[Users] Unable to log on with expired passord
Itamar Heim
iheim at redhat.com
Sun Jan 26 14:17:22 EST 2014
On 01/26/2014 08:33 PM, Sigbjorn Lie wrote:
> On 04/12/13 06:47, Itamar Heim wrote:
>> On 12/04/2013 12:19 AM, Sigbjorn Lie wrote:
>>> On 16/10/13 00:22, Itamar Heim wrote:
>>>> On 10/15/2013 10:31 AM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> I am doing a POC of RHEV 3.2 VDI for a customer. Their users are
>>>>> located in an IPA server, and
>>>>> RHEV and IPA has been connected using rhevm-manage-domains.
>>>>>
>>>>> During the POC we discovered that users which have expired password
>>>>> cannot log on. They receive an
>>>>> Incorrect password error message.
>>>>>
>>>>> 1. They should at least receive a Your password has expired error
>>>>> instead of the Incorrect
>>>>> password error message as this is confusing for the user.
>>>>
>>>> 3.3 has the motd to provide some info/url to IPA password changing.
>>>>
>>> I've installed 3.3 as a test and I can see that it's now correctly
>>> advising the user that his password has expired. But it does not provide
>>> the user with an option to change his/her password.
>>>
>>>>>
>>>>> 2. This creates a problem, as every time a password is reset in IPA,
>>>>> it's automatically set to be
>>>>> expired so the user will change password at next logon.
>>>>>
>>>>> Is there a way around this?
>>>>
>>>> use the IPA web form to change the password by the user.
>>>>
>>> This is a manual process for the user to be aware of and will generate
>>> calls to the helpdesk. I believe it would create a much better user
>>> experience to allow the password to the changed as a part of the login
>>> procedure.
>>>
>>> Or adding an option to work the same way as our current Secure Global
>>> Desktop solution allows us to do; Logging in the user with the expired
>>> password, and then the password is being changed as a part of the login
>>> procedure to the Linux Desktop.
>>>
>>> And this is a scenario that will be coming up often, as that every time
>>> a new user is added or a password is reset for an existing user in Red
>>> Hat IdM, the password is set to be expired so that the user is forced to
>>> change it on next logon, and no option is provided in Red Hat IdM to
>>> work around this.
>>>
>>> In our environment the users who will use the Linux VDI solution through
>>> the User Portal will be using a Windows desktop and this will be their
>>> only link into the Linux environment where they're required to log on
>>> using a username and password from Red Hat IdM.
>>
>> the problem is each authentication provider has a different method to
>> change password (no standard for this).
>> as a first step, we added in 3.3 the motd option (message of the day),
>> you can use that to put a text specifying in case of password
>> expirtaion to use the IPA web url.
>>
>> we'll another tweak to manage domains, to allow specyfing the password
>> expirtation web form change url per domain, and show it for password
>> expirtaion.
>>
>> then we can look about actually supporting this for specific providers.
>>
> I've got a RHEV 3.3 test environment up running, and I'm trying the motd
> option you recommended. I can set the UserMessageOfTheDay using
> rhevm-config sucessfully, and I see the message displayed on the User
> Portal web page.
>
> However any attempt on adding an URL (to the IPA server) with a <a
> href..> tag or without any html tag, displays the URL and not a link the
> user can click on as expected. Neither can I copy and paste from the MOTD.
>
> Is there any way to produce a clickable link in the motd? Or at least
> allow cut and paste from the motd?
>
>
> Regards,
> Siggi
>
this was recently fixed via http://gerrit.ovirt.org/#/c/23373/ and
backported to 3.4 via http://gerrit.ovirt.org/#/c/23622/
barak/yair - please review if this is stable-3.3 branch material (for
the older global motd config of course).
Thanks,
Itamar
More information about the Users
mailing list