[sork] Passwd backends

Peter Borg (General) general at peter-b.org
Fri Jan 28 02:03:19 PST 2005


Fredde, 

I've mailed you separately with the hack I've implemented for my
installation, as I didn't feel it was appropriate to post to the list. It
really is just a hack at the moment, and certainly nothing like the
functional patch I'm suggesting.

However, if anyone else wants it pending the outcome of the decision
regarding a possible patch, drop me a line.

Peter. 

-----Original Message-----
From: sork-bounces at lists.horde.org [mailto:sork-bounces at lists.horde.org] On
Behalf Of - Fredde -
Sent: 28 January 2005 09:36
To: sork at lists.horde.org
Subject: RE: [sork] Passwd backends

> > Re: hooks; yup, I'd considered this and even tried it, but having previously
> > searched around for information on this issue (and a related one, more on
> > that in a few days), I'd realised that I wasn't alone in this requirement,
> > and that it's quite a common one.
>
>But the hook should solve the problem, common or not, unless I'm not 
>understanding the problem correctly.

How do I use the hook to include the @mydomain.com in the "username" field?

> > The thing that led me to suggest this modification, rather than just hacking
> > my own installation and keeping quiet, was that there is a similar setting
> > in imp/config/servers.php - 'hordeauth' - which I have used for my
> > particular installation.
>
>Yeah, and another, called realm.  That doesn't mean every application 
>should have those though...

Why? I think it could be a big improvement in the passwd module. As for now,
I have to enable the username field to be able to use this module, and users
have to remember to add the "@mydomain.com", otherwise it's not working (using
the backend vpopmail).

>I always thought of hordeauth as using the same username/password 
>credentials that Horde uses for login/authentication.  Since passwd 
>doesn't do this per se - it is to change a password, not to login to 
>something - I never thought it was appropriate to use it here.

See above.

>None-the-less, I'd support the addition of a hordeauth solution if it 
>was clean, to login/authenticate against the backend being used to 
>change the password.  It would still need to prompt for the old and new 
>passwords (and optionally the username) separate from the hordeauth 
>though to maintain backwards compatibility (think of the case where a 
>user is changing the password for another user, ala a helpdesk).

As I said, an option that includes "@mydomain.com" should be great!

> > It seemed strange that this setting existed in imp but not in passwd. After
>
>The setting came along (in gollem and imp, maybe others) not that long
>ago in Horde-years, and I think it was only put into applications to
>avoid a double login situation.  This is not really the situation in
>passwd, as we don't consider it a double login (we consider it a security
>issue).

Security issue? Can't see how including the domain name or not could be
a security issue?

> > setting it in imp I went looking for it in passwd and was surprised not to
> > find it. Therefore I thought it might be good to provide a similar setting
> > in passwd.
>
>It might be.  Not sure.  You'd have to convince us of the merit.

Convinced?

> > I would suggest that it is not an uncommon requirement; I suspect
> > that Horde/Imp is used as a webmail solution in many virtual hosting
> > environments where the full user & domain name is required for
> > authentication and authorisation.

Agree!

>That's why the hook was put into the sork apps that use usernames (IIRC).
>
> > The ability to change a password in the webmail environment is
> > probably incredibly desirable in many such situations, as typically the
> > user interface for password changes is a separate one provided by
> > the hosting software, and in my experience is absolutely dreadful!
>
>But, that doesn't mean you don't need to ask the user for a 
>username/password to use.  That is a separate issue (security).

Maybe, but it's useless if you don't have the option to include the domain
(even if it's just included in the $userid for the username field), unless I
like to have lots of support issues from people complaining that the password
can't be changed.

- - -

Peter, I'm interested in the patch you have, I'll be happy to see it posted!

- - -

> > Peter.
> >
> > -----Original Message-----
> > From: sork-bounces at lists.horde.org
> > [mailto:sork-bounces at lists.horde.org] On
> > Behalf Of Eric Rostetter
> > Sent: 27 January 2005 22:09
> > To: sork at lists.horde.org
> > Subject: Re: [sork] Passwd backends
> >
> > Quoting "Peter Borg (horde)" <horde at peter-b.org>:
> >
> > > I've recently installed Horde 3 and the various modules that are 
> > > immediately available for it.
> > >
> > > In addition, because it's an essential tool for my users, I've
> > > picked up the HEAD release of passwd from CVS to use it - seems to
> > > work fine for me!
> >
> > Great!
> >
> > > However, I had to modify it to be able to use it successfully as 
> > > my various
> >
> > Are you sure?
> >
> > > authentications require the full username (Auth::getAuth) as 
> > > opposed to the domain-stripped username (Auth::getBareAuth).
> >
> > Isn't there a hook in it just for this purpose?
> >
> > > I don't want users to be able
> > > to enter the username for which they want to change the password, 
> > > nor to select the back-end.
> >
> > Are not these configuration options?
> >
> > > I was considering submitting a patch for this, but the
> > > modification I've made wouldn't necessarily suit everyone.
> > > Reviewing the options, I was wondering what people's views are on
> > > this.
> >
> > I've not looked at the code recently, but I thought all those
> > changes were already there as configuration options.  If not, I'd
> > support changes to allow them as configuration changes.
> >
> > > Clearly, there's a need for a
> > > parameter to control which type of username is presented to the 
> > > user or passed to the backend, but should this be global for all 
> > > backends, or backend specific.
> >
> > It should be a hook, so it is more flexible.
> >
> > > In which case, it seems fairly trivial to add an extra property to 
> > > each back-end definition in backends.php; require_full_username 
> > > set to either true or false would seem sensible.
> >
> > This has traditionally been done with hooks, and should stay that
> > way to be consistent with other Horde applications.
> >
> > > Discuss?
> >
> > Sure.
> >
> > > (As an aside, I wasn't sure if anyone was working on passwd at the 
> > > moment,
> >
> > Not really.  But it isn't forgotten or anything.
> >
> > > so wasn't sure which version to submit a patch for. Seems foolish 
> > > to submit a patch to HEAD if it's being worked on!)
> >
> > Always submit against HEAD.
> >
> > > Peter.
> >
> > --
> > Eric Rostetter
> > The Department of Physics
> > The University of Texas at Austin
> >
> > Why get even? Get odd!
> > --
> > Sork mailing list - Join the hunt: http://horde.org/bounties/#sork 
> > Frequently Asked Questions: http://horde.org/faq/ To unsubscribe, mail:
> > sork-unsubscribe at lists.horde.org
> >
> >
> >
>
>
>--
>Eric Rostetter
>The Department of Physics
>The University of Texas at Austin
>
>Why get even? Get odd!
