Description of problem: No password change url on login failure when password expires Version-Release number of selected component (if applicable): 3.5 How reproducible: always Steps to Reproduce: 1. setup engine 2. configure a ad domain 3. run engine-manage-domains edit --domain=[domain] --provider=ad --user=[user]@[domain] --change-password-msg=youpasswordneedotbereset 4. restart engine 5. add new user with expired password in ad 6. login with the newly created user Actual results: login screen says: Cannot Login. User Password has expired. Use the following URL to change the password: Expected results: login screen says: Cannot Login. User Password has expired. Use the following URL to change the password: youpasswordneedotbereset Additional info: setup: # engine-manage-domains edit --domain=[domain] --provider=ad --user=[user]@[domain] --change-password-msg=youpasswordneedotbereset Enter password: Please enter message or URL to appear when user tries to login with an expired password (Not providing a value will cause the existing value to be reset):youpasswordneedotbereset The domain [domain] has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager. Users from this domain can be granted permissions by editing the domain using action edit and specifying --add-permissions or from the Web administration interface logging in as admin@internal user. oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart). Manage Domains completed successfully env: # cat /etc/issue CentOS release 6.5 (Final) Kernel \r on an \m # rpm -qa |grep ovirt-engine ovirt-engine-reports-setup-3.5.1-0.2.master.20141026083150.20141026083150.git01181cf.el6.noarch ovirt-engine-reports-3.5.1-0.2.master.20141013082754.20141013082754.gitbb67a59.el6.noarch ovirt-engine-dbscripts-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch ovirt-engine-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch ovirt-engine-setup-plugin-ovirt-engine-common-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-jboss-as-7.1.1-1.el6.x86_64 ovirt-engine-tools-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch ovirt-engine-lib-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-setup-plugin-ovirt-engine-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-websocket-proxy-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-dwh-3.5.0-1.el6.noarch ovirt-engine-sdk-python-3.5.0.8-0.1.20140926.gitd3a5e4d.el6.noarch ovirt-engine-cli-3.5.0.6-0.1.20141021.gitcf7f1a1.el6.noarch ovirt-engine-backend-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch ovirt-engine-userportal-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch ovirt-engine-restapi-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch ovirt-engine-setup-base-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-setup-plugin-websocket-proxy-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-setup-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-extensions-api-impl-3.5.1-0.0.master.20141024171931.gitdc6c57b.el6.noarch ovirt-engine-dwh-setup-3.5.0-1.el6.noarch ovirt-engine-webadmin-portal-3.5.1-0.0.master.20141023122515.git3a48330.el6.noarch
adding gshereme to CC list, just in case there some assistance will be needed to display the URL properly within the newly-styled login page (not sure what the exact problem is though, so may not be related at all).
1.) This bug reproduces for me. 2.) I've confirmed that the change password URL is: * stored in db * returned by aaa builtin extension to bll. * returned from bll * returns to the browser: function Jae$(_0,_1){_0.c=_1;return _0}function Xqb$(_0){return L7(Xqb,{292:1,300:1,316:1},0,_0)}function bti$(_0,_1,_2,_3,_4){_0.b=_1;_0.c=_3;return _0}return [(_._3=jAg(Jae$(_._4=new (kaf(Xhb)),Xqb$([0,(_._0=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([4,"USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED","$URL ","USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED","$MSG Hay, Bye."])),_._0),_._0),0,0,null,"",(_._1=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([0])),_._1),_._1),(_._2=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([0])),_._2),_._2),1,bti$(new (kaf(BDb)),(Vsi(),Hli),null,"ENGINE",null),(Llg(),Hlg)]))),iAg(_._4,_._3),_._3)]; The message here is "Hay, Bye." Greg could you take a look (per comment 1)?
Per comment #2 moving to UX, and removing the needinfo.
reassigning to Alexander.
So I investigated this a little bit and it appears the following is happening. There are 2 options one can pass: --change-password-msg: This is an additional message besides the URL. --change-password-url: This is the URL to display in the reported message. When the password is expired the backend passes 2 failure messages into the result object. The change password URL message with the URL substituted from the above --change-password-url option. And 'Cannot login. User Password has expired. Detailed message: $MSG' with $MSG substituted from --change-password-msg. Since the first commit the LoginModel has always obtained the first message (The URL one in this case) and displayed that. The second message has always been ignored. There has been a lot of work on the authentication side of things recently and it looks like the order of the messages was reversed before. So the first error message was the one associated with --change-password-msg and the second one with --change-password-url. So the url message was silently ignored. However in the current state the order switched so now the url is first and the msg is the one ignored. It also appears there is a bug in the backend that doesn't ignore adding the url/msg if they are blank (just null). I will do the following: 1. Fix the backend to also check for blank urls or msgs. 2. Fix the LoginModel to allow multiple error messages. 3. Fix the display to properly format and show all messages.
Is there a option to set change-password-msg in the new AAA method?
(In reply to Yaniv Dary from comment #6) > Is there a option to set change-password-msg in the new AAA method? this is extension specific. in case of ldap see [1] look for: * config.authn.credentials-change.url * config.authn.credentials-change.message [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l296
When testing this please make sure the message works with the options listed in comment #7 as well.
Alexander, did you make sure that the fix is working well for the new AAA stuff as well?
Yes this will work with the new AAA, that was actually what exposed the existing issue.
moving back to POST. @Alexander - this needs a backport to ovirt-engine-3.5.
pushing TR to 3.5.4, so no need to cherry-pick the fix to the 'ovirt-engine-3.5.3' branch. Once 'ovirt-engine-3.5' is merge - please move the BZ to MODIFIED.
(In reply to Einav Cohen from comment #12) > Once 'ovirt-engine-3.5' is merge Once *the* 'ovirt-engine-3.5' *patch* is *merged*
Since oVirt 3.5.4 RC1 has been released, please ensure that the fix is included in the build and move the bug to ON_QA accordingly.
Works fine in vt16.1 for both legacy and new AAA.
This is an automated message. oVirt 3.5.4 has been released on September 3rd 2015 and should include the fix for this BZ. Moving to closed current release.