Attachment #10905 for bug #52575

(-)a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables (-2 / +2 lines)

Lines 1178-1185 Type=str	Link Here

1178

Categories=service-base

1178

Categories=service-base

1179

1180

[machine/password/length]

1180

[machine/password/length]

1181

Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 20 Zeichen lang.

1181

Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 32 Zeichen lang.

1182

Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 20 characters.

1182

Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 32 characters.

1183

Type=int

1183

Type=int

1184

Categories=service-base

1184

Categories=service-base

1185

(-)a/base/univention-lib/python/misc.py (-1 / +1 lines)

Lines 48-54 def createMachinePassword():	Link Here

"""

"""

	ucr = ConfigRegistry()

	ucr = ConfigRegistry()

	ucr.load()

	ucr.load()

	length = ucr.get('machine/password/length', '20')

	length = ucr.get('machine/password/length', '32')

	compl = ucr.get('machine/password/complexity', 'scn')

	compl = ucr.get('machine/password/complexity', 'scn')

	p = subprocess.Popen(["pwgen", "-1", "-" + compl, length], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

	p = subprocess.Popen(["pwgen", "-1", "-" + compl, length], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

	(stdout, stderr) = p.communicate()

	(stdout, stderr) = p.communicate()

(-)a/base/univention-lib/shell/base.sh (-1 / +1 lines)

Lines 145-151 create_machine_password () {	Link Here

145

	local length compl

145

	local length compl

146

	length="$(/usr/sbin/univention-config-registry get machine/password/length)"

146

	length="$(/usr/sbin/univention-config-registry get machine/password/length)"

147

	compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"

147

	compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"

148

	pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n'

148

	pwgen -1 -"${compl:-scn}" "${length:-32}" | tr -d '\n'

149

150

151

(-)a/base/univention-licence/lib/license_ldap.c (-1 / +1 lines)

Lines 8-14	Link Here

static univention_ldap_parameters_t *lp = NULL;

static univention_ldap_parameters_t *lp = NULL;

#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 60

#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 256

int univention_ldap_set_machine_connection(univention_ldap_parameters_t *lp) {

int univention_ldap_set_machine_connection(univention_ldap_parameters_t *lp) {

	FILE *secret;

	FILE *secret;

	size_t len;

	size_t len;

(-)a/base/univention-policy/lib/ldap.c (-1 / +1 lines)

Lines 107-113 static int sasl_interact(LDAP ld, unsigned flags, void defaults, void *in)	Link Here

107

	return LDAP_SUCCESS;

107

	return LDAP_SUCCESS;

108

109

110

#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27

110

#define _UNIVENTION_LDAP_SECRET_LEN_MAX 256

111

int univention_ldap_set_admin_connection( univention_ldap_parameters_t *lp )

111

int univention_ldap_set_admin_connection( univention_ldap_parameters_t *lp )

112

113

	FILE *secret;

113

	FILE *secret;

(-)a/doc/manual/computers-de.xml (-1 / +1 lines)

Lines 26-32	Link Here

        <para>

        <para>

		  Das Passwort für das Rechnerkonto wird beim Domänenbeitritt automatisch erzeugt und in der

		  Das Passwort für das Rechnerkonto wird beim Domänenbeitritt automatisch erzeugt und in der

		  Datei <filename>/etc/machine.secret</filename> gespeichert. Das Passwort umfasst in der

		  Datei <filename>/etc/machine.secret</filename> gespeichert. Das Passwort umfasst in der

		  Grundeinstellung 20 Zeichen (konfigurierbar über die &ucsUCRV; <envar>machine/password/length</envar>).

		  Grundeinstellung 32 Zeichen (konfigurierbar über die &ucsUCRV; <envar>machine/password/length</envar>).

		  Das Passwort wird in festen Intervallen automatisch

		  Das Passwort wird in festen Intervallen automatisch

		  neu generiert (in der Grundeinstellung 21 Tage, konfigurierbar über die

		  neu generiert (in der Grundeinstellung 21 Tage, konfigurierbar über die

		  &ucsUCRV; <envar>server/password/interval</envar>). Die Passwortrotation kann über die

		  &ucsUCRV; <envar>server/password/interval</envar>). Die Passwortrotation kann über die

(-)a/doc/manual/computers-en.xml (-1 / +1 lines)

Lines 27-33	Link Here

	<para>

	<para>

	  The password for the computer account is generated automatically during the domain join and

	  The password for the computer account is generated automatically during the domain join and

	  saved in the <filename>/etc/machine.secret</filename> file.  By default the

	  saved in the <filename>/etc/machine.secret</filename> file.  By default the

	  password consists of 20 characters (can be configured via the &ucsUCRV;

	  password consists of 32 characters (can be configured via the &ucsUCRV;

	  <envar>machine/password/length</envar>). The password is regenerated

	  <envar>machine/password/length</envar>). The password is regenerated

	  automatically at fixed intervals (default setting: 21 days; can be configured using the

	  automatically at fixed intervals (default setting: 21 days; can be configured using the

	  &ucsUCRV; <envar>server/password/interval</envar>). Password rotation can also be disabled

	  &ucsUCRV; <envar>server/password/interval</envar>). Password rotation can also be disabled

(-)a/management/univention-appcenter/scripts/joinscripthelper.sh (-1 / +2 lines)

Lines 40-47 CONTAINER=$(ucr get "$ucr_container_key")	Link Here

joinscript_add_simple_app_system_user () {

joinscript_add_simple_app_system_user () {

	local password

	local password

	local pwdfile

	local pwdfile

	eval "$(ucr shell machine/password/length)"

	password="$(makepasswd)"

	password="$(makepasswd --chars=${machine_password_length:-32})"

	pwdfile="/etc/$APP.secret"

	pwdfile="/etc/$APP.secret"

	joinscript_run_in_container touch "$pwdfile"

	joinscript_run_in_container touch "$pwdfile"

	joinscript_run_in_container chmod 600 "$pwdfile"

	joinscript_run_in_container chmod 600 "$pwdfile"

(-)a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst (-1 / +1 lines)

Lines 60-66 if [ "$server_role" = "domaincontroller_master" -o "$server_role" = "domaincontr	Link Here

	DB_SECRET_FILE="/etc/self-service-db.secret"

	DB_SECRET_FILE="/etc/self-service-db.secret"

	if [ ! -f $DB_SECRET_FILE ]; then

	if [ ! -f $DB_SECRET_FILE ]; then

		echo "Generating new DB password..."

		echo "Generating new DB password..."

		selfservice_pwd="$(makepasswd --chars 20)"

		selfservice_pwd="$(makepasswd --chars=${machine_password_length:-32})"

		touch "$DB_SECRET_FILE"

		touch "$DB_SECRET_FILE"

		chown root:root "$DB_SECRET_FILE"

		chown root:root "$DB_SECRET_FILE"

		chmod 600 "$DB_SECRET_FILE"

		chmod 600 "$DB_SECRET_FILE"

(-)a/saml/univention-saml/91univention-saml.inst (-1 / +1 lines)

Lines 134-140 if [ "$server_role" = "domaincontroller_master" ]; then	Link Here

134

	# Only set password if sys-idp-user does not exist

134

	# Only set password if sys-idp-user does not exist

135

	username=$(ucs_getAttrOfDN uid uid=sys-idp-user,cn=users,"$ldap_base" "$@" 2>/dev/null)

135

	username=$(ucs_getAttrOfDN uid uid=sys-idp-user,cn=users,"$ldap_base" "$@" 2>/dev/null)

136

	if [ ! "$username" = "sys-idp-user" ]; then

136

	if [ ! "$username" = "sys-idp-user" ]; then

137

		PASSWORD=$(makepasswd --chars=20)

137

		PASSWORD=$(makepasswd --chars=${machine_password_length:-32})

138

		touch "$SECRETFILE"

138

		touch "$SECRETFILE"

139

		chown root:"DC Backup Hosts" "$SECRETFILE"

139

		chown root:"DC Backup Hosts" "$SECRETFILE"

140

		chmod 640 "$SECRETFILE"

140

		chmod 640 "$SECRETFILE"

(-)a/services/univention-mariadb/debian/univention-mariadb.postinst (-1 / +2 lines)

Lines 39-48 test_mysql_access() {	Link Here

create_mysql_secret_if_not_exists () {

create_mysql_secret_if_not_exists () {

	if [ ! -e /etc/mysql.secret ]; then

	if [ ! -e /etc/mysql.secret ]; then

		eval "$(ucr shell machine/password/length 2>/dev/null || /bin/true)"

		touch /etc/mysql.secret

		touch /etc/mysql.secret

		chmod 600 /etc/mysql.secret

		chmod 600 /etc/mysql.secret

		chown root /etc/mysql.secret

		chown root /etc/mysql.secret

		makepasswd --nocrypt --chars=20 >> /etc/mysql.secret

		makepasswd --nocrypt --chars=${machine_password_length:-32} >> /etc/mysql.secret

fi

fi

Return to bug 52575