Bug 51496 - Improve Self-Service error messages
Improve Self-Service error messages
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-5-errata
Assigned To: Florian Best
Jürn Brodersen
https://help.univention.com/t/problem...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-15 14:33 CEST by Christina Scheinig
Modified: 2020-09-16 12:44 CEST (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020061221000612
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2020-06-15 14:33:10 CEST
The error message 
"Invalid credentials. Password change failed."
or 
"Ungültige Zugangsdaten. Passwortwechsel fehlgeschlagen"
are really missleading if the cause of the error are the two ad ucr variables, which are not set and are recommended using an AD connection.

ucr info ad/reset/username
ad/reset/username: <empty>

ucr info ad/reset/password
ad/reset/password: <empty>
 
---------------------
The supposed error message:
"The configuration of the password reset service is not complete. The UCR variables "ad/reset/username" and "ad/reset/password" need to be set properly. Please inform an administration."

was not shown.
Comment 1 Florian Best univentionstaff 2020-06-15 14:59:02 CEST
What is the UCR variable ad/member? And what is the univentionObjectFlag attribute of the user where you try to change the password?
Comment 2 Christina Scheinig univentionstaff 2020-06-15 15:59:09 CEST
The Server is not in ad member mode, but these ucr variables may help?

connector/ad/mapping/syncmode: read
connector/ad/mapping/user/ignorelist: Administrator,krbtgt,root,pcpatch
connector/ad/mapping/user/syncmode: sync
Comment 3 Erik Damrose univentionstaff 2020-06-17 17:00:55 CEST
In this forum thread the expected error message works as expected https://help.univention.com/t/15361
Comment 4 Christina Scheinig univentionstaff 2020-06-17 17:40:20 CEST
(In reply to Erik Damrose from comment #3)
> In this forum thread the expected error message works as expected
> https://help.univention.com/t/15361

Yes this UCS in AD membermode. This is different to this environment. Here the UCS is not a member, so there is just the AD-connection used.
Comment 5 Marc Schwarz univentionstaff 2020-08-10 10:19:02 CEST
Experiencing the same issue in a larger environment, but UCRs are already set as following:

~# ucr search ad/reset
ad/reset/password: Secret
ad/reset/username: Administrator

The system is working with ad-connector as following:

~# ucr search connector/ad/mapping/user
connector/ad/mapping/user/ignorelist: Administrator,krbtgt,root,pcpatch
connector/ad/mapping/user/syncmode: sync
connector/ad/mapping/syncmode: read

The password-change itself is working fine, if username, old pw, new pw are entered correctly. If the username or old pw is entered wrong or new pw is not long or save enough, the same error-messages come up:

(In reply to Christina Scheinig from comment #0)
> The error message 
> "Invalid credentials. Password change failed."
> or 
> "Ungültige Zugangsdaten. Passwortwechsel fehlgeschlagen"
Comment 6 Florian Best univentionstaff 2020-09-04 10:47:59 CEST
The error message was always "Invalid credentials. Password change failed." without caring if the old or the new password was wrong.
The message has been changed to "Changing password failed. The username and/or the old password is not correct." in case the original password was entered wrong.
In case the new password does not meet the password complexity criterias the message from the UMC-Server is used, which is e.g. "Changing password failed. The password is too simple.".

Comment #0 is invalid. The UCR Variables are only for ad/member systems. And they work if an AD user tries to change its password.

univention-management-console (11.0.4-104)
8af988d94658 | Bug #51496: add flag that password changing failed

univention-management-console.yaml
8646feb2048c | YAML Bug #51496

univention-self-service.yaml
8646feb2048c | YAML Bug #51496

univention-self-service (4.0.3-38)
a15dc432b4ca | Bug #51496: fix error message in case password changing failed
Comment 7 Christina Scheinig univentionstaff 2020-09-04 14:24:02 CEST
(In reply to Florian Best from comment #6)
> The error message was always "Invalid credentials. Password change failed."
> without caring if the old or the new password was wrong.
> The message has been changed to "Changing password failed. The username
> and/or the old password is not correct." in case the original password was
> entered wrong.
> In case the new password does not meet the password complexity criterias the
> message from the UMC-Server is used, which is e.g. "Changing password
> failed. The password is too simple.".
> 
> Comment #0 is invalid. The UCR Variables are only for ad/member systems. And
> they work if an AD user tries to change its password.

These variables had to be set to make self service work on a master which is in sync to an ad server. Without these variables the self service did not work, and the problem was to find out, that these variables had to be set. So therefor a helpful error message would be useful pointing to that missing variables in this kind of scenario if possible.
Comment 8 Jürn Brodersen univentionstaff 2020-09-08 10:01:38 CEST
What I tested:
The user is informed that the current credentials were wrong -> OK

YAML -> OK

-> Verified