Bug 45813 - Self-Service: Password change not possible if pwdChangeNextLogin=1
Self-Service: Password change not possible if pwdChangeNextLogin=1
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.2
Other other
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Florian Best
Stefan Gohmann
:
Depends on: 44111
Blocks: 46010
  Show dependency treegraph
 
Reported: 2017-12-04 11:39 CET by Michael Grandjean
Modified: 2018-01-17 14:21 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2018011021000433
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Grandjean univentionstaff 2017-12-04 11:39:09 CET
root@ucs01:~# univention-app info
UCS: 4.2-3 errata231
App Center compatibility: 4
Installed: samba4=4.6 self-service=2.0 ucsschool=4.2 v5

Scenario:
- Import/Create new users with an initial password
- Activate the option "Change password on next login"
- The user receives the initial password and needs to change it via the Self-Service App

Expected behaviour: 
- Changing the initial password works for an account that is forced to change the password (pwdChangeNextLogin=1)

Observed behaviour:
- Changing the password fails with "Invalid credentials. Password change failed.". if the option "Change password on next login" is set.
Comment 2 Stefan Gohmann univentionstaff 2018-01-10 19:58:47 CET
I was able to reproduce it in a Samba 4 default environment:

27.05.17 01:58:09.798  RESOURCES   ( INFO    ) : Reloading UCR variables
27.05.17 01:58:09.816  AUTH        ( INFO    ) : Trying to authenticate user 'stefan'
27.05.17 01:58:09.827  LDAP        ( INFO    ) : establishing new connection with retry_max=11
27.05.17 01:58:09.839  LDAP        ( INFO    ) : bind binddn=cn=master421,cn=dc,cn=computers,dc=deadlock42,dc=intranet
27.05.17 01:58:09.848  LDAP        ( INFO    ) : uldap.search filter=(&(uid=stefan)(objectClass=person)) base= scope=sub attr=['uid'] unique=1 required=0 timeout=-1 sizelimit=0
27.05.17 01:58:09.849  AUTH        ( INFO    ) : Canonicalized username: 'stefan'
27.05.17 01:58:09.887  AUTH        ( INFO    ) : PAM says: 'Sie m\xc3\xbcssen Ihr Passwort sofort \xc3\xa4ndern (Passwortablauf).'
27.05.17 01:58:09.888  AUTH        ( ERROR   ) : PAM: authentication error: ('Authentifizierungstoken ist nicht mehr g\xc3\xbcltig; neues erforderlich', 12)
27.05.17 01:58:09.888  AUTH        ( INFO    ) : The password has expired and must be renewed.
27.05.17 01:58:09.916  MODULE      ( INFO    ) : Executing 'AUTH'
27.05.17 01:58:09.917  MAIN        ( INFO    ) : Setting locale 'de_DE'
27.05.17 01:58:09.917  MODULE      ( INFO    ) : Executing 'AUTH'
27.05.17 01:58:09.917  MAIN        ( INFO    ) : Setting locale 'de_DE'
Comment 3 Stefan Gohmann univentionstaff 2018-01-11 06:40:31 CET
Can you have a look?
Comment 4 Florian Best univentionstaff 2018-01-11 12:30:51 CET
It was introduced by Bug #44111 by Alex in commit 3daf763caea7bec6732df221496944f3914885e3 / svn r78459.

The error is only frontend side.
Comment 5 Florian Best univentionstaff 2018-01-11 13:28:04 CET
The error handler of the frontend did not respect an expired password. This has been implemented.

UCS 4.2-3:
univention-self-service.yaml
5b38b6e8b86b | Bug #45813: fix changing password if pwdChangeNextLogin=1

univention-self-service (2.0.17-15)
5b38b6e8b86b | Bug #45813: fix changing password if pwdChangeNextLogin=1
ac1a89996cfc | Bug #45813: fix changing password if pwdChangeNextLogin=1

UCS 4.3-0:
univention-self-service (3.0.0-3)
6144390d61cd | Bug #45813: fix changing password if pwdChangeNextLogin=1
Comment 6 Stefan Gohmann univentionstaff 2018-01-12 06:34:26 CET
Thanks!

Tests: OK
 - pwdChangeNextLogin=1: OK
 - pwdChangeNextLogin=0: OK
 - pwdChangeNextLogin=0 and logged in: OK

Code review: OK

YAML: OK
Comment 7 Stefan Gohmann univentionstaff 2018-01-15 07:45:52 CET
I have to reopen it. I don't see the dialog that the password has been changed: Bug #45457
Comment 8 Florian Best univentionstaff 2018-01-15 14:23:21 CET
(In reply to Stefan Gohmann from comment #7)
> I have to reopen it. I don't see the dialog that the password has been
> changed: Bug #45457

Bug #45457 was about the other module "Password forgotten". Nevertheless I added the same dialog to this module as well.

https://git.knut.univention.de/univention/ucs/commit/418b1e1f1567eed6bface215c88efde8e89d2947

Merged also to UCS 4.3.
Comment 9 Stefan Gohmann univentionstaff 2018-01-16 07:46:00 CET
That makes sense. Thanks!

Directly after changing the password, the old password input field is marked as invalid. I've created a new bug for it: Bug #46051

I've updated the YAML file:
 https://git.knut.univention.de/univention/ucs/commit/d7b7d5912de36297de12b48657273b231742a0d2
Comment 10 Erik Damrose univentionstaff 2018-01-17 14:21:21 CET
<http://errata.software-univention.de/ucs/4.2/265.html>