Univention Bugzilla – Bug 44518
password quality checks not disabled when syncing users from AD to UCS
Last modified: 2019-10-08 07:17:17 CEST
I created a user in AD. The AD-Connector failed to create it on the UCS side:

02.05.2017 17:48:23,904 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=aduser,cn=users,dc=school,dc=local
02.05.2017 17:48:24,417 LDAP (ERROR ): Unknown Exception during sync_to_ucs
02.05.2017 17:48:24,421 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 307, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 724, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 2067, in _ldap_modlist
    raise univention.admin.uexceptions.pwQuality(str(e).replace('W?rterbucheintrag', 'Wörterbucheintrag').replace('enth?lt', 'enthält'))
pwQuality: Es ist zu einfach/systematisch (German: "It is too simple/systematic")

When it retries to add the object, this fails with Bug #41711:

02.05.2017 17:49:19,387 LDAP (ERROR ): Unknown Exception during sync_to_ucs
02.05.2017 17:49:19,388 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 307, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 723, in _create
    al = self._ldap_addlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1836, in _ldap_addlist
    raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % username)
uidAlreadyUsed: : aduser
I enabled the password complexity checks on the default password policy.
It might be resolved if the S4 connector sets 'overridePWHistory' = 1 and 'overridePWLength' = 1 on the UDM object before creating it on the UCS side.
The S4-Connector doesn't have any cleartext passwords, so udm users/user must not try to check the complexity of password hashes. Something looks wrong here.
(In reply to Arvid Requate from comment #3)
> The S4-Connector doesn't have any cleartext passwords, so udm users/user
> must not try to check the complexity of password hashes. Something looks
> wrong here.

Then the S4-Connector should not set udm_object['password'] = hash! but should instead write the data directly to the LDAP attribute rather than to the UDM property. But this can be worked around with comment 2.
(In reply to Florian Best from comment #4)
> (In reply to Arvid Requate from comment #3)
> > The S4-Connector doesn't have any cleartext passwords, so udm users/user
> > must not try to check the complexity of password hashes. Something looks
> > wrong here.
>
> Then the S4-Connector should not set udm_object['password'] = hash! but
> should instead write the data directly to the LDAP attribute rather than to the
> UDM property. But this can be worked around with comment 2.

The password attribute is currently required.
The password property in my case contained the following value: 8017402380174023801740238017402380174023801740238017402380174023801740238017402380174023801740238017402380174023801740238017402380174023801740238017402380174023
Created attachment 8819: patch
Created attachment 8822: bug44518_backport_of_bug34478.patch

Bug 34478 fixed this for the S4-Connector; let's simply backport that. The attached patch is a quick adaptation to univention-ad-connector. I would actually prefer to use samba.generate_random_password(20, 20) from python-samba, but that's a different story.
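The failure mode and the two workarounds discussed in comments 2, 4 and 7, as an added illustration in Python. This is not code from univention-ad-connector, univention-s4-connector or the attached patches: the quality check below is a deliberately simple stand-in for the cracklib-style "too simple/systematic" verdict UDM raised, the sample value is constructed from the 8-digit block quoted in comment 6 (the repeat count is assumed), the function and key names `prepare_udm_properties`, `PasswordQualityError` and `_ldap_unicodePwd` are hypothetical, and `random_password()` uses the standard library in place of `samba.generate_random_password(20, 20)`. Only the property names `overridePWHistory`, `overridePWLength`, `username`, `lastname` and `password` are taken from the thread.

```python
import secrets
import string

# Constructed sample, modelled on the 'password' property value quoted in
# comment 6: the same 8-digit block repeated. The repeat count is an assumption.
SAMPLE_PASSWORD_PROPERTY = "80174023" * 20

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


class PasswordQualityError(ValueError):
    """Hypothetical stand-in for univention.admin.uexceptions.pwQuality."""


def smallest_period(s):
    """Length of the shortest block whose repetition forms s (len(s) if none)."""
    n = len(s)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and s[:p] * (n // p) == s:
            return p
    return n


def is_systematic(candidate, min_classes=3):
    """Simplified model of a 'too simple/systematic' verdict (NOT cracklib).

    It flags the two things a hash or hash-like string typically trips over:
    a short repeating period and too few character classes."""
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in candidate))
    return smallest_period(candidate) < max(len(candidate) // 2, 1) or classes < min_classes


def random_password(length=20):
    """Random password that passes is_systematic(); plays the role of
    samba.generate_random_password(20, 20) from comment 7, with the stdlib."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_systematic(candidate):
            return candidate


def prepare_udm_properties(ad_user, cleartext_password=None):
    """Build the property dict for a (hypothetical) UDM users/user create.

    Models the thread's two points:
    - never feed a hash to the 'password' property: without a cleartext
      password, set a random one so the quality check sees a real password
      (the hash would be written to the LDAP attribute directly, comment 4;
      here it is only carried along under a hypothetical key)
    - set the override flags from comment 2 so history/length checks are
      skipped for accounts that are synced, not typed in by a user
    """
    properties = {
        "username": ad_user["sAMAccountName"],
        "lastname": ad_user.get("sn", ad_user["sAMAccountName"]),
        "overridePWHistory": "1",
        "overridePWLength": "1",
    }
    if cleartext_password is not None:
        properties["password"] = cleartext_password
    else:
        properties["password"] = random_password()
        # hypothetical: hash destined for the LDAP attribute, bypassing UDM
        properties["_ldap_unicodePwd"] = ad_user.get("unicodePwd")
    # The check UDM's _ldap_modlist() performs; a hash passed as the password
    # (the 'before' behaviour from the bug report) fails here.
    if is_systematic(properties["password"]):
        raise PasswordQualityError("too simple/systematic")
    return properties


if __name__ == "__main__":
    user = {"sAMAccountName": "aduser", "sn": "User", "unicodePwd": b"<hash>"}
    try:
        prepare_udm_properties(user, cleartext_password=SAMPLE_PASSWORD_PROPERTY)
    except PasswordQualityError as exc:
        print("hash as password rejected:", exc)
    print("synced with random password:", prepare_udm_properties(user))
```

Running the block shows the bug report's path (hash-like value handed to the password property is rejected) followed by the workaround path (random password plus override flags accepted). The period check is what makes the quoted value fail even before character-class diversity is considered: "80174023" repeated has a period of 8 regardless of how long the string is.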
It is happening again in a customer environment; see Ticket #2019091821001171.