Bug 50856 - UDM users/ldap can't handle empty password length in "Passwords" policy
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.4
Other Linux
: P5 normal
: ---
Assigned To: UMC maintainers
:
Depends on:
Blocks:
Reported: 2020-02-26 13:09 CET by Valentin Heidelberger
Modified: 2020-12-18 09:38 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Workaround is available
Max CVSS v3 score:


Description Valentin Heidelberger univentionstaff 2020-02-26 13:09:33 CET
UDM allows you to create a password policy (policies/pwhistory) with an empty password length. This results in UDM being unable to create users of type users/ldap.

UDM should either be able to handle this correctly and create the user nonetheless, or password length having a value should be mandatory.

Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 558, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1242, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 294, in _check_password_complexity
    password_minlength = max(0, pwhistoryPolicy.pwhistoryPasswordLength) or self.password_length
AttributeError: 'object' object has no attribute 'password_length'
Comment 1 Valentin Heidelberger univentionstaff 2020-02-26 14:11:45 CET
Besides UDM allowing users to create password policies with empty password length, it is also possible to not have a password policy at all by simply removing the default reference from the LDAP base:
cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ldap,dc=base
Comment 2 Valentin Heidelberger univentionstaff 2020-02-26 14:19:12 CET
At least join script 35ucs-school-import.inst is affected by this and fails at creating the unprivileged user: https://git.knut.univention.de/univention/ucsschool/-/blob/4.4/ucs-school-import/35ucs-school-import.inst#L84
Comment 3 Erik Damrose univentionstaff 2020-12-17 12:17:46 CET
Workaround: extend the UDM call and add
--set overridePWLength=1
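The following is an added example (not UCS or UDM code) illustrating the failure mode in the traceback from the description, the missing-policy case from comment 1, and the overridePWLength workaround from comment 3. The class names, the default minimum length of 8 and the `override` parameter are assumptions made for this example; the only thing taken from the page is the shape of the expression `max(0, pwhistoryPolicy.pwhistoryPasswordLength) or self.password_length` and the fact that the users/ldap handler has no `password_length` attribute. The example is written for Python 3, so the empty policy value is normalised to 0 before the `max()` call to reach the same `or` branch the Python 2 code on the page reaches.

```python
"""Added example: deriving an effective minimum password length from a
policy whose length attribute may be unset (None or ''), without relying
on an attribute of the user handler. Not UCS/UDM code."""

DEFAULT_PASSWORD_MINLENGTH = 8  # assumed default for this example only


class PwHistoryPolicy:
    """Stand-in for a policies/pwhistory object (constructed for the example).
    UDM stores attribute values as strings, so '' and '12' are realistic."""

    def __init__(self, pwhistoryPasswordLength=None):
        self.pwhistoryPasswordLength = pwhistoryPasswordLength


class LdapUserHandler:
    """Stand-in for the users/ldap handler: deliberately defines no
    password_length attribute, as the AttributeError on the page shows."""

    def minlength_as_on_page(self, policy):
        # Mirrors the expression from the traceback. An empty policy value is
        # normalised to 0 here (Python 3 cannot compare None with int), so
        # max(0, 0) == 0 and evaluation falls through to self.password_length,
        # which this handler does not have -> AttributeError.
        value = policy.pwhistoryPasswordLength or 0
        return max(0, int(value)) or self.password_length


def effective_min_length(policy, default=DEFAULT_PASSWORD_MINLENGTH):
    """Return the minimum length a new password must have.

    Handles a missing policy (comment 1: default reference removed), a policy
    with an empty length (the description), numeric strings, and zero/negative
    values, falling back to `default` in every "no requirement" case. A value
    that is present but not numeric is rejected explicitly instead of
    surfacing as an unrelated error later.
    """
    if policy is None:
        return default
    raw = getattr(policy, "pwhistoryPasswordLength", None)
    if raw in (None, ""):
        return default
    try:
        length = int(raw)
    except (TypeError, ValueError):
        raise ValueError("invalid pwhistoryPasswordLength: %r" % (raw,))
    return length if length > 0 else default


def check_password_length(password, policy, default=DEFAULT_PASSWORD_MINLENGTH, override=False):
    """Length part of a complexity check at user creation time.
    `override=True` plays the role of --set overridePWLength=1 (comment 3)."""
    if override:
        return True
    return len(password) >= effective_min_length(policy, default)


def reproduce_page_failure():
    """Run the page's expression against an empty-length policy and report
    the exception class name (expected: 'AttributeError')."""
    handler = LdapUserHandler()
    try:
        handler.minlength_as_on_page(PwHistoryPolicy(pwhistoryPasswordLength=""))
    except Exception as exc:  # noqa: BLE001 - we want the class name only
        return type(exc).__name__
    return "no error"


if __name__ == "__main__":
    print("page expression with empty length:", reproduce_page_failure())
    print("effective length, empty policy value:", effective_min_length(PwHistoryPolicy("")))
    print("effective length, no policy:", effective_min_length(None))
    print("effective length, '12':", effective_min_length(PwHistoryPolicy("12")))
    print("'short' accepted with override:", check_password_length("short", PwHistoryPolicy(""), override=True))
```

The design choice worth noting: the fallback lives in the policy-evaluation function, not in the user handler, so the same check works for any handler type regardless of which attributes it defines. Treating an empty or zero length as "this policy imposes no minimum" keeps user creation working, which matches the first of the two resolutions the reporter proposes.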