Univention Bugzilla – Bug 35809
Configuration of UCS domain password policies
Last modified: 2019-07-30 16:17:28 CEST
The configuration of a set of domain password policies which consistently apply to Kerberos, LDAP and Samba authentication currently requires careful administration by the administrator and has been a source of intransparent failures ending up as support cases in the past. With the introduction of additional policy options (Bug 31907) the demand for a unified point of administration may grow.
We are talking about domain password policies here, which provide the default for the whole domain. They may be complemented by user/group/subtree-scope specific policies (UDM and/or GPO), but we are not talking about those here. Both concepts co-exist.
Currently the domain password policies are implemented by a two-component (Samba+UDM) mixture configured via
1. the samba-domain-object (synchronized to the Samba4 LDAP base settings).
2. a set of individual UDM policies possibly linked to the domain root (applied via UDM to aspects of LDAP, Posix and Kerberos authentication).
My vision for this would be to implement a superordinate "UCS domain password policy" (object), which is monitored by the other services (e.g. via listener) to translate the UCS domain password policy into their specific policy concepts. I.e.
1. the settings on the samba-domain-object are derived from the new "UCS domain password policy"
2. the UDM users/user module checks the new "UCS domain password policy" before applying the classic UDM policies.
3. Things like the LDAP-specific ppolicy (Bug 31907), or possibly Kerberos specific policy configuration settings are derived as well (e.g. by package supplied listeners).
I think we need to define a common base-line for this, which the other services try to follow as closely as they can.
Support Case #2015111221000407
On this case samba policies and ucs password policies ran apart.
Maybe a first "hotfix" would be a warning in the UMC password policy tab when saving and if samba is installed on the system.
Via Bug 32974 we also added bad password lockout for Samba/AD.
So, lockout threshold and lockout duration may differ between Samba/AD(Kerberos) and LDAP/ppolicy.
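The divergence described in the two comments above (Samba/AD lockout and password-age settings drifting apart from the LDAP/ppolicy ones) can be detected mechanically before it turns into a support case. The following is an added example, not code from this bug report or from Univention: it normalizes the Samba/AD domain attributes (which store durations as negative counts of 100-nanosecond intervals) and the OpenLDAP ppolicy attributes (which store seconds) into one representation and lists every setting on which the two sides disagree. The attribute names are the standard AD and ppolicy schema names; the sample values are constructed and the `never expires` handling is an assumption of this example.

```python
"""Constructed example: compare a Samba/AD domain password policy with an
OpenLDAP ppolicy entry and report the settings that diverge."""

from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Tuple

# AD/Samba express maxPwdAge, lockoutDuration and lockOutObservationWindow
# as negative 64-bit counts of 100-nanosecond intervals.
HUNDRED_NS_PER_SECOND = 10_000_000
# Assumption of this example: both 0 and the int64 minimum mean "never expires".
AD_NEVER = {0, -(2 ** 63)}


@dataclass(frozen=True)
class PasswordPolicy:
    """Backend-neutral view of the settings both systems share."""
    min_length: int
    history_length: int
    max_age_seconds: Optional[int]      # None: passwords never expire
    lockout_threshold: int              # 0: lockout disabled
    lockout_duration_seconds: int
    lockout_window_seconds: int


def ad_interval_to_seconds(value: str) -> Optional[int]:
    """Convert an AD 100ns-interval string (usually negative) to seconds."""
    n = int(value)
    if n in AD_NEVER:
        return None
    return abs(n) // HUNDRED_NS_PER_SECOND


def from_samba_domain(attrs: Dict[str, str]) -> PasswordPolicy:
    """Build the neutral view from attributes of the Samba/AD domain object."""
    return PasswordPolicy(
        min_length=int(attrs["minPwdLength"]),
        history_length=int(attrs["pwdHistoryLength"]),
        max_age_seconds=ad_interval_to_seconds(attrs["maxPwdAge"]),
        lockout_threshold=int(attrs["lockoutThreshold"]),
        lockout_duration_seconds=ad_interval_to_seconds(attrs["lockoutDuration"]) or 0,
        lockout_window_seconds=ad_interval_to_seconds(attrs["lockOutObservationWindow"]) or 0,
    )


def from_ppolicy(attrs: Dict[str, str]) -> PasswordPolicy:
    """Build the neutral view from an OpenLDAP pwdPolicy entry (values in seconds)."""
    max_age = int(attrs.get("pwdMaxAge", "0"))
    return PasswordPolicy(
        min_length=int(attrs.get("pwdMinLength", "0")),
        history_length=int(attrs.get("pwdInHistory", "0")),
        max_age_seconds=None if max_age == 0 else max_age,   # ppolicy: 0 = no expiry
        lockout_threshold=int(attrs.get("pwdMaxFailure", "0")),
        lockout_duration_seconds=int(attrs.get("pwdLockoutDuration", "0")),
        lockout_window_seconds=int(attrs.get("pwdFailureCountInterval", "0")),
    )


def diff_policies(a: PasswordPolicy, b: PasswordPolicy) -> List[Tuple[str, object, object]]:
    """Return (setting, value_a, value_b) for every setting that differs."""
    return [(f.name, getattr(a, f.name), getattr(b, f.name))
            for f in fields(PasswordPolicy)
            if getattr(a, f.name) != getattr(b, f.name)]


# Constructed sample data: 42-day expiry on both sides, but history length,
# lockout threshold and lockout duration have drifted apart.
SAMBA_DOMAIN_ATTRS = {
    "minPwdLength": "8",
    "pwdHistoryLength": "24",
    "maxPwdAge": "-36288000000000",          # 42 days in 100ns intervals
    "lockoutThreshold": "5",
    "lockoutDuration": "-18000000000",       # 30 minutes
    "lockOutObservationWindow": "-18000000000",
}
PPOLICY_ATTRS = {
    "pwdMinLength": "8",
    "pwdInHistory": "5",
    "pwdMaxAge": "3628800",                  # 42 days in seconds
    "pwdMaxFailure": "3",
    "pwdLockoutDuration": "900",             # 15 minutes
    "pwdFailureCountInterval": "1800",
}


def check_consistency(samba_attrs: Dict[str, str], ppolicy_attrs: Dict[str, str]) -> List[str]:
    """Human-readable warnings, one per diverging setting (empty when consistent)."""
    diffs = diff_policies(from_samba_domain(samba_attrs), from_ppolicy(ppolicy_attrs))
    return [f"{name}: Samba/AD={a} but LDAP/ppolicy={b}" for name, a, b in diffs]


if __name__ == "__main__":
    for warning in check_consistency(SAMBA_DOMAIN_ATTRS, PPOLICY_ATTRS):
        print("WARNING", warning)
```

A check like this is what a "warn on save when Samba is installed" hotfix in the UMC policy tab would need underneath; the same normalization is also the natural core of a listener that derives the per-service settings from one superordinate policy object, since the translation in each direction is just the inverse of the conversions shown here.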
*** Bug 38559 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31 May 2016.
Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.
If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.