Univention Bugzilla – Bug 45813
Self-Service: Password change not possible if pwdChangeNextLogin=1
Last modified: 2018-01-17 14:21:21 CET
root@ucs01:~# univention-app info
UCS: 4.2-3 errata231
App Center compatibility: 4
Installed: samba4=4.6 self-service=2.0 ucsschool=4.2 v5

Scenario:
- Import/Create new users with an initial password
- Activate the option "Change password on next login"
- The user receives the initial password and needs to change it via the Self-Service App

Expected behaviour:
- Changing the initial password works for an account that is forced to change the password (pwdChangeNextLogin=1)

Observed behaviour:
- Changing the password fails with "Invalid credentials. Password change failed." if the option "Change password on next login" is set.
Happened again: https://help.univention.com/t/self-service-password-change-for-user-with-expired-password-doesnt-work/7476
I was able to reproduce it in a Samba 4 default environment:

27.05.17 01:58:09.798 RESOURCES ( INFO ) : Reloading UCR variables
27.05.17 01:58:09.816 AUTH ( INFO ) : Trying to authenticate user 'stefan'
27.05.17 01:58:09.827 LDAP ( INFO ) : establishing new connection with retry_max=11
27.05.17 01:58:09.839 LDAP ( INFO ) : bind binddn=cn=master421,cn=dc,cn=computers,dc=deadlock42,dc=intranet
27.05.17 01:58:09.848 LDAP ( INFO ) : uldap.search filter=(&(uid=stefan)(objectClass=person)) base= scope=sub attr=['uid'] unique=1 required=0 timeout=-1 sizelimit=0
27.05.17 01:58:09.849 AUTH ( INFO ) : Canonicalized username: 'stefan'
27.05.17 01:58:09.887 AUTH ( INFO ) : PAM says: 'Sie m\xc3\xbcssen Ihr Passwort sofort \xc3\xa4ndern (Passwortablauf).'
27.05.17 01:58:09.888 AUTH ( ERROR ) : PAM: authentication error: ('Authentifizierungstoken ist nicht mehr g\xc3\xbcltig; neues erforderlich', 12)
27.05.17 01:58:09.888 AUTH ( INFO ) : The password has expired and must be renewed.
27.05.17 01:58:09.916 MODULE ( INFO ) : Executing 'AUTH'
27.05.17 01:58:09.917 MAIN ( INFO ) : Setting locale 'de_DE'
27.05.17 01:58:09.917 MODULE ( INFO ) : Executing 'AUTH'
27.05.17 01:58:09.917 MAIN ( INFO ) : Setting locale 'de_DE'
Can you have a look?
It was introduced by Bug #44111 by Alex in commit 3daf763caea7bec6732df221496944f3914885e3 / svn r78459. The error is only on the frontend side.
The error handler of the frontend did not respect an expired password. This has been implemented.

UCS 4.2-3:
univention-self-service.yaml
5b38b6e8b86b | Bug #45813: fix changing password if pwdChangeNextLogin=1

univention-self-service (2.0.17-15)
5b38b6e8b86b | Bug #45813: fix changing password if pwdChangeNextLogin=1
ac1a89996cfc | Bug #45813: fix changing password if pwdChangeNextLogin=1

UCS 4.3-0:
univention-self-service (3.0.0-3)
6144390d61cd | Bug #45813: fix changing password if pwdChangeNextLogin=1
Thanks!

Tests: OK
- pwdChangeNextLogin=1: OK
- pwdChangeNextLogin=0: OK
- pwdChangeNextLogin=0 and logged in: OK

Code review: OK
YAML: OK
I have to reopen it. I don't see the dialog that the password has been changed: Bug #45457
(In reply to Stefan Gohmann from comment #7)
> I have to reopen it. I don't see the dialog that the password has been
> changed: Bug #45457

Bug #45457 was about the other module "Password forgotten". Nevertheless I added the same dialog to this module as well.
https://git.knut.univention.de/univention/ucs/commit/418b1e1f1567eed6bface215c88efde8e89d2947

Merged also to UCS 4.3.
That makes sense. Thanks!

Directly after changing the password, the old password input field is marked as invalid. I've created a new bug for it: Bug #46051

I've updated the YAML file:
https://git.knut.univention.de/univention/ucs/commit/d7b7d5912de36297de12b48657273b231742a0d2
<http://errata.software-univention.de/ucs/4.2/265.html>