Univention Bugzilla – Bug 35847
Revise user password changes via UMC
Last modified: 2014-11-26 06:54:34 CET
We should revise the user password changed via UMC: - The password should be changed via Kerberos. Thus, the user don't need access to the LDAP attributes. - The user should also insert the old password and it should be checked. - I don't think we have to hold on the user-self module for the password change. But the user-self module is still needed for various apps, so it should not be removed completely. - The password change dialog should be callable through the UMC users menu from the header. - The password change service should be linked on the UCS overview site for users. - After changing the password the user should not be redirected to an empty page.
*** Bug 8973 has been marked as a duplicate of this bug. ***
Which password change functionality do you mean? I guess users/self? There is currently also a password change functionality which is implemented in the login dialog if the user password is expired. There you already have to reenter the old password and afaik this uses kerberos (it uses PAM which underlying uses kerberos afaik). This is already an UMC-server feature and can be implemented in the UMC header. We could remove the udm/self flavor then.
(In reply to Florian Best from comment #2) > Which password change functionality do you mean? I guess users/self? > There is currently also a password change functionality which is implemented > in the login dialog if the user password is expired. There you already have > to reenter the old password and afaik this uses kerberos (it uses PAM which > underlying uses kerberos afaik). This is already an UMC-server feature and > can be implemented in the UMC header. Yes, I think we should reuse the functionality. Currently, you can only use it if the password is expired. > We could remove the udm/self flavor then. No, some Apps use udm/self. They extend it with extended attributes.
For UCS 4.0 we should: - Hide the old UDM password change module by default and rename the module - Add a new password change UMC module. The module should be available in the users menu and for domain users should be a module button as well - The old password should be asked and tested - The user should get a message after the password has been changed
(In reply to Stefan Gohmann from comment #4) > For UCS 4.0 we should: > > - Hide the old UDM password change module by default and rename the module module is deactivated by default, renamed to 'User settings' / 'Benutzereinstellungen' > - Add a new password change UMC module. The module should be available in > the users menu and for domain users should be a module button as well Added management/univention-managment-console-module-passwordchange which also adds a menu entry to the settings menu. The permissions for the module is added to 'default-umc-users'. > - The old password should be asked and tested The old password is sent to the backend and questioned by PAM. > - The user should get a message after the password has been changed A notification is added after changing the password, the module closes itself then. If an error occurs a Pop up occurs. No changelog added yet.
Changelog added
If I have seen correctly, there is no loading animation when saving the password.
(In reply to Alexander Kläser from comment #7) > If I have seen correctly, there is no loading animation when saving the > password. You are right, fixed it.
When changing the password with an incorrect old password, I get the following error message: > Could not fulfill the request. > > Server error message: > > Changing password failed. The reason could not be determined. In case it helps, > the raw error message will be displayed: Current Kerberos password After a password change, the password fields are not cleared.
Please change the following error messages: > Nevertheless an error occured while updating the password for running > modules. Please relogin to UMC to solve this problem. > In case it helps, the raw error message will be displayed Otherwise the module + the UMC changes look good.
Created attachment 6316 [details] fix_posix_works_but_acct_mgmt_expired.patch Bug 36319 Comment 3 indicates that the detection of expired passwords during UMC logon needs another patch for the case where POSIX authentication still works (i.e. is not locked), but pam account managment detects that something is expired. The attached patch is a proposal how this may be fixed.
*** Bug 36319 has been marked as a duplicate of this bug. ***
* Password fields are now reset * error message fixed * patch from comment #11 applied
(In reply to Florian Best from comment #13) > * Password fields are now reset > * error message fixed > * patch from comment #11 applied Looks good now. I just noticed that the keyboard focus remains within the form field, i.e. during the standby animation I can resend the password multiple times in parallel. But that seems to be a generic UMC thing, I guess.
UCS 4.0-0 has been released: http://docs.univention.de/release-notes-4.0-0-en.html http://docs.univention.de/release-notes-4.0-0-de.html If this error occurs again, please use "Clone This Bug".