Opened 17 years ago
Closed 4 years ago
#1946 closed enhancement (wontfix)
login via https, client certificate should anyway allow to set a password or create an account
| Reported by: | rupert thurner | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | AccountManagerPlugin |
| Severity: | normal | Keywords: | needinfo authentication password reset |
| Cc: | Trac Release: | 0.10 |
Description
we use ssl x509 client certificates for logging in, so req.user is set. but, an account is not created, and there is also no possiblitiy to set a password (error: old password cannot be empty).
it would be nice if this somehow worked. useage:
- for eclipse xml-rpc login, as there is no client certificate possible currently.
- we use the created accounts also for svn. here as well there is no client cert off a chip card possible.
Attachments (0)
Change History (8)
comment:1 Changed 16 years ago by
| Priority: | normal → highest |
|---|---|
| Severity: | normal → critical |
comment:2 Changed 15 years ago by
| Owner: | changed from Matt Good to John Hampton |
|---|---|
| Status: | new → assigned |
comment:3 Changed 15 years ago by
| Priority: | highest → normal |
|---|---|
| Severity: | critical → normal |
| Type: | defect → enhancement |
comment:4 follow-ups: 5 6 Changed 15 years ago by
we use c509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.
the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.
i am unsure how HttpAuthStore would help in this case?
comment:5 Changed 14 years ago by
| Keywords: | needinfo authentication password reset added |
|---|---|
| Owner: | changed from John Hampton to Steffen Hoffmann |
| Status: | assigned → new |
Replying to ThurnerRupert:
we use c509 certs for auth, correct. and if a client has no support of certificates, a fallback to username/password.
Would you dare to disclose a little more about your setup, please? I fail to understand your configuration, and I may need to validate any possible solution in a test setup anyway.
the problem is that a user logged in via the certificate cannot set a password, as there is no "old password". and the request was to allow to (re)set the password without knowing it.
Hm, at first glance blindly resetting a password doesn't sound like a sane concept.
However this may be similar to other non-password-based authenticaton methods, where an implementation for these class of AuthStores has already been requested (see #1061).
comment:6 Changed 13 years ago by
Replying to ThurnerRupert:
![...] and the request was to allow to (re)set the password without knowing it.
Hm, while not at all related to any login procedure, you might have a look at the reworked 'forgot password' procedure (see #816). This is at least a way to "reset the password without knowing it", and after successful login it'll get written to AcctMgr's preferred authentication store. And afterwards you're able to change it, right?
comment:7 Changed 7 years ago by
| Owner: | Steffen Hoffmann deleted |
|---|
comment:8 Changed 4 years ago by
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
Closing since this ticket is old and the configuration sounds like a bit of an outlier.
OK, I'm assuming that if you're using x509 certs for auth, then apache is handling the auth. In this case, would the HttpAuthStore not be enough?