Univention Bugzilla – Bug 47884
Password security policy can be surpassed with password self-service
Last modified: 2024-04-17 13:25:01 CEST
The documentation should be more clear on the limits of the password self service. Taken from https://help.univention.com/t/change-password-self-service-component-password-check-not-working-correctly/9767/2

* It does mention that there are two authorities that use different sets of configuration options. That’s good.
* It does not explicitly list which method of changing passwords involves which method (from the top of my head: UMC admin modules for managing users; UMC user module for changing own password; password self-service app; Windows clients; passwd tool on the command line; kpasswd tool on the command line; slappasswd tool on the command line; directly via LDAP calls on the OpenLDAP server; directly via LDAP calls on the Samba4 LDAP…).
* It does not list all the ways those settings can be affected (again from the top of my head: UCR variables; Samba4 domain object in OpenLDAP; samba-tool domain passwordsettings …; group policies…) and how they interact.

+++ This bug was initially created as a clone of Bug #47883 +++

Resetting the password via password self service does not use the password policy. Please see https://help.univention.com/t/change-password-self-service-component-password-check-not-working-correctly/9767
The customer is having trouble understanding which password policy applies in different use cases and how to configure them appropriately. I had a hard time understanding this myself and unfortunately wasn't really benefiting from the handbook. The things I understood and could test resulted in the following help article, which might come in handy for laying out an easier-to-digest paragraph in our handbook for customers to comprehend the topic: https://help.univention.com/t/q-a-how-to-manage-password-policies-udm-policy-and-samba-policy/22838