Univention Bugzilla – Bug 50856
UDM users/ldap can't handle empty password length in "Passwords" policy
Last modified: 2020-12-18 09:38:34 CET
UDM allows you to create a password policy (policies/pwhistory) with an empty password length. This results in UDM being unable to create users of type users/ldap. UDM should either be able to handle this correctly and create the user nonetheless, or password length having a value should be mandatory.
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 558, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1242, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 294, in _check_password_complexity
    password_minlength = max(0, pwhistoryPolicy.pwhistoryPasswordLength) or self.password_length
AttributeError: 'object' object has no attribute 'password_length'
Besides UDM allowing users to create password policies with empty password length, it is also possible to not have a password policy at all by simply removing the default reference from the LDAP base: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ldap,dc=base
At least join script 35ucs-school-import.inst is affected by this and fails at creating the unprivileged user: https://git.knut.univention.de/univention/ucsschool/-/blob/4.4/ucs-school-import/35ucs-school-import.inst#L84
Workaround: extend the UDM call and add --set overridePWLength=1
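The failure in the traceback, handled defensively, as an added example that is not UDM code and not part of the bug report. The names resolve_min_length, password_long_enough and PolicyError, the fallback of 8, and the reading that overridePWLength skips the length check are all assumptions; the `max(0, ...) or fallback` shape is kept from the line in the traceback.

```python
# Added illustration: hypothetical helpers, not UDM's own code or API.
FALLBACK_MIN_LENGTH = 8  # assumed default for this example, not taken from UCS


class PolicyError(ValueError):
    """A password policy attribute holds a value that cannot be used."""


def resolve_min_length(policy, fallback=FALLBACK_MIN_LENGTH):
    """Return the effective minimum password length.

    policy: dict of policy attributes, or None when no pwhistory policy
    is referenced at all (the second case described in the report).
    """
    if policy is None:
        return fallback
    raw = policy.get("pwhistoryPasswordLength")
    if raw is None or str(raw).strip() == "":
        return fallback  # empty length: the case from the traceback
    try:
        value = int(raw)
    except (TypeError, ValueError):
        # Fail with a clear policy error instead of an AttributeError.
        raise PolicyError("invalid pwhistoryPasswordLength: %r" % (raw,))
    # Same shape as the line in the traceback, with a defined fallback.
    return max(0, value) or fallback


def password_long_enough(password, policy, override_length=False):
    """Length check only; override_length models overridePWLength=1."""
    if override_length:
        return True  # assumption: the override skips the length check
    return len(password) >= resolve_min_length(policy)


if __name__ == "__main__":
    # Constructed sample policies, not real directory data.
    samples = [None, {}, {"pwhistoryPasswordLength": ""},
               {"pwhistoryPasswordLength": "12"}]
    for sample in samples:
        print(sample, "->", resolve_min_length(sample))
```

Under that assumption about the override, the workaround trades the crash for an account whose password length is not checked at creation.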