5.4. User password management
Most internet users find it difficult to select the right password. The password is the key to accessing user accounts, in Nubus as well. Passwords that are difficult to guess and regular password changes are essential elements of system security. To prevent users from choosing weak passwords, administrators can configure several properties in a password policy.
This section describes how to define password policies, such as a minimum password length and an expiration time interval. Nubus applies the password policy when users change their passwords.
Nubus stores the user password for every user as a hash in different attributes of the corresponding user account LDAP object:
- krb5Key: stores the Kerberos password.
- userPassword: stores the Unix password. Other Linux distributions store it in /etc/shadow.
- sambaNTPassword: stores the NT password hash used by Samba.
See also
- Creating Secure Passwords by the German Federal Office of Information Security for more information and tips about creating a secure and good password.
5.4.1. Password policy types
Nubus has various types of password policy settings as outlined in this section. Which policy applies depends on who runs the password change.
- Password Policy in UDM
The Password Policy applies to user password changes made through management modules in the Management UI, which in turn use UDM in the backend. It applies when an administrator changes a user’s password through the Management UI, the UDM HTTP REST API or UDM. It also applies when a user changes their password.
Nubus defines a default password policy. Password policy settings describes the available settings for the Password Policy. To enhance the Password quality check, see Password quality check. You can create additional password policies and assign them to user account objects in the LDAP directory tree. For more information about policies, see Policies module.
- Other password policy types
For other password policy types that apply to the UCS appliance, see Password policy types in Univention Corporate Server - Manual for users and administrators [2].
5.4.2. Change the user password
Changing the user password has the following triggers:
Nubus requires the user to change their password, for example, because the password reached the expiration interval. See the following settings:
Through a setting at the user account. For example, an administrator requests the user to change their password upon next sign-in.
The user decides to change their password.
When a user decides to change their password, they can use the following ways:
- Portal
Nubus for Kubernetes and a UCS domain of UCS appliances have the Portal installed. To change the password, use the following steps:
Sign in to the Portal.
Navigate to the user menu. It’s the “burger menu” in the top right corner.
Select .
Provide your current password and set a new password. Retype it and confirm.
- End User Self Service
The End User Self Service offers a direct link to the password change so that administrators can add a prominent tile to the Portal for the password change. Furthermore, it offers a way to reset the user password when users forget it.
The User self services is a dedicated app in the Univention App Center.
The End User Self Service is part of a Nubus for Kubernetes installation.
See also
- Change the user password in Univention Corporate Server - Manual for users and administrators [2] for more methods to change the user password in a UCS appliance environment.
5.4.3. Password policy settings
Administrators can define the minimum password length, the expiry interval and the password history length through password policies in the Policies module in the Management UI.
Fig. 5.5 shows the password policy settings. This section provides a reference of the available settings.

Fig. 5.5 Configuring a password policy
On the General tab of a password policy, you can configure the following settings.
- History length
The password history saves the last used password hashes. The History length determines the length of that history, for example, if the history stores the last three or the last seven passwords. Users can’t reuse passwords from the password history for setting a new password. Nubus doesn’t store the passwords retroactively.
To deactivate the validation for the password history, set the value to 0.
- Example
If Nubus stored ten passwords, and you reduce the value for the password history length to 3, Nubus deletes the oldest seven passwords from the password history during the next password change. If you then change the password history length, the number of stored passwords stays at three and increases with each password change.
- Password length
The Password length is the minimum length in characters that a user password must comply with. If you don’t set a value, Nubus applies the minimum length of 8 characters.
The default value always applies if you don’t set a policy, and you activated the Override password check checkbox. It even applies if you deleted the default-settings password policy.
To deactivate the validation for the password length, set the value to 0.
- Password expiry interval
A Password expiry interval demands regular password changes. Nubus requires a user to change their password during sign-in to the Management UI, to Kerberos, and on UCS appliance systems if the expiry interval in days has passed.
Nubus shows the remaining validity of the user password in the Users management module at Password expiry date on the Account tab. To deactivate the Password expiry interval, leave the value blank.
- Password quality check
If you activate the option Password quality check, Nubus runs additional password checks, including dictionary checks, for password changes through the Management UI and Kerberos.
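The History length and Password length rules above, modeled as an added Python example (not Nubus or UDM code). The class and function names are hypothetical, PBKDF2 stands in for the real hash scheme, and checking a candidate against every stored entry before trimming is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_MIN_LENGTH = 8  # applied when "Password length" is left unset

@dataclass
class PasswordPolicy:  # hypothetical model, not a Nubus/UDM identifier
    history_length: int = 3           # 0 deactivates the history validation
    min_length: Optional[int] = None  # None -> default of 8, 0 deactivates

History = List[Tuple[bytes, bytes]]   # (salt, hash) pairs, oldest first

def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 is a stand-in; the history only ever holds hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def in_history(password: str, history: History) -> bool:
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in history)

def change_password(policy: PasswordPolicy, history: History,
                    new_password: str) -> History:
    """Return the updated history, or raise ValueError if the policy rejects."""
    min_len = (DEFAULT_MIN_LENGTH if policy.min_length is None
               else policy.min_length)
    if min_len and len(new_password) < min_len:
        raise ValueError("password shorter than %d characters" % min_len)
    # Assumption: the candidate is compared with all stored entries,
    # including ones that the trim below is about to drop.
    if policy.history_length and in_history(new_password, history):
        raise ValueError("password is in the password history")
    salt = os.urandom(16)
    updated = history + [(salt, _hash(new_password, salt))]
    # Trimming happens only during a password change: oldest entries go first.
    # Raising history_length later does not bring dropped entries back.
    if not policy.history_length:
        return []
    return updated[-policy.history_length:]
```

Replaying the page's example against this model: ten stored entries with the length reduced to 3 leave three entries after the next change, and raising the length afterwards grows the history by one entry per change.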
See also
- Password policy settings in UMC in Univention Corporate Server - Manual for users and administrators [2] for more configuration settings in a UCS appliance environment.