[sork] Passwd backends

Eric Rostetter eric.rostetter at physics.utexas.edu
Thu Jan 27 15:16:36 PST 2005


Quoting "Peter Borg (General)" <general at peter-b.org>:

> Re: hooks; yup, I'd considered this and even tried it, but having previously
> searched around for information on this issue (and a related one, more on
> that in a few days), I'd realised that I wasn't alone in this requirement,
> and that it's quite a common one.

But the hook should solve the problem, common or not, unless I'm not
understanding the problem correctly.
 
> The thing that led me to suggest this modification, rather than just hacking
> my own installation and keeping quiet, was that there is a similar setting
> in imp/config/servers.php - 'hordeauth' - which I have used for my
> particular installation.

Yeah, and another, called realm.  That doesn't mean every application
should have those though...

I always thought of hordeauth as using the same username/password credentials
that Horde uses for login/authentication.  Since passwd doesn't do this per
se - it is to change a password, not to login to something - I never thought
it was appropriate to use it here.

None-the-less, I'd support the addition of a hordeauth solution if it
was clean, to login/authenticate against the backend being used to
change the password.  It would still need to prompt for the old and
new passwords (and optionally the username) separate from the hordeauth
though to maintain backwards compatibility (think of the case where a
user is changing the password for another user, ala a helpdesk).

> It seemed strange that this setting existed in imp but not in passwd. After

The setting came along (in gollem and imp, maybe others) not that long ago
in Horde-years, and I think it was only put into applications to avoid
a double login situation.  This is not really the situation in passwd,
as we don't consider it a double login (we consider it a security issue).

> setting it in imp I went looking for it in passwd and was surprised not to
> find it. Therefore I thought it might be good to provide a similar setting
> in passwd.

It might be.  Not sure.  You'd have to convince us of the merit.

> I would suggest that it is not an uncommon requirement; I suspect that
> Horde/Imp is used as a webmail solution in many virtual hosting environments
> where the full user & domain name is required for authentication and
> authorisation.

That's why the hook was put into the sork apps that use usernames (IIRC).

> The ability to change a password in the webmail environment
> is probably incredibly desirable in many such situations, as typically the
> user interface for password changes is a separate one provided by the
> hosting software, and in my experience is absolutely dreadful!

But, that doesn't mean you don't need to ask the user for a username/password
to use.  That is a separate issue (security).
 
> Peter.
> 
> -----Original Message-----
> From: sork-bounces at lists.horde.org [mailto:sork-bounces at lists.horde.org] On
> Behalf Of Eric Rostetter
> Sent: 27 January 2005 22:09
> To: sork at lists.horde.org
> Subject: Re: [sork] Passwd backends
> 
> Quoting "Peter Borg (horde)" <horde at peter-b.org>:
> 
> > I've recently installed Horde 3 and the various modules that are
> > immediately available for it.
> >
> > In addition, because it's an essential tool for my users, I've picked
> > up the HEAD release of passwd from CVS to use it - seems to work fine for
> me!
> 
> Great!
> 
> > However, I had to modify it to be able to use it successfully as my
> > various
> 
> Are you sure?
> 
> > authentications require the full username (Auth::getAuth) as opposed
> > to the domain-stripped username (Auth::getBareAuth).
> 
> Isn't there a hook in it just for this purpose?
> 
> > I don't want users to be able
> > to enter the username for which they want to change the password, nor
> > to select the back-end.
> 
> Are not these configuration options?
> 
> > I was considering submitting a patch for this, but the modification
> > I've made wouldn't necessarily suit everyone. Reviewing the options, I
> > was wondering what people's views are on this.
> 
> I've not looked at the code recently, but I thought all those changes were
> already there as configuration options.  If not, I'd support changes to
> allow them as configuration changes.
> 
> > Clearly, there's a need for a
> > parameter to control which type of username is presented to the user
> > or passed to the backend, but should this be global for all backends,
> > or backend specific.
> 
> It should be a hook, so it is more flexible.
> 
> > In which case, it seems fairly trivial to add an extra property to
> > each back-end definition in backends.php; require_full_username set to
> > either true or false would seem sensible.
> 
> This has traditionally been done with hooks, and should stay that way to be
> consistent with other Horde applications.
> 
> > Discuss?
> 
> Sure.
> 
> > (As an aside, I wasn't sure if anyone was working on passwd at the
> > moment,
> 
> Not really.  But it isn't forgotten or anything.
> 
> > so wasn't sure which version to submit a patch for. Seems foolish to
> > submit a patch to HEAD if it's being worked on!)
> 
> Always submit against HEAD.
> 
> > Peter.
> 
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
> 
> Why get even? Get odd!
> --
> Sork mailing list - Join the hunt: http://horde.org/bounties/#sork
> Frequently Asked Questions: http://horde.org/faq/ To unsubscribe, mail:
> sork-unsubscribe at lists.horde.org
> 
> 
> --
> Sork mailing list - Join the hunt: http://horde.org/bounties/#sork
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: sork-unsubscribe at lists.horde.org
> 


-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin
 
Why get even? Get odd!


More information about the sork mailing list