[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Forgotten password recovery
Maybe generate a random challenge, store it in ldap as an additional hashed password value maybe with a special {challenge} hash type as a marker, assuming ldap will try *all* passwords when logging in.
openldap would need to know the marker {challenge} hash type is like {plain} or some other hash type for purposes of comparison.
You cannot allow reset of a password (destroying the old one) immediately, as otherwise you are allowing a denial of service attack where people could randomly reset passwords.
But given the random challenge (returned by the user) could now be used for authentication, the user could authenticate as themselves and reset thier own password, and remove the temporary challenge password.
This probably requires a marker "hash" type to identify temporary hash password, to allow reliable removal of old or expired challenge passwords.
-----Original Message-----
From: Vincent Panel <yohonet@gmail.com>
Sent: Thursday, 5 February 2009 1:59 AM
To: openldap-technical@openldap.org
Subject: Forgotten password recovery
On 2/4/09, Michael Ströder <michael@stroeder.com> wrote:
> Yes, but these "temporary security objects" have to be generated. If you
> do this automagically you have a privileged service account which resets
> the user's password in combination with a e-mail based
> challenge-response check.
I agree, but until I get your replies, I did not find any satisfying
solution integrating this "e-mail based challenge-response check". I
wanted the ldap server to validate the challenge which is going to be
possible if I make drupal create those security objects with the
challenge answer as the password.
Once a user comes back with its response to the challenge, drupal will
try to bind to the LDAP server as this temporary security object with
the password being the "challenge" url. If the bind is successful,
then drupal will automatically be granted the right to reset the
corresponding user's password (thanks to regex ACLs). Once this is
done, the user will be able to log in (or actually, drupal will log
the user in)
This is probably a bit complex to implement, but I'm gonna try.