Univention Bugzilla – Bug 29971
Allow user password change expired password at UMC login prompt
Last modified: 2013-03-25 19:57:18 CET
With UCS 2.4 it was possible to change expired user passwords via UDM. Starting with UCS 3.x, users with expired passwords (e.g. "change password on next login") cannot log in via UMC and therefore can't change their passwords.
This feature would certainly be nice from a usability point of view. As UMC currently uses PAM, it would be necessary to detect an expired password and change it through PAM.
Created attachment 5024 [details]
pamtest.py

With this test script it works for me to change the password via python PAM:

echo "password sufficient pam_krb5.so use_first_pass" >> /etc/pam.d/univention-management-console

root@master501:~# ./pamtest.py stefan
Password:
Current Kerberos password:
Your password will expire at Thu Jan 1 01:00:00 1970
Enter new Kerberos password:
Retype new Kerberos password:
root@master501:~# ./pamtest.py stefan
Password:
Good to go!
root@master501:~#
*** Bug 30571 has been marked as a duplicate of this bug. ***
Changing the password this way should only be possible via an HTTPS connection
(In reply to comment #4)
> Changing the password this way should only be possible via an HTTPS connection

Agreed, but not implemented. Reason: You can log in via HTTP, this is not different from changing a password via HTTP. In both cases, the password is sent unencrypted.
Fixed in
univention-management-console 5.0.61-1.726.201303111755
and
univention-management-console-frontend 2.0.220-1.591.201303111757

If an expired password is detected, the LoginDialog shows two additional inputs (New Password and Retype), summing up to 4 inputs. If username/password is given again and a new password is chosen, UMC tries to update the password (only works if old password is really expired) in PAM/Kerberos. At least Firefox asks if a saved password shall be updated (other browsers not tested). New Status Code added (415).

QA:
Not fully tested: Does it behave differently in a Samba None/3/4 environment?
Not fully tested: Can it be used on Master/Backup/Slaves without problems?
Does a new password via LoginDialog pass every test that a new password via UDM update passes?
Is at least every possible error message ("too short", "already used", ...) presented to the user? Sometimes there were problems with localisation.

Changelog entry added.
(In reply to comment #6)
> Fixed in
> univention-management-console 5.0.61-1.726.201303111755
> and
> univention-management-console-frontend 2.0.220-1.591.201303111757
>
> If an expired password is detected, the LoginDialog shows two additional inputs
> (New Password and Retype), summing up to 4 inputs. If username/password is
> given again and a new password is chosen, UMC tries to update the password
> (only works if old password is really expired) in PAM/Kerberos. At least
> Firefox asks if a saved password shall be updated (other browsers not tested).
> New Status Code added (415).

Currently the user has to fill in the user name and the old password again. I think these should be pre-filled.

If I change the password to a password which is too short or which is in the history I get no message.
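The login flow described in comment #6, together with the missing "too short" / "already used" feedback raised in comment #7, as an added example that is not UMC's code and not the attached pamtest.py. `FakePam`, `login` and the state names are assumptions made for illustration, the passwords are constructed sample values, and the numeric constants are the Linux-PAM ones.

```python
# Linux-PAM return codes and flag (values from <security/_pam_types.h>).
PAM_SUCCESS, PAM_AUTH_ERR, PAM_NEW_AUTHTOK_REQD, PAM_AUTHTOK_ERR = 0, 7, 12, 20
PAM_CHANGE_EXPIRED_AUTHTOK = 0x0020  # only change tokens that have expired


class FakePam:
    """Constructed stand-in for a PAM stack: one user, toy password policy."""

    def __init__(self, password, expired, history=(), min_len=8):
        self.password, self.expired = password, expired
        self.history, self.min_len = list(history), min_len

    def authenticate(self, user, password):
        return PAM_SUCCESS if password == self.password else PAM_AUTH_ERR

    def acct_mgmt(self, user):
        return PAM_NEW_AUTHTOK_REQD if self.expired else PAM_SUCCESS

    def chauthtok(self, user, old, new, flags):
        if flags & PAM_CHANGE_EXPIRED_AUTHTOK and not self.expired:
            return PAM_SUCCESS, ""  # nothing expired: token is left unchanged
        if len(new) < self.min_len:
            return PAM_AUTHTOK_ERR, "too short"
        if new == self.password or new in self.history:
            return PAM_AUTHTOK_ERR, "already used"
        self.history.append(self.password)
        self.password, self.expired = new, False
        return PAM_SUCCESS, ""


def login(pam, user, password, new_password=None, retype=None):
    """Return (state, message); state is ok, denied, expired, changed or rejected."""
    if pam.authenticate(user, password) != PAM_SUCCESS:
        return "denied", "authentication failed"  # old password is always checked first
    rc = pam.acct_mgmt(user)
    if rc == PAM_SUCCESS:
        return "ok", ""  # not expired: any submitted new_password is ignored
    if rc != PAM_NEW_AUTHTOK_REQD:
        return "denied", "account not usable"
    if new_password is None:
        return "expired", "new password required"  # dialog shows the two extra inputs
    if new_password != retype:
        return "rejected", "passwords do not match"
    rc, msg = pam.chauthtok(user, password, new_password, PAM_CHANGE_EXPIRED_AUTHTOK)
    if rc != PAM_SUCCESS:
        return "rejected", msg  # surface the policy error instead of failing silently
    # Prove the new credential works before treating the session as logged in.
    ok = pam.authenticate(user, new_password) == PAM_SUCCESS
    return ("changed", "") if ok else ("denied", "re-authentication failed")
```

Against a real stack the three `FakePam` methods correspond to `pam_authenticate`, `pam_acct_mgmt` and `pam_chauthtok`, with the message text arriving through the PAM conversation function.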
(In reply to comment #7)
> Currently the user has to fill in the user name and the old password again. I
> think these should be pre-filled.

Fixed in univention-management-console-frontend 2.0.226-1.595.201303131309
The changes have the effect that IE9 is not proposing to store the entered username + password. This is due to the dynamic changes in the form through JavaScript (adding dijitHidden); in this case IE9 is refusing to store a password field. A possible solution would be to set dijitHidden as CSS class in the HTML code and to remove it when the password needs to be changed. This would probably have the only problem that upon the next login after changing the password, IE would propose the old password the first time. But I think that is less of a problem.
More error messages are recognized, localisation added (done in the frontend, the backend sends English where it is possible), overall login.html and LoginDialog improvements.

univention-management-console-frontend 2.0.231-1.601.201303152007
univention-management-console 5.0.62-1.727.201303152004
OK, works with FF, Chrome, IE8 and IE10. Changelog entry exists.
(In reply to comment #11)
> OK, works with FF, Chrome, IE8 and IE10.

Maybe also a quick check with iPad and Android would be good?
(In reply to comment #12)
> (In reply to comment #11)
> > OK, works with FF, Chrome, IE8 and IE10.
>
> Maybe also a quick check with iPad and Android would be good?

ok, works with both
UCS 3.1-1 has been released:
http://download.univention.de/doc/release-notes-3.1-1_en.pdf
http://download.univention.de/doc/release-notes-3.1-1.pdf

If this error occurs again, please use "Clone This Bug".