Bug 51354 - univentionPWLength or univentionPWHistoryLen left empty breaks passwordchange for users
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Password changes
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-1-errata
Assigned To: Siavash Sefid Rodi
QA Contact: Florian Best
Duplicates: 42780
Depends on: 42780
Blocks:
Reported: 2020-05-25 23:16 CEST by Michel Smidt
Modified: 2022-03-23 14:14 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016102621000533
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Description Michel Smidt 2020-05-25 23:16:04 CEST
+customer


+++ This bug was initially created as a clone of Bug #42780 +++

If, in the password policy for a user, the values for univentionPWLength or univentionPWHistoryLen are left empty (instead of e.g. "0"), this user cannot change his password.

kpasswd throws:

Soft error : External password quality program failed: Traceback (most recent call last): [no traceback appears...]

The strace traceback points to the solution:
7604  read(13, "Traceback (most recent call last):\n  File \"/usr/share/univention-heimdal/check_cracklib.py\", line 64, in <module>\n    pwdCheck = univention.password.Check(None, params['principal'])\n  File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 51, in __init__\n    self._userPolicy(username)\n  File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 96, in _userPolicy\n    self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])\nKeyError: 'univentionPWHistoryLen'\n", 4096) = 527

The related code snippet from password.py (body of _userPolicy):
    policy_result = self.lo.getPolicies(dn)
    if policy_result.get('univentionPolicyPWHistory'):
        # Both lookups assume the attribute is present in the policy;
        # if only one of the two is set, the other raises KeyError.
        self.min_length=int(policy_result['univentionPolicyPWHistory']['univentionPWLength']['value'][0])
        self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])
        # The quality-check flag, by contrast, is looked up defensively.
        if policy_result['univentionPolicyPWHistory'].get('univentionPWQualityCheck'):
            univentionPasswordQualityCheck = policy_result['univentionPolicyPWHistory']['univentionPWQualityCheck']['value'][0]
            if univentionPasswordQualityCheck.lower() in ['yes', 'true', '1', 'on' ]:
                self.enableQualityCheck = True
    self.pwhistory = self.lo.search(base=dn, attr=['pwhistory'])[0][1].get('pwhistory')
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2021-09-21 14:20:13 CEST
Happened again in a large school customer environment.
(+ customer)
Comment 3 Florian Best univentionstaff 2022-03-08 09:11:25 CET
Traceback (most recent call last):
  File "/usr/share/univention-heimdal/check_cracklib.py", line 64, in <module>
    pwdCheck = univention.password.Check(None, params['principal'])
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 51, in __init__
    self._userPolicy(username)
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 96, in _userPolicy
    self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])
KeyError: 'univentionPWHistoryLen'

The reason is a univentionPolicyPWHistory without set univentionPWHistoryLen.

You can find the objects which are causing this with the following command:
univention-ldapsearch '(&(objectClass=univentionPolicyPWHistory)(!(univentionPWHistoryLen=*)))' -LLL

I guess this command can be used to create such a password history policy:
udm policies/pwhistory create --position cn=pwhistory,cn=users,cn=policies,$(ucr get ldap/base) --set name=foo
Comment 4 Florian Best univentionstaff 2022-03-08 09:31:53 CET
*** Bug 42780 has been marked as a duplicate of this bug. ***
Comment 5 Siavash Sefid Rodi univentionstaff 2022-03-09 08:56:59 CET
This bug appears if ONE of univentionPWHistoryLen or univentionPWLength is not set in policies/pwhistory. If both are set it works as expected; if both are not set it also works as expected. To reproduce, you must remove ONE of them (not both).

How to reproduce:


1. Check with

udm users/user list --policies=2

if univentionPWHistoryLen and univentionPWLength are both set for the user you want to test with. If both are set, go to step 2. If only one is set, go to step 4. If both are missing, go to step 3.


2. If univentionPWHistoryLen and univentionPWLength are BOTH set, remove one, "length" or "pwLength", from policies/pwhistory, but NOT both. Bug is only triggered if one of the two is missing. You can use 

udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet --remove pwLength

Check with 

 udm users/user list --policies=2

that the user is missing the removed attribute (univentionPWHistoryLen in case you removed length, univentionPWLength in case you removed pwLength).


3. If univentionPWHistoryLen and univentionPWLength are BOTH missing, set one, "length" or "pwLength", from policies/pwhistory, but NOT both. Bug is only triggered if one of the two is missing. You can use 

 udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=mydomain,dc=intranet --set length=3

Check with 

 udm users/user list --policies=2

that the user has exactly one of the attributes (univentionPWHistoryLen or univentionPWLength).


4. Trigger password change, replace "mytestusername" with the username you want to use:

 echo -en 'principal: mytestusername\nnew-password: univention2\nend\n' | /usr/share/univention-heimdal/check_cracklib.py


You should see a KeyError with this command.
Comment 6 Siavash Sefid Rodi univentionstaff 2022-03-10 08:48:07 CET
Issue has been resolved: 

Changing a user password is now possible again when the referenced 
Password History policy did not define values for password length or
history length. See the comment above for how to reproduce the problem.

univention-python: 13.0.2-7A~5.0.0.202203091733

49a07a753d Bug #51354: fixed KeyError in _userPolicy.
b1b38f8d99 Bug #51354: yaml + debian changelog
9b88bb23fa Bug #51354: Merge branch 'ssefidrodi/51354-fix-empty-password-history' into 5.0-1
52cd94b779 Bug #51354: YAML
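The lookup quoted in the description beside a tolerant version, as an added example that is neither univention-python's code nor the fix from the commits above; the getPolicies() result is modelled as a nested dict of the shape the traceback shows, and the fallback values are assumptions:

```python
# Added example, not code from univention-python: the quoted _userPolicy
# lookup beside a tolerant version. getPolicies() is modelled as returning
# {policy_name: {attr: {'value': [raw, ...]}}}; the fallback values below
# are assumptions, not the defaults the UCS fix uses.
DEFAULT_MIN_LENGTH = 8      # assumed fallback for univentionPWLength
DEFAULT_HISTORY_LENGTH = 3  # assumed fallback for univentionPWHistoryLen
TRUE_WORDS = ('yes', 'true', '1', 'on')


def _first_value(policy, attr):
    """Return the first value of attr as text, or None if unset/empty."""
    values = policy.get(attr, {}).get('value') or []
    if not values:
        return None
    raw = values[0]
    return raw.decode('utf-8') if isinstance(raw, bytes) else raw


def user_policy_buggy(policy_result):
    """Same logic as the snippet quoted in the bug: raises KeyError when
    exactly one of the two attributes is missing from the policy."""
    pw = policy_result.get('univentionPolicyPWHistory')
    if not pw:
        return None
    return (int(pw['univentionPWLength']['value'][0]),
            int(pw['univentionPWHistoryLen']['value'][0]))


def user_policy_tolerant(policy_result):
    """Hardened lookup: every attribute may be absent; returns
    (min_length, history_length, enable_quality_check)."""
    pw = policy_result.get('univentionPolicyPWHistory') or {}
    min_len = _first_value(pw, 'univentionPWLength')
    hist_len = _first_value(pw, 'univentionPWHistoryLen')
    quality = _first_value(pw, 'univentionPWQualityCheck') or ''
    return (int(min_len) if min_len is not None else DEFAULT_MIN_LENGTH,
            int(hist_len) if hist_len is not None else DEFAULT_HISTORY_LENGTH,
            quality.lower() in TRUE_WORDS)


# Constructed policy result: only "length" (history) is set, as in step 3
# of the reproduction, so the buggy lookup raises KeyError.
HALF_SET_POLICY = {
    'univentionPolicyPWHistory': {
        'univentionPWHistoryLen': {'value': [b'3']},
        'univentionPWQualityCheck': {'value': [b'TRUE']},
    }
}
```

With HALF_SET_POLICY, user_policy_buggy raises KeyError('univentionPWLength') while user_policy_tolerant returns (8, 3, True).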
Comment 7 Florian Best univentionstaff 2022-03-14 12:39:41 CET
OK: problem reproduced, it's fixed now
OK: fallback to defaults (cracklib works with MIN_LENGTH -1)
OK: code review
OK: YAML