How-to: Configure password history policy for UCS & UCS@school

How to:

This article describes how to configure a password history that applies when users/students change their own password from the burger menu, and how to set a password history for the Users module in the UMC.


The password history policies can be configured in 2 different places, but they must be configured identically to avoid inconsistencies.
For more information, see the documentation:
6.4. Password settings for Windows clients when using Samba — Univention Corporate Server - Manual for users and administrators

Step 1: Configure the password history for the Users Module in the UMC.

The default settings for this object look like this:

udm policies/pwhistory list
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ucs5schoolhejne,dc=intranet
  expiryInterval: None
  ldapFilter: None
  length: 3
  name: default-settings
  pwLength: 8
  pwQualityCheck: FALSE

You can now change the settings from the shell, for example:

udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ucs5schoolhejne,dc=intranet --set length=5

Alternatively, change the settings in the UMC web interface.

Screenshot from 2024-03-26 16-51-26
Screenshot from 2024-03-26 16-51-44

This message appears when the policy is active and a password that has already been used is set:

Screenshot from 2024-03-26 18-05-04

Step 2: Configure the password history for Samba in the Burger Menu

The second place is the Samba domain object, which must be configured so that the password history is also active in the burger menu.


This is necessary at this point because the Self-Service uses only the password policy settings from Samba. Therefore, this applies when the setting is implemented in a UCS@school or a Samba-Domain.

The default settings for the Samba domain object:

udm settings/sambadomain list
DN: sambaDomainName=UCS5SCHOOLHEJNE,cn=samba,dc=ucs5schoolhejne,dc=intranet
  NextGroupRid: 1000
  NextRid: 1000
  NextUserRid: 1000
  SID: S-1-5-21-1150003711-260972013-2878653590
  badLockoutAttempts: None
  disconnectTime: None
  domainPasswordComplex: 1
  domainPasswordStoreCleartext: 1
  domainPwdProperties: 17
  lockoutDuration: None
  logonToChangePW: None
  maxPasswordAge: None
  minPasswordAge: None
  passwordHistory: 0
  passwordLength: 8
  refuseMachinePWChange: None
  resetCountMinutes: None

You can change the setting via UDM, for example:

udm settings/sambadomain modify --dn sambaDomainName=UCS5SCHOOLHEJNE,cn=samba,dc=ucs5schoolhejne,dc=intranet --set passwordHistory=3


You can also use samba-tool directly to show and change the settings.


To see which attributes you can change, use:

samba-tool domain passwordsettings set --help

samba-tool domain passwordsettings show
Password information for domain 'DC=ucs5schoolhejne,DC=intranet'

Password complexity: on
Store plaintext passwords: on
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

So you can change the password history setting for the burger menu with samba-tool:

samba-tool domain passwordsettings set --history-length=3

It is also possible to change this in the UMC web interface, in the LDAP directory:
Screenshot from 2024-03-26 17-39-39
Screenshot from 2024-03-26 17-40-01

The message in the burger menu when the policy takes effect:

Screenshot from 2024-03-26 18-17-37
Screenshot from 2024-03-26 18-11-48
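
Because the two policies must be configured identically, it helps to compare them after every change. The following script is an added example, not part of the original article or of UCS: it parses the output of `udm policies/pwhistory list` and `samba-tool domain passwordsettings show` and reports whether the history lengths match. The function names are hypothetical, the sample listings are constructed from the defaults shown above, and only the first policy object in the UDM output is evaluated.

```shell
#!/bin/sh
# Added example: compare the UDM pwhistory policy with the Samba domain policy.
# Function names are hypothetical; only the first matching object is used.

# Read `udm policies/pwhistory list` output on stdin, print the "length" value.
udm_history_length() {
    awk -F': *' '$1 ~ /^[ \t]*length$/ { print $2; exit }'
}

# Read `samba-tool domain passwordsettings show` output on stdin.
samba_history_length() {
    awk -F': *' '$1 == "Password history length" { print $2; exit }'
}

# True only for a non-empty string of digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# $1 = udm output, $2 = samba-tool output.
# Prints a one-line verdict; returns 0 (consistent), 1 (mismatch), 2 (unparsable).
check_history_consistency() {
    udm_len=$(printf '%s\n' "$1" | udm_history_length)
    smb_len=$(printf '%s\n' "$2" | samba_history_length)
    if ! is_uint "$udm_len" || ! is_uint "$smb_len"; then
        echo "UNPARSABLE udm='$udm_len' samba='$smb_len'"
        return 2
    fi
    if [ "$udm_len" -ne "$smb_len" ]; then
        echo "MISMATCH udm=$udm_len samba=$smb_len"
        return 1
    fi
    echo "OK history=$udm_len"
}

# Constructed sample input, shortened from the default listings shown above.
SAMPLE_UDM='DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=example,dc=intranet
  length: 3
  name: default-settings
  pwLength: 8'
SAMPLE_SAMBA="Password information for domain 'DC=example,DC=intranet'

Password complexity: on
Password history length: 0
Minimum password length: 8"

# On a UCS system, pass "$(udm policies/pwhistory list)" and
# "$(samba-tool domain passwordsettings show)" instead of the samples.
check_history_consistency "$SAMPLE_UDM" "$SAMPLE_SAMBA" || true
```

With the default values from both listings (UDM length 3, Samba history length 0), the check reports a mismatch, which is the inconsistency the two steps above remove.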

See also: Q&A: How to Manage Password Policies: UDM-Policy and Samba-Policy?
