How to:
This article shows how to configure a password history that applies both when users/students change their own password from the burger menu and when passwords are set through the Users module in the UMC.
Hint
The password history policies can be configured in 2 different places, but they must be configured identically to avoid inconsistencies.
For more information, see the documentation:
6.4. Password settings for Windows clients when using Samba — Univention Corporate Server - Manual for users and administrators
Step 1: Configure the password history for the Users Module in the UMC.
The default settings for this object look like this:
udm policies/pwhistory list
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ucs5schoolhejne,dc=intranet
expiryInterval: None
ldapFilter: None
length: 3
name: default-settings
pwLength: 8
pwQualityCheck: FALSE
You can now change the settings from the shell, for example:
udm policies/pwhistory modify --dn cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ucs5schoolhejne,dc=intranet --set length=5
Alternatively, change the settings in the UMC web interface.
This message appears when the policy is active and a password that has already been used is set:
Step 2: Configure the password history for Samba in the Burger Menu
The second place is the Samba domain object. Configure it so that the password history is also active in the burger menu.
Hint
This is necessary because the Self-Service uses only the password policy settings from Samba. It therefore applies when the setting is implemented in a UCS@school environment or a Samba domain.
The default settings for the Samba domain object:
udm settings/sambadomain list
DN: sambaDomainName=UCS5SCHOOLHEJNE,cn=samba,dc=ucs5schoolhejne,dc=intranet
NextGroupRid: 1000
NextRid: 1000
NextUserRid: 1000
SID: S-1-5-21-1150003711-260972013-2878653590
badLockoutAttempts: None
disconnectTime: None
domainPasswordComplex: 1
domainPasswordStoreCleartext: 1
domainPwdProperties: 17
lockoutDuration: None
logonToChangePW: None
maxPasswordAge: None
minPasswordAge: None
name: UCS5SCHOOLHEJNE
passwordHistory: 0
passwordLength: 8
refuseMachinePWChange: None
resetCountMinutes: None
You can change the setting via UDM (choose the same history length as in Step 1, so that both policies stay identical):
udm settings/sambadomain modify --dn sambaDomainName=UCS5SCHOOLHEJNE,cn=samba,dc=ucs5schoolhejne,dc=intranet --set passwordHistory=3
Alternatively, you can use samba-tool directly to show and change the settings.
Hint
To see which attributes you can change, use:
samba-tool domain passwordsettings set --help
samba-tool domain passwordsettings show
Password information for domain 'DC=ucs5schoolhejne,DC=intranet'
Password complexity: on
Store plaintext passwords: on
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
You can therefore change the password history setting for the burger menu with samba-tool:
samba-tool domain passwordsettings set --history-length=3
The setting can also be changed in the UMC web interface, in the LDAP directory:
The message in the burger menu when the policy takes effect:
See also: Q&A: How to Manage Password Policies: UDM-Policy and Samba-Policy?
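Because the UDM policy and the Samba domain object must carry the same history length, a small drift check helps after any change. The script below is an added example, not part of the original article or of UCS; the function names are hypothetical and the sample input is abridged from the command outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original article): compare the UDM password
# history policy with the Samba domain password settings.
# Function names are hypothetical; sample outputs are taken from this page.

# Print the "length" attribute from `udm policies/pwhistory list` (stdin).
# Assumes the output holds one policy, e.g. --filter name=default-settings.
udm_history_length() {
    awk -F': *' '$1 ~ /^[ \t]*length$/ {
        sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Print the history length from `samba-tool domain passwordsettings show` (stdin).
samba_history_length() {
    awk -F': *' '$1 == "Password history length" {
        sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Return 0 if both values are numeric and equal, 1 on drift, 2 if unparsable.
compare_history() {
    for v in "$1" "$2"; do
        case "$v" in
            ''|*[!0-9]*) echo "cannot parse history length: '$v'" >&2; return 2 ;;
        esac
    done
    if [ "$1" -ne "$2" ]; then
        echo "DRIFT: UDM policy history=$1, Samba history=$2"
        return 1
    fi
    echo "OK: both histories are $1"
}

# Sample input: the default outputs shown in this article (abridged).
UDM_SAMPLE='DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=ucs5schoolhejne,dc=intranet
  length: 3
  name: default-settings
  pwLength: 8'
SAMBA_SAMPLE='Password complexity: on
Password history length: 0
Minimum password length: 8'

udm_len=$(printf '%s\n' "$UDM_SAMPLE" | udm_history_length)
samba_len=$(printf '%s\n' "$SAMBA_SAMPLE" | samba_history_length)
compare_history "$udm_len" "$samba_len" || true

# On a UCS system, feed the live output instead:
#   udm policies/pwhistory list --filter name=default-settings | udm_history_length
#   samba-tool domain passwordsettings show | samba_history_length
```

With the defaults shown in this article the check reports drift (3 versus 0), which is the state before Step 2 has been applied.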