preventing a user from changing the password more than once - openldap - ldap

CentOS 7, OpenLDAP 2.4.44 (slapd)
I configured the ppolicy password policy. I need to make sure that a user cannot change his password more than once (so that he can change the password only one time, after which he no longer has that opportunity). Has someone implemented something similar and can suggest which attributes / policies would achieve such a restriction? In the ppolicy documentation I did not find an attribute / directive suitable for this case.
My case is something like a subscription model:
1. An account is created for the user.
2. The pwdMaxAge policy attribute sets the lifetime of the account password (thereby the account validity period is limited, since in this case an expired password = non-working account).
2.1. But the password lifetime limitation in the pwdMaxAge attribute can be bypassed simply by re-creating (changing) the password, and the pwdMaxAge countdown will start over.
3. After creating the account, the user is sent a password, which he will have to change to his own.
3.1. To let users change the password, self-service-password (https://github.com/ltb-project/self-service-password) was deployed, where users can change it by entering the password sent to them as the "old" password and setting their own new one. At this point the pwdMaxAge countdown is reset, which is normal.
Now the problem: even after half a year the user can log into the web form and change his password, thereby resetting the pwdMaxAge countdown and extending the password and account expiration date. Therefore I want to limit the number of password changes to one: when the user changes the password sent to him to his own (clause 3.1), he should not be able to change the password again afterwards.

I found how to restrict the user from changing the password again right away:
pwdMinAge attribute
pwdMinAge=3600
This attribute controls the minimum time (in seconds) between password changes. In the above example, the password can be changed no more than once an hour (3600 seconds). Attempts to change the password before this time has expired will be rejected. The default value is 0, which allows the password to be changed at any time since the last change.
That means that with:
pwdMinAge = 3600
pwdMaxAge = 3600
the user can change his password only once for the entire period (1 hour).

Related

How to fetch password policy - freeradius - ldap

The requirement is to find user password expiration time.
Now in ldap, you enforce expiration through password policy.
The password policy attribute pwdMaxAge specifies after how many seconds from the time the password was changed does the password expire.
ldap password policy
The moment you change/create user password, the operational attribute pwdChangedTime gets added with the timestamp.
Sadly, ldap does not add any operational attribute for the expiration time, it's something we need to calculate, by doing a pwdChangedTime + pwdMaxAge < current_time
In your mods-enabled/ldap file you can fetch the pwdChangedTime attribute. Cool! But how do I fetch the pwdMaxAge attribute? This file only has structure for users, groups, profiles, clients but not for the password policy. raddb mods-available details here.
(I can do this programmatically, by writing code/script for fetching these attributes using the CLI and then doing my manipulation, but is it possible to do this through the config? Because, if you look at it, this expiration time is something related to user attributes and there should be a way to return it along with the bare minimum user data like name and organization that we return.)
Thanks!
There is no such operational attribute pwdMaxAge in the user's entry.
The password expiry warning during checking the password is returned by the server in a response control if the client sends the bind request with the appropriate request control (see draft-behera-ldap-password-policy, section 6.1 and 6.2).
This means that the LDAP client (FreeRADIUS in your case) has to support this. Furthermore all intermediate components (RADIUS server, Wifi access point, etc.) have to properly handle the response and return some useful information up the chain to the user. In practice this does not really work.
Therefore I'd recommend sending password expiry warnings via e-mail. There are ready-to-use scripts out there like checkLdapPwdExpiration.sh provided by the LDAP Tool Box project.

Update token after password change in Phonegap

I am new to token based authentication and doing the following:
Authenticate the user by email and password,
get a token back from backend,
store the token in local storage,
check to see if a token is present. If yes then user is logged in.
What I want to achieve is that if the user changes his password then the client should prompt for a fresh login. How can this be done?
This depends on whether you are using Refresh Tokens or not, as user Gopinath Shiva describes in his answer to a question in roughly the same domain.
If you use Refresh Tokens, then
When the user changes his password, change the refresh token of the user. Hence the remaining session will get logged out soon.
If you don't, then
When the user changes his password, note the change password time in the user db, so when the change password time is greater than the token creation time, then token is not valid. Hence the remaining session will get logged out soon.
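The second variant above (no refresh tokens: reject any token issued before the user's last password change) as a small worked example; this is code added for this page, not from Phonegap or any library, and the HMAC-signed token format, secret, lifetime and user records are constructed assumptions.

```python
"""Invalidate bearer tokens after a password change by comparing the token's
issue time with the user's recorded password-change time. Added example code
(not from Phonegap); SERVER_SECRET and the user records are constructed."""
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # placeholder secret
TOKEN_LIFETIME = 24 * 3600  # seconds; assumed absolute token lifetime


def issue_token(user_id, issued_at):
    """Mint a token: base64(JSON claims) + '.' + HMAC-SHA256 over the claims."""
    claims = json.dumps({"sub": user_id, "iat": issued_at}, sort_keys=True)
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token, users, now):
    """Return the user id for a valid token, else None.
    Rejects bad signatures, expired tokens and tokens issued before the
    user's last password change, so sessions that predate the change are
    logged out without needing refresh tokens."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    user = users.get(claims["sub"])
    if user is None or now - claims["iat"] > TOKEN_LIFETIME:
        return None
    # The check from the answer: a password change after issue invalidates it.
    if claims["iat"] < user["password_changed_at"]:
        return None
    return claims["sub"]


def change_password(users, user_id, new_password_hash, now):
    """Store the new hash and record the change time used by verify_token."""
    users[user_id]["password_hash"] = new_password_hash
    users[user_id]["password_changed_at"] = now
    return users[user_id]
```

Store the change time with at least the same resolution as the token issue time; a token issued in the same second as the change is still accepted here, matching the "greater than" rule in the answer.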

OpenDS: Set value of expiration time

I would like to change the expiration time of my OpenDS-installation. First I'd like to know how to determine what the actual timeout is set to. Later I'd like to edit the timeout but didn't manage to find the information within the documentation.
All I managed to find was the description of the process that describes when a user is marked as 'locked': OpenDS: Which attribute tells that an account was locked due to password expiration
The background is that I would like to set the password expiration time to a very low amount so I can test against some locked users.
All hints are greatly appreciated.
Password expiration time is computed based on the last time the password was changed. If no pwdChangedTime is set, the server will use the createTimeStamp attribute if present, otherwise, it's impossible to determine when the password is due to expire.
So the easiest way to test password expiration, is to configure it (use dsconfig to set max age in the default password policy), and change the password of the test user.
BTW, OpenDS is no longer active, so I suggest you look at OpenDJ and its documentation.
Regards,
Ludovic.
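One model that ties together the three threads above: the pwdChangedTime + pwdMaxAge expiry computation from the FreeRADIUS question, the createTimestamp fallback described in the OpenDS answer, and the pwdMinAge / pwdMaxAge interplay from the first question. This is example code added for this page, not from OpenLDAP, OpenDS or FreeRADIUS; it simplifies real ppolicy behaviour (no pwdReset, grace logins or lockout) and the entry data is constructed.

```python
"""Derive password-age decisions from pwdChangedTime (GeneralizedTime, e.g.
20240101120000Z) plus pwdMinAge / pwdMaxAge in seconds. Added example, not
server code; ENTRY below is constructed sample data."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form 'YYYYMMDDHHMMSSZ' (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_changed_at(entry):
    """pwdChangedTime if set, else createTimestamp (the OpenDS fallback),
    else None: expiry cannot be determined."""
    for attr in ("pwdChangedTime", "createTimestamp"):
        if attr in entry:
            return parse_generalized_time(entry[attr])
    return None


def expires_at(entry, pwd_max_age):
    """pwdChangedTime + pwdMaxAge; None when unknown or pwdMaxAge is 0."""
    changed = password_changed_at(entry)
    if changed is None or pwd_max_age <= 0:
        return None
    return changed + timedelta(seconds=pwd_max_age)


def password_status(entry, pwd_min_age, pwd_max_age, now):
    """Return (expired, change_allowed, seconds_until_expiry)."""
    changed = password_changed_at(entry)
    if changed is None:
        return (False, True, None)  # no reference time: nothing to enforce
    age = (now - changed).total_seconds()
    expired = pwd_max_age > 0 and age >= pwd_max_age
    change_allowed = age >= pwd_min_age  # pwdMinAge rejects early changes
    exp = expires_at(entry, pwd_max_age)
    remaining = None if exp is None else (exp - now).total_seconds()
    return (expired, change_allowed, remaining)


# Constructed sample entry: password set at 12:00 UTC on 2024-01-01.
ENTRY = {"pwdChangedTime": "20240101120000Z"}

if __name__ == "__main__":
    # With pwdMinAge == pwdMaxAge there is never a moment where a change is
    # both allowed and the password is still unexpired.
    for minutes in (10, 59, 60, 120):
        now = parse_generalized_time(ENTRY["pwdChangedTime"]) + timedelta(minutes=minutes)
        print(minutes, password_status(ENTRY, 3600, 3600, now))
```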

Creating user with no password in Meteor

I have a unique user creation flow which is as follows:
User comes to my site for the first time and they click a button.
I create a User in the DB for them and set a localStorage key with the UID.
User goes about creating data and I save the data in the DB and associate it with the UID.
User comes back, and if they have UID set in localStorage, I show them the data they previously created.
User can click Register to create a "real" account from which point they will have to login with username and password or another service (e.g. Facebook).
So, how would I accomplish this with Meteor Accounts and the User model?
In a nutshell:
I need to create User mongo document with no information (about the user).
I need to authenticate a user by just having a UID (acting as a "password").
Register onCreateUser to add an "anonymous" field ({anonymous:1}) when a random password is used, maybe generated with Meteor.uuid(). Add a timestamp field ({created:new Date()}) to clean out old, anonymous accounts. Perform old anonymous user maintenance, like deleting anonymous users more than one hour old:
    // Server side: every hour, remove anonymous accounts created more than
    // one hour ago. 3600000 ms is one hour (360000 would be only six minutes).
    // A range query on `created` replaces the $where clause, so no JavaScript
    // is evaluated inside MongoDB.
    Meteor.setInterval(function () {
      var cutoff = new Date(Date.now() - 3600000);
      Meteor.users.remove({anonymous: 1, created: {$lt: cutoff}});
    }, 3600000);
On the client: always prompt for a "nickname." This will become the official username, or will sit in the system forever unused. Check if the client is logged in. If not, create a user with the nickname and a "magic number" password, which logs you in. When they click Register, write "Register" at the top, but actually just change their password and $set:{anonymous:0}.
Don't use localStorage, and don't use UIDs. The session cookie IS your UID.
I don't know how to help with the authentication, but as for creating a blank User object, I've successfully done the following on the server-side (with a different name...):
Meteor.users.insert({profile: {name: 'Oompa Loompa'}, foo: 'bar'});

Features of reset password functionality (one-click, one-use, 24 hours, ???)

We're setting up a feature to enable users to reset their password when they can't get access to their account. We ask for their email address (which they use for logging into the site) and send them an email with a unique link.
The questions are:
Should the link expire on first-click or should the link expire on first-use (ie, they reset their password successfully)?
Should the link have 24 hour validity (or something similar)?
Should the user be logged in after he clicks that link?
The link should expire after the password is changed. If you expired the link on the first click this can cause problems. Let's say I've got bad internet connection, and the page didn't load completely to my browser. I reload the page and it says link is expired. I wouldn't be happy user to see that.
Yes, you should limit the link to some reasonable time. 24 hours looks reasonable enough. If you don't limit the link lifetime, first of all you will have to store the generated id forever; secondly, the longer you keep this link active the higher the probability that the link will be stolen by an attacker, which will lead to the account being stolen.
You should let the user in only after the user changes his/her password. If you just log them in, they will probably decide that they don't have to change the password anymore. This way they can keep logging into the system forever without ever changing/knowing their password.
The link should expire after they have reset their password successfully. If somehow the user ended up needing guidance on a password reset and wanted to return later, they should be able to.
That being said the reset should expire eventually, 48 hours?
Yes they should be logged in after a password reset, otherwise there is another frustrating step in the way of your user doing what they came to do on your site.
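The link behaviour both answers converge on (an unguessable link that stays valid on reload, expires after 24 hours, and is consumed only once the password has actually been changed) as a worked example. This is code added for this page, not from any project; the in-memory store, the 24-hour constant and the method names are assumptions.

```python
"""Single-use, time-limited password-reset tokens: checked on page load,
consumed only after a successful password change. Added example code;
the store is an in-memory dict standing in for a database table."""
import hashlib
import secrets

LINK_LIFETIME = 24 * 3600  # seconds; "24 hours looks reasonable enough"


class ResetTokens:
    def __init__(self):
        # sha256(token) -> {"user": ..., "expires": ..., "used": bool}
        self._tokens = {}

    @staticmethod
    def _hash(token):
        # Persist only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now):
        """Create the random token embedded in the e-mailed link."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = {
            "user": user, "expires": now + LINK_LIFETIME, "used": False}
        return token

    def check(self, token, now):
        """Validate on first click. Does not consume, so a reload after a
        half-loaded page still works. Returns the user or None."""
        rec = self._tokens.get(self._hash(token))
        if rec is None or rec["used"] or now >= rec["expires"]:
            return None
        return rec["user"]

    def consume(self, token, now):
        """Call only after the new password was stored successfully; marks
        the link used so it cannot be replayed. Returns the user or None."""
        user = self.check(token, now)
        if user is not None:
            self._tokens[self._hash(token)]["used"] = True
        return user

    def purge(self, now):
        """Drop used and expired records (no ids stored forever)."""
        self._tokens = {h: r for h, r in self._tokens.items()
                        if not r["used"] and now < r["expires"]}
        return len(self._tokens)
```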