Univention Bugzilla – Bug 49207
91univention-saml.inst fails with "Password policy error: is too simple"
Last modified: 2023-10-18 14:49:44 CEST
Caused by a very strict password policy, the 91univention-saml.inst script fails. The ucs-sso user is not created, so the 98univention-samba4-saml-kerberos.inst fails too.

RUNNING 91univention-saml.inst
2019-03-29 16:56:52.585763131+01:00 (in joinscript_init)
Not updating saml/idp/certificate/privatekey
Not updating saml/idp/certificate/certificate
Not updating saml/idp/entityID
Not updating ucs/server/sso/fqdn
File: /etc/apache2/sites-available/univention-saml.conf
Adding A record "ucs-sso 194.95.243.2" to zone in.dfn.de... done
29.03.19 16:56:53.808  DEBUG_INIT
Password policy error: is too simple
__JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
EXITCODE=3
RUNNING 98univention-samba4-saml-kerberos.inst
2019-03-29 16:56:54.926370727+01:00 (in joinscript_init)
Waiting for user replication...
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
ERROR: User ucs-sso not found
EXITCODE=1

-----------------------------------------------------------

univention-policy-result -D $(ucr get ldap/hostdn) -y /etc/machine.secret cn=users,$(ucr get ldap/base)

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWLength
Value: 12

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWQualityCheck
Value: TRUE

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWHistoryLen
Value: 3
Patch available in branch fbest/49207-saml-password-complexity: diff --git a/saml/univention-saml/91univention-saml.inst b/saml/univention-saml/91univention-saml.inst index 4d16b3cf51..dd547a06ba 100755 --- a/saml/univention-saml/91univention-saml.inst +++ b/saml/univention-saml/91univention-saml.inst @@ -77,6 +77,7 @@ create_krb_apache2_user() { » » udm users/user create "$@" --ignore_exists \ » » » » --position "cn=users,$ldap_base" \ +» » » » --set overridePWLength=1 --set overridePWHistory=1 \ » » » » --set username="$spn_account_name" \ » » » » --set lastname="SSO" \ » » » » --set password="$spn_account_name_password" \ @@ -153,6 +153,8 @@ lo, po = univention.admin.uldap.getAdminConnection() po.setDn('cn=users,%s' % (sys.argv[2])) user = univention.admin.modules.get('users/ldap').object(None, lo, po) user.open() +user['overridePWHistory'] = '1' +user['overridePWLength'] = '1' user['username'] = 'sys-idp-user' user['password'] = sys.argv[1] user['lastname'] = 'idp-user'
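Review bot: In the create_krb_apache2_user() hunk, the added `--set overridePWLength=1 --set overridePWHistory=1` line exempts the SSO service account from the policy, but the failure quoted in this report is "Password policy error: is too simple" on a policy with univentionPWQualityCheck TRUE and univentionPWLength 12; please confirm that overridePWLength also disables the quality check and not only the minimum-length check, otherwise the join still fails on strict policies. A short comment in the script saying why this account is exempted (the password comes from create_machine_password and is never typed by a person) would make the intent clear to the next reader.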
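Review bot: The second hunk assigns `user['overridePWHistory'] = '1'` and `user['overridePWLength'] = '1'` on an object of the `users/ldap` module, whereas the first hunk relies on `users/user`; please check that users/ldap actually defines these two properties, since UDM rejects assignment to a property the module does not know instead of silently ignoring it, and the sys-idp-user creation would then fail for a different reason. The same one-line comment explaining the exemption belongs next to these assignments as well.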
Workaround: The 91univention-saml.inst uses the create_machine_password function

    spn_account_name_password=$(create_machine_password)

so the ucr variables

    ucr info machine/password/length
    machine/password/length: <empty>
     The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 20 characters.
     Categories: service-base

and

    ucr info machine/password/complexity
    machine/password/complexity: <empty>
     The machine passwords are generated with the tool pwgen. This variable configures the parameters used during generation (see 'man pwgen'). If the variable is unset, 'scn' applies.
     Categories: service-base

should be set.
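As an added example (not from the bug report or from the UCS code), the following POSIX shell check parses the univention-policy-result output format quoted in this report and compares univentionPWLength with the effective machine/password/length used by create_machine_password (unset means 20 characters, as the ucr info text states). The policy text is constructed from the values in this report; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether the UCR setting
# create_machine_password() relies on (machine/password/length, default 20)
# can satisfy the univentionPWLength policy on cn=users before a join runs.
# POLICY_RESULT is constructed to mirror the univention-policy-result output
# quoted in the report; on a UCS system it would be produced by:
#   univention-policy-result -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret \
#       "cn=users,$(ucr get ldap/base)"
POLICY_RESULT='Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWLength
Value: 12
Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWQualityCheck
Value: TRUE
Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=in,dc=dfn,dc=de
Attribute: univentionPWHistoryLen
Value: 3'

# policy_value ATTRIBUTE: print the Value: that follows the matching
# Attribute: line; prints nothing when no policy sets that attribute.
policy_value() {
    printf '%s\n' "$POLICY_RESULT" | awk -v attr="$1" '
        $1 == "Attribute:" { hit = ($2 == attr); next }
        hit && $1 == "Value:" { print $2; exit }'
}

# effective_machine_pw_length [UCR_VALUE]: the length create_machine_password()
# will use; an unset machine/password/length means 20 characters (ucr info).
effective_machine_pw_length() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else echo 20; fi
}

# check_machine_pw_length [UCR_VALUE]: returns 0 if the generated password is
# long enough for univentionPWLength, 1 if the join would hit the length policy.
# A TRUE univentionPWQualityCheck is only reported: it depends on the generated
# password itself and cannot be decided from the policy alone.
check_machine_pw_length() {
    len=$(effective_machine_pw_length "$1")
    required=$(policy_value univentionPWLength)
    if [ -n "$required" ] && [ "$len" -lt "$required" ]; then
        echo "machine/password/length=$len is below univentionPWLength=$required"
        return 1
    fi
    if [ "$(policy_value univentionPWQualityCheck)" = "TRUE" ]; then
        echo "note: univentionPWQualityCheck is TRUE; the generated password must also pass the quality check"
    fi
    return 0
}

# Usage on a UCS host (ucr is absent elsewhere, so an empty value means default):
check_machine_pw_length "$(ucr get machine/password/length 2>/dev/null)"
```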
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Should be still relevant for UCS 4.4
Still relevant for enterprise-customer.

Please keep in mind that enabling scny for machine/password/complexity also includes special characters like " and '. These must be correctly quoted in config files such as radius.
This is also relevant in UCS5 with other joinscripts like:

RUNNING 98univention-samba4-dns.inst
2023-01-31 10:57:09.982192698+01:00 (in joinscript_init)
Waiting for RID Pool replication: done.
Password policy error: is too simple.
ERROR: could not create user account dns-primary1
**************************************************************
* ERROR: Failed to create DNS spn account.                   *
* Please check the samba and the s4-connector logfile.       *

I set the component of this bug to join instead of saml and increased the UCS Version to ucs5.
The user creation now ignores the required password length and the password history.

univention-saml.yaml
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-saml (7.0.8-5)
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-samba4.yaml
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history

univention-samba4 (9.0.13-3)
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history
REOPENED: There are two errors in the code, see my remarks in the merge request.
The user creation now ignores the required password length and the password history, and now does so without errors.

univention-saml.yaml
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-saml (7.0.8-6)
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript

univention-saml (7.0.8-5)
e8ff76bf4990 | Bug #49207: The user creation during the installation now ignores the password length and history

univention-samba4.yaml
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history

univention-samba4 (9.0.13-4)
a67914983acb | Bug #49207: Corrected some syntax errors in a joinscript

univention-samba4 (9.0.13-3)
57ce48a35c1d | Bug #49207: The spn account creation now ignores the password length and history
QA:
- The spn account creation in univention-samba4 and univention-saml now ignores specific password policies (length/history): OK
- spn accounts are successfully created even after switching to strict password policies (which would have caused the user creation to fail before): OK
- advisories: OK
- no related tracebacks/errors in log files: OK
<https://errata.software-univention.de/#/?erratum=5.0x774> <https://errata.software-univention.de/#/?erratum=5.0x778>