Bug 52439 - AD connector generates password with insufficient pwdQuality
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
UCS 4.4
Other Linux
: P5 normal
: UCS 4.4-7-errata
Assigned To: Julia Bremer
Felix Botner
https://git.knut.univention.de/univen...
:
Depends on:
Blocks:
Reported: 2020-11-30 09:31 CET by Julia Bremer
Modified: 2020-12-09 13:11 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
bremer: Patch_Available+


Attachments
create complex password (1.38 KB, patch)
2020-11-30 09:31 CET, Julia Bremer

Description Julia Bremer univentionstaff 2020-11-30 09:31:11 CET
Created attachment 10570 [details]
create complex password

If a user is added in AD, the AD connector sets a "random" generated password at creation of the new UCS user, before actually synchronizing the password.
This password is a long sequence of numbers.
This is not sufficient if a customer has configured the default pwdpolicy to check for pwdQuality and set "password/quality/mspolicy" to true.
The following reject is created:

24.11.2020 13:33:58.703 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1329, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1149, in add_in_ucs
    return bool(ucs_object.create())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1693, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1789, in _check_password_complexity
    raise univention.admin.uexceptions.pwQuality(str(e).replace('W?rterbucheintrag', 'Wörterbucheintrag').replace('enth?lt', 'enthält'))
pwQuality: Password does not meet the password complexity requirements.


The s4connector already creates a sufficient password.
We should add the same behavior to the AD connector.
Comment 1 Julia Bremer univentionstaff 2020-11-30 10:19:36 CET
Minor nitpick:
The "generate_strong_password" function from the s4connector does not guarantee that the password contains all "charsets" (numbers, lowercase letters, uppercase letters, special characters), it's just highly unlikely.
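The two points above (a digits-only temporary password failing a complexity check, and a generator that only makes all character classes likely rather than guaranteed) can be shown side by side. The following is an added illustration, not code from UCS, the AD connector or the s4connector: `meets_complexity` is a hypothetical, simplified model of a Windows-style "3 of 4 classes" rule and is not the UDM `_check_password_complexity` implementation, the `SPECIAL` alphabet is constructed, and the code uses Python 3's `secrets` module rather than the Python 2.7 environment shown in the traceback.

```python
import secrets
import string

# Character classes a Windows-style ("mspolicy") complexity rule counts.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"  # constructed set; no quotes or backslash
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)


def count_character_classes(password):
    """Return how many of the four classes occur at least once in password."""
    return sum(1 for cls in CLASSES if any(ch in cls for ch in password))


def meets_complexity(password, min_length=8, min_classes=3):
    """Hypothetical check modelled on the Windows complexity rule:
    at least min_length characters drawn from at least min_classes of the
    four classes. This is NOT the UCS/UDM _check_password_complexity code."""
    return len(password) >= min_length and count_character_classes(password) >= min_classes


def numeric_only_password(length=24):
    """Reproduce the shape described in the bug report: a long run of
    digits. It satisfies any length rule but only ever hits one class."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def generate_complex_password(length=32):
    """Guarantee at least one character from every class (rather than merely
    making it likely), fill the remainder from the union of all classes, then
    shuffle with a CSPRNG so the guaranteed characters sit at random positions."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars.extend(secrets.choice(alphabet) for _ in range(length - len(chars)))
    secrets.SystemRandom().shuffle(chars)  # Fisher-Yates backed by os.urandom
    return "".join(chars)


if __name__ == "__main__":
    weak = numeric_only_password()
    strong = generate_complex_password()
    print("numeric-only:", weak, "->", meets_complexity(weak))
    print("complex:     ", strong, "->", meets_complexity(strong))
```

The point of the explicit per-class draw is that `count_character_classes(generate_complex_password(n))` is 4 for every output, so a temporary placeholder password created before the real one is synchronized can never be rejected by a class-count rule; a purely random draw from the union alphabet only makes that rejection improbable.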
Comment 3 Julia Bremer univentionstaff 2020-12-02 10:11:35 CET
I actually used bug number 52261, sorry about that.

367c1ad555 Bug #51804, Bug #52261, Bug #52439: yaml
e1ddf0b64f Bug #52261: changelog
5609166147 Bug #52261: Add test that checks if a user can be added from ad, when mspolicy and pwdQualityCheck is enabled
941c99e05f Bug #52261: If pwcheck is enabled, adding users from ad is rejected, because generated temporary password is not complex enough

I added the same behavior as in the s4connector and added a test case.
Waiting for test results

Successful build
Package: univention-ad-connector
Version: 13.0.0-61A~4.4.0.202012011729
Branch: ucs_4.4-0
Scope: errata4.4-7
User: jbremer
Comment 4 Julia Bremer univentionstaff 2020-12-04 09:51:29 CET
1458ccc48f Bug #52439: pep8
Package: univention-ad-connector
Version: 13.0.0-62A~4.4.0.202012040949
Branch: ucs_4.4-0
Scope: errata4.4-7
Comment 5 Felix Botner univentionstaff 2020-12-04 11:30:09 CET
TODO - 5.0-0 MR

OK - Jenkins Tests
OK - generate_strong_password
OK - ucs-test
OK - yaml
Comment 6 Julia Bremer univentionstaff 2020-12-04 11:55:48 CET
Created merge-request:

https://git.knut.univention.de/univention/ucs/-/merge_requests/45
Comment 7 Felix Botner univentionstaff 2020-12-04 12:33:28 CET
OK