We have a ticket, #2276, to allow resetting the password using forms-based login. As a step towards that it would be good to be able to detect that a reset is required. Right now it reports an incorrect password.
In its current state, the Web UI can detect that the user needs to set a new password from the error message, but this is unreliable. The error message is dependent on locale and therefore may vary. It would be better if the server also sent an error code in the response.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=811296
We're not sure kinit gives us the necessary information to determine a failed login is due to a password reset, but ...
On IRC there was a suggestion from rcrit and simo that we should look up the password expiration in LDAP. We should always do this, even if the kinit succeeded, so that we can provide advance warning to the user that their password will expire shortly (if the expiration is within a time window).
See ticket #2625 as well.
attachment freeipa-rcrit-1006-expired.patch
Two patches. The first is to add a new header, X-IPA-Rejection-Reason, to rpcserver.py. The second has the UI interpret the reason code and display different messages.
master: 7b515bd, c64bcaf
ipa-2-2: d05a5c6, bd84fb4
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04
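The following sketch is an added illustration, not code from the FreeIPA patches. It contrasts matching the localised error text with reading the X-IPA-Rejection-Reason header discussed in this ticket. The reason-code strings, the response object shape and the function names are assumptions, since the ticket names only the header.

```javascript
// Added illustration; not FreeIPA's Web UI code.
// Assumed reason codes: the ticket names the header but not its values.
const REASON_PASSWORD_EXPIRED = 'password-expired';
const REASON_INVALID_PASSWORD = 'invalid-password';

// HTTP header names are case-insensitive, so normalise before lookup.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim().toLowerCase();
  }
  return null;
}

// Old approach from the ticket: match the (localised) error text.
function classifyByMessage(response) {
  const looksExpired = /password.*expired/i.test(response.body);
  return looksExpired ? 'reset-required' : 'invalid-credentials';
}

// New approach: decide from the status and the reason header only.
function classifyByHeader(response) {
  if (response.status === 200) return 'ok';
  if (response.status !== 401) return 'error';
  const reason = getHeader(response.headers, 'X-IPA-Rejection-Reason');
  if (reason === REASON_PASSWORD_EXPIRED) return 'reset-required';
  if (reason === REASON_INVALID_PASSWORD) return 'invalid-credentials';
  // Missing or unknown code (older server, new reason): stay generic
  // rather than guessing, and do not offer the reset form by default.
  return 'login-failed';
}

// Constructed sample responses: same server state, two locales.
const expiredEnglish = {
  status: 401,
  headers: { 'X-IPA-Rejection-Reason': 'password-expired' },
  body: 'Password expired. You must change it now.',
};
const expiredGerman = {
  status: 401,
  headers: { 'x-ipa-rejection-reason': 'password-expired' },
  body: 'Passwort abgelaufen. Sie müssen es jetzt ändern.',
};
const wrongPassword = {
  status: 401,
  headers: { 'X-IPA-Rejection-Reason': 'invalid-password' },
  body: 'Sorry you are not allowed to access this service.',
};
const oldServer = { status: 401, headers: {}, body: 'Unauthorized' };
```

With the constructed German response, the text match reports a wrong password while the header check still reports that a reset is required.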