Univention Bugzilla – Bug 52446
35ucs-school-import.inst traceback in password quality check when creating users/ldap "importhttpapi-dc-backup"
Last modified: 2021-06-02 17:09:33 CEST
```
Configure 35ucs-school-import.inst Mon Nov 30 14:37:38 CET 2020
2020-11-30 14:37:38.379475972+01:00 (in joinscript_init)
Creating password for unprivileged LDAP user importhttpapi-dc-backup.
Creating unprivileged LDAP user importhttpapi-dc-backup...
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 302, in _check_password_complexity
    pwdCheck.check(self['password'], username=self['username'], displayname=self['displayName'])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 478, in __getitem__
    elif key not in self.__no_default and self.descriptions[key].editable:
KeyError: 'displayName'
```

First, displayName is very confusing, because a simple authentication account does not have a 'display name'. So maybe looking for 'description'?

So removing the quality check in the default password policy fixed the problem temporarily and the joinscript got finished.
It's a regression caused by Bug #51994.
I think we have two things here:
1. the password generated for importhttpapi-dc-backup doesn't meet the complexity criteria
2. the error message is misleading

We should focus on 1. here, so I change the component.
No, the code is wrong. user/ldap doesn't have a displayName and thus the check generates the traceback no matter how complex the password is.
*** Bug 52706 has been marked as a duplicate of this bug. ***
The part of the join script generating a password not secure enough is handled in Bug 52770. This bug (52446) will handle the error in UDM.
(In reply to Daniel Tröder from comment #6)
> The part of the join script generating a password not secure enough is
> handled in Bug 52770.

With this done, the 'school customer affected' flag can be removed from this bug.
Successful build
Package: univention-directory-manager-modules
Version: 14.0.20-11A~4.4.0.202105181748
Branch: ucs_4.4-0
Scope: errata4.4-8
User: jbremer

1e596d4dc2 Bug #52446: yaml
659cd55a3c Bug #52446: Dont evaluate displayname with users/ldap when checking mspolicy complexity

Added the test test/ucs-test/tests/61_udm-users/54_udm_users_ldap_mspolicy

Waiting for test results
Tests were successful, created merge request https://git.knut.univention.de/univention/ucs/-/merge_requests/95
# Tests done

1. Set up the environment (in a 4.8. system):

```
$ ucr set password/quality/mspolicy=true
$ udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=univention,dc=intranet --set pwQualityCheck=TRUE
```

2. Reproduce the error

```
$ udm users/ldap create --ignore_exists --set username=jdoe2 --set lastname=Doe2 --set password=1test2test3!
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 302, in _check_password_complexity
    pwdCheck.check(self['password'], username=self['username'], displayname=self['displayName'])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 478, in __getitem__
    elif key not in self.__no_default and self.descriptions[key].editable:
KeyError: 'displayName'
```

3. Apply patch and test again

* added test servers to /etc/apt/sources.list
* updated the system (checked that it contained an update of univention-directory-manager-modules)

```
udm users/ldap create --ignore_exists --set username=jdoe2 --set lastname=Doe2 --set password=1test2test3!
WARNING: The object is not going to be created underneath of its default containers.
Object created: uid=jdoe2,dc=univention,dc=intranet
```

> The fix works.
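
The failure mode in this bug and the guard named in the fix commit title, as an added example that is not Univention's UDM code: the classes `Handler`, `LdapUser`, `FullUser` and the functions `complexity_ok`, `check_before`, `check_after` are hypothetical, and the complexity rule is a simplified stand-in for the mspolicy check.

```python
# Added illustration: a simplified model, not Univention's UDM code.
import re


class Handler:
    """Toy UDM-like object: item access fails for properties the module lacks."""
    descriptions = ()

    def __init__(self, **values):
        self.values = values

    def __getitem__(self, key):
        if key not in self.descriptions:
            raise KeyError(key)
        return self.values.get(key)


class LdapUser(Handler):  # models users/ldap: no displayName property
    descriptions = ("username", "lastname", "password")


class FullUser(Handler):  # models a user module that does have displayName
    descriptions = ("username", "lastname", "password", "displayName")


def complexity_ok(password, username, displayname=None):
    """Stand-in rule (assumption): 3 of 4 character classes, no name tokens."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        return False
    tokens = [username] + re.split(r"[\s,._-]+", displayname or "")
    return not any(len(t) >= 3 and t.lower() in password.lower() for t in tokens)


def check_before(obj):
    # Pre-fix shape: displayName is read unconditionally, so a module
    # without that property fails before the password is even evaluated.
    return complexity_ok(obj["password"], obj["username"], obj["displayName"])


def check_after(obj):
    # Post-fix shape: displayName is only read when the module defines it.
    display = obj["displayName"] if "displayName" in obj.descriptions else None
    return complexity_ok(obj["password"], obj["username"], display)
```

With the guard in place the quality check stays enabled and still rejects weak passwords for `LdapUser` objects, instead of being switched off as a workaround.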
<https://errata.software-univention.de/#/?erratum=4.4x986>