Description:

• user tries to log in
• IF Agentinfo AND request for PW change are/should be shown the requests results in an error "ERR_TOO_MANY_REDIRECTS"

Reported by customer using:

ITSM
CustomerCompanyImportExport (c.a.p.e. IT Vers. 1.4.0)
CustomerUserImportExport (c.a.p.e. IT Vers. 1.10.0)
DynamicFieldITSMConfigItem (c.a.p.e. IT Vers. 1.1.0)
FAQ (OTRS)
GeneralCatalog (OTRS)
ImportExport (OTRS)
iPhoneHandle (OTRS)
ITSM-CIAttributeCollection (c.a.p.e. IT Vers. 2.3.0)
OTRSMAsterSlave (OTRS)
Support, Survey und TimeAccounting (OTRS)

System OTRS 3.3.5.

OTRS Log shows:

Wed Apr 30 13:39:43 2014    notice  OTRS-CGI-12     User: USERNAME authentication ok
(Method: sha256, REMOTE_ADDR: xxx.xxx.xxx.xxx).

repeated 8 times in 2 seconds.

Hi
On OTRS 6.0.30 have enabled the package Znuny4OTRS-PasswordPolicy 6.0.6, all work fine till enabled two-factor authentication (2FA) so the agents cannot change his/her password.

With both option enabled (Znuny4OTRS-PasswordPolicy and 2FA) when the Agent must change the password the system does not accept the new password because (i think) expects the token, to validate the change.

How to reproduce

After installed and configure Password Policy (these are mine settings)

Go to System Configuration > Core > Auth > Agent > TwoFactor
Enable only AuthTwoFactorModule and leave the others settings by default

When Agent have to change the password the screen are like this

from system log i see this entries

Server

• OS: OpenSUSE
• OTRS version 6.0.30

Client

• Browser: any
• Windows 10

Additional information

As mention before, if disable 2FA the add-on PasswordPolicy work well
NOTE: i changed PasswordMaxValidTimeInDays to 60 (that are differ from change password screen) to temporary permit Agent login without disable 2FA

Thanks in advance
naitso

Expected behavior

Set setting PasswordMaxLoginFailed affectes CustomerUser login.

Actual behavior

Despite the setting PasswordMaxLoginFailed and way more login attempts the CustomerUser does not become invalid-temporary like agents.

How to reproduce

Steps to reproduce the behavior:

1. Configure a value PasswordMaxLoginFailed
2. Login in multiple times (>PasswordMaxLoginFailed) as a CustomerUser with a wrong password.
3. Check that the CustomerUser is still valid.

Environment

• OS: n.a.
• Browser: n.a.
• OTRS version 6.0.35

Additional information

PasswordMaxLoginFailed is a setting form the Framework and not found in any file related to CustomerUser. It's expected to work with datasources not read-only and type DB (or wherever the valid flag can be changed)

Hi, I plan to use some customer as "service user" to permit the creation of new tickets through WSDL for an automatic task.
Is possible to inhibit the password policy for a specific group of customers? Or, are there other method to use for create a "service user" that should not expire ?
Thanks in advance
Cristian