2:13 a.m.
Thanks, but as discussed, even creating a user able to reset all the
userPassword attributes of all other users is not security risk free.
This is what I call a privileged user and I would like to avoid it.
Drupal already supports such a solution, but I don't find it secure
enough.
I had an interesting suggestion on the list : to create a database of
temporary security objects where drupal is the only one who knows the
passwords. Each temporary security object is able to reset one
password in the main database (by the use of regex ACLs) and only
once.
On 2/4/09, Brett Maxfield <brett.maxfield(a)gmail.com> wrote:
If we are talking about openldap, not drupal, there are probably many
ways
of doing so.. My thoughts..
You cannot bind as the user in this case, as presumably the reason they want
to reset password is that they dont know it.
You should probably give the website it's own standard read-only user, which
has been (only) allowed to update userPassword.
Giving the website manager/root access just to change a password would be
extremely unwise and inasvisable.
Drupal should let you specify any ldap user for password resers..
-----Original Message-----
From: Vincent Panel <yohonet(a)gmail.com>
Sent: Wednesday, 4 February 2009 2:16 AM
To: openldap-technical(a)openldap.org
Subject: Forgotten password recovery
Hello,
Many websites now provide a feature which allow users to reset their
password on their own, without being helped by an administrator or
another privileged person.
A website I'm working on is using drupal which is able to handle such
a situation by sending a mail to the user. The body of this mail
contains a specific url crafted by drupal so that when the user clicks
on the link, drupal can automatically authenticate the user. This URL
is only valid once.
If you try to integrate drupal with openldap, you'll find that
openldap does not support such an authentication scheme. So you are
either forced to create a privileged user in LDAP which is able to
reset all users' passwords or live with it and give up this feature.
So I'm writing to this list to know if anyone already had a similar
issue and which solution was found ? Would it be possible for openldap
or an openldap overlay to implement such an authentication mechanism ?
Is there any IETF draft about it (one can dream) ?
Vincent
7:41 a.m.
New subject: Forgotten password recovery
Vincent Panel wrote:
Thanks, but as discussed, even creating a user able to reset all the
userPassword attributes of all other users is not security risk free.
This is what I call a privileged user and I would like to avoid it.
You can't avoid it if the reset service has to run automagically.
Drupal already supports such a solution, but I don't find it
secure
enough.
Then you have to add some human admin interaction.
I had an interesting suggestion on the list : to create a database
of
temporary security objects where drupal is the only one who knows the
passwords. Each temporary security object is able to reset one
password in the main database (by the use of regex ACLs) and only
once.
Yes, but these "temporary security objects" have to be generated. If you
do this automagically you have a privileged service account which resets
the user's password in combination with a e-mail based
challenge-response check. I don't think it's a big security issue
though. IMO if you suspect your password reset web component being
compromised you should worry about much more in the whole system.
Ciao, Michael.
5344
days inactive
5344
days old
openldap-technical@openldap.org
1 comments
2 participants
participants (2)
-
Michael Ströder -
Vincent Panel