UCRV: umc/login/password-complexity-message/*

Specifies a localized text for password complexity notes used on changing the password (e.g. umc/login/password-complexity-message/en='The password must contain at least 3 special chars, at least 20 characters long and consists of at least 5 different characters.').

Setting the variable does not lead to the expected behavior of displaying the text in all relevant services (e.g. the self-service). We should add the text in all needed places and maybe display it not only on a failing password change but also before trying to set a new one.
In the documentation add a hint that for consistent domain wide behavior the variable should be set via a UCR policy.
univention-self-service.yaml
49321ea251e8 | Bug #55529: univention-self-service 5.0.6-3A~5.0.0.202303211211
9acf4d513733 | Bug #55529: univention-self-service Advisory + changelog

univention-self-service (5.0.6-3)
9acf4d513733 | Bug #55529: univention-self-service Advisory + changelog

univention-self-service (5.0.6-2)
6107b45d6e76 | Bug #55529: add umc/login/password-complexity-message/* to password reset error message and create new acount

univention-management-console.yaml
80a9235a82b3 | Bug #55529: univention-management-console 12.0.17-8A~5.0.0.202303211206
3b351ef30182 | Bug #55529: univention-management-console Advisory + changelog

univention-management-console (12.0.17-8)
3b351ef30182 | Bug #55529: univention-management-console Advisory + changelog

univention-management-console (12.0.17-7)
7db025cc2331 | Bug #55529: add umc/login/password-complexity-message/* to password change error message

ucs-test (10.0.10-32)
410ce56d6440 | Bug #55529: ucs-test changelog

ucs-test (10.0.10-31)
de6521cb93d9 | Bug #55529: Add new ucs-test to check the password complexity message
OK: self-service account registration
OK: self-service password-reset/forgotten
OK: UMC login dialog: expired password
OK: UMC login dialog: password does not meet complexity
OK: UMC password change dialog
OK: Portal password change dialog
OK: YAML
Tests failed tonight:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master-part-II/testReport/83_self_service/09_check_password_complexity_message/test_expired_user_login_returns_password_complexity_message_Passwort_muss_mindestens_3_Gro_xdfbuchstaben_enthalten_de_DE_/
Traceback (most recent call last):
  File "/usr/share/ucs-test/83_self_service/09_check_password_complexity_message.py", line 75, in test_expired_user_login_returns_password_complexity_message
    umc_client.umc_auth(user.username, user.password, new_password="U1n2i3v4e5n6t7i8o9n0@#")
  File "/usr/lib/python3/dist-packages/_pytest/python_api.py", line 714, in __exit__
    fail(self.message)
  File "/usr/lib/python3/dist-packages/_pytest/outcomes.py", line 113, in fail
    raise Failed(msg=msg, pytrace=pytrace)
Failed: DID NOT RAISE <class 'Exception'>
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master-part-II/testReport/83_self_service/09_check_password_complexity_message/test_expired_user_login_returns_password_complexity_message_Password_must_contain_at_least_3_upper_case_letters_en_US_/
Traceback (most recent call last):
  File "/usr/share/ucs-test/83_self_service/09_check_password_complexity_message.py", line 75, in test_expired_user_login_returns_password_complexity_message
    umc_client.umc_auth(user.username, user.password, new_password="U1n2i3v4e5n6t7i8o9n0@#")
  File "/usr/lib/python3/dist-packages/_pytest/python_api.py", line 714, in __exit__
    fail(self.message)
  File "/usr/lib/python3/dist-packages/_pytest/outcomes.py", line 113, in fail
    raise Failed(msg=msg, pytrace=pytrace)
Failed: DID NOT RAISE <class 'Exception'>
Also tracebacks:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestJoin/lastCompletedBuild/SambaVersion=no-samba,Systemrolle=master-part-II/testReport/99_end/01_var_log_tracebacks/test_var_log_tracebacks/
2 times in /var/log/univention/management-console-module-passwordreset.log:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestJoin/SambaVersion=no-samba,Systemrolle=master-part-II/ws/test/management-console-module-passwordreset.log
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/password.py", line 177, in check
    if cracklib.VeryFascistCheck(password) == password:
  File "/usr/lib/python3/dist-packages/cracklib.py", line 216, in VeryFascistCheck
    raise ValueError("is too simple")
ValueError: is too simple
2 times in /var/log/univention/management-console-module-passwordreset.log:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestJoin/SambaVersion=no-samba,Systemrolle=master-part-II/ws/test/management-console-module-passwordreset.log
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1659, in _check_password_complexity
    pwdCheck.check(self['password'], username=self['username'], displayname=self['displayName'])
  File "/usr/lib/python3/dist-packages/univention/password.py", line 180, in check
    raise CheckFailed(str(exc))
univention.password.CheckFailed: is too simple
2 times in /var/log/univention/management-console-module-passwordreset.log:
https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-3/job/AutotestJoin/SambaVersion=no-samba,Systemrolle=master-part-II/ws/test/management-console-module-passwordreset.log
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/passwordreset/__init__.py", line 677, in create_self_registered_account
    new_user.create()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1268, in _create
    al.extend(self._ldap_modlist())
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1562, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1661, in _check_password_complexity
    raise univention.admin.uexceptions.pwQuality(str(exc))
univention.admin.uexceptions.pwQuality: Password policy error: is too simple.
univention.admin.uexceptions.pwQuality: Fehler in der Passwort-Richtlinie: is too simple.
ucs-test (10.0.10-34) d0f9f624a894 | Bug #55529: fix ucs-test-self-service and create a new one to check password complexity message on password change
OK: test case fixed (different password complexity settings for Samba were necessary)
OK: no tracebacks in the log occur anymore
<https://errata.software-univention.de/#/?erratum=5.0x627> <https://errata.software-univention.de/#/?erratum=5.0x631>
ucs-test (10.0.10-63) 704972abe91f | Bug #55529: Fix ucs-test to check the password complexity message
Customer affected 2025031021000158
I reopened the bug because I received a ticket from a customer who runs into exactly these errors. I can recreate the scenario on my school test system.
UCS: 5.0-9 errata1212
Installed: samba4=4.16 ucsschool=5.0 v6
samba4/role: DC
server/role: domaincontroller_master
system/setup/boot/select/role: true
ucsschool/import/roleshare/.*/path: <empty>
ucsschool/import/roleshare: <empty>
ucsschool/update/user/role: yes
Passwörter (Schüler)
Klasse oder Arbeitsgruppe Name 0 Einträge von 1 ausgewählt Name Änderung des Passwortes erforderlich
Benachrichtigungen
Ein Fehler ist aufgetreten: Die Anfrage konnte nicht bearbeitet werden.
Interner Server-Fehler in "schoolusers/password/reset (student)".
Interner Server-Fehler in "schoolusers/password/reset (student)".
Request: schoolusers/password/reset (student)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolusers/__init__.py", line 167, in password_reset
    _password_reset(request, ldap_user_write)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolusers/__init__.py", line 160, in _password_reset
    user.modify()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1288, in modify
    return super(object, self).modify(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 693, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response, serverctrls=serverctrls)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1398, in _modify
    ml = self._ldap_modlist()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1580, in _ldap_modlist
    self._check_password_complexity(pwhistoryPolicy)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1677, in _check_password_complexity
    raise univention.admin.uexceptions.pwToShort(_('The password is too short, at least %d characters needed!') % (password_minlength,))
univention.admin.uexceptions.pwToShort: Fehler in der Passwort-Richtlinie: Das Passwort ist zu kurz, mindestens 10 Zeichen erforderlich!

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/udm/connections.py", line 71, in _wrap_connection
    return func(**kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 161, in getAdminConnection
    lo = univention.uldap.getAdminConnection(start_tls, decode_ignorelist=decode_ignorelist)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 132, in getAdminConnection
    bindpw = open('/etc/ldap.secret').read().rstrip('\n')
FileNotFoundError: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/etc/ldap.secret'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/base.py", line 388, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/univention/management/console/base.py", line 285, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/decorators.py", line 189, in _response
    return function(self, request)
  File "/usr/lib/python3/dist-packages/ucsschool/lib/school_umc_ldap_connection.py", line 156, in wrapper_func
    return func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolusers/__init__.py", line 173, in password_reset
    udm_admin_save_user_with_extended_attributes(request.options["userDN"])
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolusers/__init__.py", line 89, in udm_admin_save_user_with_extended_attributes
    user = get_udm_user_mod().get(dn)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/schoolusers/__init__.py", line 60, in get_udm_user_mod
    return UDM.admin().version(2).get("users/user")
  File "/usr/lib/python3/dist-packages/univention/udm/udm.py", line 165, in admin
    connection = LDAP_connection.get_admin_connection()
  File "/usr/lib/python3/dist-packages/univention/udm/connections.py", line 87, in get_admin_connection
    cls._connection_admin, _po = cls._wrap_connection(univention.admin.uldap.getAdminConnection)
  File "/usr/lib/python3/dist-packages/univention/udm/connections.py", line 73, in _wrap_connection
    six.reraise(ConnectionError, ConnectionError('Could not read secret file'), sys.exc_info()[2])
  File "/usr/lib/python3/dist-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib/python3/dist-packages/univention/udm/connections.py", line 71, in _wrap_connection
    return func(**kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 161, in getAdminConnection
    lo = univention.uldap.getAdminConnection(start_tls, decode_ignorelist=decode_ignorelist)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 132, in getAdminConnection
    bindpw = open('/etc/ldap.secret').read().rstrip('\n')
univention.udm.exceptions.ConnectionError: Could not read secret file
It would be very good and helpful for non-admin users if instead of the current display that an error has occurred and the traceback can be viewed, help or a hint is displayed as to why the password cannot be reset or set. We cannot expect a school teacher to have the skills to read and understand a traceback.
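In the traceback above, a password-policy rejection is followed by a second failure raised while the first was being handled, so the user is shown an internal server error instead of the policy text. The following is an added example, not Univention code, of handling the policy error first and appending the configured umc/login/password-complexity-message/* hint; every class and function name, the dict standing in for UCR, and the fallback to the English text are assumptions.

```python
# Constructed stand-in for the UCR key space named in the bug description;
# the two texts are taken from the test names quoted in this report.
PREFIX = "umc/login/password-complexity-message/"
UCR = {
    PREFIX + "en": "Password must contain at least 3 upper case letters",
    PREFIX + "de": "Passwort muss mindestens 3 Großbuchstaben enthalten",
}


class PolicyError(Exception):
    """Hypothetical stand-in for a policy rejection such as pwToShort or pwQuality."""


class SecretUnavailable(Exception):
    """Hypothetical stand-in for the ConnectionError on an unreadable secret file."""


def complexity_hint(ucr, locale):
    """Return the hint for a locale like 'de_DE'; assumed fallback: English, else ''."""
    lang = locale.split("_")[0].lower()
    return ucr.get(PREFIX + lang) or ucr.get(PREFIX + "en", "")


def reset_password(modify, admin_retry, locale, ucr=UCR):
    """Run a reset and return (ok, user_message) without exposing a traceback."""
    try:
        modify()
        return True, ""
    except PolicyError as exc:
        # The new password itself was rejected: a privileged retry cannot fix
        # that, so report the policy text plus the administrator's hint.
        return False, f"{exc} {complexity_hint(ucr, locale)}".strip()
    except Exception:
        # Only failures unrelated to policy reach the privileged retry.
        try:
            admin_retry()
            return True, ""
        except SecretUnavailable:
            # Log the details server-side; the user gets an actionable message.
            return False, "The password could not be changed. Please contact an administrator."
```
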
This issue happened again in a customer environment. Cloned this bug https://forge.univention.org/bugzilla/show_bug.cgi?id=58189
This bug is already released: <https://errata.software-univention.de/#/?erratum=5.0x627> <https://errata.software-univention.de/#/?erratum=5.0x631> → Continue in Bug #58189