Opened 10 years ago

Last modified 3 months ago

#1946 new enhancement

login via https, client certificate should anyway allow to set a password or create an account

Reported by: rupert thurner Owned by:
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: needinfo authentication password reset
Cc: Trac Release: 0.10

Description

we use ssl x509 client certificates for logging in, so req.user is set. but, an account is not created, and there is also no possibility to set a password (error: old password cannot be empty).

it would be nice if this somehow worked. usage:

  • for eclipse xml-rpc login, as there is no client certificate possible currently.
  • we use the created accounts also for svn. here as well there is no client cert off a chip card possible.

Attachments (0)

Change History (7)

comment:1 Changed 9 years ago by anonymous

Priority: normal → highest
Severity: normal → critical

comment:2 Changed 8 years ago by John Hampton

Owner: changed from Matt Good to John Hampton
Status: new → assigned

OK, I'm assuming that if you're using x509 certs for auth, then apache is handling the auth. In this case, would the HttpAuthStore not be enough?

comment:3 Changed 8 years ago by Matt Good

Priority: highest → normal
Severity: critical → normal
Type: defect → enhancement

comment:4 Changed 8 years ago by rupert thurner

we use x509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.

the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.

i am unsure how HttpAuthStore would help in this case?

comment:5 in reply to: 4 Changed 6 years ago by Steffen Hoffmann

Keywords: needinfo authentication password reset added
Owner: changed from John Hampton to Steffen Hoffmann
Status: assigned → new

Replying to ThurnerRupert:

we use x509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.

Would you dare to disclose a little more about your setup, please? I fail to understand your configuration, and I may need to validate any possible solution in a test setup anyway.

the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.

Hm, at first glance blindly resetting a password doesn't sound like a sane concept.

However this may be similar to other non-password-based authentication methods, where an implementation for this class of AuthStores has already been requested (see #1061).
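The situation in the description (a user whose session was proven by a client certificate, no local account, and a password change refused with "old password cannot be empty") and the objection in comment 5 (a blind password reset is not a sane concept) side by side, as an added example that is not part of this ticket or of AccountManagerPlugin's code. It is a small Python model of a password-change policy: the ordinary rule that replacing a password requires the old one stays, and the only exception is that a certificate-authenticated session may set an initial password for an account that has none, creating the local account record at that moment. It assumes a front end that sets the user name after verifying the X.509 certificate (the way req.user is set in the ticket), a local store holding PBKDF2 hashes, and the constructed users alice and bob; the names Session, PasswordStore and change_password are this example's own, not AcctMgr's IPasswordStore interface.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class PasswordChangeError(Exception):
    """Raised when a password change request must be refused."""


@dataclass
class Session:
    """Who makes the request and how the web server authenticated them.

    auth_method is "cert" when the front end verified an X.509 client
    certificate (req.user is set but no local account may exist yet), or
    "password" for the username/password fallback used by svn or XML-RPC.
    """
    user: str
    auth_method: str


@dataclass
class PasswordStore:
    """Stand-in for a local password store (an assumption, not AcctMgr code).

    entries maps user -> (salt, pbkdf2 hash). A value of None means the
    account record exists but no password has been set for it.
    """
    entries: Dict[str, Optional[Tuple[bytes, bytes]]] = field(default_factory=dict)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def has_user(self, user: str) -> bool:
        return user in self.entries

    def has_password(self, user: str) -> bool:
        return self.entries.get(user) is not None

    def check_password(self, user: str, password: str) -> bool:
        entry = self.entries.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._hash(password, salt), stored)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[user] = (salt, self._hash(password, salt))


def change_password(store: PasswordStore, session: Session,
                    new_password: str, old_password: Optional[str] = None) -> bool:
    """Apply the policy and update the store; raise PasswordChangeError otherwise."""
    if not new_password:
        raise PasswordChangeError("new password cannot be empty")
    if store.has_password(session.user):
        # Normal rule: an existing password is only replaced by someone who knows it,
        # no matter how the current session was authenticated.
        if not old_password:
            raise PasswordChangeError("old password cannot be empty")
        if not store.check_password(session.user, old_password):
            raise PasswordChangeError("old password is wrong")
    elif session.auth_method != "cert":
        # No password on file and no certificate-backed proof of identity: refuse.
        raise PasswordChangeError("no password on file and session is not certificate-authenticated")
    # Either the old password was verified, or a certificate-authenticated user is
    # setting an initial password; the account record is created here if missing.
    store.set_password(session.user, new_password)
    return True


def run_scenarios() -> Dict[str, object]:
    """Walk through the ticket's cases with constructed users and return the outcomes."""
    store = PasswordStore()
    results: Dict[str, object] = {}
    alice = Session("alice", "cert")  # logged in over HTTPS with a client certificate
    # 1. No local account yet: the initial password may be set without an old one.
    results["cert_initial_set"] = change_password(store, alice, "s3cret-pass")
    results["account_created"] = store.has_user("alice") and store.has_password("alice")
    # 2. From now on the ordinary rule applies, even on a certificate session.
    try:
        change_password(store, alice, "another-pass")
        results["cert_overwrite_without_old"] = "allowed"
    except PasswordChangeError as exc:
        results["cert_overwrite_without_old"] = str(exc)
    # 3. The fallback client logs in with the password and changes it properly.
    alice_pw = Session("alice", "password")
    results["password_change_with_old"] = change_password(
        store, alice_pw, "n3w-pass", old_password="s3cret-pass")
    results["new_password_works"] = store.check_password("alice", "n3w-pass")
    results["old_password_rejected"] = store.check_password("alice", "s3cret-pass")
    # 4. A password session for a user with no stored password cannot bootstrap one.
    try:
        change_password(store, Session("bob", "password"), "any-pass")
        results["no_password_no_cert"] = "allowed"
    except PasswordChangeError as exc:
        results["no_password_no_cert"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the model is that the exception is keyed on the store's state, not on the session: a certificate session can only ever create a password where none exists, so nothing that already has a password is reset blindly, while the svn and XML-RPC clients from the description get a credential they can use.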

comment:6 in reply to: 4 Changed 6 years ago by Steffen Hoffmann

Replying to ThurnerRupert:

[...] and the request was to allow to (re)set the password without knowing it.

Hm, while not at all related to any login procedure, you might have a look at the reworked 'forgot password' procedure (see #816). This is at least a way to "reset the password without knowing it", and after successful login it'll get written to AcctMgr's preferred authentication store. And afterwards you're able to change it, right?

comment:7 Changed 3 months ago by Ryan J Ollos

Owner: Steffen Hoffmann deleted
