
Forgotten password recovery


Many websites now provide a feature which allows users to reset their
password on their own, without being helped by an administrator or
another privileged person.

A website I'm working on is using Drupal, which is able to handle such
a situation by sending a mail to the user. The body of this mail
contains a specific URL crafted by Drupal so that when the user clicks
on the link, Drupal can automatically authenticate the user. This URL
is only valid once.

If you try to integrate Drupal with OpenLDAP, you'll find that
OpenLDAP does not support such an authentication scheme. So you are
either forced to create a privileged user in LDAP which is able to
reset all users' passwords or live with it and give up this feature.

So I'm writing to this list to know if anyone has already had a similar
issue and which solution was found? Would it be possible for OpenLDAP
or an OpenLDAP overlay to implement such an authentication mechanism?
Is there any IETF draft about it (one can dream)?
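
An illustration of the kind of one-time reset link the message describes, added here and not part of the original post nor Drupal's own code: the link carries a MAC bound to the account's current password hash and last-login time, so the web application can verify it by itself and it stops working once either value changes. The names `SERVER_KEY`, `issue_link`, `redeem_link`, the `/reset/...` layout and the user records are assumptions made for the example.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"   # constructed; keep the real key in secret storage
MAX_AGE = 24 * 3600                    # assumed link lifetime, in seconds


def _mac(uid, issued, pw_hash, last_login):
    # Binding the MAC to the stored password hash and last-login time is what
    # makes the link single-use: a change to either value invalidates it.
    msg = f"{uid}:{issued}:{last_login}".encode()
    return hmac.new(SERVER_KEY + pw_hash.encode(), msg, hashlib.sha256).hexdigest()


def issue_link(user, now=None):
    """Build the path that is mailed to the user (hypothetical layout)."""
    issued = int(time.time() if now is None else now)
    mac = _mac(user["uid"], issued, user["pw_hash"], user["last_login"])
    return f"/reset/{user['uid']}/{issued}/{mac}"


def redeem_link(path, users, now=None):
    """Return the user record if the link is valid, else None."""
    now = int(time.time() if now is None else now)
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "reset":
        return None
    _, uid, issued, mac = parts
    user = users.get(uid)
    if user is None or not issued.isdecimal():
        return None
    issued = int(issued)
    if issued > now or now - issued > MAX_AGE:
        return None                      # expired, or stamped in the future
    if issued < user["last_login"]:
        return None                      # a login has happened since issue
    expected = _mac(uid, issued, user["pw_hash"], user["last_login"])
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    user["last_login"] = now             # state change: the same link now fails
    return user
```

The directory never sees this link: the application validates it and must then write the new password to LDAP under some identity, which is the privileged-account trade-off raised in the message.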