[horde] passwd and forced changes

Ralf Lang lang at b1-systems.de
Fri Jan 3 12:33:40 UTC 2014


On 03.01.2014 13:25, Simon B wrote:
> On 2 January 2014 22:30, Ralf Lang <lang at b1-systems.de> wrote:
>> Hi Simon,
>>
>> On 02.01.2014 17:01, Simon B wrote:
>>> Hi
>> If I understand you correctly, you want a price tag for the following:
>>
>> For all backends that support listing/For SQL and LDAP/For the SQL
>> backend only
> 
> Well, I'm only concerned about SQL backend.
> 
>> The admin should see a list of users and be able to select users which
>> have to reset their Password upon next login. He should see which users
>> are already blocked.
> 
> Yes
> 
>> The users should authenticate to the reset password screen
>> with their old password/with their forgot password secret
> 
> If the Force_Change flag is set, then when the user logs in (with a
> supplied temporary password), then they will be given a splash screen
> to force the password change.  They cannot access imp, turba,
> kronolith, etc, until they've done so.

Who supplies this temporary password to the user? How? Why is this
better than the "forgot password" dialog which already exists?

>> The feature should be implemented
>> * as an addon to passwd (passwd's live password check and restrictions
>> apply)
>> * in the horde base module (no password restrictions apply)
> 
> I think in the horde base module is not possible because there's no
> guarantee that the system has the possibility to change the password
> unless passwd is installed.
> 
>> Please select options or correct me so we know where's talking about the
>> same thing.
>>
>> It's generally all possible. The question is which version is fit for
>> horde upstream and can we agree on a price and who does it.
> 
> As per the other replies, the first thing I have to do is look at
> actually moving to a real SQL backend :)  However, I would have
> thought this could be implemented even using IMAP to authenticate (in
> the passwd module).  If not using an auth-backend that lists users,
> the admin should be able to type in the user that has to be forced to
> change their password.  e.g.

It could be implemented for any backend. We currently have this lock-out
feature which uses an SQL database regardless of the authentication
backend. But when the backend doesn't allow listing, we can only list
users which already have the reset password flag, and adding the flag
would require manual typing.

> User forgets their password or account is compromised
> Admin/helpdesk reset password and notify the user of the temporary password.
> Admin/helpdesk uses the console to set the Force_Change flag for that
> email address/username
> User logs into Horde with the temporary credentials.  Because of the
> Force_Change flag user is unable to proceed to applications until the
> password change (using the passwd module) is done.

I don't like the temporary password thing much but it would work.
But consider:
If we need to send something to the user, we can send him a one-time
ticket / link to the reset password screen. If we cannot reach the user,
we can use the "forgot password" question/answer.


-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
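The two mechanisms discussed in this thread (an admin-set "must change password" flag kept in SQL independently of the auth backend, and a one-time ticket/link as the alternative to handing out a temporary password) sketched as an added example. This is illustration code, not Horde's or passwd's own implementation, and not from either poster; the table names pw_force_change and pw_reset_ticket, the SQLite store, and the one-hour default lifetime are assumptions made here.

```python
import hashlib
import secrets
import sqlite3
import time

# Hypothetical tables; Horde's real schema is not assumed here.
# The raw ticket is never stored, only its SHA-256, so a leaked
# database row cannot be replayed as a ticket.
SCHEMA = """
CREATE TABLE IF NOT EXISTS pw_force_change (
    user_uid   TEXT PRIMARY KEY,
    flagged_at INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS pw_reset_ticket (
    token_hash TEXT PRIMARY KEY,
    user_uid   TEXT NOT NULL,
    expires_at INTEGER NOT NULL,
    used_at    INTEGER
);
"""


def open_store(path=":memory:"):
    """Open (or create) the SQL store that lives beside any auth backend."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def set_force_change(conn, user_uid, now=None):
    """Admin/helpdesk side: require user_uid to change their password at next login.
    Works for backends that cannot list users, because the uid is simply typed in."""
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT OR REPLACE INTO pw_force_change (user_uid, flagged_at) VALUES (?, ?)",
        (user_uid, now))
    conn.commit()


def clear_force_change(conn, user_uid):
    """Called by the password-change screen once a new password has been set."""
    conn.execute("DELETE FROM pw_force_change WHERE user_uid = ?", (user_uid,))
    conn.commit()


def must_change_password(conn, user_uid):
    """Login gate: True means the user is held at the change-password splash
    screen and must not reach imp, turba, kronolith, etc. yet."""
    row = conn.execute(
        "SELECT 1 FROM pw_force_change WHERE user_uid = ?", (user_uid,)).fetchone()
    return row is not None


def list_forced_users(conn):
    """What the admin can always list, even without a user-listing backend."""
    return [r[0] for r in conn.execute(
        "SELECT user_uid FROM pw_force_change ORDER BY user_uid")]


def _hash_token(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_ticket(conn, user_uid, now=None, ttl_seconds=3600):
    """Create a one-time ticket for user_uid; the returned raw token is what
    goes into the link sent to the user."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
    conn.execute(
        "INSERT INTO pw_reset_ticket (token_hash, user_uid, expires_at) VALUES (?, ?, ?)",
        (_hash_token(token), user_uid, now + ttl_seconds))
    conn.commit()
    return token


def redeem_reset_ticket(conn, token, now=None):
    """Validate a presented ticket. Returns the user_uid on success, None otherwise.
    A single conditional UPDATE both checks and consumes the ticket, so two
    concurrent submissions of the same link cannot both succeed."""
    now = int(time.time()) if now is None else now
    token_hash = _hash_token(token)
    cur = conn.execute(
        "UPDATE pw_reset_ticket SET used_at = ? "
        "WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, token_hash, now))
    conn.commit()
    if cur.rowcount != 1:
        return None  # unknown, already used, or expired
    row = conn.execute(
        "SELECT user_uid FROM pw_reset_ticket WHERE token_hash = ?",
        (token_hash,)).fetchone()
    return row[0]
```

The lookup is by hash of a random 256-bit value rather than by a comparison the caller controls, so there is no timing side channel to worry about, and the single-row UPDATE makes single use atomic. A temporary password handed out by the helpdesk has neither property unless the helpdesk also remembers to flag the account.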
