Univention Bugzilla – Bug 51904
password won't be updated through AD-connector in UCS, if flag "change password next login" is already set
Last modified: 2024-02-19 13:13:44 CET
univention-app info
UCS: 4.4-5 errata712
Installed: adconnector=12.0 itslearning=3.2 self-service=4.0 self-service-backend=4.0 ucs-to-school-transformer=1.3.2 ucsschool=4.4 v6 ucsschool-kelvin-rest-api=1.1.1
Upgradable: ucsschool-kelvin-rest-api

If a *new* initial password is generated for a user for whom the "user must change the password at the next login" flag has been set in the past, the *new* initial password will not be updated via the AD connector to UCS. If the "user must change the password at the next login" flag is removed in UCS and then the password reset and the setting of the "user must change the password at the next login" flag in Active Directory are performed again, the password and the flag will be synced properly to UCS.

The current workaround works as follows:
1. After the "user must change the password at the next login" flag has been removed in the UMC, this information and the password in UCS are synchronized back to Active Directory.
2. Login with the old password works.
3. After another password change in Active Directory, the password and the flag are now synchronized to UCS again.
4. Now the passwords are again identical on both sides. Test logins were successful.

https://forge.univention.org/bugzilla/show_bug.cgi?id=51585 was the prior task for the customer regarding the sync of the pw change flag.
Resetting the password again without touching "change password at next login" is the one scenario where the password changes but the attribute "pwdLastSet" does not (if "change password at next login" is set, pwdLastSet is always 0). At least one "normal" (non-password) attribute has to change so that the post_ucs_modify_functions are even run. These post_ucs_modify_functions include the univention.connector.ad.password.password_sync function. This is why the password is not updated.
Removing "msDS-RevealedDSA" from the UCR variable "connector/ad/mapping/attributes/irrelevant" fixes this as a workaround. The replication time will increase due to this change though, since almost every change will then be polled and processed by the AD connector. (See Bug #51518)
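The failure mode described in the two comments above, as an added illustration that is not the connector's own code: a simplified model of the "did a relevant attribute change?" decision that gates the post-modify hooks (and therefore password_sync). The rule that only non-password attribute changes trigger the hooks and the attribute names come from this bug; that msDS-RevealedDSA changes on a password reset is inferred from the workaround and treated as an assumption.

```python
"""Simplified model of the AD connector's change-relevance check (added
example, not the connector's code). The exact filtering is a constructed
approximation of the behaviour described in the bug discussion."""

# The password hash is fetched separately and never counts as a trigger.
PASSWORD_ATTRS = {"unicodePwd"}
# connector/ad/mapping/attributes/irrelevant as the discussion describes it
# (assumption: only this entry matters for the scenario modelled here).
IRRELEVANT_DEFAULT = frozenset({"msDS-RevealedDSA"})


def relevant_changes(old, new, irrelevant=IRRELEVANT_DEFAULT):
    """Attributes whose value differs between two polls, minus the password
    attribute and everything on the configured irrelevant list."""
    changed = {a for a in set(old) | set(new) if old.get(a) != new.get(a)}
    return changed - PASSWORD_ATTRS - set(irrelevant)


def password_sync_runs(old, new, irrelevant=IRRELEVANT_DEFAULT):
    """post_ucs_modify_functions (which include password_sync) only run when
    at least one relevant attribute changed."""
    return bool(relevant_changes(old, new, irrelevant))


def reset_with_flag_already_set(irrelevant=IRRELEVANT_DEFAULT):
    """Constructed sample: the admin resets the password of a user whose
    'must change password at next login' flag is already set, so pwdLastSet
    is 0 before and after. Assumption: msDS-RevealedDSA changes on the reset."""
    before = {"sAMAccountName": "alice", "pwdLastSet": 0,
              "unicodePwd": "hash-old", "msDS-RevealedDSA": "dsa-1"}
    after = {**before, "unicodePwd": "hash-new", "msDS-RevealedDSA": "dsa-2"}
    return password_sync_runs(before, after, irrelevant)


def reset_and_set_flag():
    """Constructed sample: password reset plus newly set flag. pwdLastSet goes
    from a timestamp to 0, a relevant change, so the password is synced."""
    before = {"sAMAccountName": "alice", "pwdLastSet": 132450000000000000,
              "unicodePwd": "hash-old"}
    after = {**before, "pwdLastSet": 0, "unicodePwd": "hash-new"}
    return password_sync_runs(before, after)


if __name__ == "__main__":
    print("reset, flag already set (default UCR):", reset_with_flag_already_set())
    print("same, msDS-RevealedDSA not irrelevant:", reset_with_flag_already_set(frozenset()))
    print("reset and flag newly set:", reset_and_set_flag())
```

With the default irrelevant list the first case yields no relevant change, so password_sync never runs; dropping msDS-RevealedDSA from the list makes the same reset trigger it, at the cost of processing far more polled changes.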
After deploying the workaround in comment #3 the following happened: Password + Password Reset Flag setting in AD synced successfully to UCS; resetting the password in AD again synced the new password correctly, but removed the Password Reset Flag in UCS, while it is still set in AD. I will attach a logfile extract in a private comment.
Created attachment 10483: evaluate correctly if pwdChangeNextLogin shall be updated

In addition to setting the UCR variable as described in comment #3, the following patch fixes this issue. One boolean expression was incorrectly constructed.
Created attachment 10484: evaluate correctly if pwdChangeNextLogin shall be updated

Not influencing this particular problem, but the same syntactic problem occurs twice and should be patched too.
534c8efd90 Bug #51904: yaml
23556f6c5d Bug #51904: yaml
62df2ace7c Bug #51904: changelogs
9a3051945c Bug #51904: Fix a typo, which led pwdChangeNextLogin to change even

Package: ucs-test
Version: 9.0.5-9A~4.4.0.202010051916
Package: univention-ad-connector
Version: 13.0.0-55A~4.4.0.202010051921
---------------------------------------------

I fixed the typo as described in comment 7 and extended the test case 503test_password_change_next_logon. We will not unset the UCR variable connector/ad/mapping/attributes/irrelevant by default. Most users won't use this corner case and profit more from the reduced load created by the AD connector due to this variable being set. We should open a new bug report that changing the password ONLY (without changing pwdLastSet) does not work by default.
As discussed, the tests need some modification.
2112d3cb67 Bug #51904: Create testuser with --must-change-at-next-login, unset correct ucr var

http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-6/job/ADConnectorMultiEnv/9/console
TODO - merge request
OK - test
OK - jenkins
OK - yaml
Merge request created: https://git.knut.univention.de/univention/ucs/-/merge_requests/14
OK
<https://errata.software-univention.de/#/?erratum=4.4x769>
Just for information: This error pattern could also happen if the checkbox „Kennwort läuft nicht ab“ is set in AD, which simultaneously undermines „User muss Kennwort bei der nächsten Anmeldung ändern“.