6.1.1. Password policies
This section describes the behavior specific to Nubus for UCS and the configuration of user password management. For a general introduction to user password management in Nubus, first read User password management in Nubus Manual 1.x [4].
6.1.1.1. Password policy types
Nubus has various types of password policy settings. Which policy applies depends on who initiates the password change and whether the domain of Nubus for UCS has Samba installed through the Active Directory Domain Controller app.
- Password Policy in UDM
For the description, see Password Policy in UDM in Nubus Manual 1.x [4].
Important
If you have Samba installed in your domain of Nubus for UCS, configure the password requirement settings of the user password policy to match the Samba domain object as described in Samba domain password policy.
UDM policies apply when administrators change passwords through administrative tools. Samba domain policies apply when users change their own passwords through any service. Because these are separate services, Univention recommends configuring them identically to ensure consistent behavior.
If the policies are inconsistent, the services use the policies as configured. However, the different settings may confuse users. Identical settings in both policies reduce user confusion.
- Password policy for the Samba domain
If you have Samba installed in your domain of Nubus for UCS, the Samba domain has its own password policy. The Samba password policy always applies when a user changes their password, regardless of which service they use: Portal, End User Self Service, Microsoft Windows, or Kerberos.
To configure the password policy for the Samba domain, see Samba domain password policy.
See also
- Installation in Univention Corporate Server - Manual for users and administrators [3] for more information about installing Samba.
- Services for Windows in Univention Corporate Server - Manual for users and administrators [3] for general information about Samba providing Services for Windows.
6.1.1.2. Change the user password
This section amends Change the user password in Nubus Manual 1.x [4] with content specific to Nubus for UCS.
- Portal
- End User Self Service
See End User Self Service in Nubus Manual 1.x [4].
- Microsoft Windows
Users can change their user password through their Microsoft Windows client that’s joined to the domain of Nubus for UCS through Samba.
- Kerberos
Users can change their user password through Kerberos-joined clients in the domain of Nubus for UCS using the client’s built-in password change feature.
To administratively change a user password, use any of the following methods:
To change a user password through the Management UI as administrator, follow the steps described in Change the user password in Nubus Manual 1.x [4].
To change a user password through the UDM command-line, use the following steps:
Obtain the DN of the user account for the password change.
Open a terminal on the Primary Directory Node, either locally or remotely through SSH.
Write the password to a file to avoid leaking it to the command history. The example uses the file password.txt.
Run the commands in Listing 6.1.
$ export USER_DN="<the obtained user DN>"
$ udm users/user modify \
--dn "$USER_DN" \
--set password="$(cat password.txt)"
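
The file-based steps above can be scripted so that the password file is created readable only by its owner and is removed after the change. This is an added example, not part of the Nubus documentation: the function names `write_password_file` and `set_user_password` and the temporary file name are assumptions, and only the `udm` call is taken from Listing 6.1.

```shell
#!/bin/sh
# Added example (not from the Nubus documentation). Function names are
# hypothetical; only the udm call comes from Listing 6.1.

# Read one line from standard input and store it in a new file that only
# the current user can read. Prints the file path on standard output.
write_password_file() {
    # On a terminal, prompt and turn off echo so the input stays off screen.
    [ -t 0 ] && { printf 'New password: ' >&2; stty -echo; }
    # IFS= and -r keep surrounding spaces and backslashes unchanged.
    IFS= read -r pw_value
    [ -t 0 ] && { stty echo; printf '\n' >&2; }
    # Refuse an empty password instead of writing an empty file.
    [ -n "$pw_value" ] || return 1
    # mktemp creates the file with mode 0600; umask 077 makes that explicit.
    pw_file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/udm-pw.XXXXXX") || return 1
    printf '%s' "$pw_value" > "$pw_file"
    unset pw_value
    printf '%s\n' "$pw_file"
}

# Run the command from Listing 6.1 for the given DN and password file,
# then delete the file whether or not udm succeeded.
# Note: the shell expands $(cat ...) before it starts udm, so the password
# stays out of the history but is an argument of the udm process while it runs.
set_user_password() {
    user_dn=$1
    pw_file=$2
    status=0
    udm users/user modify \
        --dn "$user_dn" \
        --set password="$(cat "$pw_file")" || status=$?
    rm -f "$pw_file"
    return "$status"
}

# Usage on the Primary Directory Node:
#   file=$(write_password_file) && set_user_password "<the obtained user DN>" "$file"
```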
6.1.1.3. Password policy settings
For the password policy settings, first read Password policy settings in Nubus Manual 1.x [4]. Some settings have additional options in Nubus for UCS as outlined in the following.
- Password length
See Password policy settings in Nubus Manual 1.x [4].
You can configure a default value per Nubus for UCS system through the UCR variable password/quality/length/min.
The password policy for the affected user account takes precedence over the UCR variable.
- Password quality check
See Password quality check in Nubus Manual 1.x [4].
You configure the quality checks through the following Univention Configuration Registry variables. For more information, refer to the linked variable descriptions. You can enforce the following checks:
Important
To apply the password quality check on all UCS sign-in systems, you need to set the Univention Configuration Registry variables on all UCS sign-in servers.