[horde] passwd and forced changes

Simon B simon.buongiorno at gmail.com
Fri Jan 3 14:20:50 UTC 2014


On 3 January 2014 13:33, Ralf Lang <lang at b1-systems.de> wrote:
> On 03.01.2014 13:25, Simon B wrote:
>> On 2 January 2014 22:30, Ralf Lang <lang at b1-systems.de> wrote:
>>> Hi Simon,
>>>
>>> On 02.01.2014 17:01, Simon B wrote:
>>>> Hi
>>> If I understand you correctly, you want a price tag for the following:
>>>
>>> For all backends that support listing/For SQL and LDAP/For the SQL
>>> backend only
>>
>> Well, I'm only concerned about SQL backend.
>>
>>> The admin should see a list of users and be able to select users which
>>> have to reset their Password upon next login. He should see which users
>>> are already blocked.
>>
>> Yes
>>
>>> The users should authenticate to the reset password screen
>>> with their old password/with their forgot password secret
>>
>> If the Force_Change flag is set, then when the user logs in (with a
>> supplied temporary password), then they will be given a splash screen
>> to force the password change.  They cannot access imp, turba,
>> kronolith, etc, until they've done so.
>
> Who supplies this temporary password to the user, and how? Why is this
> better than the "forgot password" dialog which already exists?
>
>>> The feature should be implemented
>>> * as an addon to passwd (passwd's live password check and restrictions
>>> apply)
>>> * in the horde base module (no password restrictions apply)
>>
>> I think in the horde base module is not possible because there's no
>> guarantee that the system has the possibility to change the password
>> unless passwd is installed.
>>
>>> Please select options or correct me so we know we're talking about the
>>> same thing.
>>>
>>> It's generally all possible. The question is which version is fit for
>>> horde upstream and can we agree on a price and who does it.
>>
>> As per the other replies, the first thing I have to do is look at
>> actually moving to a real SQL backend :)  However, I would have
>> thought this could be implemented even using IMAP to authenticate (in
>> the passwd module).  If not using an auth-backend that lists users,
>> the admin should be able to type in the user that has to be forced to
>> change their password.  e.g.
>
> It could be implemented for any backend. We currently have this lock-out
> feature which uses an sql database regardless of the authentication
> backend. But when the backend doesn't allow listing, we can only list
> users which already have the reset password flag and adding the flag
> would require manual typing.
>
>> User forgets their password or account is compromised.
>> Admin/helpdesk resets the password and notifies the user of the temporary password.
>> Admin/helpdesk uses the console to set the Force_Change flag for that
>> email address/username.
>> User logs into Horde with the temporary credentials.  Because of the
>> Force_Change flag the user is unable to proceed to applications until the
>> password change (using the passwd module) is done.
>
> I don't like the temporary password thing much but it would work.
> But consider:
> If we need to send something to the user, we can send him a one-time
> ticket / link to the reset password screen. If we cannot reach the user,
> we can use the "forgot password" question/answer.

I'm less concerned with people who've forgotten their password and can
access the forgot password question/answer.

I'm more concerned with:
- initial user login - i.e. we create a password (such as Password1234)
and want the user to change it immediately
- account has been compromised and we've reset the password to
safhl$#HXs to prevent further unauthorised access, but when we give
the user this password we don't want them to just save it in the
browser and proceed - we actually want them to change it.
- Sometimes people forget what the password hint is trying to tell
them (I know I do).

Simon
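The workflow discussed in this thread (a temporary or initial password, a Force_Change flag kept in an SQL table independent of the authentication backend, and the user gated at login until the change is done), written out as an added example. This is not code from Horde, passwd, or anyone on the thread; the table layout, the function names, the in-memory SQLite store and the PBKDF2 hashing are my assumptions. The only new-password rule enforced here is that the user may not keep the temporary password; in the real passwd module its own live checks and restrictions would apply at that point.

```python
import hashlib
import hmac
import os
import sqlite3

# Login outcomes returned to the caller (e.g. the Horde login handler).
DENIED = "denied"            # bad username or password
MUST_CHANGE = "must_change"  # authenticated, but only the change-password screen may be shown
OK = "ok"                    # authenticated, applications (imp, turba, ...) may be opened

# Constructed schema (assumption, not Horde's real tables): the flag lives in SQL
# regardless of which backend actually authenticates the user.
SCHEMA = """
CREATE TABLE users (
    username     TEXT PRIMARY KEY,
    salt         BLOB NOT NULL,
    pw_hash      BLOB NOT NULL,
    force_change INTEGER NOT NULL DEFAULT 0
);
"""


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 (assumed hashing scheme for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def open_db():
    """Create the in-memory store with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn, username, initial_password):
    """Initial login case: the admin-chosen password must be changed immediately."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, force_change) VALUES (?, ?, ?, 1)",
        (username, salt, _hash(initial_password, salt)),
    )
    conn.commit()


def admin_reset(conn, username, temp_password):
    """Compromise/helpdesk case: set a temporary password and the Force_Change flag."""
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, force_change = 1 WHERE username = ?",
        (salt, _hash(temp_password, salt), username),
    )
    conn.commit()


def list_flagged(conn):
    """Admin console view: users who still have to reset their password."""
    rows = conn.execute(
        "SELECT username FROM users WHERE force_change = 1 ORDER BY username"
    ).fetchall()
    return [row[0] for row in rows]


def login(conn, username, password):
    """Authenticate, then gate on the flag: the user gets the splash screen, not the apps."""
    row = conn.execute(
        "SELECT salt, pw_hash, force_change FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(_hash(password, row[0]), row[1]):
        return DENIED
    return MUST_CHANGE if row[2] else OK


def change_password(conn, username, old_password, new_password):
    """The forced change: verify the temporary password, reject keeping it, clear the flag."""
    if login(conn, username, old_password) == DENIED:
        return False
    if new_password == old_password:
        # The whole point of the flag is that the temporary password is not kept.
        return False
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, force_change = 0 WHERE username = ?",
        (salt, _hash(new_password, salt), username),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "Password1234")           # constructed sample account
    print("first login:", login(db, "alice", "Password1234"))   # must_change
    print("flagged:", list_flagged(db))                          # ['alice']
    change_password(db, "alice", "Password1234", "a much longer passphrase")
    print("after change:", login(db, "alice", "a much longer passphrase"))  # ok
```

The gate sits in `login`, so every application entry point only has to ask whether the result is `OK`; the admin console works off `list_flagged`, which is exactly the "users which already have the reset password flag" list Ralf describes as possible even for backends that cannot enumerate users.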

