Bug 52446 - 35ucs-school-import.inst traceback in password quality check when creating users/ldap "importhttpapi-dc-backup"
35ucs-school-import.inst traceback in password quality check when creating us...
Status: NEW
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UMC maintainers
UMC maintainers
:
: 52706 (view as bug list)
Depends on: 51994
Blocks:
  Show dependency treegraph
 
Reported: 2020-11-30 17:41 CET by Christina Scheinig
Modified: 2021-03-03 13:56 CET (History)
8 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020112421000492, 2021012621000791
Bug group (optional): Regression
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2020-11-30 17:41:49 CET
Configure 35ucs-school-import.inst Mon Nov 30 14:37:38 CET 2020
2020-11-30 14:37:38.379475972+01:00 (in joinscript_init)
Creating password for unprivileged LDAP user importhttpapi-dc-backup.
Creating unprivileged LDAP user importhttpapi-dc-backup...
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 302, in _check_password_complexity
    pwdCheck.check(self['password'], username=self['username'], displayname=self['displayName'])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 478, in __getitem__
    elif key not in self.__no_default and self.descriptions[key].editable:
KeyError: 'displayName'


First displayName is much confusing, because a simple authentication accound doe not have a 'display name'. So maybe looking for 'description'?   

So removing the quality check in the default password policy fixed the problem temporarily and the joinscript got finished.
Comment 1 Florian Best univentionstaff 2020-11-30 17:51:54 CET
It's a regression caused by Bug #51994.
Comment 3 Ingo Steuwer univentionstaff 2021-01-25 09:01:54 CET
I think we have two things here:

1. the password generated for importhttpapi-dc-backup doesn't meet the complexity criterias
2. the error message is misleading

We should focus on 1. here, so I change the component.
Comment 4 Arvid Requate univentionstaff 2021-01-27 15:05:11 CET
No, the code is wrong. user/ldap doesn't have a displayName
and thus the check gerenates the traceback no matter how
complex the password is.
Comment 5 Arvid Requate univentionstaff 2021-01-27 15:06:04 CET
*** Bug 52706 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Tröder univentionstaff 2021-02-11 13:36:46 CET
The part of the join script generating a password not secure enough is handled in Bug 52770.
This bug (52446) will handle the error in UDM.
Comment 9 Erik Damrose univentionstaff 2021-03-03 13:56:57 CET
(In reply to Daniel Tröder from comment #6)
> The part of the join script generating a password not secure enough is
> handled in Bug 52770.

With this done, the 'school customer affected' flag can be removed from this bug.