Univention Bugzilla – Bug 49039
Password is not complex enough despite password policies are set to no-complexity
Last modified: 2019-04-25 11:02:17 CEST
In the given UCS@school environment all pwd policies are configured to pwLength: 8 pwQualityCheck: FALSE Password complexity: off Minimum password length: 8 but when changing the password (in this case via SelfService) the new password is rejected due to lack of complexity. In the related Ticket there is a testing environment given to analyze further.
Reinstalling a previous version is the only workaround yet known.
In the erratum I basically only restored the behavior of UCS 4.2, AFAICS. If we want to support non-complex passwords via UMC we should remove pam_cracklib completely from the UMC pam configuration. I think pam_krb5 calls some cracklib code in non-samba and samba environments, which evaluates our policies. pam_unix doesn't have enabled pam_cracklib anymore then.
pam_cracklib has been removed from the UMC pam configuration for password changes. Therefore with pam_unix no password checks are performed anymore and for pam_krb5 it is required to have configured password policies. univention-management-console.yaml 7271eadff981 | YAML Bug #49039 univention-management-console (10.0.6-23) 32b40a92f05f | Bug #49039: remove pam_cracklib from univention-management-console pam
Removing pam_cracklib is not possible as out pam stack depends on it, otherwise all error messages are broken. Therefore I just restored the behavior prior to Bug #48684. univention-management-console (10.0.6-24) 0f0fb2bc6fd9 | Bug ##49039: restore original pam_cracklib behavior (reverts Bug #48684).
OK, works.
<http://errata.software-univention.de/ucs/4.3/475.html>