Univention Bugzilla – Bug 51354
univentionPWLength or univentionPWHistoryLen left empty breaks passwordchange for users
Last modified: 2022-03-23 14:14:33 CET
+customer

+++ This bug was initially created as a clone of Bug #42780 +++

If in the password policy for a user the values for univentionPWLength or univentionPWHistoryLen are left empty (instead of e.g. "0"), this user cannot change his password. kpasswd throws:

    Soft error : External password quality program failed:
    Traceback (most recent call last):
    [no traceback appears...]

The strace traceback points to the solution:

    7604 read(13, "Traceback (most recent call last):\n File \"/usr/share/univention-heimdal/check_cracklib.py\", line 64, in <module>\n pwdCheck = univention.password.Check(None, params['principal'])\n File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 51, in __init__\n self._userPolicy(username)\n File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 96, in _userPolicy\n self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])\nKeyError: 'univentionPWHistoryLen'\n", 4096) = 527

The related code snippet from password.py (indentation reconstructed from the original flattened text):

    policy_result = self.lo.getPolicies(dn)
    if policy_result.get('univentionPolicyPWHistory'):
        self.min_length=int(policy_result['univentionPolicyPWHistory']['univentionPWLength']['value'][0])
        self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])
        if policy_result['univentionPolicyPWHistory'].get('univentionPWQualityCheck'):
            univentionPasswordQualityCheck = policy_result['univentionPolicyPWHistory']['univentionPWQualityCheck']['value'][0]
            if univentionPasswordQualityCheck.lower() in ['yes', 'true', '1', 'on' ]:
                self.enableQualityCheck = True
    self.pwhistory = self.lo.search(base=dn, attr=['pwhistory'])[0][1].get('pwhistory')
Happened again in a large school customer environment. (+ customer)
    Traceback (most recent call last):
      File "/usr/share/univention-heimdal/check_cracklib.py", line 64, in <module>
        pwdCheck = univention.password.Check(None, params['principal'])
      File "/usr/lib/pymodules/python2.7/univention/password.py", line 51, in __init__
        self._userPolicy(username)
      File "/usr/lib/pymodules/python2.7/univention/password.py", line 96, in _userPolicy
        self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])
    KeyError: 'univentionPWHistoryLen'

The reason is a univentionPolicyPWHistory without set univentionPWHistoryLen. You can find the objects which are causing this with the following command:

    univention-ldapsearch '(&(objectClass=univentionPolicyPWHistory)(!(univentionPWHistoryLen=*)))' -LLL

I guess this command can be used to create such a password history policy:

    udm policies/pwhistory create --position cn=pwhistory,cn=users,cn=policies,$(ucr get ldap/base) --set name=foo
*** Bug 42780 has been marked as a duplicate of this bug. ***
This Bug appears if ONE of univentionPWHistoryLen or univentionPWLength is not set in policies/pwhistory. If both are set it works as expected; if both are not set it also works as expected. To reproduce, you must remove ONE of them (not both).

How to reproduce:

1. Check with "udm users/user list --policies=2" if univentionPWHistoryLen and univentionPWLength are both set for the user you want to test with. If both are set, go to step 2. If only one is set, go to step 4. If both are missing, go to step 3.

2. If univentionPWHistoryLen and univentionPWLength are BOTH set, remove one, "length" or "pwLength", from policies/pwhistory, but NOT both. The bug is only triggered if one of the two is missing. You can use

       udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet --remove pwLength

   Check with "udm users/user list --policies=2" that the user is missing the removed attribute (univentionPWHistoryLen in case you removed length, univentionPWLength in case you removed pwLength).

3. If univentionPWHistoryLen and univentionPWLength are BOTH missing, set one, "length" or "pwLength", in policies/pwhistory, but NOT both. The bug is only triggered if one of the two is missing. You can use

       udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet --set length=3

   Check with "udm users/user list --policies=2" that the user has exactly one of the attributes (univentionPWHistoryLen or univentionPWLength).

4. Trigger a password change, replacing "mytestusername" with the username you want to use:

       echo -en 'principal: mytestusername\nnew-password: univention2\nend\n' | /usr/share/univention-heimdal/check_cracklib.py

   You should see a KeyError with this command.
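The failure mode described in the comments above, reduced to a stand-alone example. This is added illustration, not Univention's code: it models the policy_result dict shape visible in the traceback (policy objectClass -> attribute -> {'value': [...]}) with a constructed stand-in for lo.getPolicies(dn), puts the fragile lookup pattern quoted from password.py next to a tolerant variant that falls back to defaults when an attribute is absent or empty, and drives both through the cases from the reproduction steps (both set, exactly one set, both missing, value left empty). The default values (-1 for the minimum length, 0 for the history length) and the helper names are assumptions for the example; the bug report only says that cracklib works with MIN_LENGTH -1.

```python
# Added example, not Univention's password.py. Models the policy_result
# structure from the traceback and compares a fragile lookup with a tolerant one.

DEFAULT_MIN_LENGTH = -1      # assumption; report only says cracklib accepts MIN_LENGTH -1
DEFAULT_HISTORY_LENGTH = 0   # assumption
TRUE_WORDS = ['yes', 'true', '1', 'on']


def policy_result_from_ldap(attrs):
    """Constructed stand-in for lo.getPolicies(dn): wraps each present attribute
    as {'value': [...]} under the policy objectClass; a policy without any
    attribute is omitted, which matches 'both missing works as expected'."""
    if not attrs:
        return {}
    return {'univentionPolicyPWHistory': {k: {'value': [v]} for k, v in attrs.items()}}


def user_policy_fragile(policy_result):
    """Same lookup pattern as the snippet quoted in the bug report:
    raises KeyError as soon as exactly one of the two attributes is absent."""
    min_length = history_length = None
    enable_quality_check = False
    if policy_result.get('univentionPolicyPWHistory'):
        pw = policy_result['univentionPolicyPWHistory']
        min_length = int(pw['univentionPWLength']['value'][0])          # KeyError if absent
        history_length = int(pw['univentionPWHistoryLen']['value'][0])  # KeyError if absent
        if pw.get('univentionPWQualityCheck'):
            if pw['univentionPWQualityCheck']['value'][0].lower() in TRUE_WORDS:
                enable_quality_check = True
    return min_length, history_length, enable_quality_check


def _policy_int(pw, attr, default):
    """Read an integer policy attribute; absent, empty or non-numeric -> default."""
    values = pw.get(attr, {}).get('value') or []
    try:
        return int(values[0])
    except (IndexError, ValueError, TypeError):
        return default


def user_policy_tolerant(policy_result):
    """Hypothetical hardened variant: every attribute is optional."""
    pw = policy_result.get('univentionPolicyPWHistory') or {}
    min_length = _policy_int(pw, 'univentionPWLength', DEFAULT_MIN_LENGTH)
    history_length = _policy_int(pw, 'univentionPWHistoryLen', DEFAULT_HISTORY_LENGTH)
    quality = (pw.get('univentionPWQualityCheck', {}).get('value') or [''])[0]
    enable_quality_check = str(quality).lower() in TRUE_WORDS
    return min_length, history_length, enable_quality_check


def compare(attrs):
    """Run both variants on one constructed policy; the fragile result is
    replaced by an 'ExceptionName: message' string when it raises."""
    policy_result = policy_result_from_ldap(attrs)
    try:
        fragile = user_policy_fragile(policy_result)
    except (KeyError, ValueError) as exc:
        fragile = '%s: %s' % (type(exc).__name__, exc.args[0])
    return fragile, user_policy_tolerant(policy_result)


if __name__ == '__main__':
    cases = {
        'both set':          {'univentionPWLength': '8', 'univentionPWHistoryLen': '3'},
        'only pwLength':     {'univentionPWLength': '8'},
        'only length':       {'univentionPWHistoryLen': '3'},
        'both missing':      {},
        'history left empty': {'univentionPWLength': '8', 'univentionPWHistoryLen': ''},
    }
    for name, attrs in cases.items():
        print('%-20s fragile=%r tolerant=%r' % (name, *compare(attrs)))
```

Running the block prints one line per case; the "only pwLength" and "only length" rows reproduce the KeyError from the report while the tolerant variant returns defaults for the missing half, and the "history left empty" row shows why an empty value needs the same treatment as an absent one.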
Issue has been resolved: Changing a user password is now possible again when the referenced Password History policy did not define values for password length or history length. See comment above for how to reproduce the problem.

univention-python: 13.0.2-7A~5.0.0.202203091733

    49a07a753d Bug #51354: fixed KeyError in _userPolicy.
    b1b38f8d99 Bug #51354: yaml + debian changelog
    9b88bb23fa Bug #51354: Merge branch 'ssefidrodi/51354-fix-empty-password-history' into 5.0-1
    52cd94b779 Bug #51354: YAML
OK: problem reproduced, it's fixed now
OK: fallback to defaults (cracklib works with MIN_LENGTH -1)
OK: code review
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x258>