Ticket #1946 (new enhancement)

Opened 6 years ago

Last modified 2 years ago

login via https, client certificate should anyway allow to set a password or create an account

Reported by: ThurnerRupert Assigned to: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: needinfo authentication password reset
Cc: Trac Release: 0.10

Description

we use ssl x509 client certificates for logging in, so req.user is set. but, an account is not created, and there is also no possibility to set a password (error: old password cannot be empty).

it would be nice if this somehow worked. usage:

  • for eclipse xml-rpc login, as there is no client certificate possible currently.
  • we use the created accounts also for svn. here as well there is no client cert off a chip card possible.

Change History

05/04/08 15:54:12 changed by anonymous

  • priority changed from normal to highest.
  • severity changed from normal to critical.

10/29/08 05:27:41 changed by pacopablo

  • owner changed from mgood to pacopablo.
  • status changed from new to assigned.

OK, I'm assuming that if you're using x509 certs for auth, then apache is handling the auth. In this case, would the HttpAuthStore not be enough?

02/15/09 06:45:23 changed by mgood

  • priority changed from highest to normal.
  • type changed from defect to enhancement.
  • severity changed from critical to normal.

(follow-ups: ↓ 5 ↓ 6 ) 07/31/09 13:24:42 changed by ThurnerRupert

we use x509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.

the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.

i am unsure how HttpAuthStore would help in this case?

(in reply to: ↑ 4 ) 10/13/10 00:55:04 changed by hasienda

  • status changed from assigned to new.
  • owner changed from pacopablo to hasienda.
  • keywords set to needinfo authentication password reset.

Replying to ThurnerRupert:

we use x509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.

Would you dare to disclose a little more about your setup, please? I fail to understand your configuration, and I may need to validate any possible solution in a test setup anyway.

the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.

Hm, at first glance blindly resetting a password doesn't sound like a sane concept.

However this may be similar to other non-password-based authentication methods, where an implementation for this class of AuthStores has already been requested (see #1061).

(in reply to: ↑ 4 ) 06/28/11 00:13:54 changed by hasienda

Replying to ThurnerRupert:

[...] and the request was to allow to (re)set the password without knowing it.

Hm, while not at all related to any login procedure, you might have a look at the reworked 'forgot password' procedure (see #816). This is at least a way to "reset the password without knowing it", and after successful login it'll get written to AcctMgr's preferred authentication store. And afterwards you're able to change it, right?
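A sketch of the password-setting rule this thread argues over: an account that only ever logged in by certificate may set its first password from a certificate-authenticated session, while an account that already has one must always present the old password (no blind reset). This is an added illustration, not AccountManagerPlugin code; the Account and Session classes and the "client_cert"/"password" labels are assumptions.

```python
# Hypothetical model of the password-change rule discussed in this ticket
# (added illustration, not AccountManagerPlugin code).
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None  # None: created by external auth, no password yet


@dataclass
class Session:
    username: str
    auth_method: str  # "client_cert" or "password" (constructed labels)


def set_password(account: Account, session: Session,
                 new_password: str, old_password: Optional[str]) -> str:
    """Return 'ok' or a 'denied: ...' reason."""
    if session.username != account.username:
        return "denied: session does not belong to this account"
    if len(new_password) < 12:
        return "denied: new password too short"
    if account.pw_hash is None:
        # First password for an account that only had certificate logins:
        # allowed, but only from a certificate-authenticated session.
        if session.auth_method != "client_cert":
            return "denied: initial password requires certificate login"
    else:
        # Existing password: always require the old one, whatever the session's
        # auth method, so this path never becomes a blind reset.
        if old_password is None or not hmac.compare_digest(
                _hash(old_password, account.salt), account.pw_hash):
            return "denied: old password missing or wrong"
    account.salt = os.urandom(16)  # fresh salt on every change
    account.pw_hash = _hash(new_password, account.salt)
    return "ok"


def verify_password(account: Account, password: str) -> bool:
    return account.pw_hash is not None and hmac.compare_digest(
        _hash(password, account.salt), account.pw_hash)
```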
