Description Arvid Requate 2020-09-17 19:41:41 CEST

/usr/share/univention-heimdal/check_cracklib.py from univention-heimdal passes the  principalName to univention.password.Check. With the change from Bug #51994 and with a UCR variable setting of password/quality/mspolicy of 'true' or 'sufficient' this only checks if full principalName is part of the new password (case insensitive check).

It should pass username and displayName instead, because that's what should not be part of the password according to the MS standard password complexity criteria.

Currently this only affects domains without Samba/AD, because only univention-heimdal-kdc configures the Debian heimdal-kdc to call this script (if UCR variable kerberos/password/quality/check is active, which is the default).