I was able to verify this feature works, but more importantly why this was failing for Paul. I did the following:
1. Created a new user called lbragstad with a password of `password`
2. Set keystone.conf [security_compliance] change_password_upon_first_user = True
3. Restarted keystone to apply the config changes
4. Attempted to change my password as lbragstad using python-openstackclient
This actually fails because python-openstackclient is going to attempt to get a token from keystone as the user authenticating (lbragstad in this case). This is done for discovery purposes, but it results in a 401 because of the logic in keystone.
Alternatively, if I build a request to change my password and use keystone API directly, I can successfully change my password [0].
Hopefully this helps. I agree with Morgan in that we need to update the clients and horizon to be smarter about this specific API and forego getting a token to avoid the 401.
[0] http://paste.openstack.org/raw/731863/
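The tokenless request described in the comment above can be sketched as follows. This is an added example, not the contents of paste [0] and not keystone or client code; it assumes the Identity v3 `POST /v3/users/{user_id}/password` call, and the function names and the sample URL and user ID are hypothetical. The call is keyed on the user ID, not the user name.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_password_change_request(keystone_url, user_id, original_password, new_password):
    """Build the self-service password change request.

    No X-Auth-Token header is set: the current password in the body is the
    only credential, so no token has to be fetched first.
    """
    body = {"user": {"original_password": original_password,
                     "password": new_password}}
    # Quote the ID so it cannot alter the request path.
    path = "/v3/users/%s/password" % urllib.parse.quote(user_id, safe="")
    return urllib.request.Request(
        url=keystone_url.rstrip("/") + path,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def change_password(keystone_url, user_id, original_password, new_password, timeout=10):
    """Send the request and return the HTTP status (204 means changed)."""
    req = build_password_change_request(
        keystone_url, user_id, original_password, new_password)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Wrong current password or a rejected new password lands here.
        return err.code


if __name__ == "__main__":
    import getpass
    import sys

    # Usage: script.py <keystone base URL> <user ID>
    status = change_password(sys.argv[1], sys.argv[2],
                             getpass.getpass("Current password: "),
                             getpass.getpass("New password: "))
    print("password changed" if status == 204 else "failed: HTTP %d" % status)
```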