OpenStack Dashboard (Horizon)

Horizon change password fails when Keystone+LDAP.

Bug #1295186 reported by Tzach Shefi on 2014-03-20

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Invalid	Wishlist	Unassigned

Bug Description

Description of problem:

When using Keystone+LDAP, setting\change password on Horizon fails -> Error: Unable to change password.

Version-Release number of selected component (if applicable):
RHEL 6.5
openstack-dashboard-2013.2.2-1.el6ost.noarch
openstack-keystone-2013.2.2-1.el6ost.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Build setup
2. Configure keystone to use LDAP
3. Login with user to Horizon, click settings, change password

Actual results:
Can't change password -> Error: Unable to change password.

Expected results:
As a user i'd prefer any of the below options rather than a none informative "Error: Unable to change password."

* If possible make Horizon/Keystone update LDAP and actually change the password.
* If not possible to update LDAP, than notify user "LDAP authentication in use, please change password on LDAP." Or gray out "change password" while LDAP in use.

Tags:

Revision history for this message

Akihiro Motoki (amotoki) wrote on 2014-03-28:

Does keystone with LDAP backend support changing password?

tags:

added: keystone

Revision history for this message

Gary W. Smith (gary-w-smith) wrote on 2014-08-18:

Per the keystone documentation, http://docs.openstack.org/admin-guide-cloud/content/configuring-keystone-for-ldap-backend.html, the recommended setup when using LDAP is to use read-only, so if that is what you used, then that would explain your error.
Keystone does not have an API to identify its back-end or capabilities, so a new horizon setting would need to be created to indicate whether updating passwords are supported.

Changed in horizon:
importance:	Undecided → Wishlist

Revision history for this message

Julie Pichon (jpichon) wrote on 2014-09-25:

I set up DevStack with LDAP and was able to change my password so it seems it is supported but dependent on the configuration.

Until Keystone offers a way to query API capabilities/policies, this is mitigated by bug 1347354 which allows the deployer to hide the Change Password panel by updating the identity policy in Horizon.

Revision history for this message

Seb Hughes (sebhughes) wrote on 2014-11-01:

You can remove the password panel form Horizon by adding a file to /usr/share/openstack-dashboard/local/enabled/

e.g _50_no_password_panel.py

With the following:

PANEL = 'password'
PANEL_DASHBOARD = 'settings'
REMOVE_PANEL = True

I've raised a request so you can set a flag in the keystone.conf ldap section to enable or disabled this panel. See https://bugs.launchpad.net/horizon/+bug/1388062

Revision history for this message

Julie Pichon (jpichon) wrote on 2014-11-01:

Going to close this since it can be configured already for the environments where users aren't allowed to change their own password.

Changed in horizon:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.