Thanks, but as discussed, even creating a user able to reset all the userPassword attributes of all other users is not free of security risk. This is what I call a privileged user and I would like to avoid it. Drupal already supports such a solution, but I don't find it secure enough.
I had an interesting suggestion on the list: to create a database of temporary security objects where drupal is the only one who knows the passwords. Each temporary security object is able to reset one password in the main database (by the use of regex ACLs) and only once.
On 2/4/09, Brett Maxfield <brett.maxfield@gmail.com> wrote:
If we are talking about openldap, not drupal, there are probably many ways of doing so.. My thoughts..
You cannot bind as the user in this case, as presumably the reason they want to reset the password is that they don't know it.
You should probably give the website its own standard read-only user, which has been (only) allowed to update userPassword.
Giving the website manager/root access just to change a password would be extremely unwise and inadvisable.
Drupal should let you specify any ldap user for password resets.
-----Original Message-----
From: Vincent Panel <yohonet@gmail.com>
Sent: Wednesday, 4 February 2009 2:16 AM
To: openldap-technical@openldap.org
Subject: Forgotten password recovery
Hello,
Many websites now provide a feature which allows users to reset their password on their own, without being helped by an administrator or another privileged person.
A website I'm working on is using drupal which is able to handle such a situation by sending a mail to the user. The body of this mail contains a specific url crafted by drupal so that when the user clicks on the link, drupal can automatically authenticate the user. This URL is only valid once.
If you try to integrate drupal with openldap, you'll find that openldap does not support such an authentication scheme. So you are either forced to create a privileged user in LDAP which is able to reset all users' passwords or live with it and give up this feature.
So I'm writing to this list to know if anyone already had a similar issue and which solution was found? Would it be possible for openldap or an openldap overlay to implement such an authentication mechanism? Is there any IETF draft about it (one can dream)?
Vincent
Vincent Panel wrote:
Thanks, but as discussed, even creating a user able to reset all the userPassword attributes of all other users is not free of security risk. This is what I call a privileged user and I would like to avoid it.
You can't avoid it if the reset service has to run automagically.
Drupal already supports such a solution, but I don't find it secure enough.
Then you have to add some human admin interaction.
I had an interesting suggestion on the list: to create a database of temporary security objects where drupal is the only one who knows the passwords. Each temporary security object is able to reset one password in the main database (by the use of regex ACLs) and only once.
Yes, but these "temporary security objects" have to be generated. If you do this automagically you have a privileged service account which resets the user's password in combination with an e-mail based challenge-response check. I don't think it's a big security issue though. IMO if you suspect your password reset web component of being compromised you should worry about much more in the whole system.
Ciao, Michael.
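The two designs debated in this thread, written out as slapd.conf-style ACLs, as an added example that is not part of the original messages or of OpenLDAP's own documentation. The suffix dc=example,dc=com, the containers ou=people, ou=services and ou=pwreset, and the service account cn=drupal-pwreset are assumed names. Option A is Brett's single least-privilege service account that may write userPassword and nothing else; Option B is Vincent's per-user "temporary security object", where a regex on the target DN is expanded into the "by" clause so each object can write exactly one entry's password. Use one option or the other: slapd stops at the first "access to" clause whose target matches, so stacking both would leave the second one unreachable.

```conf
# Added example, not from the thread. All DNs below are assumed.

# Option A (Brett): one dedicated reset account for the website.
# It may write userPassword; users may change their own; anonymous
# clients may only use the attribute to bind ("auth").
access to attrs=userPassword
    by dn.exact="cn=drupal-pwreset,ou=services,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Option B (Vincent), replaces Option A: a per-user object
# cn=<uid>,ou=pwreset,... may write userPassword of exactly one entry,
# uid=<uid>,ou=people,... The "expand" modifier substitutes $1 from the
# regex in the "to" clause. Removing the object after a single use is up
# to the application, and whatever creates these objects needs write
# access to ou=pwreset, so that account stays privileged (Michael's point).
access to dn.regex="^uid=([^,]+),ou=people,dc=example,dc=com$" attrs=userPassword
    by dn.exact,expand="cn=$1,ou=pwreset,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Everything else: the website account is an ordinary read-only user.
access to *
    by dn.exact="cn=drupal-pwreset,ou=services,dc=example,dc=com" read
    by self write
    by users read
    by * none
```

Whichever option is chosen, the userPassword clause must precede the catch-all "access to *" clause, otherwise the catch-all grants the website account read on the attribute and the write rule is never consulted. After editing, `slaptest -f slapd.conf` parses the file, and binding as the reset account and attempting a userPassword write against a test entry confirms the rule behaves as intended.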