Change Password (Self Service component) - Password check not working correctly

We noticed that it’s possible to bypass the password complexity check using the Change Password application (self service module)

We have a test user and we did try to set the password to abcdefghijklmNOPQRSTUVWXYZ012345 in the System and Domain Settings / Users / Testusers / General, using the password fields.
When trying to save the password, we did get the notification “The LDAP object could not be saved: Password policy error: it is too simplistic/systematic”

Then, we logged out and opened the Change Password App
This app asks for 4 different things: username, old password, and the new password twice.
We filled in all 4 fields, using the password “abcdefghijklmNOPQRSTUVWXYZ012345” (without the quotes) as the new password.
Then, on saving this, we did get the confirmation “The password has been changed successfully.”

This means it’s possible to set your password to a simple password, while the settings should prevent this…

Settings in UCR:

password/hashing/method : SHA-512
password/quality/credit/digits : 1
password/quality/credit/lower : 1
password/quality/credit/other : 1
password/quality/credit/upper : 1
password/quality/forbidden/chars : {empty}
password/quality/required/chars : {empty}

The simple password is missing the required “other” characters

The Self Service App installed version is 3.0
Current version of UCS is 4.3-1 errata218

Hey,

password quality settings are, unfortunately, a hugely confusing topic (and I don’t grok it completely myself either). There are actually two instances that check passwords for their quality, and both need to be configured in different ways. The introductory remarks in the user password configuration section of the admin manual actually state so themselves. The two sides are:

  1. The OpenLDAP side. This one is configured by all those UCR variables. It is involved when you create a user in the UMC or when the user logs in to the UMC and uses the password change module there.
  2. The Samba4 LDAP side. This one is configured through policy settings on the Samba domain object in the OpenLDAP tree (confusing, isn’t it?) — and even through GPOs. This side is always involved when Kerberos is used as the mechanism for changing passwords.

So about the self-service module: what isn’t apparent is that the self-service module uses Kerberos for changing the password — unlike the other two UMC-based methods. Therefore the change is done on the Samba4 side, meaning the UCR variables don’t actually come into play.

In my opinion the UCS admin documentation could really use more clarity on this topic:

  1. It does mention that there are two authorities that use different sets of configuration options. That’s good.
  2. It does not explicitly list which method of changing passwords involves which authority (from the top of my head: UMC admin modules for managing users; UMC user module for changing own password; password self-service app; Windows clients; passwd tool on the command line; kpasswd tool on the command line; slappasswd tool on the command line; directly via LDAP calls on the OpenLDAP server; directly via LDAP calls on the Samba4 LDAP…).
  3. It does not list all the ways those settings can be affected (again from the top of my head: UCR variables; Samba4 domain object in OpenLDAP; samba-tool domain passwordsettings …; group policies…) and how they interact.

Kind regards,
mosu
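The following is an added example, not code from either poster or from Univention. It re-implements, for illustration, the character-class minimums that the OpenLDAP side's password/quality/credit/* UCR variables configure, so you can see on paper why abcdefghijklmNOPQRSTUVWXYZ012345 fails the UMC check (no "other" character) while the Kerberos-based self-service path, which consults the Samba side instead, never sees these variables. The reading of each credit variable as "minimum number of characters of that class" is an assumption of the example, the helper names (count_class, count_other, ucr_or_default, check_openldap_policy, demo) are invented here, and the "too simplistic/systematic" heuristic the real overlay also applies is not modelled.

```shell
#!/bin/sh
# Illustrative re-implementation of the OpenLDAP-side character-class check.
# Assumption: password/quality/credit/{digits,lower,upper,other} are read as
# the minimum number of characters of that class the password must contain.
# The real check lives in the UCS LDAP overlay and additionally rejects
# "systematic" passwords; that part is deliberately not modelled here.

# Number of characters matching a tr(1) class (e.g. '[:digit:]') in $1.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Number of characters that are neither letters nor digits ("other").
count_other() {
    printf '%s' "$1" | tr -d '[:alnum:]' | wc -c | tr -d ' '
}

# Read a UCR variable when running on a UCS host, otherwise fall back to $2
# so the example also runs offline. (ucr get prints nothing for unset keys.)
ucr_or_default() {
    if command -v ucr >/dev/null 2>&1; then
        v=$(ucr get "$1")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    fi
    printf '%s\n' "$2"
}

# check_openldap_policy PASSWORD MIN_DIGITS MIN_LOWER MIN_UPPER MIN_OTHER
# Returns 0 when every minimum is met, 1 otherwise, printing each shortfall.
check_openldap_policy() {
    pw=$1; rc=0
    digits=$(count_class "$pw" '[:digit:]')
    lower=$(count_class "$pw" '[:lower:]')
    upper=$(count_class "$pw" '[:upper:]')
    other=$(count_other "$pw")
    [ "$digits" -ge "$2" ] || { echo "digits: have $digits, need $2"; rc=1; }
    [ "$lower"  -ge "$3" ] || { echo "lower:  have $lower, need $3";  rc=1; }
    [ "$upper"  -ge "$4" ] || { echo "upper:  have $upper, need $4";  rc=1; }
    [ "$other"  -ge "$5" ] || { echo "other:  have $other, need $5";  rc=1; }
    return $rc
}

# Demo with the password from the report and the thread's UCR values
# (credit/digits=1, lower=1, upper=1, other=1), taken from UCR if available.
demo() {
    pw='abcdefghijklmNOPQRSTUVWXYZ012345'   # constructed from the report
    d=$(ucr_or_default password/quality/credit/digits 1)
    l=$(ucr_or_default password/quality/credit/lower 1)
    u=$(ucr_or_default password/quality/credit/upper 1)
    o=$(ucr_or_default password/quality/credit/other 1)
    if check_openldap_policy "$pw" "$d" "$l" "$u" "$o"; then
        echo "OpenLDAP-side policy would accept: $pw"
    else
        echo "OpenLDAP-side policy would reject: $pw"
    fi
    # The Samba side is a separate authority with its own settings; on a DC
    # compare them with:  samba-tool domain passwordsettings show
}

demo
```

Run it on a UCS host to see the UMC-side verdict next to whatever `samba-tool domain passwordsettings show` reports; the two disagreeing is exactly the situation described in this thread.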