[Users] Unable to log on with expired password

Sigbjorn Lie sigbjorn at nixtra.com
Sat Feb 1 00:41:15 UTC 2014


On 26/01/14 20:17, Itamar Heim wrote:
> On 01/26/2014 08:33 PM, Sigbjorn Lie wrote:
>> On 04/12/13 06:47, Itamar Heim wrote:
>>> On 12/04/2013 12:19 AM, Sigbjorn Lie wrote:
>>>> On 16/10/13 00:22, Itamar Heim wrote:
>>>>> On 10/15/2013 10:31 AM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am doing a POC of RHEV 3.2 VDI for a customer. Their users are
>>>>>> located in an IPA server, and
>>>>>> RHEV and IPA have been connected using rhevm-manage-domains.
>>>>>>
>>>>>> During the POC we discovered that users which have expired password
>>>>>> cannot log on. They receive an
>>>>>> Incorrect password error message.
>>>>>>
>>>>>> 1. They should at least receive a Your password has expired error
>>>>>> instead of the Incorrect
>>>>>> password error message as this is confusing for the user.
>>>>>
>>>>> 3.3 has the motd to provide some info/url to IPA password changing.
>>>>>
>>>> I've installed 3.3 as a test and I can see that it's now correctly
>>>> advising the user that his password has expired. But it does not
>>>> provide the user with an option to change his/her password.
>>>>
>>>>>>
>>>>>> 2. This creates a problem, as every time a password is reset in IPA,
>>>>>> it's automatically set to be
>>>>>> expired so the user will change password at next logon.
>>>>>>
>>>>>> Is there a way around this?
>>>>>
>>>>> use the IPA web form to change the password by the user.
>>>>>
>>>> This is a manual process for the user to be aware of and will generate
>>>> calls to the helpdesk. I believe it would create a much better user
>>>> experience to allow the password to be changed as a part of the login
>>>> procedure.
>>>>
>>>> Or adding an option to work the same way as our current Secure Global
>>>> Desktop solution allows us to do; Logging in the user with the expired
>>>> password, and then the password is being changed as a part of the
>>>> login procedure to the Linux Desktop.
>>>>
>>>> And this is a scenario that will be coming up often, as every time
>>>> a new user is added or a password is reset for an existing user in Red
>>>> Hat IdM, the password is set to be expired so that the user is
>>>> forced to change it on next logon, and no option is provided in Red
>>>> Hat IdM to work around this.
>>>>
>>>> In our environment the users who will use the Linux VDI solution
>>>> through the User Portal will be using a Windows desktop and this will
>>>> be their only link into the Linux environment where they're required
>>>> to log on using a username and password from Red Hat IdM.
>>>
>>> the problem is each authentication provider has a different method to
>>> change password (no standard for this).
>>> as a first step, we added in 3.3 the motd option (message of the day),
>>> you can use that to put a text specifying in case of password
>>> expiration to use the IPA web url.
>>>
>>> we'll add another tweak to manage domains, to allow specifying the
>>> password expiration web form change url per domain, and show it for
>>> password expiration.
>>>
>>> then we can look about actually supporting this for specific providers.
>>>
>> I've got a RHEV 3.3 test environment up running, and I'm trying the motd
>> option you recommended. I can set the UserMessageOfTheDay using
>> rhevm-config successfully, and I see the message displayed on the User
>> Portal web page.
>>
>> However any attempt on adding a URL (to the IPA server) with a <a
>> href..> tag or without any html tag, displays the URL and not a link the
>> user can click on as expected. Neither can I copy and paste from the
>> MOTD.
>>
>> Is there any way to produce a clickable link in the motd? Or at least
>> allow cut and paste from the motd?
>>
>>
>> Regards,
>> Siggi
>>
>
> this was recently fixed via http://gerrit.ovirt.org/#/c/23373/ and 
> backported to 3.4 via http://gerrit.ovirt.org/#/c/23622/
> barak/yair - please review if this is stable-3.3 branch material (for 
> the older global motd config of course).
Any update on this?


Regards,
Siggi



