Bug 44090 - Change password module does not honor default password policy
Status: CLOSED DUPLICATE of bug 44470
Product: UCS
Classification: Unclassified
Component: UMC - Change password
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-0-errata
Assigned To: Daniel Tröder
Florian Best
Depends on:
Blocks: 42173
Reported: 2017-03-27 17:06 CEST by Daniel Tröder
Modified: 2018-03-15 08:26 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Daniel Tröder univentionstaff 2017-03-27 17:06:33 CEST
+++ This bug was initially created as a clone of Bug #42173 +++

The change password module does not honor the default password policy:

cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base

Test by changing the desired minimum length or by repeatedly using the same two passwords.
Comment 1 Stefan Gohmann univentionstaff 2017-03-28 12:17:37 CEST
If you use Samba 4, you have to set the Samba password settings. The password reset is done via UDM and that will honor the UDM password settings. Since we have patched the Heimdal password service, this will also be honored if you don't use Samba 4. We didn't patch the Samba 4 Heimdal password service.

I think it should be better documented since it is not really obvious.
Comment 2 Florian Best univentionstaff 2017-03-28 19:23:28 CEST
@Daniel:
Do you mean the "Change password" or the "Reset password" module here?
The first uses PAM while the second uses UDM.
Comment 3 Daniel Tröder univentionstaff 2017-04-25 16:34:34 CEST
The password change page at https://$HOST/univention/self-service/#page=passwordchange does not honor the settings in cn=default-settings,cn=pwhistory,cn=users,cn=policies,$LDAP_BASE.
If I change the minimum password length to 5, I can change my password to qwertz when logged in through the side panel. But I cannot do that on the /univention/self-service/#page=passwordchange page. Also, even if the password quality check is disabled in the policy, the self-service/#page=passwordchange page always checks it anyway.
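The settings the thread is arguing about (minimum length, number of remembered passwords, optional quality check) only protect anything if every password-changing path evaluates them; the comment above describes one path that enforces its own rules instead. The following Python example was added here for illustration and is not UCS, UDM or self-service code: the policy field names are the script's own assumptions rather than the UCS LDAP schema, the quality heuristic is a constructed stand-in for whatever check the real module runs, and the sample passwords are the ones from the comment plus a few constructed ones.

```python
"""Added illustration (not UCS code): what a pwhistory-style policy enforces.

Field names below are assumptions made for this example, not UCS attributes.
"""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8           # minimum password length
    history_length: int = 3       # how many previous passwords are remembered
    quality_check: bool = True    # whether the extra quality heuristic runs


@dataclass
class UserPasswordState:
    # Each entry is (salt, sha256(salt + password)); plaintext is never stored.
    history: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def _in_history(password: str, state: UserPasswordState) -> bool:
    # Re-hash with each stored salt; a match means the password was used recently.
    return any(_hash(password, salt) == digest for salt, digest in state.history)


def _quality_ok(password: str) -> bool:
    """Constructed stand-in for a quality check: at least three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def check_password(password: str, policy: PasswordPolicy, state: UserPasswordState):
    """Evaluate the policy. Returns (accepted, reason); reason is 'ok' when accepted."""
    if len(password) < policy.min_length:
        return False, "too short"
    if policy.quality_check and not _quality_ok(password):
        return False, "quality check failed"
    if _in_history(password, state):
        return False, "password was used recently"
    return True, "ok"


def change_password(password: str, policy: PasswordPolicy, state: UserPasswordState):
    """Apply the policy and, on success, record the new password in the history."""
    accepted, reason = check_password(password, policy, state)
    if accepted:
        salt = os.urandom(16)
        state.history.append((salt, _hash(password, salt)))
        # Keep only the most recent history_length entries.
        if policy.history_length > 0:
            state.history = state.history[-policy.history_length:]
        else:
            state.history = []
    return accepted, reason


def demo():
    """Reproduce the comment's test: minimum length 5, history of 2, quality off."""
    policy = PasswordPolicy(min_length=5, history_length=2, quality_check=False)
    state = UserPasswordState()
    return [
        change_password("qwertz", policy, state)[1],  # accepted under the relaxed policy
        change_password("asdfgh", policy, state)[1],  # accepted
        change_password("qwertz", policy, state)[1],  # still one of the last two: rejected
        change_password("yxcvbn", policy, state)[1],  # accepted; pushes qwertz out of history
        change_password("qwertz", policy, state)[1],  # no longer remembered: accepted again
        change_password("abc", policy, state)[1],     # below the minimum length
    ]


def strict_demo():
    """Same passwords against the default (stricter) policy for comparison."""
    policy = PasswordPolicy()
    state = UserPasswordState()
    return [
        check_password("qwertz", policy, state)[1],      # too short for 8 characters
        check_password("qwertzuiop", policy, state)[1],  # long enough, but one character class
        check_password("Qwertz12!", policy, state)[1],   # passes length and quality
    ]


if __name__ == "__main__":
    print("relaxed policy:", demo())
    print("default policy:", strict_demo())
```

The point of running both functions side by side is the one the comment makes: the same password "qwertz" is accepted or rejected purely depending on which policy object the checking code consults, so a second code path with its own hard-wired rules silently replaces the administrator's policy.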
Comment 4 Florian Best univentionstaff 2017-04-25 16:48:05 CEST
(In reply to Stefan Gohmann from comment #1)
> If you use Samba 4, you have to set the Samba password settings.
Where can this be done? Are there also UCR variables etc. for this in UCS?

> I think it should be better documented since it is not really obvious.
Where could this be documented?
Comment 5 Stefan Gohmann univentionstaff 2017-04-25 19:39:25 CEST
(In reply to Florian Best from comment #4)
> (In reply to Stefan Gohmann from comment #1)
> > If you use Samba 4, you have to set the Samba password settings.
> Where can this be done? Are there also UCR variables etc. for this in UCS?

'samba-tool domain passwordsettings' or 'udm settings/sambaconfig'

> > I think it should be better documented since it is not really obvious.
> Where could this be documented?

I think it should be documented in our manual, see also Bug #39983.
Comment 6 Daniel Tröder univentionstaff 2017-04-26 08:40:47 CEST
Regarding the documentation: Bug #39983
New feature request: Bug #44470 (synchronize the PAM/s3/s4 password policies)

Marking this as a duplicate of Bug #44470 - as that is the behavior that I had expected.

*** This bug has been marked as a duplicate of bug 44470 ***
Comment 7 Florian Best univentionstaff 2017-04-28 08:14:13 CEST
Yes, there is nothing to do here.
Comment 8 Stefan Gohmann univentionstaff 2018-03-15 08:26:00 CET
Nothing to release.