Bug 1037844

Summary: [RFE][AAA] Allow the user to change an expired password as a part of the User Portal login process
Product: [oVirt] ovirt-engine Reporter: Sigbjorn Lie <sigbjorn>
Component: RFEs Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE QA Contact: Gonza <grafuls>
Severity: medium Docs Contact:
Priority: unspecified    
Version: --- CC: bazulay, bugs, emesika, grafuls, iheim, mgoldboi, mperina, oourfali, pstehlik, rbalakri, rnori, sbonazzo, sigbjorn, sraje, srevivo, trichard, ykaul
Target Milestone: ovirt-4.0.0-alpha Keywords: FutureFeature
Target Release: 4.0.0 Flags: rule-engine: ovirt-4.0.0+
pstehlik: testing_plan_complete+
mgoldboi: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt 4.0.0 alpha1 Doc Type: Enhancement
Doc Text:
Previously, if a user password expired, it needed to be reset on the LDAP server. Now there is a new capability added to the LDAP and JDBC extensions to enable changing passwords from the front end in a new change password screen.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-01 12:25:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1092744    
Bug Blocks: 1076964, 1425412    

Description Sigbjorn Lie 2013-12-03 22:02:16 UTC
Description of problem:
Allow the user to change an expired password as a part of the User Portal login process

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Attempt to log on to the User Portal with an account that's expired in Red Hat IdM
2. Message is displayed showing password has expired.
3. 

Actual results:
No further action is possible and no further information is provided to the user for how to change his/her expired password.

Expected results:
A password change dialog appearing allowing the user to change his/her expired password as a part of the login process to the User Portal.

Additional info:

Comment 1 Sigbjorn Lie 2013-12-03 22:24:08 UTC
Some further info:

http://comments.gmane.org/gmane.comp.emulators.ovirt.user/11486

>
>>
>> 2. This creates a problem, as every time a password is reset in IPA, it's automatically set to be
>> expired so the user will change password at next logon.
>>
>> Is there a way around this?
>
> use the IPA web form to change the password by the user.
>
This is a manual process for the user to be aware of and will generate calls to the helpdesk. I believe it would create a much better user experience to allow the password to be changed as a part of the login procedure.

Or adding an option to work the same way as our current Secure Global Desktop solution allows us to do; Logging in the user with the expired password, and then the password is being changed as a part of the login procedure to the Linux Desktop.

And this is a scenario that will be coming up often, as every time a new user is added or a password is reset for an existing user in Red Hat IdM, the password is set to be expired so that the user is forced to change it on next logon, and no option is provided in Red Hat IdM to work around this.

In our environment the users who will use the Linux VDI solution through the User Portal will be using a Windows desktop and this will be their only link into the Linux environment where they're required to log on using a username and password from Red Hat IdM.

Comment 4 Itamar Heim 2013-12-04 06:01:46 UTC
3.3 allows adding a message of the day (motd) which can be used to specify the url.
next step will be to add such url at per-domain level via manage-domain.
can we use this bug to track the per-domain level url message?
after that is implemented, worth revisiting if trying to solve per specific authentication domains the change password integrated implementation (since there is no standard to doing this)

Comment 5 Oved Ourfali 2013-12-04 08:27:56 UTC
*** Bug 1037843 has been marked as a duplicate of this bug. ***

Comment 6 Sigbjorn Lie 2013-12-04 09:51:56 UTC
Ok. I have not found the motd option in 3.3 yet. I'm testing RHEV 3.3 beta. Was this motd feature removed in RHEV?

Would your path to implementing a password change mechanism for Red Hat IdM (IPA) be easier as the IPA team has already developed this for their web interface, and perhaps some of this can be re-used for ovirt/rhev?

Comment 7 Itamar Heim 2013-12-07 20:56:47 UTC
packaging/etc/engine-config/engine-config.properties:UserMessageOfTheDay.description="Message of the day to be displayed in the User Po
packaging/etc/engine-config/engine-config.properties:UserMessageOfTheDay.type=String

you can set UserMessageOfTheDay via the config utility

Comment 8 Sigbjorn Lie 2013-12-20 07:09:23 UTC
I don't have the 3.3 beta env available to me just now, but I suppose this will have to do for 3.3. 

However I would like to keep the request open for enabling a password change feature in (hopefully) the next version of ovirt/rhev.

Comment 9 Alon Bar-Lev 2014-03-16 21:35:14 UTC
The generic ldap provider will be able to change password if ldap server supports the rfc or modify attribute.

The question is if we can make it in time to modify the UI as well.

Comment 10 Alon Bar-Lev 2014-06-11 13:32:32 UTC
supported at extension side if ldap supports password modify extended request and supports anonymous bind to achieve this (support changing expired password).

 * active directory does not support password modify extended request.
 * ipa supports password modify extended request but for some reason it requires non anonymous bind[1]

so in theory we can support in future ipa, after it will be fixed.

the effort is still to enable the front-end/backup logic.

[1] https://fedorahosted.org/freeipa/ticket/1539
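
Added example, not part of the original thread and not oVirt or extension code: the password modify extended request mentioned in Comment 10 is defined in RFC 3062, and the sketch below encodes and decodes its request value to show that the target user and the old password travel inside the request itself, which is what lets an expired password be changed over an anonymous bind. The DN and passwords in the usage are constructed, and `usable_on_anonymous_bind` is a hypothetical helper encoding an assumption about server policy.

```python
# Added example (not oVirt code): RFC 3062 PasswdModifyRequestValue in BER.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # extended request name, RFC 3062
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _tlv(tag, value):
    """Encode one tag-length-value with a definite BER length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        size, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        size = first
    if pos + size > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + size], pos + size

def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None):
    """SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all optional."""
    body = b"".join(_tlv(tag, text.encode("utf-8"))
                    for tag, text in zip(FIELDS, (user_identity, old_passwd, new_passwd))
                    if text is not None)
    return _tlv(0x30, body)

def decode_passwd_modify(data):
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue")
    out, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in FIELDS:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[FIELDS[tag]] = value.decode("utf-8")
    return out

def usable_on_anonymous_bind(fields):
    """Assumption: with no bound identity the server needs both the target
    user and the old password to authorize changing an expired password."""
    return "userIdentity" in fields and "oldPasswd" in fields
```

Because the request value carries the old and new passwords in clear octets, it belongs only on a TLS-protected connection.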

Comment 11 Alon Bar-Lev 2014-06-27 13:14:22 UTC
AAA extension API support password modify, LDAP extension supports the password modify extension, now it is the engine task to actually use it.

Comment 12 Alon Bar-Lev 2014-07-21 10:29:13 UTC
Hi Mooli,
Your provider will be the first that supports proper password change, I suggest you implement the engine side as well.
Thanks,

Comment 13 Moran Goldboim 2015-07-20 13:10:11 UTC
moving to 4.0, wasn't delivered feature freeze

Comment 14 Sandro Bonazzola 2015-09-04 09:01:35 UTC
This is an automated message.
This Bugzilla report has been opened on a version which is not maintained anymore.
Please check if this bug is still relevant in oVirt 3.5.4.
If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution)
If it's an RFE please update the version to 4.0 if still relevant.

Comment 15 Sigbjorn Lie 2015-09-28 14:26:52 UTC
I requested this feature for changing password on an IPA domain as a part of the login process to the user portal. As far as I am aware IPA still only supports password changes over Kerberos.

Comment 16 Sandro Bonazzola 2015-09-30 09:52:23 UTC
Alon, why setting version to the unmaintained 3.3?
According to https://bugzilla.redhat.com/page.cgi?id=fields.html#version
If bug report is a feature request, it should be set to the version you would like to see problem fixed in.
So it should be 4.0.0.

Comment 17 Alon Bar-Lev 2015-09-30 10:26:45 UTC
this is an issue in 3.3, removed version if you think it is a feature request and not a bug... feature request should have the target release, not version.

Comment 18 Red Hat Bugzilla Rules Engine 2015-10-19 10:59:42 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 19 Oved Ourfali 2016-01-20 07:55:48 UTC
Ravi - this should move to you, right?
And depends on the SSO RFE, right?

Comment 20 Ravi Nori 2016-01-20 14:39:48 UTC
Oved is right, this depends on SSO RFE and will be handled as part of the SSO work targeted for 4.0

Comment 21 Gonza 2016-07-18 13:30:59 UTC
Verified with:
rhevm-4.0.0.5-0.1.el7ev.noarch