Univention Bugzilla – Bug 52062
SAML password change & Let's Encrypt with differing FQDN: broken message on password change if password doesn't meet complexity rules
Last modified: 2021-11-12 13:14:34 CET
Steps to reproduce:
* environment with broken Samba4/Kerberos setup (currently not debugged)
* set the "password change on next login" flag for an account
* log in using SAML with this account
* SAML asks to set a new password
* use the current password as new password
* password change fails, error message is: "Passwort ändern fehlgeschlagen. not translated (%s)"

Expected behaviour: A message with translation and without string replacement failures
System is UCS 4.4-5 Errata 750 with Portal Preview App.

Reason for failure during password change was: password too similar.

Changing the password for this account in a shell session:

Administrator@ucs-ma:~$ su - fiona
Passwort:
Sie müssen Ihr Passwort sofort ändern (Passwortablauf).
Current Kerberos password:
Your password will expire at Thu Jan 1 01:00:00 1970
Geben Sie ein neues Passwort ein:
Schlechtes Passwort: ist dem alten zu ähnlich
su: Fehler beim Ändern des Authentifizierungstoken
The broken error message appears at least for "password already used" and "password is too similar to last password".
I cannot reproduce this with UCS 4.4-6-750 + Samba4.
The logs contain:

Error: SSL: no alternative certificate subject name matches target host name 'ucs-ma.ucs-demopoint.intranet'
Password changing response: array (#012 0 => 0,#012 1 => false,#012)

This is a different hostname than the one which is used externally. The following default UCR variables are set:

self-service/backend-server: ucs-ma.ucs-demopoint.intranet
ucs/server/saml-idp-server/ucs-ma.ucs-demopoint.intranet: ucs-ma.ucs-demopoint.intranet

A regular curl also fails:

# curl https://ucs-ma.ucs-demopoint.intranet/
curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-ma.ucs-demopoint.intranet'
Created attachment 10505: patch (git:fbest/52062-saml-password-change-errorhandling)

Patch which adds correct error handling for curl errors.
I could fix the error on your machine by setting 'hostfqdn' in the simplesamlphp config.
You probably should fix your SSL certificate handling.

The hostfqdn is hardcoded in the UCR template /etc/univention/templates/files/etc/simplesamlphp/config.php:

print(" 'hostfqdn' => '%s.%s'," % (configRegistry.get('hostname', ''),configRegistry.get('domainname', '')))
(In reply to Florian Best from comment #6)
> I could fix the error on your machine by setting 'hostfqdn' in the
> simplesamlphpconfig.
> You probably should fix your SSL certificate handling.
> The hostfqdn is hardcoded in the UCR template:
> /etc/univention/templates/files/etc/simplesamlphp/config.php:
> print(" 'hostfqdn' => '%s.%s'," % (configRegistry.get('hostname',
> ''),configRegistry.get('domainname', '')))

The host is a typical Let's Encrypt setup: the UCS FQDN is "internal" / for a private IP, the FQDN in the SSL certificate is "external" / for a public IP which does a port forwarding to the private IP.

Can we move the communication to localhost?
(In reply to Ingo Steuwer from comment #7)
> (In reply to Florian Best from comment #6)
> > I could fix the error on your machine by setting 'hostfqdn' in the
> > simplesamlphpconfig.
> > You probably should fix your SSL certificate handling.
> > The hostfqdn is hardcoded in the UCR template:
> > /etc/univention/templates/files/etc/simplesamlphp/config.php:
> > print(" 'hostfqdn' => '%s.%s'," % (configRegistry.get('hostname',
> > ''),configRegistry.get('domainname', '')))
>
> The host is a typical Let's encrypt setup: the UCS FQDN is "internal" / for
> a private IP, the FQDN in the SSL certificate is "external" / for a public
> IP which does a port forwarding to the private IP.
>
> Can we move the communication to localhost?

In theory yes. At least make it configurable. But this would break e.g. when HSTS is configured.
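As an added illustration of the failure discussed in comments #5 to #8 (this is example code, not Univention's or simplesamlphp's own): the backend call fails because the host name derived from the UCR template (hostname.domainname) is not among the subjectAltNames of the externally issued certificate, so curl aborts with error 51 before any password-change result exists. The check below reproduces that name-matching decision, including the one-label wildcard rule curl applies, and shows why both the manual 'hostfqdn' workaround and the proposed switch to localhost depend on what the served certificate actually lists. The UCR values, the external name portal.example.org and both SAN lists are constructed placeholders; the real SAN list must be read from the served certificate.

```python
"""Added example, not Univention's code: consistency check between the
simplesamlphp 'hostfqdn' (built as '<hostname>.<domainname>' by the UCR
template) and the subjectAltNames of the certificate the backend serves."""


def dns_name_matches(pattern, host):
    """Match one dNSName SAN entry against a host name, case-insensitively.
    A wildcard is accepted only as the complete leftmost label and matches
    exactly one label, which is how curl/OpenSSL apply RFC 6125."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False            # wildcard must be the whole leftmost label
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False            # no '*.tld', and '*' covers one label only
    return p_labels[1:] == h_labels[1:]


def san_covers_host(san_names, host):
    """True if any dNSName SAN entry covers the host."""
    return any(dns_name_matches(name, host) for name in san_names)


def build_hostfqdn(ucr):
    """Mirrors the 'hostfqdn' template line quoted in comment #6."""
    return "%s.%s" % (ucr.get("hostname", ""), ucr.get("domainname", ""))


def check_backend_tls(ucr, cert_sans, hostfqdn_override=None):
    """Return (ok, message). hostfqdn_override stands for setting 'hostfqdn'
    by hand in the simplesamlphp config, the workaround from comment #6."""
    target = hostfqdn_override or build_hostfqdn(ucr)
    if san_covers_host(cert_sans, target):
        return True, "backend host %r is covered by the certificate" % target
    return False, ("backend host %r is not in the certificate SANs %s; curl will "
                   "fail with 'no alternative certificate subject name matches'"
                   % (target, sorted(cert_sans)))


# Constructed sample data; the external name is a placeholder, not the real one
UCR = {"hostname": "ucs-ma", "domainname": "ucs-demopoint.intranet"}
EXTERNAL_CERT_SANS = ["portal.example.org"]        # external Let's Encrypt cert
INTERNAL_CERT_SANS = ["ucs-ma.ucs-demopoint.intranet", "localhost"]  # UCS CA cert


if __name__ == "__main__":
    # Internal FQDN against the external certificate: the failing case from the log
    print(check_backend_tls(UCR, EXTERNAL_CERT_SANS))
    # Workaround from comment #6: point hostfqdn at a name the certificate carries
    print(check_backend_tls(UCR, EXTERNAL_CERT_SANS, hostfqdn_override="portal.example.org"))
    # Proposal from comment #7: localhost only works if the served cert lists it
    print(check_backend_tls(UCR, EXTERNAL_CERT_SANS, hostfqdn_override="localhost"))
    print(check_backend_tls(UCR, INTERNAL_CERT_SANS, hostfqdn_override="localhost"))
```

Running the script prints the four decisions in order: the default internal name fails against the external certificate, the manual override succeeds, and localhost succeeds only against a certificate that lists it, which is the caveat comment #8 raises about making the target configurable.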