
Re: Forgotten password recovery



Thanks, but as discussed, even creating a user able to reset all the
userPassword attributes of all other users is not free of security risk.
This is what I call a privileged user and I would like to avoid it.
Drupal already supports such a solution, but I don't find it secure
enough.

I had an interesting suggestion on the list: to create a database of
temporary security objects where Drupal is the only one who knows the
passwords. Each temporary security object is able to reset one
password in the main database (by the use of regex ACLs) and only
once.

On 2/4/09, Brett Maxfield <brett.maxfield@gmail.com> wrote:
> If we are talking about OpenLDAP, not Drupal, there are probably many ways
> of doing so. My thoughts:
>
> You cannot bind as the user in this case, as presumably the reason they want
> to reset the password is that they don't know it.
>
> You should probably give the website its own standard read-only user, which
> has been (only) allowed to update userPassword.
>
> Giving the website manager/root access just to change a password would be
> extremely unwise and inadvisable.
>
> Drupal should let you specify any LDAP user for password resets.
>
> -----Original Message-----
> From: Vincent Panel <yohonet@gmail.com>
> Sent: Wednesday, 4 February 2009 2:16 AM
> To: openldap-technical@openldap.org
> Subject: Forgotten password recovery
>
> Hello,
>
> Many websites now provide a feature which allows users to reset their
> password on their own, without being helped by an administrator or
> another privileged person.
>
> A website I'm working on is using Drupal, which is able to handle such
> a situation by sending a mail to the user. The body of this mail
> contains a specific URL crafted by Drupal so that when the user clicks
> on the link, Drupal can automatically authenticate the user. This URL
> is only valid once.
>
> If you try to integrate Drupal with OpenLDAP, you'll find that
> OpenLDAP does not support such an authentication scheme. So you are
> either forced to create a privileged user in LDAP which is able to
> reset all users' passwords, or live with it and give up this feature.
>
> So I'm writing to this list to know if anyone already had a similar
> issue and which solution was found? Would it be possible for OpenLDAP
> or an OpenLDAP overlay to implement such an authentication mechanism?
> Is there any IETF draft about it (one can dream)?
>
> Vincent
>
>
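The design the reply describes (one temporary object per reset, confined by regex ACLs to a single user's userPassword) written out as slapd.conf ACLs. This is an added example, not from the thread or from OpenLDAP's or Drupal's own documentation; the suffix dc=example,dc=com, the ou=people, ou=reset-tokens and cn=drupal,ou=services DNs, and the cn=<uid> naming of the token objects are assumptions. The "only once" property cannot be expressed in an ACL: the web application has to delete the token object right after the reset and expire unused ones, while the regex ties each token to exactly one uid so that a leaked token cannot reset anyone else's password. Brett's simpler variant is the second rule with a single `by dn.exact="cn=drupal,..." write` clause in place of the token clause, which is precisely the all-users privilege the reply wants to avoid.

```conf
# Added example (not from the thread): slapd.conf ACLs for the
# "one temporary object per reset" design. All DNs are assumptions.
#
# Flow: when user uid=alice requests a reset, the application (bound as
# cn=drupal,ou=services) adds cn=alice,ou=reset-tokens with a random
# userPassword it alone knows, then binds as that token object, writes
# the new userPassword on uid=alice,ou=people, and deletes the token.
# A token object can be, e.g., organizationalRole + simpleSecurityObject.

# Only the application may create or delete token objects; "auth" lets a
# token bind with its password, and nobody can read the passwords back.
access to dn.subtree="ou=reset-tokens,dc=example,dc=com"
    by dn.exact="cn=drupal,ou=services,dc=example,dc=com" write
    by anonymous auth
    by * none

# The regex captures the uid of the target entry and "expand" substitutes
# it into the grantee DN, so cn=<uid>,ou=reset-tokens may write
# userPassword only on uid=<uid>,ou=people. "=w" is write without read;
# the application's service account gets no access to passwords here.
access to dn.regex="^uid=([^,]+),ou=people,dc=example,dc=com$" attrs=userPassword
    by dn.exact,expand="cn=$1,ou=reset-tokens,dc=example,dc=com" =w
    by self =xw
    by anonymous auth
    by * none

# Everything else: users may read the directory, the rest is denied.
access to *
    by users read
    by * none
```

Rules are evaluated in order and the first matching `access to` clause decides, so the token-subtree rule must precede the catch-all. With this set the application's own account never holds write access to any user's userPassword; the only principal that can change a given password is the short-lived object named after that user, and it disappears once the reset is done.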