Univention Bugzilla – Bug 52439
AD connector generates password with insufficient pwdQuality
Last modified: 2020-12-09 13:11:55 CET
Created attachment 10570 [details]: create complex password

If a user is added in AD, the AD connector sets a "random" generated password at creation of the new UCS user, before actually synchronizing the password. This password is a long sequence of numbers. This is not sufficient if a customer has configured the default pwdpolicy to check for pwdQuality and set "password/quality/mspolicy" to true. The following reject is created:

24.11.2020 13:33:58.703 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1329, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1149, in add_in_ucs
    return bool(ucs_object.create())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1693, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1789, in _check_password_complexity
    raise univention.admin.uexceptions.pwQuality(str(e).replace('W?rterbucheintrag', 'Wörterbucheintrag').replace('enth?lt', 'enthält'))
pwQuality: Password does not meet the password complexity requirements.

The s4connector already creates a sufficient password. We should add the same behavior to the AD connector.
Minor nitpick: The "generate_strong_password" function from the s4connector does not guarantee that the password contains all "charsets" (numbers, lowercase letters, uppercase letters, special characters), it's just highly unlikely.
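As an added illustration (not Univention's code, nor the s4connector's generate_strong_password), the following generator guarantees that every character class is present instead of merely making its absence unlikely, and a checker approximates the Windows complexity rule the "mspolicy" setting refers to. The character classes, the 3-of-4 rule and the minimum length are assumptions made for this example, not the rules UCS's pwdQuality check actually applies.

```python
import secrets
import string

# Character classes a temporary password must cover (constructed for this example).
CHARSETS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!$%&/()=?+-_.,;:#*",
)


def generate_strong_password(length=24):
    """Return a random password containing at least one character from
    every class in CHARSETS (hypothetical generator, not the connector's own)."""
    if length < len(CHARSETS):
        raise ValueError("length must allow one character per class")
    # One guaranteed character per class, then fill up from the union of all classes.
    chars = [secrets.choice(cs) for cs in CHARSETS]
    alphabet = "".join(CHARSETS)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with a CSPRNG so the guaranteed characters do not sit at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def count_classes(password):
    """Number of CHARSETS classes that occur at least once in password."""
    return sum(any(c in cs for c in password) for cs in CHARSETS)


def meets_ms_complexity(password, min_length=8, min_classes=3):
    """Assumed approximation of the Windows complexity requirement:
    at least min_classes of the four classes and at least min_length characters.
    A digit-only password, like the one that caused the reject above, fails here."""
    if len(password) < min_length:
        return False
    return count_classes(password) >= min_classes
```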
I actually used bug number 52261, sorry about that.

367c1ad555 Bug #51804, Bug #52261, Bug #52439: yaml
e1ddf0b64f Bug #52261: changelog
5609166147 Bug #52261: Add test that checks if a user can be added from ad, when mspolicy and pwdQualityCheck is enabled
941c99e05f Bug #52261: If pwcheck is enabled, adding users from ad is rejected, because generated temporary password is not complex enough

I added the same behavior as in the s4connector and added a test case. Waiting for test results.

Successful build
Package: univention-ad-connector
Version: 13.0.0-61A~4.4.0.202012011729
Branch: ucs_4.4-0
Scope: errata4.4-7
User: jbremer
1458ccc48f Bug #52439: pep8

Package: univention-ad-connector
Version: 13.0.0-62A~4.4.0.202012040949
Branch: ucs_4.4-0
Scope: errata4.4-7
TODO - 5.0-0 MR
OK - Jenkins Tests
OK - generate_strong_password
OK - ucs-test
OK - yaml
Created merge-request: https://git.knut.univention.de/univention/ucs/-/merge_requests/45
OK
<https://errata.software-univention.de/#/?erratum=4.4x833>