We are closing this issue, since a clearer error message is shown. A new issue has been linked to make this message configurable.

I'm running Crowd 2.0.4 connecting to Active Directory running on Server 2008R2 and I'm not seeing the new error message noted by Justin.

When changing the password on Windows to a simple password, I receive the error message "The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."

However, via Crowd user self-management, the error message when attempting to change the password is "You do not have permission to change your password."

Obviously, changing to a password that meets the requirements works.

For reference, the error in the Crowd logs is:

org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0]; remaining name 'cn=daniel (test) harvey,ou=amristar domain users,dc=amristar,dc=localnet'

Re: Justin's comment: I think it would be more ideal if the information about password complexity simply showed up on the change password screen from the start: Adding a new field to the directory configuration page as a "Regex Description" or "Minimum Password Requirements Description" that would automatically display when the user went to change password would be perfect. Ideally, a textarea, allowing significant descriptive text, not simply a textfield(255) or anything.

The downside here is admins who mess up their regex and describe something the regex doesn't actually check: In an ideal world, tied to a few other issues here from the past, some sort of regex validator could be incorporated (no clue if such a thing exists, research to commence shortly) that would either generate descriptive information about the regex, or at the very least, generate multiple examples of passwords that validate allowing admins to double check the regex v. their conception and description of it.

Personally, I care less about validation than about just being able to show users what they must do, but the additional help might provide a more user friendly experience overall ... However, that should be developed independently of the simple field addition, which would alleviate much of the pain immediately.

It is very frustrating for users if there is no hint which explains why a password is bad ... and this will get very frustrating for a crowd admin who has to deal with a directory with some non-trivial, but usual, password restrictions.

As of 2.0 we are showing the credential exception message:

"Your new password does not meet the directory complexity requirements".

But we still need to provide a hint option for administrators to improve this message further.

Are we planning to display some configurable text on the UI screen which end users see, and provide a facility where administrators can supply the text to be displayed?

That will be awesome! Can we generalise it, so that we can add it to other screens as well?

So:
1) Every screen potentially has a text display field, maybe via an expand/collapse widget.
2) There's a new admin feature which lists the UI screens available and allows the admin to enter their customised help text for each screen.

Let's get this done for 1.6.2

This is really causing problems for our users. This just seems so easy to implement - status update on this?

Thanks – Marcus