[sork] Passwd backends

Eric Rostetter eric.rostetter at physics.utexas.edu
Fri Jan 28 10:55:17 PST 2005


Quoting - Fredde - <nagash303 at hotmail.com>:

> How do I use hook to include the @mydomain.com in the "username" field?

In the horde/passwd/config/conf.php you set:

$conf['hooks']['username'] = true;

And in horde/config/hooks.php you add some code such as:

if (!function_exists('_passwd_hook_username')) {
     function _passwd_hook_username($userid)
     {
         return $userid . '@mydomain.com';
     }
}

The above code is off the top of my head and not checked for accuracy,
and would only work if you only have one domain (since the domain name
is hard coded in the code).

If you need more complex stuff (multiple domains, etc) then let me know
and I'll try to help the best I can in the 30 seconds of free time I
have.

> >Yeah, and another, called realm.  That doesn't mean every application
> >should have those though...
> 
> Why? I think it could be a big improvement in the passwd module. As for now,
> I have to enable the username field to be able to use this module, and users
> have to remember to add the "@mydomain.com" otherwise it's not working (using
> the backend vpopmail).

The old versions had the ability to add the realm.  New versions have a hook
to do any manipulation you want, as the hook is infinitely more flexible
than a single "add domain or strip domain" option (for example, it
can format it as user.domain instead of user at domain, it can correct the
case if needed, it can convert it to windows domain styles ala 
domain\subdomain\user, etc).

> >None-the-less, I'd support the addition of a hordeauth solution if it
> >was clean, to login/authenticate against the backend being used to
> >change the password.  It would still need to prompt for the old and
> >new passwords (and optionally the username) separate from the hordeauth
> >though to maintain backwards compatibility (think of the case where a
> >user is changing the password for another user, ala a helpdesk).
> 
> As I said, an option that include "@mydomain.com" should be great!

That is what the hook is for, and it replaces the old option to do that
as it is more flexible and accommodates more cases.

> Security issue? Can't see what difference including domain name or not could be
> a security issue?

The security issue is if the user has to know credentials before he changes
someone's password.  

If stupid user A leaves his machine while still logged in to Horde, should
hacker B be able to come up to his machine and change his password without
knowing his login credentials?  Now, each site can have its own policy.
Passwd has evolved such that it can support most if not all those site
policies.
 
Hordeauth implies that the hacker B would be able to step up to user
A's machine and change the password without knowing/verifying user A's
username, password, or any other data.  If Hacker B then logs out of
the Horde session, user A is now locked out of his account, and hacker
B now has full access to user A's account.  Not a good setup.

> > > setting it in imp I went looking for it in passwd and was surprised not to
> > > find it. Therefore I thought it might be good to provide a similar setting
> > > in passwd.
> >
> >It might be.  Not sure.  You'd have to convince us of the merit.
> 
> convinced?

No, not yet.

> > > The ability to change a password in the webmail environment
> > > is probably incredibly desirable in many such situations, as typically the
> > > user interface for password changes is a separate one provided by the
> > > hosting software, and in my experience is absolutely dreadful!
> >
> >But, that doesn't mean you don't need to ask the user for a username/password
> >to use.  That is a separate issue (security).
> 
> Maybe, but it's useless if you don't have the option to include the domain
> (even if it's just included in the $userid for the username field), unless I
> like to have lots of support issues people complaining about the password
> can't be changed.

But you can include the domain, via a hook.  Nothing is stopping you from
adding the domain, except perhaps lack of documentation/help.

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin
 
Why get even? Get odd!
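
The multiple-domain case mentioned in the message above, as an added example that is not part of the original post and is not Horde's own code. It keeps the _passwd_hook_username($userid) hook shown in the message; the helper _example_mail_domain(), the host-to-domain map, the use of $_SERVER['SERVER_NAME'] to pick the domain, and lowercase account names on the backend are all assumptions, and the sample values are constructed.

```php
<?php
// Added example, not Horde code. The host-to-domain map and the helper name
// _example_mail_domain() are assumptions; the values are constructed.
function _example_mail_domain($host)
{
    // Fixed allow-list: the request's host name is only used as a lookup key,
    // so a client-influenced host value cannot introduce a new mail domain.
    $map = array(
        'webmail.example.com' => 'example.com',
        'mail.example.org'    => 'example.org',
    );
    $host = strtolower(trim($host));
    return isset($map[$host]) ? $map[$host] : null;
}

if (!function_exists('_passwd_hook_username')) {
    function _passwd_hook_username($userid)
    {
        // Correct case and stray whitespace before the backend lookup
        // (assumes the backend stores lowercase account names).
        $userid = strtolower(trim($userid));

        // Already qualified (the user typed user@domain): do not append twice.
        if (strpos($userid, '@') !== false) {
            return $userid;
        }

        $host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';
        $domain = _example_mail_domain($host);

        // Unknown virtual host: hand back the bare name rather than guess a
        // domain, so the change is attempted against no one else's mailbox.
        return ($domain === null) ? $userid : $userid . '@' . $domain;
    }
}

// Constructed sample input, run only from the command line.
if (PHP_SAPI === 'cli') {
    $_SERVER['SERVER_NAME'] = 'mail.example.org';
    foreach (array('Fredde', ' fredde@example.com ', 'helpdesk') as $name) {
        echo $name, ' => ', _passwd_hook_username($name), "\n";
    }
}
```

Leave out the command-line block at the end when copying the hook into horde/config/hooks.php.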

