On Tue, Jan 22, 2013 at 08:35:09AM +0100, Andreas B. Mundt wrote:
> On Tue, Jan 22, 2013 at 05:43:59AM +0100, Mike Gabriel wrote:
> > On Di 22 Jan 2013 00:38:32 CET Wolfgang Schweer wrote:
> >
> > >>In addition, I had to rewrite gosa-sync.
> > >
> > >gosa-sync seems to work here without any change.
> >
> > In Debian Edu squeeze and GOsa² 2.6 the gosa-sync script does not
> > report back failures to GOsa², thus, passwords run out of sync. As
> > we have several OTRS tickets open about this with our customers,
> > this definitely would be an improvement for squeeze, at least. Are
> > you really sure that error handling is correct with wheezy and GOsa²
> > 2.7 (/me doubts it by what is written in this thread).
> >
> > Simple way to test gosa-sync failures: e.g. stop kadmind and try to
> > modify or add a user with GOsa².
> >
>
> I just tried this test, however, even with kadmind stopped, the
> password can be modified as gosa-sync operates via kadmin.local
> directly on the database, I guess.
>
> The test I used is changing to a password with just a single class of
> characters, for example "12345". GOsa allows this password, but I use
> a Kerberos policy that demands 2 character classes: This error is
> reported in GOsa and the password modification canceled (also within
> LDAP).

Tests here:

(1) Using Debian Edu's version of gosa-sync no error is reported in
GOsa² if the provided password is too short (d-e default minlength
being 5), but sync fails due to violated Kerberos policy. So maybe a
possible reason for the errors mentioned by Mike was passwords being
too short.

(2) Changing to your version of gosa-sync the error is reported if the
password is too short, pw change is denied. Same thing concerning
character classes after changing the user's policy minclasses from 1
(d-e default) to 2.

Funny enough, "blöd" is considered to be a valid pw (due to the German
umlaut?) although imo qualifying as being too short.

postmodify is no longer required in the administration section if your
version of gosa-sync is in use.

Well done, Andi!

Wolfgang
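
Added example, not part of the original message and not code from gosa-sync, GOsa² or Kerberos: a Python sketch of one possible explanation for the "blöd" observation, under the assumption that the Kerberos-side policy check measures the UTF-8 encoded password one byte at a time while a front end counts characters. The function names and the five-class model (lower, upper, digit, punct, other) are assumptions of this example.

```python
import string
import unicodedata

def byte_class(b: int) -> str:
    """Class of one byte as a C-locale, byte-at-a-time check would see it."""
    if 0x61 <= b <= 0x7A:
        return "lower"
    if 0x41 <= b <= 0x5A:
        return "upper"
    if 0x30 <= b <= 0x39:
        return "digit"
    if b < 0x80 and chr(b) in string.punctuation:
        return "punct"
    return "other"  # includes every byte of a multi-byte UTF-8 sequence

def char_class(c: str) -> str:
    """Class of one Unicode character, as a character-aware check sees it."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    if unicodedata.category(c)[0] in "PS":
        return "punct"
    return "other"

def check(units, classify, min_length: int, min_classes: int) -> str:
    """Apply a minlength/minclasses policy to a sequence of bytes or characters."""
    if len(units) < min_length:
        return "too short"
    if len({classify(u) for u in units}) < min_classes:
        return "too few classes"
    return "ok"

def check_bytewise(password: str, min_length: int, min_classes: int) -> str:
    # Assumed backend behaviour: length and classes taken over UTF-8 bytes.
    return check(password.encode("utf-8"), byte_class, min_length, min_classes)

def check_charwise(password: str, min_length: int, min_classes: int) -> str:
    # Assumed front-end behaviour: length and classes taken over characters.
    return check(password, char_class, min_length, min_classes)

if __name__ == "__main__":
    # The two passwords quoted in the thread plus a constructed ASCII twin.
    for pw in ("12345", "blöd", "blod"):
        print(pw, [(check_bytewise(pw, 5, n), check_charwise(pw, 5, n)) for n in (1, 2)])
```

Under this assumption "blöd" is five bytes long and its two non-ASCII bytes count as a second class, so it passes minlength 5 and even minclasses 2, while a character-aware check sees four characters and rejects it.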