On 2/4/09, Michael Ströder michael@stroeder.com wrote:

Yes, but these "temporary security objects" have to be generated. If you do this automagically you have a privileged service account which resets the user's password in combination with a e-mail based challenge-response check.

I agree, but until I get your replies, I did not find any satisfying solution integrating this "e-mail based challenge-response check". I wanted the ldap server to validate the challenge which is going to be possible if I make drupal create those security objects with the challenge answer as the password.

Once a user comes back with its response to the challenge, drupal will try to bind to the LDAP server as this temporary security object with the password being the "challenge" url. If the bind is successful, then drupal will automatically be granted the right to reset the corresponding user's password (thanks to regex ACLs). Once this is done, the user will be able to log in (or actually, drupal will log the user in)

This is probably a bit complex to implement, but I'm gonna try.