Bug 35847 - Revise user password changes via UMC
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Password changes
UCS 3.2
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.0
Assigned To: Florian Best
Alexander Kläser
: interim-3
Duplicates: 8973 36319
Depends on: 35985
Blocks:
Reported: 2014-09-09 13:51 CEST by Stefan Gohmann
Modified: 2014-11-26 06:54 CET

Bug group (optional): Roadmap discussion
Attachments
fix_posix_works_but_acct_mgmt_expired.patch (1.27 KB, patch)
2014-11-06 13:14 CET, Arvid Requate
Description Stefan Gohmann univentionstaff 2014-09-09 13:51:11 CEST
We should revise the user password change via UMC:

- The password should be changed via Kerberos. Thus, the user doesn't need access to the LDAP attributes.

- The user should also insert the old password and it should be checked.

- I don't think we have to hold on to the user-self module for the password change. But the user-self module is still needed for various apps, so it should not be removed completely.

- The password change dialog should be callable through the UMC users menu from the header.

- The password change service should be linked on the UCS overview site for users.

- After changing the password the user should not be redirected to an empty page.
Comment 1 Stefan Gohmann univentionstaff 2014-09-09 13:51:56 CEST
*** Bug 8973 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2014-09-09 14:27:11 CEST
Which password change functionality do you mean? I guess users/self?
There is currently also a password change functionality which is implemented in the login dialog if the user password is expired. There you already have to reenter the old password and afaik this uses Kerberos (it uses PAM, which underneath uses Kerberos afaik). This is already a UMC-server feature and can be implemented in the UMC header. We could remove the udm/self flavor then.
Comment 3 Stefan Gohmann univentionstaff 2014-09-09 15:23:59 CEST
(In reply to Florian Best from comment #2)
> Which password change functionality do you mean? I guess users/self?
> There is currently also a password change functionality which is implemented
> in the login dialog if the user password is expired. There you already have
> to reenter the old password and afaik this uses kerberos (it uses PAM which
> underlying uses kerberos afaik). This is already an UMC-server feature and
> can be implemented in the UMC header. 

Yes, I think we should reuse the functionality. Currently, you can only use it if the password is expired.

> We could remove the udm/self flavor then.

No, some Apps use udm/self. They extend it with extended attributes.
Comment 4 Stefan Gohmann univentionstaff 2014-10-27 07:26:34 CET
For UCS 4.0 we should:

- Hide the old UDM password change module by default and rename the module

- Add a new password change UMC module. The module should be available in the users menu and for domain users should be a module button as well

- The old password should be asked and tested

- The user should get a message after the password has been changed
Comment 5 Florian Best univentionstaff 2014-10-29 13:01:05 CET
(In reply to Stefan Gohmann from comment #4)
> For UCS 4.0 we should:
> 
> - Hide the old UDM password change module by default and rename the module
module is deactivated by default, renamed to 'User settings' / 'Benutzereinstellungen'

> - Add a new password change UMC module. The module should be available in
> the users menu and for domain users should be a module button as well
Added management/univention-managment-console-module-passwordchange which also adds a menu entry to the settings menu. The permissions for the module are added to 'default-umc-users'.

> - The old password should be asked and tested
The old password is sent to the backend and questioned by PAM.

> - The user should get a message after the password has been changed
A notification is added after changing the password; the module closes itself then. If an error occurs, a pop-up occurs.

No changelog added yet.
Comment 6 Florian Best univentionstaff 2014-10-29 16:56:36 CET
Changelog added
Comment 7 Alexander Kläser univentionstaff 2014-10-30 09:31:06 CET
If I have seen correctly, there is no loading animation when saving the password.
Comment 8 Florian Best univentionstaff 2014-10-30 10:08:23 CET
(In reply to Alexander Kläser from comment #7)
> If I have seen correctly, there is no loading animation when saving the
> password.
You are right, fixed it.
Comment 9 Alexander Kläser univentionstaff 2014-11-05 19:34:59 CET
When changing the password with an incorrect old password, I get the following error message:
> Could not fulfill the request.
> 
> Server error message:
> 
> Changing password failed. The reason could not be determined. In case it helps, 
> the raw error message will be displayed: Current Kerberos password

After a password change, the password fields are not cleared.
Comment 10 Alexander Kläser univentionstaff 2014-11-05 21:29:43 CET
Please change the following error messages:

> Nevertheless an error occured while updating the password for running
> modules. Please relogin to UMC to solve this problem.

> In case it helps, the raw error message will be displayed

Otherwise the module + the UMC changes look good.
Comment 11 Arvid Requate univentionstaff 2014-11-06 13:14:25 CET
Created attachment 6316
fix_posix_works_but_acct_mgmt_expired.patch

Bug 36319 Comment 3 indicates that the detection of expired passwords during UMC logon needs another patch for the case where POSIX authentication still works (i.e. is not locked), but PAM account management detects that something is expired.
The attached patch is a proposal for how this may be fixed.
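
The case described in comment 11 (authentication succeeds, account management reports expiry) and the old-password check from comment 5, as an added example that is neither the attached patch nor UMC's own code. `FakePAM`, `login` and `change_password` are hypothetical names and the PAM handle is a constructed stand-in; only the return-code values are those of Linux-PAM.

```python
# Linux-PAM return codes, values as in <security/_pam_types.h>.
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12   # password expired, a new one is required
PAM_ACCT_EXPIRED = 13       # the account itself has expired


class FakePAM:
    """Constructed stand-in for a PAM handle (assumption, not a real binding)."""

    def __init__(self, password, acct_state=PAM_SUCCESS):
        self.password = password
        self.acct_state = acct_state

    def authenticate(self, user, password):
        return PAM_SUCCESS if password == self.password else PAM_AUTH_ERR

    def acct_mgmt(self, user):
        return self.acct_state

    def chauthtok(self, user, new_password):
        self.password = new_password
        self.acct_state = PAM_SUCCESS
        return PAM_SUCCESS


def login(pam, user, password):
    """A successful authenticate() alone is not enough to open a session."""
    if pam.authenticate(user, password) != PAM_SUCCESS:
        return "denied"
    rc = pam.acct_mgmt(user)  # the step that reports expiry
    if rc == PAM_SUCCESS:
        return "ok"
    if rc == PAM_NEW_AUTHTOK_REQD:
        return "password_expired"  # offer the change dialog, no session yet
    if rc == PAM_ACCT_EXPIRED:
        return "account_expired"
    return "denied"


def change_password(pam, user, old_password, new_password):
    """Re-check the old password before changing, even for a logged-in user."""
    if pam.authenticate(user, old_password) != PAM_SUCCESS:
        return "old_password_wrong"
    if pam.chauthtok(user, new_password) != PAM_SUCCESS:
        return "failed"
    return "changed"
```
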
Comment 12 Arvid Requate univentionstaff 2014-11-06 13:36:40 CET
*** Bug 36319 has been marked as a duplicate of this bug. ***
Comment 13 Florian Best univentionstaff 2014-11-10 13:35:31 CET
* Password fields are now reset
* error message fixed
* patch from comment #11 applied
Comment 14 Alexander Kläser univentionstaff 2014-11-11 13:07:30 CET
(In reply to Florian Best from comment #13)
> * Password fields are now reset
> * error message fixed
> * patch from comment #11 applied

Looks good now.

I just noticed that the keyboard focus remains within the form field, i.e. during the standby animation I can resend the password multiple times in parallel. But that seems to be a generic UMC thing, I guess.
Comment 15 Stefan Gohmann univentionstaff 2014-11-26 06:54:34 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".