Redmine Entr’ouvert (https://dev.entrouvert.org/)
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=3615), 2012-04-19T10:20:04Z, Jean Christophe André
<p>I confirm I do hit this bug too, since I choose to base our authentication on our LDAP.</p>
I would suggest to:
<ol>
<li>save the source of the User creation somewhere</li>
<li>create a class for each source type (LDAP, OpenID, registration, ...)</li>
<li>define in these classes a method for determining if the password is changeable or not (the LDAP one would test for an “Allow password change” checkbox from the LDAP source form)</li>
<li>use this method to test if the “Change/Set password” link should be displayed or not (would solve this bug)</li>
<li>define in these classes a method for changing the password (the LDAP one would ask the user for old and new passwords and then call <code>ldap.bind_s</code> and <code>ldap.password_s</code>)</li>
</ol>
<p>Just my 2 cents...</p>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=3616), 2012-04-19T11:15:31Z, Benjamin Dauvergne
<p><a class="email" href="mailto:redmine@entrouvert.com">redmine@entrouvert.com</a> wrote:</p>
<blockquote>
<p>Issue <a class="issue tracker-1 status-6 priority-3 priority-lowest closed" title="Bug: login_password_profile template assumes openid user if there's no password (Rejeté)" href="https://dev.entrouvert.org/issues/1322">#1322</a> has been updated by Jean Christophe André.</p>
<p>I confirm I do hit this bug too, since I choose to base our authentication on our LDAP.</p>
I would suggest to:
<ol>
<li>save the source of the User creation somewhere</li>
<li>create a class for each source type (LDAP, OpenID, registration, ...)</li>
<li>define in these classes a method for determining if the password is changeable or not (the LDAP one would test for an “Allow password change” checkbox from the LDAP source form)</li>
<li>define in these classes a method for changing the password (the LDAP one would ask the user for old and new passwords and then call <code>ldap.bind_s</code> and <code>ldap.password_s</code>)</li>
</ol>
<p>Just my 2 cents...</p>
</blockquote>
<p>For LDAP there is a complication, some LDAP directories (from Microsoft, you should know which one I'm talking about :) ) have a special way of changing the password and on some LDAP directories the userPasswd is not accessible (sometimes because it's not even in the LDAP tree, sometimes for security reasons), and in this case you must use the special command PasswordModify. On those two occurrences you must send to the LDAP server the old and the new password. The current password modification form only works for setting the password without recalling the old password.</p>
So my idea is:
<ul>
<li>overload the LDAP backend to return a User class object with a new synthesized set_password() method which uses LDAP commands to update the passwd instead of modifying the local User object. Something like:<br /><pre>import types

# Method of the NewLdapBackend class.
def get_user(self, user_id):
    user = super(NewLdapBackend, self).get_user(user_id)
    if user is None:
        return None

    def set_password(self, new_password):
        # Write the new password to the directory, not to the local User row.
        ldap_user = self.ldap_user
        ldap = ldap_user.ldap
        try:
            ldap_user.connection.modify_s(ldap_user.dn.encode('utf-8'),
                [(ldap.MOD_REPLACE, 'userPassword', new_password.encode('utf-8'))])
        except ldap.LDAPError:
            # LDAP errors are silently dropped here.
            pass

    # Bind the function to this instance so that self is the user when called.
    user.set_password = types.MethodType(set_password, user)
    return user
</pre><br />This code could have more features:
<ul>
<li>handle password hashing formats for LDAP</li>
<li>call the old set_password() to also set the local passwd, allowing local connection to work if LDAP is down</li>
<li>report LDAP errors to admin and maybe to user (a special logging domain with a handler able to post message to the user would be great for this)</li>
</ul></li>
</ul>
<ul>
<li>add an LDAP_PASSWORD_MODIFY_BEHAVIOUR setting to set whether we are on openldap with full access to userAttribute, on AD, or using PasswordModify; in the case of PasswordModify or AD, the synthesized set_password() method has an extra parameter current_password.</li>
<li>modify the ChangePasswordForm to have an extra input field "Current password" if the set_password() method on the current user has the extra argument "current_password".</li>
</ul>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=3617), 2012-04-19T11:24:49Z, Benjamin Dauvergne
<p>My answer is not really related to this ticket, I should open another one.</p>
<p>The correct answer for this ticket is to copy the view from django_authopenid.views as it is not really related to OpenID but to the case where a user does not have a password but is already logged in. This new view should consider that in some cases the fact that the User does not have a usable password (i.e. stored password is '!') is not a sufficient reason to allow setting the password without giving the old one (see the LDAP case). But this case maybe should be resolved by overloading has_usable_password() for LDAP users.</p>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=3683), 2012-04-27T12:49:00Z, Mikaël Ates (mates@entrouvert.com)
<ul><li><strong>Target version</strong> set to <i>2.0.2</i></li></ul>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=3765), 2012-05-11T16:14:08Z, Mikaël Ates (mates@entrouvert.com)
<ul><li><strong>Target version</strong> changed from <i>2.0.2</i> to <i>2.0.3</i></li></ul>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=25134), 2015-03-06T14:33:21Z, Benjamin Dauvergne
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=25225), 2015-03-06T15:34:13Z, Benjamin Dauvergne
<ul><li><strong>Target version</strong> <del><i>2.0.3</i></del> deleted</li><li><strong>Patch proposed</strong> set to <i>No</i></li></ul>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=25266), 2015-03-06T15:37:05Z, Benjamin Dauvergne
<ul><li><strong>Target version</strong> set to <i>future</i></li></ul>
Authentic 2 - Bug #1322: login_password_profile template assumes openid user if there's no password (https://dev.entrouvert.org/issues/1322?journal_id=44167), 2016-03-10T21:35:12Z, Benjamin Dauvergne
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul><p>authopenid is not part of authentic2 anymore.</p>
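<p>The three LDAP password-change cases raised in this thread (direct userPassword replace, PasswordModify, AD) and the proposed check for a <code>current_password</code> argument, as an added example that is not part of the ticket or of Authentic 2. The behaviour names, <code>RecordingConnection</code> and the helper functions are hypothetical; the AD <code>unicodePwd</code> encoding is general AD behaviour, not something stated in the thread.</p>

```python
import inspect

# LDAP modify operation codes, same values as python-ldap's ldap.MOD_* constants.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

class RecordingConnection:
    """Constructed stand-in for a bound python-ldap connection: records calls."""
    def __init__(self):
        self.calls = []
    def modify_s(self, dn, modlist):
        self.calls.append(('modify_s', dn, modlist))
    def passwd_s(self, user, oldpw, newpw):
        self.calls.append(('passwd_s', user, oldpw, newpw))

def ad_encode(password):
    # Active Directory takes unicodePwd as the double-quoted password in UTF-16LE.
    return ('"%s"' % password).encode('utf-16-le')

def make_set_password(behaviour, conn, dn):
    """Return the set_password() variant for a hypothetical behaviour setting."""
    if behaviour == 'replace':
        # Directory lets us overwrite userPassword: no old password involved.
        def set_password(new_password):
            conn.modify_s(dn, [(MOD_REPLACE, 'userPassword',
                                [new_password.encode('utf-8')])])
    elif behaviour == 'password_modify':
        # Password Modify extended operation (RFC 3062): old and new are sent.
        def set_password(new_password, current_password):
            conn.passwd_s(dn, current_password, new_password)
    elif behaviour == 'ad':
        # AD user-initiated change: delete the old value, add the new one.
        def set_password(new_password, current_password):
            conn.modify_s(dn, [
                (MOD_DELETE, 'unicodePwd', [ad_encode(current_password)]),
                (MOD_ADD, 'unicodePwd', [ad_encode(new_password)])])
    else:
        raise ValueError('unknown behaviour: %r' % (behaviour,))
    return set_password

def needs_current_password(set_password):
    # What the form would check before adding a "Current password" field.
    return 'current_password' in inspect.signature(set_password).parameters

if __name__ == '__main__':
    conn = RecordingConnection()
    dn = 'uid=jdoe,ou=people,dc=example,dc=org'  # constructed sample DN
    for behaviour in ('replace', 'password_modify', 'ad'):
        change = make_set_password(behaviour, conn, dn)
        print(behaviour, 'asks for current password:', needs_current_password(change))
```

With the `password_modify` and `ad` variants, calling `set_password()` without the old password raises `TypeError`, so a view that skips the "Current password" field fails closed instead of resetting the password.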