
Re: Wheezy Gosa² setup



On Tue, Jan 22, 2013 at 08:35:09AM +0100, Andreas B. Mundt wrote:
> On Tue, Jan 22, 2013 at 05:43:59AM +0100, Mike Gabriel wrote:
> > On Di 22 Jan 2013 00:38:32 CET Wolfgang Schweer wrote:
> >
> > >>In addition, I had to rewrite gosa-sync.
> > >
> > >gosa-sync seems to work here without any change.
> >
> > In Debian Edu squeeze and GOsa² 2.6 the gosa-sync script does not
> > report back failures to GOsa², thus, passwords run out of sync. As
> > we have several OTRS tickets open about this with our customers,
> > this definitely would be an improvement for squeeze, at least. Are
> > you really sure that error handling is correct with wheezy and GOsa²
> > 2.7 (/me doubts it by what is written in this thread).
> >
> > Simple way to test gosa-sync failures: e.g. stop kadmind and try to
> > modify or add a user with GOsa².
> >
> 
> I just tried this test, however, even with kadmind stopped, the
> password can be modified as gosa-sync operates via kadmin.local
> directly on the database, I guess.
> 
> The test I used is changing to a password with just a single class of
> characters, for example "12345".  GOsa allows this password, but I use
> a Kerberos policy that demands 2 character classes:  This error is
> reported in GOsa and the password modification canceled (also within
> LDAP).
 
Tests here:

(1)
Using Debian Edu's version of gosa-sync no error is reported in GOsa² if 
the provided password is too short (d-e default minlength being 5), but 
sync fails due to violated Kerberos policy.  

So maybe a possible reason for the errors mentioned by Mike 
were passwords being too short.

(2) Changing to your version of gosa-sync the error is reported if the 
password is too short, pw change is denied. Same thing concerning 
character classes after changing users policy minclasses from 1 (d-e 
default) to 2.  Funny enough, "blöd" is considered to be a valid pw (due 
to the German umlaut?) although imo qualifying as being too short.

postmodify is no longer required in the administration section if your 
version of gosa-sync is in use.

Well done, Andi!

Wolfgang
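
Added example, not part of the message above and not code from gosa-sync or Kerberos: a small model of a minlength/minclasses policy check, showing how "blöd" can pass a minimum length of 5 if the check counts UTF-8 bytes rather than characters. That the real check counts bytes is an assumption made here to illustrate the umlaut question; the function names and the sample passwords are constructed.

```python
import string

def _ascii_class(byte):
    # Assumption: a C-locale ctype-style test, where bytes >= 0x80
    # match none of the ASCII classes and fall into "other".
    ch = chr(byte)
    if byte < 0x80:
        if ch in string.ascii_lowercase:
            return "lower"
        if ch in string.ascii_uppercase:
            return "upper"
        if ch in string.digits:
            return "digit"
        if ch in string.punctuation:
            return "punct"
    return "other"

def _unicode_class(ch):
    # Character-aware classification: "ö" is a lowercase letter.
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    if ch in string.punctuation:
        return "punct"
    return "other"

def check(password, minlength, minclasses, count="bytes"):
    """Return 'ok', 'too short' or 'too few classes' (hypothetical policy model)."""
    if count == "bytes":
        units = password.encode("utf-8")      # "ö" becomes two bytes
        kinds = {_ascii_class(b) for b in units}
    else:
        units = password                       # one unit per code point
        kinds = {_unicode_class(c) for c in units}
    if len(units) < minlength:
        return "too short"
    if len(kinds) < minclasses:
        return "too few classes"
    return "ok"

if __name__ == "__main__":
    # Constructed sample passwords; minlength 5 as in the d-e default above.
    for pw in ("blöd", "blod", "12345"):
        for minclasses in (1, 2):
            print(pw, minclasses,
                  check(pw, 5, minclasses, "bytes"),
                  check(pw, 5, minclasses, "chars"))
```

In this model a byte-counting check also credits the umlaut as a second character class, so "blöd" passes minclasses 2 as well, while "blod" is rejected as too short either way.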
