Univention Bugzilla – Bug 28331
Samba Domänen Objekt und Password complexity
Last modified: 2015-04-21 09:17:59 CEST
The password complexity attribute should be added to the Samba domain object and also be synchronized by the S4 connector.
root@master:~# ucr get version/version
4.0
root@master:~# udm settings/sambadomain list
DN: sambaDomainName=DOMAIN,cn=samba,dc=domain,dc=tim
ARG: None
  NextUserRid: 1000
  passwordHistory: 5
  SID: S-1-5-21-3862440394-1098682592-1530949938
  badLockoutAttempts: 1
  NextGroupRid: 1000
  passwordLength: 8
  resetCountMinutes: 2
  minPasswordAge: None
  name: DOMAIN
  lockoutDuration: 30 minutes
  refuseMachinePWChange: None
  NextRid: None
  disconnectTime: 4 seconds
  maxPasswordAge: 10 days
  logonToChangePW: None

Still not stored and synched in 4.0 - would really be nice!
Maybe as erratum for 4.0-1.
http://ldapwiki.willeke.com/wiki/PwdProperties

pwdProperties is a bitfield to indicate complexity and storage restrictions.

Description:
* DOMAIN_PASSWORD_COMPLEX 0x00000001L
  The password must have a mix of at least two of the following types of characters:
  - Uppercase characters
  - Lowercase characters
  - Numerals
* DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L
  The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.
* DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L
  Forces the client to use a protocol that does not allow the domain controller to get the plaintext password.
* DOMAIN_LOCKOUT_ADMINS 0x00000008L
  Allows the built-in administrator account to be locked out from network logons.
* DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L
  The directory service is storing a plaintext password for all users instead of a hash function of the password.
* DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L
  Removes the requirement that the machine account password be automatically changed every week. This value should not be used as it can weaken security.

LDAP schema:
* S4 attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
* AD attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )

ONLY domainPasswordComplex and domainPasswordStoreCleartext have been added here (as samba-tool only knows these two). These two are mapped to the domainPwdProperties UDM attribute (univentionSamba4pwdProperties in LDAP). And this domainPwdProperties is synced to S4.
YAML:
* 2015-03-26-univention-ldap.yaml
  + added univentionSamba4pwdProperties (integer, single value) attribute to sambaDomain object class
  + added default (1) to samba domain object in base.ldif
* 2015-03-27-univention-s4-connector.yaml
  + added sync of domainPwdProperties <-> pwdProperties in univention/s4connector/s4/dc.py
  + the join script now sets domainPasswordComplex=1 for the UDM samba domain object (this is the default in s4) IF connector/s4/allow/secondary is not TRUE (not a ucs@school slave)
  + postinst: set syncmode=write for sambadomain (connector/s4/mapping/dc/syncmode) if connector/s4/allow/secondary is TRUE (ucs@school slave)
  + postinst: for this update, resync sambadomain from s4 to UCS, if not connector/s4/allow/secondary (not a ucs@school slave)
* 2015-03-27-univention-directory-manager-modules.yaml
  + added domainPasswordComplex (UMC, boolean) to sambadomain.py
  + added domainPasswordStoreCleartext (UMC, boolean) to sambadomain.py
  + domainPwdProperties (NOT in UMC, used by the connector) to sambadomain.py

Tests:
* update (of all packages) -> complexity should be in sync and 1
* new installation -> complexity should be in sync and 1
* sync mode on UCS@school slaves should be write for connector/s4/mapping/dc/syncmode
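The mapping the two comments above describe, as an added example that is not Univention's code: the pwdProperties bit values from the quoted ldapwiki description are decoded into the two UDM booleans the connector maps (domainPasswordComplex, domainPasswordStoreCleartext) and encoded back without clobbering bits UDM does not model. Function names and the dict representation are assumptions, not the UDM module's or dc.py's API.

```python
# Added example (not Univention's code): encode/decode the pwdProperties bitfield
# described above into the two UDM booleans the S4 connector maps. Function
# names and the dict representation are assumptions, not the UDM module's API.

# Bit values from the quoted description (the L suffix there is C notation).
FLAGS = [
    ("DOMAIN_PASSWORD_COMPLEX", 0x01),
    ("DOMAIN_PASSWORD_NO_ANON_CHANGE", 0x02),
    ("DOMAIN_PASSWORD_NO_CLEAR_CHANGE", 0x04),
    ("DOMAIN_LOCKOUT_ADMINS", 0x08),
    ("DOMAIN_PASSWORD_STORE_CLEARTEXT", 0x10),
    ("DOMAIN_REFUSE_PASSWORD_CHANGE", 0x20),
]
BIT = dict(FLAGS)

# Only these two bits have a UDM boolean; all other bits must survive a round trip.
UDM_BITS = {
    "domainPasswordComplex": BIT["DOMAIN_PASSWORD_COMPLEX"],
    "domainPasswordStoreCleartext": BIT["DOMAIN_PASSWORD_STORE_CLEARTEXT"],
}

# Flags the quoted description itself says weaken security.
WEAK = ("DOMAIN_PASSWORD_STORE_CLEARTEXT", "DOMAIN_REFUSE_PASSWORD_CHANGE")


def pwd_properties_to_udm(value):
    """Decode pwdProperties (int, or str as LDAP returns it) into UDM booleans."""
    bits = int(value)
    return {name: bool(bits & bit) for name, bit in UDM_BITS.items()}


def udm_to_pwd_properties(props, current=0):
    """Encode UDM booleans into pwdProperties, preserving bits UDM does not model."""
    bits = int(current)
    for name, bit in UDM_BITS.items():
        bits = (bits | bit) if props.get(name) else (bits & ~bit)
    return bits


def set_flag_names(value):
    """Names of all flags set in a pwdProperties value, lowest bit first."""
    return [name for name, bit in FLAGS if int(value) & bit]


def weak_flags(value):
    """Security-weakening flags present, e.g. for a post-sync sanity check."""
    return [name for name in set_flag_names(value) if name in WEAK]
```

With the UCS default of 1 only DOMAIN_PASSWORD_COMPLEX is set and weak_flags() is empty; a value synced from S4 that carries 0x10 or 0x20 shows up there and is worth a look.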
Removed the domainPasswordComplex default from the join script -> univention-s4-connector 9.0.16-17.548.201504141005
Test upgrade previously ON: OK
Test upgrade previously OFF: OK
Test new installation: OK
Code review: OK
- univention-ldap: OK
- univention-directory-manager: OK
- univention-s4-connector: OK
YAML: OK
<http://errata.univention.de/ucs/4.0/153.html> <http://errata.univention.de/ucs/4.0/154.html> <http://errata.univention.de/ucs/4.0/160.html>