The cloud operator can call the updateUser API themselves? Then they can send an email to their users telling them their new password. There is no ‘password change’ protocol at the moment. It is assumed that user provisioning and user lifecycle is best left to a different system.

From: Demetrius Tsitrelis <demetrius.tsitre...@citrix.com>
Reply-To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Date: Thursday, August 21, 2014 at 11:28 AM
To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Subject: Should CloudStack support forced password reset?

For legacy reasons the MD5 and plaintext plugins are included in the list of authenticators. If a company has been using CloudStack for a while, they may want to move all their users to a stronger plugin such as SHA256SALTED (which is now the default). Is there a mechanism to do that? It doesn't appear that there is, so I propose modifying the API as follows:

1) Include a result in the response to the login API which indicates whether a user must change his password.
2) If a user is in this state, have him call a new API called changeMyPassword. That API would require his old password and a new password. If the call succeeds, then the user can retry the login API with his new password.
3) Add a new parameter named forceUserToChangePassword to the UpdateUser API. An admin would set that parameter value to indicate that a user is required to change his password.

Thoughts?
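
The three-step flow proposed in the quoted message, modelled as an added example that is not part of the thread and is not CloudStack code. `UserStore`, the hash helpers and the stored format are hypothetical stand-ins; only the names `changeMyPassword`, `forceUserToChangePassword`, MD5 and SHA256SALTED come from the message, and withholding the session while a change is pending is an assumption.

```python
import hashlib
import hmac
import os

# Simplified stand-ins for the MD5 and SHA256SALTED authenticator plugins;
# the stored format here is constructed, not CloudStack's.
def _md5(password, salt):
    return hashlib.md5(password.encode()).hexdigest()

def _sha256salted(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

AUTHENTICATORS = {"MD5": _md5, "SHA256SALTED": _sha256salted}
DEFAULT_SCHEME = "SHA256SALTED"

class UserStore:  # hypothetical in-memory account table
    def __init__(self):
        self.users = {}

    def add_user(self, name, password, scheme=DEFAULT_SCHEME):
        salt = os.urandom(16) if scheme == "SHA256SALTED" else b""
        self.users[name] = {"scheme": scheme, "salt": salt, "force_change": False,
                            "hash": AUTHENTICATORS[scheme](password, salt)}

    def _verify(self, name, password):
        user = self.users.get(name)
        if user is None:
            return False
        candidate = AUTHENTICATORS[user["scheme"]](password, user["salt"])
        return hmac.compare_digest(candidate, user["hash"])

    def update_user(self, name, forceUserToChangePassword):
        # Step 3: an admin marks the account as requiring a password change.
        self.users[name]["force_change"] = bool(forceUserToChangePassword)

    def login(self, name, password):
        # Step 1: the flag is revealed only after the password verifies, and
        # (assumption) no session is granted while a change is pending.
        if not self._verify(name, password):
            return {"authenticated": False, "mustChangePassword": False}
        pending = self.users[name]["force_change"]
        return {"authenticated": not pending, "mustChangePassword": pending}

    def change_my_password(self, name, old_password, new_password):
        # Step 2: the old password is checked with the legacy scheme, the new
        # one is stored with the default scheme, and the flag is cleared.
        if not self._verify(name, old_password):
            return False
        self.add_user(name, new_password)
        return True
```

A failed password check returns the same response whether or not a change is pending, so the flag does not reveal account state to a caller who lacks the current password.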