Univention Bugzilla – Bug 52052
univention-heimdal/check_cracklib.py doesn't support checking if password contains user/displayname
Last modified: 2021-01-27 15:06:04 CET
/usr/share/univention-heimdal/check_cracklib.py from univention-heimdal passes the principalName to univention.password.Check. With the change from Bug #51994 and with a UCR variable setting of password/quality/mspolicy of 'true' or 'sufficient', this only checks if the full principalName is part of the new password (case-insensitive check). It should pass username and displayName instead, because that's what should not be part of the password according to the MS standard password complexity criteria. Currently this only affects domains without Samba/AD, because only univention-heimdal-kdc configures the Debian heimdal-kdc to call this script (if UCR variable kerberos/password/quality/check is active, which is the default).
*** This bug has been marked as a duplicate of bug 52061 ***
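The gap described in this report, as an added example that is not code from univention-heimdal or univention.password: a check against the full principal name beside a check against username and displayName. The function names, the sample account and the passwords are constructed for illustration; the token splitting and the three-character minimum follow Microsoft's documented complexity rule and go beyond what the report itself states.

```python
import re

# Delimiters Microsoft's complexity rule uses to split displayName into tokens:
# comma, period, hyphen, underscore, space, pound sign, tab.
_DELIMS = re.compile(r"[,.\-_ #\t]+")


def contains_principal(password, principal):
    """Check as described in the report: only the full principal name is compared."""
    return principal.lower() in password.lower()


def contains_name_parts(password, username, display_name):
    """True if the password contains the username or any displayName token."""
    pw = password.lower()
    # The account name is compared as a whole and skipped if shorter than 3 chars.
    if len(username) >= 3 and username.lower() in pw:
        return True
    # displayName tokens shorter than 3 characters are ignored.
    for token in _DELIMS.split(display_name):
        if len(token) >= 3 and token.lower() in pw:
            return True
    return False


# Constructed sample account and candidate passwords.
PRINCIPAL = "jdoe@EXAMPLE.ORG"
USERNAME = "jdoe"
DISPLAY_NAME = "Jane Doe-Smith"
CANDIDATES = ["Jdoe#2021x", "SmithWinter!9", "correct-Horse7"]


def compare():
    """Return (password, principal_check_hit, name_parts_check_hit) per candidate."""
    return [
        (pw,
         contains_principal(pw, PRINCIPAL),
         contains_name_parts(pw, USERNAME, DISPLAY_NAME))
        for pw in CANDIDATES
    ]


if __name__ == "__main__":
    for pw, by_principal, by_parts in compare():
        print(f"{pw!r}: principal check hit={by_principal}, name check hit={by_parts}")
```

The first two candidates contain the username or a displayName token, yet the principal-only comparison never matches because no password contains the `@EXAMPLE.ORG` suffix.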