Bug 35809 - Configuration of UCS domain password policies
Configuration of UCS domain password policies
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.4
Other Linux
: P3 enhancement with 5 votes (vote)
: ---
Assigned To: UMC maintainers
: 38559 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2014-09-03 13:00 CEST by Arvid Requate
Modified: 2019-07-30 16:17 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2015111221000407
Bug group (optional): Cleanup, External feedback, Roadmap discussion (moved), Troubleshooting, Usability
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2014-09-03 13:00:03 CEST
The configuration of a set of domain password policies which consistently apply to Kerberos, LDAP and Samba authentication currently requires careful administration by the administrator and has been a source of intransparent failures ending up as support cases in the past. With the introduction of additional policy options (Bug 31907) the demand for a unified point of administration may grow.

We are talking about domain password policies here, which provide the default for the whole domain. They may be comlemented by user/group/subtree-scope specific policies (UDM and/or GPO), but we are not taking about those here. Both concepts co-exist.

Currently the domain password policies are implemented by a two-component (Samba+UDM) mixture configured via

1. the samba-domain-object (synchronized to the Samba4 LDAP base settings).
2. a set of individual UDM policies possibly linked to the domain root (applied via UDM to aspects of LDAP, Posix and Kerberos authentication).

My vision for this would be to implement a superordinate "UCS domain password policy" (object), which is monitored by the other services (e.g. via listener) to translate the UCS domain password policy into their specific policy concepts. I.e.

1. the settings on the samba-domain-object are derived from the new "UCS domain password policy"

2. the UDM users/user module checks the new "UCS domain password policy" before applying the classing UDM policies.

3. Things like the LDAP-specific ppolicy (Bug 31907), or possibly Kerberos specific policy configuration settings are derived as well (e.g. by package supplied listeners).

I think we need to define a common base-line for this, which the other services try to follow as closely as they can.
Comment 1 Michel Smidt univentionstaff 2015-11-13 17:25:22 CET
Support Case #2015111221000407 
On this case samba policies and ucs password policies ran apart.

Maybe a first "hotfix" would be a warning in the UMC passwort policy tab when saving and if samba is installed on the system.
Comment 2 Arvid Requate univentionstaff 2017-01-18 18:47:50 CET
Via Bug 32974 we also added bad password lockout for Samba/AD.

So, lockout threshold and lockout duration may differ between Samba/AD(Kerberos) and LDAP/ppolicy.
Comment 3 Arvid Requate univentionstaff 2017-01-18 18:50:59 CET
*** Bug 38559 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Gohmann univentionstaff 2019-01-03 07:18:26 CET
This issue has been filled against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 5 Florian Best univentionstaff 2019-07-25 18:18:27 CEST
Still relevant.