Hello,
Many websites now provide a feature which allows users to reset their password on their own, without being helped by an administrator or another privileged person.
A website I'm working on is using Drupal, which is able to handle such a situation by sending a mail to the user. The body of this mail contains a specific URL crafted by Drupal so that when the user clicks on the link, Drupal can automatically authenticate the user. This URL is only valid once.
If you try to integrate Drupal with OpenLDAP, you'll find that OpenLDAP does not support such an authentication scheme. So you are either forced to create a privileged user in LDAP which is able to reset all users' passwords, or live with it and give up this feature.
So I'm writing to this list to know if anyone already had a similar issue and which solution was found? Would it be possible for OpenLDAP or an OpenLDAP overlay to implement such an authentication mechanism? Is there any IETF draft about it (one can dream)?
Vincent
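Added example, not part of Vincent's message and not Drupal's or OpenLDAP's own code: a minimal model of the single-use reset link the message describes. The application issues a random secret for the mailed URL, stores only its hash with an expiry, and invalidates it on first use; the directory is never involved in that step, which is why the state has to live on the application side. The `ResetTokenStore` class, the in-memory dictionary standing in for the application database, and the one-hour lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed lifetime for a reset link; Drupal's real default is not taken from
# the message above, this value is just for the example.
TOKEN_TTL_SECONDS = 3600


@dataclass
class ResetToken:
    user: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Constructed in-memory store standing in for the application's database.

    Only the SHA-256 digest of each secret is kept, so reading the store does
    not yield a usable link; the plaintext secret exists only in the mail.
    """

    def __init__(self) -> None:
        self._tokens: Dict[bytes, ResetToken] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a single-use token for `user` and return the secret to embed
        in the mailed URL (e.g. https://example.invalid/reset/<secret>)."""
        now = time.time() if now is None else now
        secret = secrets.token_urlsafe(32)          # 256 bits of randomness
        digest = hashlib.sha256(secret.encode()).digest()
        self._tokens[digest] = ResetToken(user, now + TOKEN_TTL_SECONDS)
        return secret

    def redeem(self, secret: str, now: Optional[float] = None) -> Optional[str]:
        """Validate the secret from a clicked link.

        Returns the user name on success and marks the token used, so a second
        click fails; returns None for unknown, expired or already-used tokens.
        Once this returns a user, the application (bound with its own service
        account) performs the password change in the directory.
        """
        now = time.time() if now is None else now
        digest = hashlib.sha256(secret.encode()).digest()
        entry = self._tokens.get(digest)
        if entry is None or entry.used or now > entry.expires_at:
            return None
        entry.used = True
        return entry.user


if __name__ == "__main__":
    store = ResetTokenStore()
    link_secret = store.issue("alice")
    print("first click :", store.redeem(link_secret))   # alice
    print("second click:", store.redeem(link_secret))   # None
```

The `now` parameter exists so expiry can be tested deterministically; in production the default wall clock is used. Lookup is by digest rather than by comparing secrets, which avoids keeping the secrets themselves anywhere on the server.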