Bug 44518 - password quality checks not disabled when syncing users from AD to UCS
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Linux
: P5 normal
: ---
Assigned To: Samba maintainers
Samba maintainers
Reported: 2017-05-02 17:53 CEST by Florian Best
Modified: 2019-10-08 07:17 CEST
3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?: Yes
Ticket number: 2019091821001171
best: Patch_Available+


Attachments
patch (664 bytes, patch)
2017-05-03 16:44 CEST, Florian Best
bug44518_backport_of_bug34478.patch (1.54 KB, patch)
2017-05-04 14:18 CEST, Arvid Requate

Description Florian Best univentionstaff 2017-05-02 17:53:23 CEST
I created a user in AD. The AD-Connector failed to create it on UCS side:

02.05.2017 17:48:23,904 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=aduser,cn=users,dc=school,dc=local
02.05.2017 17:48:24,417 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
02.05.2017 17:48:24,421 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 307, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 724, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 2067, in _ldap_modlist
    raise univention.admin.uexceptions.pwQuality(str(e).replace('W?rterbucheintrag', 'Wörterbucheintrag').replace('enth?lt', 'enthält'))
pwQuality: Es ist zu einfach/systematisch

When it retries to add the object this fails with Bug #41711.
02.05.2017 17:49:19,387 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
02.05.2017 17:49:19,388 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1300, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 1158, in add_in_ucs
    return ucs_object.create() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 307, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 723, in _create
    al = self._ldap_addlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1836, in _ldap_addlist
    raise univention.admin.uexceptions.uidAlreadyUsed(': %s' % username)
uidAlreadyUsed: : aduser
Comment 1 Florian Best univentionstaff 2017-05-02 18:05:49 CEST
I enabled the password complexity checks on the default password policy.
Comment 2 Florian Best univentionstaff 2017-05-03 10:11:45 CEST
It might be resolved if the S4 connector sets 'overridePWHistory' = 1 and 'overridePWLength' = 1 at the UDM object before creating it on UCS side.
Comment 3 Arvid Requate univentionstaff 2017-05-03 16:17:26 CEST
The S4-Connector doesn't have any cleartext passwords, so udm users/user must not try to check the complexity of password hashes. Something looks wrong here.
Comment 4 Florian Best univentionstaff 2017-05-03 16:28:56 CEST
(In reply to Arvid Requate from comment #3)
> The S4-Connector doesn't have any cleartext passwords, so udm users/user
> must not try to check the complexity of password hashes. Something looks
> wrong here.

Then the S4-Connector should not set udm_object['password'] = hash! but instead should write the data directly to the LDAP attribute instead of the UDM property. But this can be worked around with comment 2.
Comment 5 Stefan Gohmann univentionstaff 2017-05-03 16:33:18 CEST
(In reply to Florian Best from comment #4)
> (In reply to Arvid Requate from comment #3)
> > The S4-Connector doesn't have any cleartext passwords, so udm users/user
> > must not try to check the complexity of password hashes. Something looks
> > wrong here.
> 
> Then the S4-Connector should not set udm_object['password'] = hash! but
> instead should write the data directly to the LDAP attribute instead of the
> UDM property. But this can be worked around with comment 2.

The password attribute is currently required.
Comment 6 Florian Best univentionstaff 2017-05-03 16:38:37 CEST
The password property in my case contained the following value:
8017402380174023801740238017402380174023801740238017402380174023801740238017402380174023801740238017402380174023801740238017402380174023801740238017402380174023
Comment 7 Florian Best univentionstaff 2017-05-03 16:44:56 CEST
Created attachment 8819: patch
Comment 8 Arvid Requate univentionstaff 2017-05-04 14:18:21 CEST
Created attachment 8822: bug44518_backport_of_bug34478.patch

Bug 34478 fixed this for the S4-Connector, let's simply backport that. The attached patch is a quick adaptation to univention-ad-connector.

I would actually prefer to use samba.generate_random_password(20, 20) from python-samba, but that's a different story.
Comment 9 Stefan Gohmann univentionstaff 2019-10-07 13:50:56 CEST
It happens again in a customer environment, see Ticket #2019091821001171.
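The failure mode discussed in this report, and the two remedies proposed in comment 2 and comment 8, modelled as an added example. This is not code from the bug, from univention-ad-connector or from UDM: the AD object, the quality check, the create() stand-in and the override-flag semantics are all toy assumptions constructed here, and the random-password generator uses the secrets module in place of the samba.generate_random_password(min, max) call mentioned in comment 8. The point it shows is that a credential hash handed into a property meant for cleartext passwords is rejected by a cleartext quality check as "too systematic", and that a hash-shaped value can be recognised before it ever reaches such a check.

```python
import re
import secrets
import string

# Constructed sample AD object. The password value mimics the shape of the one
# quoted in comment 6 (a long, periodic, digit-only string); it is not a real hash.
SAMPLE_AD_OBJECT = {
    "sAMAccountName": "aduser",
    "password_value": "80174023" * 20,
}

# A hex string of at least 32 characters is what a credential hash handed over by
# a directory sync looks like, as opposed to a cleartext password.
HASH_SHAPED_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


class PwQualityError(Exception):
    """Stand-in for univention.admin.uexceptions.pwQuality."""


def looks_like_hash(value):
    """True if the value has the shape of a hash rather than a cleartext password."""
    return bool(HASH_SHAPED_RE.match(value))


def check_password_quality(password, min_length=8):
    """Toy cleartext quality check (assumption: UDM uses cracklib, this is not it).

    Rejects short passwords, periodic repetitions and passwords drawn from fewer
    than three character classes.
    """
    if len(password) < min_length:
        raise PwQualityError("too short")
    for period in range(1, len(password) // 2 + 1):
        if len(password) % period == 0 and password[:period] * (len(password) // period) == password:
            raise PwQualityError("Es ist zu einfach/systematisch")  # message seen in the report
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(bool(set(password) & set(cls)) for cls in classes) < 3:
        raise PwQualityError("too few character classes")


def generate_random_password(min_len, max_len):
    """Random password with at least one character of each class, built with the
    secrets module (assumption: mirrors the shape of the samba.generate_random_password
    call proposed in comment 8, which is not available offline)."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def udm_create(udm_object):
    """Toy stand-in for ucs_object.create(): runs the cleartext quality check on the
    'password' property unless overridePWLength is set (assumed UDM semantics)."""
    if udm_object.get("overridePWLength") != "1":
        check_password_quality(udm_object["password"])
    return {"uid": udm_object["username"], "created": True}


def sync_to_ucs(ad_object, strategy):
    """Model of the connector's add path under three strategies."""
    udm_object = {"username": ad_object["sAMAccountName"]}
    if strategy == "hash_as_password":
        # Reported behaviour: the hash is written to the cleartext 'password' property.
        udm_object["password"] = ad_object["password_value"]
    elif strategy == "override_flags":
        # Comment 2: same value, but the checks are switched off for this object.
        udm_object["password"] = ad_object["password_value"]
        udm_object["overridePWHistory"] = "1"
        udm_object["overridePWLength"] = "1"
    elif strategy == "random_password":
        # Comment 8: satisfy the required property with a random password; the real
        # credential hash would go to its own LDAP attribute instead (comment 4).
        udm_object["password"] = generate_random_password(20, 20)
    else:
        raise ValueError(strategy)
    return udm_create(udm_object)


def sync_outcome(ad_object, strategy):
    """'created' or 'rejected: <reason>', for comparing the strategies side by side."""
    try:
        sync_to_ucs(ad_object, strategy)
        return "created"
    except PwQualityError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for strategy in ("hash_as_password", "override_flags", "random_password"):
        print("%-18s %s" % (strategy, sync_outcome(SAMPLE_AD_OBJECT, strategy)))
```

Running the block prints one line per strategy: the hash-as-password path is rejected with the same "zu einfach/systematisch" reason as the traceback in the description, while the override-flag and random-password paths create the object. In a real connector, looks_like_hash() is the cheap guard to put in front of the UDM property assignment, so that a hash never reaches a check designed for cleartext input in the first place.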