[horde] passwd and forced changes

Simon B simon.buongiorno at gmail.com
Fri Jan 3 12:25:47 UTC 2014


On 2 January 2014 22:30, Ralf Lang <lang at b1-systems.de> wrote:
> Hi Simon,
>
> On 02.01.2014 17:01, Simon B wrote:
>> Hi
>>
>> I use SQL as a backend - consequently Horde tells me I cannot list or
>> add users.  That's all well and good and I have no wish to move to
>> Kolab or LDAP.  However, what I would like is the ability to force
>> users to change their password - either at first log in, perhaps at a
>> pre-defined interval or possibly just when I decide (for example, the
>> account is compromised, I reset the password, but would then like the
>> user to change it again).
>
> You can create a hook that sets the
> $conf[auth][params][hard_expiration_field] field. See also
> $conf[auth][params][hard_expiration_window].
>
>> Whilst I can see why the SQL backend can't be used for adding users
>> (this should actually be possible, perhaps by integrating
>> phpmyadmin?)
>
> No need to. The SQL Backend can do this.
>
>> , I can't see why it can't list the users
> The SQL Backend can do this.
>
>> allow me to put a tick next to the ones I want to force to change the
>> password).  rampage_users lists all the users that have logged in, so
>> surely that's the list it should display, no?
>
> No. It should use horde_users or whatever the user source field of your
> installation is.
>
>> What would it cost to implement this enhancement?
>
> Implement what exactly?
>
> * Listing users is already implemented
> * Adding users in SQL backend is implemented
> * There is a backend-independent feature to block users temporarily (for
> example for a series of bad logins) or permanently (through the user
> admin UI).
>
> If I understand you correctly, you want a price tag for the following:
>
> For all backends that support listing/For SQL and LDAP/For the SQL
> backend only

Well, I'm only concerned about SQL backend.

> The admin should see a list of users and be able to select users which
> have to reset their Password upon next login. He should see which users
> are already blocked.

Yes

> The users should authenticate to the reset password screen
> with their old password/with their forgot password secret

If the Force_Change flag is set, then when the user logs in (with a
supplied temporary password) they will be given a splash screen
to force the password change.  They cannot access imp, turba,
kronolith, etc, until they've done so.

> The feature should be implemented
> * as an addon to passwd (passwd's live password check and restrictions
> apply)
> * in the horde base module (no password restrictions apply)

I think in the horde base module is not possible because there's no
guarantee that the system has the possibility to change the password
unless passwd is installed.

> Please select options or correct me so we know we're talking about the
> same thing.
>
> It's generally all possible. The question is which version is fit for
> horde upstream and can we agree on a price and who does it.

As per the other replies, the first thing I have to do is look at
actually moving to a real SQL backend :)  However, I would have
thought this could be implemented even using IMAP to authenticate (in
the passwd module).  If not using an auth-backend that lists users,
the admin should be able to type in the user that has to be forced to
change their password.  e.g.

User forgets their password or account is compromised
Admin/helpdesk reset password and notify the user of the temporary password.
Admin/helpdesk uses the console to set the Force_Change flag for that
email address/username
User logs into Horde with the temporary credentials.  Because of the
Force_Change flag user is unable to proceed to applications until the
password change (using the passwd module) is done.

At least that's how I see it working (although obviously it would be
more coherent to be using an SQL backend).

Cheers.

Simon
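As an added example (not part of the thread or of Horde's own code), the workflow Simon sketches above, expressed directly against the SQL auth table using the expiration field Ralf mentions. The table and column names (horde_users, user_uid, user_pass, user_hard_expiration_date), storage of the expiration as an integer Unix timestamp, and the hard_expiration_window being counted in days are assumptions about the installation's configuration; the password hashes are placeholders.

```sql
-- Constructed sample data (assumed schema, not a dump of a real installation).
-- user_hard_expiration_date is the column assumed to be configured as
-- $conf['auth']['params']['hard_expiration_field'].
CREATE TABLE horde_users (
    user_uid                  VARCHAR(255) NOT NULL PRIMARY KEY,
    user_pass                 VARCHAR(255) NOT NULL,
    user_hard_expiration_date INTEGER
);
INSERT INTO horde_users VALUES ('alice', '<hash placeholder>', NULL);
INSERT INTO horde_users VALUES ('bob',   '<hash placeholder>', NULL);

-- Steps 1-3 of the workflow: helpdesk resets the password to a temporary
-- value (hash it with the hash type configured for the backend) and sets the
-- hard expiration to a timestamp that is already in the past, so the next
-- login is treated as expired and the user is sent to passwd before
-- reaching imp, turba, kronolith, etc.
UPDATE horde_users
   SET user_pass = '<temporary password hash>',
       user_hard_expiration_date = 1        -- 1970-01-01, i.e. already expired
 WHERE user_uid = 'bob';

-- The "tick list" an admin would want: which users are currently forced?
-- strftime('%s','now') is SQLite; use UNIX_TIMESTAMP() on MySQL.
SELECT user_uid,
       CASE WHEN user_hard_expiration_date IS NOT NULL
             AND user_hard_expiration_date < CAST(strftime('%s','now') AS INTEGER)
            THEN 'forced' ELSE 'ok' END AS status
  FROM horde_users
 ORDER BY user_uid;

-- Step 4: after a successful change through passwd the flag clears itself,
-- because the new expiration is pushed out by hard_expiration_window
-- (assumed to be days; shown here for a 90-day window).
UPDATE horde_users
   SET user_pass = '<new password hash>',
       user_hard_expiration_date = CAST(strftime('%s','now') AS INTEGER) + 90 * 86400
 WHERE user_uid = 'bob';
```

Resetting only the expiration column, without also replacing the password, would still force a change but would leave a possibly compromised password valid for that one login.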

