Univention Bugzilla – Bug 51401
UMC / Portal: Changing password needs much more helpful error messages
Last modified: 2020-09-16 12:44:43 CEST
UCS: 4.4-4 errata617

Scenario:
I use a simple password policy, e.g. minimum length is 8 characters. I have a user whose password expired. This is quite common for new users, when the option "change password at next login" is checked. This user tries to log in to the Portal / UMC.

Expected behaviour:
The Login dialog tells me that my password expired. It then offers to change my password and tells me the requirements (e.g. at least 8 characters).

Observed behaviour:
The password change dialog lets me enter any password and then spits an error at me: "Changing password failed. The reason could not be determined. In case it helps, the raw error message will be displayed: Errorcode 20: The new password could not be set." So I'm left to trial and error.

This might not be a big deal for tech-savvy admins, but since the UMC / Portal is expected to be used by end users more and more, this is quite a usability issue.
Okay, obviously I ran into Bug #51047. After maneuvering around the Errorcode 20, the error message is slightly better: "Changing password failed. The password is too simple."

It would be much more helpful if the login dialog or at least the error message would also state the required password complexity. Just stating "too simple" will still result in trial and error.
Should we display such a message by default? Or just make it configurable so that customers can set a message? When we display it by default we must evaluate if S4 is installed and what the current settings are.
I'm totally fine if the message text is configurable. I think evaluating all password policies is too much overhead.
An additional text is now configurable via the UCR variables, e.g.:

    ucr set umc/login/password-complexity-message/de-DE='Das Passwort muss mindestens 3 Sonderzeichen enthalten, 20 Zeichen lang sein und aus 5 unterschiedlichen Zeichen bestehen.' \
        umc/login/password-complexity-message/en-US='The password must contain at least 3 special chars, at least 20 characters long and consists of at least 5 different characters.'

univention-management-console.yaml
6b82d6e6ba60 | YAML Bug #51401

univention-management-console (11.0.4-105)
e98ae27e9a66 | Bug #51401: add possibility to specify notes for password changes

univention-web.yaml
6b82d6e6ba60 | YAML Bug #51401

univention-web (3.0.5-43)
ed7128c42841 | Bug #51401: fix size of login notices
Reopen:
SAML doesn't send a language territory in the password change request. This means that en_US is always shown for SAML.
I'm not sure if that should be fixed here or with bug 51492.
[4.4-5] 6c21b5d6e7 Bug #51401: add possibility to specify notes for password changes
 ...ntion-management-console-server.univention-config-registry-variables | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(In reply to Jürn Brodersen from comment #7)
> Reopen:
> SAML doesn't send a language territory in the password change request. This
> means that en_US is always shown for SAML.
> I'm not sure if that should be fixed here or with bug 51492.

simplesamlphp doesn't store the territory, or I could not access it.
So only use umc/login/password-complexity-message/{de,en}=…

univention-management-console (11.0.4-106)
126f5794dac7 | Bug #51401: don't use locale territory in UCR variable
What I tested:
Fallback to English (classic login / saml) -> OK
English (classic login / saml) -> OK
German (classic login / saml) -> OK
Unset (classic login / saml) -> OK
YAML -> OK
Jenkins -> OK

-> Verified
<https://errata.software-univention.de/#/?erratum=4.4x747>
<https://errata.software-univention.de/#/?erratum=4.4x749>