Univention Bugzilla – Full Text Bug Listing |
Summary: | Password change is case sensitive | ||
---|---|---|---|
Product: | UCS | Reporter: | Stefan Gohmann <gohmann> |
Component: | UMC (Generic) | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
Severity: | normal | ||
Priority: | P5 | CC: | best, meybohm, requate, walkenhorst |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.0-2-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=45728 | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: |
Description
Stefan Gohmann
2015-07-03 07:54:59 CEST
Quoting https://ssimo.org/blog/id_016.html: "Principal names are considered case sensitive by the reference implementation (MIT Kerberos) but some implementation treat them in a case-insensitive way (Active Directory for example). It is safer to always treat principal names in a case sensitive way. (Active Directory will generally always provide the canonicalized form in tickets although it may accept mismatching cases when requesting tickets)." So we should maybe not adjust Heimdal (or MIT) Kerberos but rather canonicalize the name by other means before doing kpasswd (e.g. via the pam stack). A ldap search for the uid attribute of the user is done now. The found value is used as username to change the password. univention-management-console (7.1.63-22): r62116 | Bug #38826: make password change case insensitive Code review: OK: r62116 + r62122 Tests: OK YAML: OK (small adjustments r62141) Merge to UCS 4.1: OK |