Bug 28331 - Samba Domänen Objekt und Password complexity
Samba Domänen Objekt und Password complexity
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.0
Other Linux
: P5 enhancement (vote)
: UCS 4.0-1-errata
Assigned To: Felix Botner
Stefan Gohmann
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-28 07:18 CEST by Stefan Gohmann
Modified: 2015-04-21 09:17 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2012-08-28 07:18:04 CEST
Das Attribut Passwort complexity sollte zum Samba Domänen Objekt hinzugefügt werden und auch im S4 Connector synchronisiert werden.
Comment 1 Tim Petersen univentionstaff 2014-11-20 09:56:22 CET
root@master:~# ucr get version/version 
4.0

root@master:~# udm settings/sambadomain list

DN: sambaDomainName=DOMAIN,cn=samba,dc=domain,dc=tim
ARG: None
  NextUserRid: 1000
  passwordHistory: 5
  SID: S-1-5-21-3862440394-1098682592-1530949938
  badLockoutAttempts: 1
  NextGroupRid: 1000
  passwordLength: 8
  resetCountMinutes: 2
  minPasswordAge: None
  name: DOMAIN
  lockoutDuration: 30 minutes
  refuseMachinePWChange: None
  NextRid: None
  disconnectTime: 4 seconds
  maxPasswordAge: 10 days
  logonToChangePW: None


Still not stored and synched in 4.0 - would really be nice!
Comment 2 Stefan Gohmann univentionstaff 2015-01-20 20:50:47 CET
Maybe as erratum for 4.0-1.
Comment 3 Felix Botner univentionstaff 2015-04-13 12:58:27 CEST
http://ldapwiki.willeke.com/wiki/PwdProperties

pwdProperties is bitfield to indicate complexity and storage restrictions.

Description:
 * DOMAIN_PASSWORD_COMPLEX 0x00000001L 
   The password must have a mix of at least two of the following types of 
   characters: Uppercase characters Lowercase characters Numerals
 * DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L
   The password cannot be changed without logging on. Otherwise, if your 
   password has expired, you can change your password and then log on.
 * DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L
   Forces the client to use a protocol that does not allow the domain 
   controller to get the plaintext password.
 * DOMAIN_LOCKOUT_ADMINS 0x00000008L
   Allows the built-in administrator account to be locked out from 
   network logons.
 * DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L
   The directory service is storing a plaintext password for all 
   users instead of a hash function of the password.
 * DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L
   Removes the requirement that the machine account password be automatically 
   changed every week. This value should not be used as it can weaken security.

LDAP schema:
 * S4
   attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' 
   SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
 * AD
   attributeTypes: ( 1.2.840.113556.1.4.93 NAME 'pwdProperties' 
   SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )


ONLY domainPasswordComplex and domainPasswordStoreCleartext have been added here (as samba-tool only knows these two). These two are mapped to the domainPwdProperties UDM attribute (univentionSamba4pwdProperties in LDAP). And this domainPwdProperties is sync to S4.


YAML:

 * 2015-03-26-univention-ldap.yaml - 
   + added univentionSamba4pwdProperties 
     (integer, single value) attribute to sambaDomain object class,
   + added default (1) to samba domain object in base.ldif

 * 2015-03-27-univention-s4-connector.yaml
   + added sync of domainPwdProperties <-> pwdProperties in 
     univention/s4connector/s4/dc.py
   + the join script now sets domainPasswordComplex=1 for the UDM
     samba domain object (this is the default in s4) IF 
     connector/s4/allow/secondary is not TRUE (not a ucs@school slave)
   + postinst: set syncmode=write for sambadomain 
     (connector/s4/mapping/dc/syncmode) if connector/s4/allow/secondary 
     is TRUE (ucs@school slave)
   + postinst: for this update, resync sambadomain from s4 to UCS,
     if not connector/s4/allow/secondary (not a ucs@school slave)

 * 2015-03-27-univention-directory-manager-modules.yaml
   + added domainPasswordComplex (UMC, boolean) to sambadomain.py 
   + added domainPasswordStoreCleartext (UMC, boolean) to sambadomain.py 
   + domainPwdProperties (NOT in UMC, used by the connector) to sambadomain.py 


Tests:
 * update (of all packages) -> complexity should be in sync and 1
 * new installation -> complexity should be in sync and 1
 * sync mode on UCS@school slaves  should be write for 
   connector/s4/mapping/dc/syncmode
Comment 4 Felix Botner univentionstaff 2015-04-14 10:28:00 CEST
Removed the domainPasswordComplex default from the join script

-> univention-s4-connector 9.0.16-17.548.201504141005
Comment 5 Stefan Gohmann univentionstaff 2015-04-14 17:37:14 CEST
Test upgrade previously ON: OK

Test upgrade previously OFF: OK

Test new installation: OK

Code review: OK
 - univention-ldap: OK
 - univention-directory-manager: OK
 - univention-s4-connector: OK

YAML: OK