Univention Bugzilla – Bug 44090
Change password module does not honor default password policy
Last modified: 2018-03-15 08:26:00 CET
+++ This bug was initially created as a clone of Bug #42173 +++
The change password module does not honor the default password policy:
cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base
Test by changing the desired minimum length or by repeatedly using the same two passwords.
If you use Samba 4, you have to set the Samba password settings. The password reset is done via UDM and that will honor the UDM password settings. Since we have patched the Heimdal password service, this will also be honored if you don't use Samba 4. We didn't patch the Samba 4 Heimdal password service. I think it should be better documented since it is not really obvious.
@Daniel: Do you mean the "Change password" or the "Reset password" module here? The first uses PAM while the second uses UDM.
The password change page on https://$HOST/univention/self-service/#page=passwordchange does not honor the settings in cn=default-settings,cn=pwhistory,cn=users,cn=policies,$LDAP_BASE. If I change the minimum password length to 5 I can change my password - when logged in through the side panel - to qwertz. But I cannot do that on the /univention/self-service/#page=passwordchange page. Also, if the password quality check is disabled in the policy, the self-service/#page=passwordchange page always checks it anyway.
(In reply to Stefan Gohmann from comment #1)
> If you use Samba 4, you have to set the Samba password settings.
Where can this be done? Are there also UCR variables etc. for this in UCS?
> I think it should be better documented since it is not really obvious.
Where could this be documented?
(In reply to Florian Best from comment #4)
> (In reply to Stefan Gohmann from comment #1)
> > If you use Samba 4, you have to set the Samba password settings.
> Where can this be done? Are there also UCR variables etc. for this in UCS?
'samba-tool domain passwordsettings' or 'udm settings/sambaconfig'
> > I think it should be better documented since it is not really obvious.
> Where could this be documented?
I think it should be documented in our manual, see also Bug #39983.
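A check for the mismatch discussed in this thread, as an added example that is not part of the original bug report: it compares the UDM password policy with the Samba 4 password settings and lists the fields that differ. It assumes the text layouts of `samba-tool domain passwordsettings show` and `udm policies/pwhistory list` (including the property names `length`, `pwLength` and `pwQualityCheck`); both sample outputs are constructed.

```python
# Constructed sample outputs (not captured from a real system).
# Assumed layout of `samba-tool domain passwordsettings show`:
SAMBA_SHOW = """\
Password informations for domain 'DC=example,DC=test'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
"""
# Assumed layout and property names of `udm policies/pwhistory list`:
UDM_POLICY = """\
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=test
  name: default-settings
  length: 3
  pwLength: 5
  pwQualityCheck: FALSE
"""

def parse_kv(text):
    """Turn 'key: value' lines into a dict; lines without ': ' are skipped."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            out[key] = value.strip()
    return out

def to_int(value):
    """Unset or non-numeric values (e.g. 'None') are reported as 0 here."""
    return int(value) if value and value.isdigit() else 0

def policy_drift(samba_text, udm_text):
    """Return {field: (udm_value, samba_value)} for every field that differs."""
    s, u = parse_kv(samba_text), parse_kv(udm_text)
    samba = {"min_length": to_int(s.get("Minimum password length")),
             "history": to_int(s.get("Password history length")),
             "quality_check": s.get("Password complexity", "").lower() == "on"}
    udm = {"min_length": to_int(u.get("pwLength")),
           "history": to_int(u.get("length")),
           "quality_check": u.get("pwQualityCheck", "").upper() in ("TRUE", "1")}
    return {k: (udm[k], samba[k]) for k in samba if samba[k] != udm[k]}

if __name__ == "__main__":
    for field, (udm_v, samba_v) in policy_drift(SAMBA_SHOW, UDM_POLICY).items():
        print(f"{field}: UDM policy={udm_v}  Samba 4={samba_v}")
```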
Regarding the documentation: Bug #39983
New feature request: Bug #44470 (synchronize the PAM/s3/s4 password policies)
Marking this as a duplicate of Bug #44470 - as that is the behavior that I had expected.
*** This bug has been marked as a duplicate of bug 44470 ***
Yes, there is nothing to do here.
Nothing to release.