-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
occ user:expire-password not working, when expiry is not explicitly enabled #66
Comments
@pmaier1 something to mention in docs or release notes ? known issue ? |
also to discuss: what is the expected behavior ?
|
The separation between oC admin and sysadmin is not perfect in this case but to avoid confusion I would go for 2. |
Estimate: 0.5-3md depending on what we find |
Assigning self to think about tech solution |
I still prefer 2. in #66 (comment). Still if it is more effort than 0,5 days, then go for 1.. The sysadmin can still activate it using occ app:config. |
Looking into the code it looks like having password expiration disabled would be the equivalent of having a rule "every password must expire after 0 days" but would need to limit said rule to only virtual password entries created by the admin through the command. It becomes more complicated if the admin runs the occ command not with the default date (expire now) but expiration in the future. I'm not too keen on adding this additional layer of complexity in the already complex code paths we have now unless there is a big benefit from it. Also note that with the approach with "0 days", if the admin decides to tick the checkbox "days until user password expired" the value of 0 days suddenly becomes 90 days (or whatever is in the field), which is equivalent to changing the "days" value, which, according to the docs, requires the admin to run the occ command again for all users. @pmaier1 did you hope to have this feature mostly for immediate expiry or would future expiry still be interesting despite not having any rule configured ? |
A middle-ground approach would be to allow only immediate expiration (not deferred expiration) when no expiration rules were set. This would be easier as we could directly set the "password has expired" flag for said users and would need us to send the notification right away. |
Ok, I decide to go the easy route for now: disable the command completely if no expiration rule was configured: #115 |
Actually I see this command as a (cumbersome) way to get the policy in place. Restricting to immediate expiry implies that, to put a rule in place, all users have to change their password immediately?
So you first need to enable it via webUI or appconfig, but then you can set a date for the initial expiry? |
@pmaier1 you need to first enable it via web UI or occ app:config, yes. Then the occ command will accept to work. |
and you should then use the command to set initial expiry, yes, as per release notes from the previous version. |
Great. And expiration via |
In my PR occ user:expire-password is completely disabled, neither immediate nor deferred expiry can be used if nothing was configured. It's the simplest approach. |
I mean when the policy is enabled and I want to set it up initially. Then I can specify a date for the first expiration. I am not limited to immediate expiration in this case, right? |
yes, there is no limit to the occ command. it works as it used to in the previous version when expiration is configured |
During smoke testing the release tarball, I noticed a confusion.
After installing and enabling
password_policy
app - the occ commandocc user:expire-password
is available.Withou further configuration, I have used the
occ user:expire-password user1
- but confusinglyuser1
was still able to login.Only when checking the top expiry box and using the occ command - the user was forced to change his password on login
The text was updated successfully, but these errors were encountered: