Problem: userPassword contains invalid characters

Problem

Retrieving the list of all users, or modifying an existing user, fails with the following error message:

Traceback (most recent call last):
 File "/usr/lib/python3/dist-packages/univention/management/console/modules/decorators.py", line 259, in _run
   result = self._function(*args, **kwargs)  # type: Union[BaseException, _T]
 File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/__init__.py", line 644, in query
   result = module.search(container, objectProperty, objectPropertyValue, superordinate, scope=scope, hidden=hidden, allow_asterisks=USE_ASTERISKS)
 File "/usr/lib/python3/dist-packages/univention/management/console/modules/udm/udm_ldap.py", line 696, in search
   result = self.module.lookup(None, ldap_connection, filter_s, base=container, superordinate=superordinate, scope=scope, sizelimit=sizelimit, **kwargs)
 File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1894, in lookup
   result.append(cls(co, lo, None, dn=dn, superordinate=superordinate, attributes=attrs))
 File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1139, in __init__
   univention.admin.handlers.simpleLdap.__init__(self, co, lo, position, dn, superordinate, attributes=attributes)
 File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 262, in __init__
   oldinfo = self.mapping.unmapValues(self.oldattr)
 File "/usr/lib/python3/dist-packages/univention/admin/mapping.py", line 634, in unmapValues
   info[key] = func(oldattr, **kwargs)
 File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 884, in unmapDisabled
   unmapPosixDisabled(oldattr) or isPosixLocked(oldattr),
 File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 938, in isPosixLocked
   userPassword = oldattr.get('userPassword', [b''])[0].decode('ASCII')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 5: ordinal not in range(128)

Solution

Remove or overwrite the user's invalid userPassword value, e.g. by using the following LDIF:

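# "::" marks the value as base64 (e0s1S0VZfQ== decodes to {K5KEY}); with a single ":" the literal text would be stored.
dn: ${user_dn?}
changetype: modify
replace: userPassword
userPassword:: e0s1S0VZfQ==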

Then apply it; ldapmodify reads the LDIF from standard input unless a file is given with -f:
ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret

Afterwards the user's password should be set again.

Investigation

Individual users have invalid values in their userPassword attribute, i.e. bytes that cannot be decoded as ASCII. This can be checked as follows:

  1. Create a helper script (test-pw.py, chmod +x)
#!/usr/bin/python3
# Print the base64 value and its decoded bytes if they are not pure ASCII.
import sys
import base64

base64v = sys.argv[1]
d = base64.b64decode(base64v)
try:
    d.decode("ascii")
except UnicodeDecodeError:
    print(str(base64v) + " - " + str(d))
  2. Find affected values
$ univention-ldapsearch univentionObjectType=users/user uid -LLL userPassword | grep userPassword: | cut -d " " -f 2 | while read line; do ./test-pw.py "${line}"; done
w3Rlc3Q= - b'\xc3test'
  3. Find affected users
$ univention-ldapsearch univentionObjectType=users/user uid -LLL userPassword | grep -B2 w3Rlc3Q=
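
The two search steps above can be combined into a single pass over the ldapsearch output that also handles folded LDIF lines and reports the DN directly. This is an added example, not part of the original article or Univention's code; the script name find-bad-pw.py, the function names and the sample entries under dc=example,dc=test are assumptions constructed for illustration.

```python
#!/usr/bin/python3
"""Report DNs whose userPassword is not pure ASCII (reads `ldapsearch -LLL` output)."""
import base64
import sys

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def find_non_ascii_passwords(ldif_text):
    """Return [(dn, raw_bytes)] for every userPassword that fails .decode('ascii')."""
    hits, dn = [], None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" carries a base64 value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        if attr.lower() == "dn":
            dn = value.decode("utf-8", "replace")
        elif attr.lower() == "userpassword":
            try:
                value.decode("ascii")  # same check that fails in isPosixLocked
            except UnicodeDecodeError:
                hits.append((dn, value))
    return hits

# Constructed sample: one valid entry and one with the invalid value shown above.
SAMPLE = """\
dn: uid=alice,cn=users,dc=example,dc=test
userPassword:: e0s1S0VZfQ==

dn: uid=bob,cn=users,dc=example,dc=test
userPassword:: w3Rlc3Q=
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for dn, raw in find_non_ascii_passwords(text):
        print(f"{dn} - {raw!r}")
```

Pipe the search into it: univention-ldapsearch univentionObjectType=users/user uid -LLL userPassword | ./find-bad-pw.py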
