Posted to dev@allura.apache.org by Igor Bondarenko <je...@users.sf.net> on 2014/05/13 11:06:09 UTC

[allura:tickets] #7388 #7387 Allura's LDAP provider password managing improvements



---

** [tickets:#7388] #7387 Allura's LDAP provider password managing improvements**

**Status:** open
**Milestone:** limbo
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Tue May 13, 2014 09:06 AM UTC
**Owner:** nobody

- in `set_pawwsord` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---

Sent from sourceforge.net because dev@allura.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #7388 Allura's LDAP provider password managing improvements

Posted by Dave Brondsema <br...@users.sf.net>.
- **status**: code-review --> closed
- **QA**: Dave Brondsema
- **Milestone**: limbo --> forge-may-30



---

** [tickets:#7388] Allura's LDAP provider password managing improvements**

**Status:** closed
**Milestone:** forge-may-30
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Mon May 19, 2014 01:18 PM UTC
**Owner:** nobody

- in `set_password` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---


[allura:tickets] #7388 Allura's LDAP provider password managing improvements

Posted by Igor Bondarenko <je...@users.sf.net>.
- **status**: in-progress --> code-review
- **Comment**:

Closed #591. `je/42cc_7388`

Also fixes [#7387].

New config options:

     
     auth.ldap.password.algorithm = 6
     auth.ldap.password.rounds = 6000
     auth.ldap.password.salt_len = 16






---

** [tickets:#7388] Allura's LDAP provider password managing improvements**

**Status:** code-review
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Fri May 16, 2014 11:59 AM UTC
**Owner:** nobody

- in `set_password` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---
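An added example, not code from Allura or from this thread: it validates the three options listed in the comment above, builds the crypt(3) setting string they describe, and reports whether an already stored value was hashed with different parameters. It assumes `algorithm` is the crypt(3) scheme id (where `6` selects SHA-512 crypt) and that values are stored with a `{CRYPT}` prefix; the function names and `PAGE_CONFIG` are hypothetical.

```python
import secrets
import string

PREFIX = "auth.ldap.password."
# crypt(3) ids that accept a "rounds=" field (the SHA-crypt family).
SHA_CRYPT_IDS = {"5": "sha256-crypt", "6": "sha512-crypt"}
SALT_CHARS = string.ascii_letters + string.digits + "./"
DEFAULT_ROUNDS = 5000  # what SHA-crypt uses when a hash has no rounds= field
# Constructed sample: the option values quoted in the comment, as .ini strings.
PAGE_CONFIG = {PREFIX + "algorithm": "6", PREFIX + "rounds": "6000",
               PREFIX + "salt_len": "16"}


def read_options(config):
    """Read and validate the three options from a dict of .ini values."""
    algorithm = str(config[PREFIX + "algorithm"]).strip()
    rounds = int(config[PREFIX + "rounds"])
    salt_len = int(config[PREFIX + "salt_len"])
    if algorithm not in SHA_CRYPT_IDS:
        raise ValueError("algorithm %r does not take rounds=" % algorithm)
    # SHA-crypt silently clamps rounds and truncates long salts; reject instead.
    if not 1000 <= rounds <= 999999999:
        raise ValueError("rounds out of SHA-crypt range: %d" % rounds)
    if not 1 <= salt_len <= 16:
        raise ValueError("salt_len out of SHA-crypt range: %d" % salt_len)
    return algorithm, rounds, salt_len


def crypt_setting(config):
    """Build the '$id$rounds=N$salt' setting string with a fresh random salt."""
    algorithm, rounds, salt_len = read_options(config)
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(salt_len))
    return "$%s$rounds=%d$%s" % (algorithm, rounds, salt)


def needs_rehash(stored, config):
    """True if a stored '{CRYPT}$id$...' value does not match current options."""
    algorithm, rounds, salt_len = read_options(config)
    if not stored.upper().startswith("{CRYPT}$"):
        return True  # another scheme, or not a crypt value at all
    fields = stored[len("{CRYPT}$"):].split("$")
    if len(fields) > 1 and fields[1].startswith("rounds="):
        used_rounds, salt = int(fields[1][7:]), fields[2] if len(fields) > 2 else ""
    else:
        used_rounds, salt = DEFAULT_ROUNDS, fields[1] if len(fields) > 1 else ""
    return (fields[0], used_rounds, len(salt)) != (algorithm, rounds, salt_len)
```

Calling `needs_rehash` at login time is one way to migrate existing entries after the `.ini` values are raised, since stored hashes keep the parameters they were created with.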


[allura:tickets] #7388 Allura's LDAP provider password managing improvements

Posted by Igor Bondarenko <je...@users.sf.net>.
- **summary**: #7387 Allura's LDAP provider password managing improvements --> Allura's LDAP provider password managing improvements



---

** [tickets:#7388] Allura's LDAP provider password managing improvements**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Tue May 13, 2014 09:06 AM UTC
**Owner:** nobody

- in `set_pawwsord` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---


[allura:tickets] #7388 Allura's LDAP provider password managing improvements

Posted by Igor Bondarenko <je...@users.sf.net>.
- Description has changed:

Diff:

~~~~

--- old
+++ new
@@ -1,3 +1,3 @@
-- in `set_pawwsord` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
+- in `set_password` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
 - Enable `forgotten_password_process` for LDAP provider
 - Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options

~~~~
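
Review bot: The corrected first item (the `+` line) still says only "Use admin credentials for LDAP in this case" and does not state which callers may reach `set_password` without an old password. Since that path changes a password with no proof of the previous one, the description should name the intended caller, for example the `forgotten_password_process` flow listed in the next item.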




---

** [tickets:#7388] Allura's LDAP provider password managing improvements**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Tue May 13, 2014 09:09 AM UTC
**Owner:** nobody

- in `set_password` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---


[allura:tickets] Re: #7388 Allura's LDAP provider password managing improvements

Posted by Dave Brondsema <br...@users.sf.net>.
Good catch.  I think we'll need deeper updates to make it really work well with LDAP though.  LDAP will often provide names and email addresses, and may or may not let users change those within Allura (e.g. have to change it somewhere else in LDAP directly).  So this will probably have to be configurable for each provider, and likely some additional methods or hooks to keep LDAP (or any other auth store) in sync with Allura changes if allowed.  Let's handle that in a separate ticket.  I can create one in a while.

For now let's just keep it as-is for name and email.  Few others like password recovery I think is fine to change to `!= 'sfx'`  (And then we can clean up the 'sfx' references later, once we get rid of it)


---

** [tickets:#7388] Allura's LDAP provider password managing improvements**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Fri May 16, 2014 11:59 AM UTC
**Owner:** nobody

- in `set_password` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---


[allura:tickets] #7388 Allura's LDAP provider password managing improvements

Posted by Igor Bondarenko <je...@users.sf.net>.
While working on this I've discovered that `user_prefs.html` and the relevant controller do checks like this:

~~~~
  {% if tg.config.get('auth.method', 'local') == 'local' %}
~~~~

Because of them `/auth/preferences/` is almost empty, when using LDAP auth provider. I.e. you can't set display name, email, etc.

I guess, this is because sfx auth method provides those settings through legacy part of sourceforge?

To test forgotten password recovery capabilities I've changed condition to `!= 'sfx'`. 

I wonder if this change should be committed?  Maybe Allura instance on sourceforge would also rely on legacy part to provide those, but I think these preferences should be available for other deployments too, even when using LDAP auth.


---

** [tickets:#7388] Allura's LDAP provider password managing improvements**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Tue May 13, 2014 09:10 AM UTC
**Owner:** nobody

- in `set_password` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---


[allura:tickets] #7388 #7387 Allura's LDAP provider password managing improvements

Posted by Igor Bondarenko <je...@users.sf.net>.
- **labels**:  --> 42cc
- **status**: open --> in-progress



---

** [tickets:#7388] #7387 Allura's LDAP provider password managing improvements**

**Status:** in-progress
**Milestone:** limbo
**Labels:** 42cc 
**Created:** Tue May 13, 2014 09:06 AM UTC by Igor Bondarenko
**Last Updated:** Tue May 13, 2014 09:06 AM UTC
**Owner:** nobody

- in `set_pawwsord` handle case, where old password is not provided ([#7342] for reference). Use admin credentials for LDAP in this case.
- Enable `forgotten_password_process` for LDAP provider
- Store hashed password (algorithm in [#7342]). Algorithm, # of rounds and salt length should be `.ini` options


---
