Univention Bugzilla – Bug 51585
Sync "The user must change the password at next login" does only work if the password is changed at the same time
Last modified: 2020-07-01 18:15:21 CEST
Created attachment 10405 [details] Adapted ucs-test which reveals the problem +++ This bug was initially created as a clone of Bug #51298 +++ At bug #51298 the feature to sync the pwdLastSet attribute from/to AD was added. Unfortunately this only works when syncing TO AD. When syncing FROM AD, the password has to be modified as well in AD, to sync the attribute. In password.py the logic is outlined is as follows: password_sync() if nt_hash: # password has to be set if pwd_changed: # password has to differ between AD and UCS LDAP if pwdLastSet or pwdLastSet == 0: [sync pwdLastSet] I have attached a modified test 503test_password_change_next_logon which currently fails when only the pwdLastSet attribute is set to 0 for a AD user.
In a short test on a live customer system we saw that just changing the userpassword + setting pwdLastSet=0 did not sync the attribute either. By briefly looking at the code i assumed that changing both at the same time should be enough, we should doublecheck that again.
Successful build Package: univention-ad-connector Version: 13.0.0-48A~4.4.0.202006281054 Branch: ucs_4.4-0 Scope: errata4.4-4 Successful build Package: ucs-test Version: 9.0.3-2345A~4.4.0.202006271350 Branch: ucs_4.4-0 Scope: errata4.4-4 be1fff0dce Bug #51583: update yaml 4171797da4 Bug #51585: fixup f4dae2ba96 Bug #51585: yaml 2cb831b0fe Bug #51585: Update pwdChangeNextLogin also when password was not changed I adjusted the ucs-test to your suggestion and fixed the problem in the AD Connector. Tests, including the updated test are green: http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-4/job/ADConnectorMultiEnv/Version=w2k12-german/34/ As a workaround, resetting the password and checking the box "change password at next login" should work and does work on my test machine.
OK - manual test OK - ucs-test test OK - jenkins OK - yaml
<http://errata.software-univention.de/ucs/4.4/643.html>