Opened 7 years ago

Last modified 3 years ago

#1946 new enhancement

login via https, client certificate should anyway allow to set a password or create an account

Reported by: ThurnerRupert Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: needinfo authentication password reset
Cc: Trac Release: 0.10

Description

we use ssl x509 client certificates for logging in, so req.user is set. but, an account is not created, and there is also no possibility to set a password (error: old password cannot be empty).

it would be nice if this somehow worked. usage:

  • for eclipse xml-rpc login, as there is no client certificate possible currently.
  • we use the created accounts also for svn. here as well there is no client cert off a chip card possible.

Attachments (0)

Change History (6)

comment:1 Changed 7 years ago by anonymous

  • Priority changed from normal to highest
  • Severity changed from normal to critical

comment:2 Changed 6 years ago by pacopablo

  • Owner changed from mgood to pacopablo
  • Status changed from new to assigned

OK, I'm assuming that if you're using x509 certs for auth, then apache is handling the auth. In this case, would the HttpAuthStore not be enough?

comment:3 Changed 6 years ago by mgood

  • Priority changed from highest to normal
  • Severity changed from critical to normal
  • Type changed from defect to enhancement

comment:4 follow-ups: Changed 5 years ago by ThurnerRupert

we use x509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.

the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.

i am unsure how HttpAuthStore would help in this case?

comment:5 in reply to: ↑ 4 Changed 4 years ago by hasienda

  • Keywords needinfo authentication password reset added
  • Owner changed from pacopablo to hasienda
  • Status changed from assigned to new

Replying to ThurnerRupert:

we use x509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.

Would you dare to disclose a little more about your setup, please? I fail to understand your configuration, and I may need to validate any possible solution in a test setup anyway.

the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.

Hm, at first glance blindly resetting a password doesn't sound like a sane concept.

However this may be similar to other non-password-based authentication methods, where an implementation for this class of AuthStores has already been requested (see #1061).

comment:6 in reply to: ↑ 4 Changed 3 years ago by hasienda

Replying to ThurnerRupert:

[...] and the request was to allow to (re)set the password without knowing it.

Hm, while not at all related to any login procedure, you might have a look at the reworked 'forgot password' procedure (see #816). This is at least a way to "reset the password without knowing it", and after successful login it'll get written to AcctMgr's preferred authentication store. And afterwards you're able to change it, right?
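One way to reconcile the two positions in this thread (no "blind" reset, yet a certificate-authenticated user with no stored password can set one) is to let the old-password check be skipped only when the front-end has verified a client certificate for the same user. The following is an added illustration written for this page, not AccountManagerPlugin's or Trac's own code; the in-memory store, the `change_password` function and the mapping of the certificate's CN to the Trac user name are assumptions, while `REMOTE_USER`, `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` are the variables Apache mod_ssl exports.

```python
import hashlib
import hmac
import os

SALT_LEN = 16


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns salt + digest so it can be stored as one value."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(stored, password):
    """False for accounts that have no password yet (stored is None)."""
    if stored is None:
        return False
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


def cert_authenticated(environ, user):
    """True when the web server verified a client certificate whose subject CN
    equals the logged-in user. CN == user name is an assumption of this example."""
    return (environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and environ.get("SSL_CLIENT_S_DN_CN") == user)


def change_password(store, environ, user, old_password, new_password):
    """Set a new password for `user` and return True if the change is allowed.

    The request must belong to `user` (REMOTE_USER, i.e. req.user). The old
    password may be omitted only when a verified client certificate proved the
    identity; a password-authenticated session must still know the old one.
    An account with no stored password and no certificate is refused, which is
    the "old password cannot be empty" situation from the ticket.
    """
    if environ.get("REMOTE_USER") != user:
        return False
    if not cert_authenticated(environ, user):
        if not verify_password(store.get(user), old_password):
            return False
    store[user] = hash_password(new_password)
    return True
```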
