<class 'univention.admin.uexceptions.pwQuality'>")) {
+    »  »   »   krb5_warnx (context, "%s", err);
+    »  »   »   reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR, "The passwort didn't pass quality check");
+    »  »   } else {
+    »  »   »   /*
+    »  »   »    * Ignore all other errors, for example the user is not
+    »  »   »    * a valid UCS user.
+    »  »   »    */
+    »  »   »   ucs_error = -1;
+    »  »   }
+    »  }


The "else { Ignore all other errors }" block should create a log message with the "err" string!