Bug 50856 - UDM users/ldap can't handle empty password length in "Passwords" policy
Summary: UDM users/ldap can't handle empty password length in "Passwords" policy
Status: RESOLVED WONTFIX
Alias: None
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UMC maintainers
QA Contact: UMC maintainers
Reported: 2020-02-26 13:09 CET by Valentin Heidelberger
Modified: 2025-02-05 09:28 CET (History)
See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
School Customer affected?: Yes
Bug group (optional): Workaround is available
Customer ID: 20677, 57195
Description Valentin Heidelberger univentionstaff 2020-02-26 13:09:33 CET
UDM allows you to create a password policy (policies/pwhistory) with an empty password length. This results in UDM being unable to create users of type users/ldap.

UDM should either be able to handle this correctly and create the user nonetheless, or a value for the password length should be mandatory.

Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 558, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1242, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 294, in _check_password_complexity
    password_minlength = max(0, pwhistoryPolicy.pwhistoryPasswordLength) or self.password_length
AttributeError: 'object' object has no attribute 'password_length'
Comment 1 Valentin Heidelberger univentionstaff 2020-02-26 14:11:45 CET
Besides UDM allowing users to create password policies with empty password length, it is also possible to not have a password policy at all by simply removing the default reference from the LDAP base:
cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ldap,dc=base
Comment 2 Valentin Heidelberger univentionstaff 2020-02-26 14:19:12 CET
At least join script 35ucs-school-import.inst is affected by this and fails at creating the unprivileged user: https://git.knut.univention.de/univention/ucsschool/-/blob/4.4/ucs-school-import/35ucs-school-import.inst#L84
Comment 3 Erik Damrose univentionstaff 2020-12-17 12:17:46 CET
Workaround: extend the UDM call and add
--set overridePWLength=1
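
The crash in the traceback of the description, the missing-policy case from comment 1 and the override from comment 3, as an added example that is neither UDM's code nor the reporters': a defensive lookup that treats an empty or absent policies/pwhistory length as unset and falls back to a default instead of dereferencing `self.password_length`. `DEFAULT_MIN_LENGTH`, `FakePolicy`, `policy_min_length`, `check_password_length` and the assumed meaning of `overridePWLength` (skip the length check) are not taken from the page.

```python
# Added example, not UDM's own code: a defensive version of the minimum
# password length lookup that crashes in the traceback above.

DEFAULT_MIN_LENGTH = 8  # assumed default; the real UDM default is not on this page


def policy_min_length(policy, handler_default=DEFAULT_MIN_LENGTH):
    """Return the effective minimum password length.

    An absent policy (default-settings reference removed from LDAP, see
    comment 1), an empty value ('' or None) and a non-numeric value are all
    treated as 'unset' and fall back to handler_default. The original line

        max(0, pwhistoryPolicy.pwhistoryPasswordLength) or self.password_length

    falls through its 'or' branch to an attribute users/ldap never defines,
    so an empty policy length ends in an AttributeError instead.
    """
    if policy is None:
        return handler_default
    raw = getattr(policy, "pwhistoryPasswordLength", None)
    if raw is None or str(raw).strip() == "":
        return handler_default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return handler_default
    return max(0, value) or handler_default  # 0 means 'no minimum set'


def check_password_length(password, policy, override=False):
    """Mirror the check users/ldap performs before create().

    Returns None when the password is acceptable, otherwise an error string.
    `override` models the `--set overridePWLength=1` workaround from comment 3
    (assumed semantics: skip the minimum-length check entirely).
    """
    if override:
        return None
    minimum = policy_min_length(policy)
    if len(password) < minimum:
        return "password too short: %d < %d" % (len(password), minimum)
    return None


class FakePolicy(object):
    """Constructed stand-in for a policies/pwhistory object."""
    def __init__(self, length):
        self.pwhistoryPasswordLength = length
```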
Comment 4 Jan-Luca Kiok univentionstaff 2025-02-05 09:28:31 CET
This issue has been filed against UCS 4.4.

UCS 4.4 is out of maintenance and components may have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer versions, please use "Clone this bug" or reopen this issue. In this case please provide information on how this issue is affecting you.