Bug 52706 - With complexity checking enabled, UDM throws a traceback when creating a simple authentication User.
Status: RESOLVED DUPLICATE of bug 52446
Product: UCS
Classification: Unclassified
Component: univention-lib
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on: 51994
Blocks:
Reported: 2021-01-27 13:03 CET by Dirk Schnick
Modified: 2021-01-27 15:06 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021012621000791
Bug group (optional):
Max CVSS v3 score:
Description Dirk Schnick univentionstaff 2021-01-27 13:03:29 CET
+++ This bug was initially created as a clone of Bug #51994 +++

Currently univention.password.Check doesn't support configuration of standard MS password criteria:

https://docs.microsoft.com/de-de/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

We currently use cracklib, which doesn't offer the "minclass" configuration option which e.g. pam_cracklib offers.

On the other hand, cracklib checks too much, e.g. for palindromes and social security number format.

We should provide a way for customers to configure the standard MS password criteria,
even if they don't use Samba/AD. And those who do may benefit from this too, because univention.password.Check is used in UDM users/user to check passwords set via UMC/UDM-web or UDM-cli.

=====================================================================

With complexity checking enabled, UDM throws a traceback when creating a Simple Authentication User. According to Erik, a regression of bug 51994.
A simple authentication user has no attribute display name...

root@dc0:~ # udm users/ldap create --position cn=users,$(ucr get ldap/base) --set username="authacc3" --set password="univention"
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 219, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 409, in doit
    out = _doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/admin.py", line 755, in _doit
    dn = object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1241, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 223, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/ldap.py", line 302, in _check_password_complexity
    pwdCheck.check(self['password'], username=self['username'], displayname=self['displayName'])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 478, in __getitem__
    elif key not in self.__no_default and self.descriptions[key].editable:
KeyError: 'displayName'
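
An added example, not part of the original report and not Univention's code: a minimal Python check for the Microsoft complexity criteria linked in the description, written so that a missing display name (as on the users/ldap object in the traceback) is tolerated instead of raising KeyError. The names check_complexity, char_classes and get_optional are hypothetical, and the character classes are approximated with Unicode categories.

```python
import re
import unicodedata

# Delimiters the Microsoft policy uses to split the display name into tokens.
_TOKEN_SPLIT = re.compile(r"[,.\-_ #\t]+")
_MIN_CLASSES = 3  # "three of the five categories"


def char_classes(password):
    """Return the set of character categories present in the password."""
    classes = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            classes.add("upper")
        elif cat == "Ll":
            classes.add("lower")
        elif cat == "Nd":
            classes.add("digit")
        elif cat.startswith("L"):
            classes.add("other_letter")  # alphabetic, neither upper nor lower
        else:
            classes.add("special")
    return classes


def check_complexity(password, username=None, displayname=None):
    """Return a list of violations; an empty list means the password passes."""
    errors = []
    lowered = password.lower()
    if username and len(username) >= 3 and username.lower() in lowered:
        errors.append("contains username")
    # displayname may be None: users/ldap objects have no such property.
    for token in _TOKEN_SPLIT.split(displayname or ""):
        if len(token) >= 3 and token.lower() in lowered:
            errors.append("contains display name token %r" % token)
    if len(char_classes(password)) < _MIN_CLASSES:
        errors.append("fewer than %d character classes" % _MIN_CLASSES)
    return errors


def get_optional(obj, key):
    """Read a property that not every object type defines."""
    try:
        return obj[key]
    except KeyError:
        return None
```

A caller would pass `get_optional(obj, 'displayName')` rather than indexing the object directly, so object types without that property are still checked against the username and character-class rules.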
Comment 1 Arvid Requate univentionstaff 2021-01-27 15:06:04 CET

*** This bug has been marked as a duplicate of bug 52446 ***