Bug 28331 - Samba domain object and password complexity
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UCS 4.0
Hardware/OS: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.0-1-errata
Assigned To: Felix Botner
QA Contact: Stefan Gohmann
Reported: 2012-08-28 07:18 CEST by Stefan Gohmann
Modified: 2015-04-21 09:17 CEST (History)
Description Stefan Gohmann univentionstaff 2012-08-28 07:18:04 CEST
The password complexity attribute should be added to the Samba domain object and also be synchronised by the S4 Connector.
Comment 1 Tim Petersen univentionstaff 2014-11-20 09:56:22 CET
root@master:~# ucr get version/version 

root@master:~# udm settings/sambadomain list

DN: sambaDomainName=DOMAIN,cn=samba,dc=domain,dc=tim
ARG: None
  NextUserRid: 1000
  passwordHistory: 5
  SID: S-1-5-21-3862440394-1098682592-1530949938
  badLockoutAttempts: 1
  NextGroupRid: 1000
  passwordLength: 8
  resetCountMinutes: 2
  minPasswordAge: None
  name: DOMAIN
  lockoutDuration: 30 minutes
  refuseMachinePWChange: None
  NextRid: None
  disconnectTime: 4 seconds
  maxPasswordAge: 10 days
  logonToChangePW: None

Still not stored and synced in 4.0 - would really be nice!
Comment 2 Stefan Gohmann univentionstaff 2015-01-20 20:50:47 CET
Maybe as erratum for 4.0-1.
Comment 3 Felix Botner univentionstaff 2015-04-13 12:58:27 CEST

pwdProperties is a bitfield that indicates complexity and storage restrictions.

 * The password must have a mix of at least two of the following types of
   characters: Uppercase characters, Lowercase characters, Numerals
 * The password cannot be changed without logging on. Otherwise, if your
   password has expired, you can change your password and then log on.
 * Forces the client to use a protocol that does not allow the domain
   controller to get the plaintext password.
 * Allows the built-in administrator account to be locked out from
   network logons.
 * The directory service is storing a plaintext password for all
   users instead of a hash function of the password.
 * Removes the requirement that the machine account password be automatically
   changed every week. This value should not be used as it can weaken security.

LDAP schema:
 * S4
   attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' 
 * AD
   attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' 

ONLY domainPasswordComplex and domainPasswordStoreCleartext have been added here (as samba-tool only knows these two). These two are mapped to the domainPwdProperties UDM attribute (univentionSamba4pwdProperties in LDAP), and this domainPwdProperties is synced to S4.


 * 2015-03-26-univention-ldap.yaml - 
   + added univentionSamba4pwdProperties 
     (integer, single value) attribute to sambaDomain object class,
   + added default (1) to samba domain object in base.ldif

 * 2015-03-27-univention-s4-connector.yaml
   + added sync of domainPwdProperties <-> pwdProperties in 
   + the join script now sets domainPasswordComplex=1 for the UDM
     samba domain object (this is the default in s4) IF 
     connector/s4/allow/secondary is not TRUE (not a ucs@school slave)
   + postinst: set syncmode=write for sambadomain 
     (connector/s4/mapping/dc/syncmode) if connector/s4/allow/secondary 
     is TRUE (ucs@school slave)
   + postinst: for this update, resync sambadomain from s4 to UCS,
     if not connector/s4/allow/secondary (not a ucs@school slave)

 * 2015-03-27-univention-directory-manager-modules.yaml
   + added domainPasswordComplex (UMC, boolean) to sambadomain.py 
   + added domainPasswordStoreCleartext (UMC, boolean) to sambadomain.py 
   + domainPwdProperties (NOT in UMC, used by the connector) to sambadomain.py 

 * update (of all packages) -> complexity should be in sync and 1
 * new installation -> complexity should be in sync and 1
 * sync mode on UCS@school slaves  should be write for 
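The bitfield and the two-boolean mapping described in comment 3, as an added worked example for this page (it is not code from UCS, the S4 Connector or Samba). The bit values and flag names are the ones documented for the AD/Samba 4 pwdProperties attribute; the UDM property names are those named in the comment. The encoding of UDM booleans as the strings "1"/"0", and the helper names, are assumptions made for the example. The point it shows: because the connector syncs the whole integer (domainPwdProperties) rather than just the two UMC checkboxes, bits that UDM does not model survive a round trip when an admin changes only the complexity flag.

```python
"""Encode and decode the Samba 4 / AD pwdProperties bitfield.

Added example, not UCS, S4 Connector or Samba code. Bit values follow the
documented DOMAIN_PASSWORD_* flags of the pwdProperties attribute
(OID 1.2.840.113556.1.4.93 in both schemas). Assumption for the example:
UDM boolean properties are carried as the strings "1" / "0".
"""

# pwdProperties flag bits, in the order the MS documentation lists them.
DOMAIN_PASSWORD_COMPLEX = 0x01          # mix of character classes required
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x02   # must be logged on to change password
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04  # DC must never see the plaintext
DOMAIN_LOCKOUT_ADMINS = 0x08            # built-in admin can be locked out of network logons
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10  # store plaintext instead of hashes
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20    # no automatic weekly machine password change

FLAG_NAMES = {
    DOMAIN_PASSWORD_COMPLEX: "DOMAIN_PASSWORD_COMPLEX",
    DOMAIN_PASSWORD_NO_ANON_CHANGE: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    DOMAIN_LOCKOUT_ADMINS: "DOMAIN_LOCKOUT_ADMINS",
    DOMAIN_PASSWORD_STORE_CLEARTEXT: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    DOMAIN_REFUSE_PASSWORD_CHANGE: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
KNOWN_MASK = sum(FLAG_NAMES)  # 0x3f: every defined bit

# Samba's default for a fresh domain; matches the default of 1 that
# univentionSamba4pwdProperties receives in base.ldif.
SAMBA_DEFAULT = DOMAIN_PASSWORD_COMPLEX

# The two flags samba-tool exposes (--complexity, --store-plaintext) and
# that UDM shows as booleans on settings/sambadomain.
UDM_BOOLEANS = {
    "domainPasswordComplex": DOMAIN_PASSWORD_COMPLEX,
    "domainPasswordStoreCleartext": DOMAIN_PASSWORD_STORE_CLEARTEXT,
}


def decode_pwd_properties(value):
    """Return the names of all defined flags set in value; reject unknown bits."""
    value = int(value)
    unknown = value & ~KNOWN_MASK
    if unknown:
        raise ValueError("pwdProperties has undefined bits: 0x%x" % unknown)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def pwd_properties_to_udm(value):
    """S4 -> UCS direction: derive the two UDM booleans from the integer."""
    value = int(value)
    return {prop: "1" if value & bit else "0" for prop, bit in UDM_BOOLEANS.items()}


def udm_to_pwd_properties(udm_props, current):
    """UCS -> S4 direction: apply the UDM booleans on top of the existing
    pwdProperties value so that bits UDM does not model are left untouched."""
    value = int(current)
    for prop, bit in UDM_BOOLEANS.items():
        flag = udm_props.get(prop)
        if flag is None:
            continue  # not set on the UDM object: keep what S4 has
        if str(flag) in ("1", "True", "true"):
            value |= bit
        else:
            value &= ~bit
    return value


def policy_warnings(value):
    """Checks worth running after a sync: the settings that weaken the domain."""
    value = int(value)
    warnings = []
    if not value & DOMAIN_PASSWORD_COMPLEX:
        warnings.append("password complexity disabled")
    if value & DOMAIN_PASSWORD_STORE_CLEARTEXT:
        warnings.append("passwords stored in cleartext")
    if value & DOMAIN_REFUSE_PASSWORD_CHANGE:
        warnings.append("machine account password rotation disabled")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the S4 side has complexity on plus NO_CLEAR_CHANGE,
    # a bit neither UMC checkbox represents.
    s4_value = DOMAIN_PASSWORD_COMPLEX | DOMAIN_PASSWORD_NO_CLEAR_CHANGE
    print(decode_pwd_properties(s4_value))
    udm = pwd_properties_to_udm(s4_value)
    print(udm)
    # An admin unticks domainPasswordComplex in UMC; the third bit must survive.
    udm["domainPasswordComplex"] = "0"
    new_value = udm_to_pwd_properties(udm, s4_value)
    print(hex(new_value), decode_pwd_properties(new_value), policy_warnings(new_value))
```

Note that with syncmode=write on a UCS@school slave (the postinst change above) only the UCS -> S4 direction runs, so the merge in udm_to_pwd_properties is the one that matters there: a naive rebuild from the two booleans alone would silently clear DOMAIN_PASSWORD_NO_CLEAR_CHANGE and the other bits samba-tool does not expose.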
Comment 4 Felix Botner univentionstaff 2015-04-14 10:28:00 CEST
Removed the domainPasswordComplex default from the join script

-> univention-s4-connector 9.0.16-17.548.201504141005
Comment 5 Stefan Gohmann univentionstaff 2015-04-14 17:37:14 CEST
Test upgrade previously ON: OK

Test upgrade previously OFF: OK

Test new installation: OK

Code review: OK
 - univention-ldap: OK
 - univention-directory-manager: OK
 - univention-s4-connector: OK