#11946 Password reset issues on accounts.centos.org
Opened 23 days ago by vashirov. Modified 23 days ago

Hello,

TL;DR: password reset on accounts.centos.org doesn't work properly and breaks FAS credentials.

Background: I was trying to log in to git.centos.org with my old centos.org credentials, but they were not accepted.
I tried to reset my password, got a link from FAS with URL https://accounts.centos.org/forgot-password/change?token=eyJ... Once I filled in my new password, it showed an error:

Could not change password, please try again.

I tried again, this time the error was:

You have already requested a password reset, you need to wait 27 minute(s) and 14 seconds before you can request another.

Then I tried to log in to pagure.io with my FAS account, but it accepted neither my old password nor the new password that I provided while resetting it on accounts.centos.org.

So I had to reset my password there as well. This time I got a link with https://accounts.fedoraproject.org/forgot-password/change?token=eyJ.. URL and the change was successful.
After that I was able to log in to git.centos.org with my newly generated FAS password.

There is also a banner on accounts.centos.org:

You can also use your Fedora account to login here.

Is the "also" part still true? I thought that only FAS accounts are accepted now.

Thanks.


The Fedora account and FAS account should be one and the same. We consolidated your authentication infra together with CentOS, so it's now possible to log in to CentOS-related stuff using a FAS account. I think that is what the banner means.

The reset procedure should be the same for the CentOS and Fedora authentication systems, as the service behind it is shared by both.

I tried the CentOS password procedure and it worked for me without issue. You probably hit some temporary issue at the time. But as the reset worked on Fedora, I will close this as Can not fix.

Feel free to reopen the issue if you see it again.

Metadata Update from @zlopez:
- Issue close_status updated to: Will Not/Can Not fix
- Issue status updated to: Closed (was: Open)

23 days ago

Still can reproduce, reopening.
Steps to reproduce:
1. Make sure you can log in with the current password, for example on pagure.io
2. Go to https://accounts.centos.org/forgot-password/ask and reset the password
3. Receive an email with a link to reset the password on https://accounts.centos.org/, provide a new password.
(here for me it fails with the error "Could not change password, please try again.")
4. Try to log in with the new password OR the old password on pagure.io
(here login no longer works for me)
5. Reset password on https://accounts.fedoraproject.org/, after that login works both on pagure.io and accounts.centos.org

If needed, I can share a screen recording.
Thanks.

Metadata Update from @vashirov:
- Issue status updated to: Open (was: Closed)

23 days ago

You are right, I had the issue now, but I was still able to log in with the old password.

@arrfab Do you have something set up differently on the CentOS noggin deployment?

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: Needs investigation, high-gain, ops

23 days ago

@zlopez: accounts.centos.org is deployed/maintained/managed by the Fedora team, so I can't answer that question :) (and I don't have access there either, so I'm just a user myself)

PS: as we already had an internal discussion with the requester, I suggested creating it directly on the fedora-infra tracker for that reason (deployed and managed by fedora infra on the fedora ocp cluster)

I didn't know that it's hosted by us. In this case I will look into that.

If I understand it correctly, CentOS is just replacing the header, otherwise it's the same instance as in Fedora.

Hm, looking at OpenShift, it's a different deployment altogether.

I don't see any error in the logs at first glance and the deployment is different only in a few details (deployment name and URL of the service), so I'm not sure what could be happening here.

accounts.centos.org runs on an older version of noggin:

Powered by noggin v1.6.0 (stable:1e48480)

On accounts.fedoraproject.org:

Powered by noggin v1.9.0 (stable:a2a7202)

I didn't notice that, thanks for pointing that out. In this case, let me try to just redeploy it.

Oh, the last build was done 2 years ago. So I did a new one and it is now deployed. I tried it again and it didn't work, but now I see the error:

ERROR in password: An unhandled error Denied happened while reseting the password for user zlopez: Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=zlopez,cn=users,cn=accounts,dc=fedoraproject,dc=org'.

It seems that the LDAP permissions for noggin are not set correctly. Maybe because it's the centos.org domain reaching to change a user in the fedoraproject.org domain.

I'm not sure when those could be adjusted, but we are getting somewhere.

I just tried to reset the password on accounts.centos.org and it worked for me. And the same password now works with accounts.fedoraproject.org.

I'm glad it works for you now :-)

Thanks :)
I'm curious if you see the same error in the logs for my username.

I checked the logs and no error for you. Let me try it again, it's possible that there was something cached.

Metadata Update from @zlopez:
- Issue assigned to zlopez

23 days ago

It seems that the issue still persists.


Metadata
Boards 1
ops Status: Backlog