Univention Bugzilla – Bug 49346
Password is not complex enough despite password policy being set to no-complexity
Last modified: 2019-07-25 18:23:09 CEST
+++ This bug was initially created as a clone of Bug #49039 +++

The problem persists in a different customer's environment.
All systems are on UCS 4.3 e481, I checked /etc/pam.d/univention-management-console and it was correctly configured.

Certain passwords can be set via the users module in the UMC but not via Self Service ("too simple").

The default password policy was changed to only allow passwords with at least 16 chars; password complexity check is deactivated.
Samba4 is installed on the master and backup.
Problem still persists with UCS 4.4
The initial bug to fix this in UCS 4.4 was bug 49239, not the one mentioned in the first comment
(In reply to Valentin Heidelberger from comment #2)
> Problem still persists with UCS 4.4

Which errata version? Was the fix for #49239 / errata 70 applied?
(In reply to Ingo Steuwer from comment #4)
> (In reply to Valentin Heidelberger from comment #2)
> > Problem still persists with UCS 4.4
>
> Which errata version? Was the fix for #49239 / errata 70 applied?

All systems are on 4.4-0 e78
(In reply to Valentin Heidelberger from comment #0)
> +++ This bug was initially created as a clone of Bug #49039 +++
>
> The problem persists in a different customer's environment.
> All systems are on UCS 4.3 e481, I checked
> /etc/pam.d/univention-management-console and it was correctly configured.
>
> Certain passwords can be set via the users module in the UMC but not via
> Self Service "too simple".
>
> The default password policy was changed to only allow passwords with at
> least 16 chars, password complexity check is deactivated.
> Samba4 is installed on the master and backup.

Sorry, I still don't get the issue here.

* what is expected?
* what is configured?
* how does the system behave?

And last but not least: is this a duplicate of #49551?
(In reply to Ingo Steuwer from comment #6)
> Sorry, I still don't get the issue here.
>
> * what is expected?
> * what is configured?
> * how does the system behave?
>
> And last but not least: is this a duplicate of #49551?

They are two different problems. I believe the issue behind both problems might be the same, though.

The problem *here* is that the deactivation of the password quality check in the default password policy is ignored by the self service. In the "Users" module, the deactivation is respected. In a nutshell, there is a discrepancy between which passwords the Self Service allows and which the "Users" module allows as soon as one makes a change to the default password policy.

1. Deactivate password quality check
2. Self Service: Set password that was denied for complexity reasons when the complexity check was activated
3. Self Service: "Password is not complex enough"

Expectation: Self Service respects the policy and doesn't do a complexity check if it is deactivated via the policy.
Reality: Self Service does a complexity check regardless of whether it's deactivated in the policy.

The problem at #49551 is that changes to the required length are also ignored, it just always defaults to 8. The customer set the minimum length from the default 8 to 16 characters. Passwords with min. 8 characters can still be set via Self Service though. The "Users" module respects the changes and doesn't allow these changes. Same with the complexity check.

In some scenarios this might actually be a security issue; in the current state of the customer's env it's not yet.
Please reset to NEEDMOREINFO again if my comment #7 leaves further questions.
Does the environment use Samba 4?

The policy you are changing is cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base, right?

That policy is attached to the ldap base:
univention-ldapsearch -LLL univentionPolicyReference="cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base" dn

There doesn't exist any other policy (udm policies/pwhistory list) which overwrites some settings?
> Does the environment use Samba 4?

Yes, it is installed on Master and Backup.

> The policy you are changing is cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base, right?

Yes, it looks like this in LDAP:

dn: cn=default-settings,cn=pwhistory,cn=users,cn=policies,<LDAP BASE>
objectClass: top
objectClass: univentionPolicy
objectClass: univentionPolicyPWHistory
objectClass: univentionObject
univentionObjectType: policies/pwhistory
cn: default-settings
univentionPWLength: 16
univentionPWExpiryInterval: 365
univentionPWQualityCheck: FALSE
univentionPWHistoryLen: 9

> That policy is attached to the ldap base:
> univention-ldapsearch -LLL univentionPolicyReference="cn=default-settings,cn=pwhistory,cn=users,cn=policies,$ldap_base" dn

Yes it is:

$ univention-ldapsearch -LLL univentionPolicyReference=cn=default-settings,cn=pwhistory,cn=users,cn=policies,<LDAP BASE> dn
dn: <LDAP BASE>

> There doesn't exist any other policy (udm policies/pwhistory list) which overwrites some settings?

Only the default-settings from above:

$ udm policies/pwhistory list
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,<ldap base>
  expiryInterval: 365
  ldapFilter: None
  length: 9
  name: default-settings
  pwLength: 16
  pwQualityCheck: FALSE
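The two comments above describe the expected behaviour (comment #7: honour pwLength and pwQualityCheck from the policy) and the policy object itself (the LDIF quoted just above). The following script is an added example, not Univention or UCS code, and not part of this bug report: it parses a copy of that LDIF (constructed here, with a placeholder LDAP base dc=example,dc=com) into the effective policy and evaluates a candidate password against it the way the reporter expects the Self Service to. The default length of 8 comes from comment #7. The "three of four character classes" rule is an assumption standing in for the real UCS quality check, which the thread does not describe.

```python
"""Evaluate a candidate password against a UCS pwhistory policy entry.

Added example (not UCS code). It applies the two settings the bug says
the Self Service ignores: univentionPWLength and univentionPWQualityCheck.
"""
import re

# Constructed sample: the cn=default-settings policy as quoted in the bug,
# with a placeholder LDAP base.
SAMPLE_LDIF = """\
dn: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=com
objectClass: top
objectClass: univentionPolicy
objectClass: univentionPolicyPWHistory
objectClass: univentionObject
univentionObjectType: policies/pwhistory
cn: default-settings
univentionPWLength: 16
univentionPWExpiryInterval: 365
univentionPWQualityCheck: FALSE
univentionPWHistoryLen: 9
"""

# Assumed defaults when the policy does not set a value (8 is the default
# length named in the bug; quality check on is the conservative choice).
DEFAULT_POLICY = {'pwLength': 8, 'pwQualityCheck': True}


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles multi-valued attributes and folded continuation lines
    (a line starting with a space continues the previous value).
    """
    entry = {}
    prev = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] == ' ' and prev is not None:
            entry[prev][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(':')
        entry.setdefault(attr, []).append(value.strip())
        prev = attr
    return entry


def policy_from_entry(entry):
    """Derive the effective password settings from a pwhistory policy entry."""
    policy = dict(DEFAULT_POLICY)
    if 'univentionPWLength' in entry:
        policy['pwLength'] = int(entry['univentionPWLength'][0])
    if 'univentionPWQualityCheck' in entry:
        policy['pwQualityCheck'] = entry['univentionPWQualityCheck'][0].upper() == 'TRUE'
    return policy


def character_classes(password):
    """Count how many of lower/upper/digit/other the password contains."""
    patterns = (r'[a-z]', r'[A-Z]', r'[0-9]', r'[^A-Za-z0-9]')
    return sum(bool(re.search(p, password)) for p in patterns)


def check_password(password, policy):
    """Return (accepted, reason) for a candidate password under the policy.

    The length rule is always applied. The complexity rule (assumed here:
    at least three character classes) is applied only when the policy
    enables the quality check, which is the behaviour the bug asks for.
    """
    if len(password) < policy['pwLength']:
        return False, 'Password is too short (minimum %d characters)' % policy['pwLength']
    if policy['pwQualityCheck'] and character_classes(password) < 3:
        return False, 'Password is not complex enough'
    return True, 'ok'


if __name__ == '__main__':
    policy = policy_from_entry(parse_ldif_entry(SAMPLE_LDIF))
    print('effective policy:', policy)
    for candidate in ('abcdefgh', 'abcdefghijklmnop'):
        print(repr(candidate), '->', check_password(candidate, policy))
        print(repr(candidate), '(defaults) ->', check_password(candidate, DEFAULT_POLICY))
```

Running it shows the discrepancy the thread is about: under the parsed policy a 16-character all-lowercase password is accepted and an 8-character one is rejected, whereas under the built-in defaults (what the reporter observes the Self Service using) the 16-character password is refused with "Password is not complex enough" and the 8-character one passes the length rule.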
I am not sure atm, but I think the cn=default-settings object is only for heimdal systems. Samba systems have different policies, iirc.
See also Bug #35809