[SOGo] BTS activities for Tuesday, January 31 2017
Title: BTS activities for Tuesday, January 31 2017

BTS Activities
Home page: http://www.sogo.nu/bugs
Project: SOGo
For the period covering: Tuesday, January 31 2017

id    last update          status (resolution)   category              summary
3599  2017-01-31 08:00:19  assigned (open)       Backend Address Book  created contact gets always up & downloaded
3054  2017-01-31 16:02:22  resolved (duplicate)  Backend Address Book  Delete a shared contact list and it continues to display
3993  2017-01-31 14:56:50  resolved (fixed)      GUI                   NSException after update
4010  2017-01-31 16:01:57  closed (fixed)        Backend General       Subscriptions should be removed when the associated calendar is deleted

--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] end user passwd change in /SOGo
Hi Ralf, hi MJ,

Thanks for the answers up to now!

According to the docs [1] there is the following option for LDAP user sources:

    bindAsCurrentUser
    If set to YES, SOGo will always keep binding to the LDAP server using the
    DN of the currently authenticated user. If bindFields is set, bindDN and
    bindPassword will still be required to find the proper DN of the user.

In this case the user should be able to change its own password via SOGo. For this to work, you either need bindFields set (for looking up the user's DN) or IDFieldName (the attribute which builds the user's DN (like IDFieldName=, baseDN)).

MJ, I don't know if that works in combination with SAML - since SOGo shouldn't know the user's password, it probably binds using the given bindDN, which then would need the rights to change other users' passwords.

Ralf, I'm not sure what you're looking for. If you need a frontend for password self service, I would either go with the SOGo functionality built in, or with the already named LAM. In my use case I have an existing user management via a Zend Framework application, which allows that similarly to LAM (we use an admin user to set userPassword, setting a custom built crypt-hash using SHA512 with a nice number of rounds - should work with most Linux distros [2]).

If you're asking regarding OpenLDAP ACLs to allow a user to change its own password, you would find that here: [3]

I don't really know much about the SOGo features itself, since I'm using SAML auth.

Regards,
Christoph

[1] https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
[2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems
[3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html

> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) wrote:
>
> Hi
>
>> we are looking for a password change mechanism for openldap. Can you
>> please share your knowledge re. this?
>
> In active directory, end users are allowed to change their own passwords by
> default. This does require that the connection is made over ldapS.
>
> There is a tool called ldap-account-manager (lam) that we used in the past.
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
>
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that
> will prompt users to change their ldap passwords as well, if they have
> expired.
> (http://www.keycloak.org/)
>
> And you're right: Perhaps better to take this offlist if you have more
> questions. (and yes, I also realise that your question was actually aimed at
> Christoph)
>
> Best regards to all,
> MJ
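The option discussed in the message above, written out as a sogo.conf fragment. This is an added illustration, not configuration posted by anyone in the thread; the hostname, DNs, source id and password are constructed placeholders, and SOGoPasswordChangeEnabled is the SOGo default that turns on the built-in password change dialog.

```conf
/* sogo.conf fragment (added example, placeholder values throughout) */
{
  /* Show the "change password" function in the web interface. */
  SOGoPasswordChangeEnabled = YES;

  SOGoUserSources = (
    {
      type = ldap;
      id = directory;

      /* Use LDAPS so credentials and the new password are not sent in clear. */
      hostname = "ldaps://ldap.example.org:636";
      baseDN = "ou=people,dc=example,dc=org";

      CNFieldName = cn;
      IDFieldName = uid;
      UIDFieldName = uid;

      /* Because bindFields is set, a service account is still required,
         but only to search for the DN of the user who is logging in.
         It needs read access to uid and mail, nothing more. */
      bindFields = (uid, mail);
      bindDN = "cn=sogo-lookup,ou=services,dc=example,dc=org";
      bindPassword = "REPLACE_WITH_SERVICE_PASSWORD";

      /* After the lookup, keep binding as the authenticated user, so a
         password change runs with that user's own rights rather than
         with the rights of the service account. */
      bindAsCurrentUser = YES;

      canAuthenticate = YES;
      isAddressBook = NO;
    }
  );
}
```

With this layout the directory itself has to let each entry write its own userPassword attribute, which is what the OpenLDAP ACL reference [3] in the message covers.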
RE: [SOGo] end user passwd change in /SOGo
Hi,

> > we are looking for a password change mechanism for openldap. Can you
> > please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords
> by default. This does require that the connection is made over ldapS.
>

another tool worth a look is FreeIPA: https://www.freeipa.org
However, it is focused on user management, and thus does not allow arbitrary LDAP schemes but requires certain user parameters.

Cheers,
Roland
Re: [SOGo] end user passwd change in /SOGo
Hi

> we are looking for a password change mechanism for openldap. Can you
> please share your knowledge re. this?

In active directory, end users are allowed to change their own passwords by default. This does require that the connection is made over ldapS.

There is a tool called ldap-account-manager (lam) that we used in the past. It included an end-user password change portal.
(https://www.ldap-account-manager.org/)

We are also currently testing RedHat's keycloak (SAML/oauth Idp) that will prompt users to change their ldap passwords as well, if they have expired.
(http://www.keycloak.org/)

And you're right: Perhaps better to take this offlist if you have more questions. (and yes, I also realise that your question was actually aimed at Christoph)

Best regards to all,
MJ
Re: [SOGo] end user passwd change in /SOGo
Hi Christoph,

On Mon, Jan 30, 2017 at 03:51:27PM +0100 you wrote:
> haven't checked that, but when not using User binding but giving a bind dn,
> probably the bind User is used for this action. Probably you can check that
> in the AD logs.
> Also, you can probably give the user only the right to modify the
> userPassword attribute - at least in openldap that's possible.

we are looking for a password change mechanism for openldap. Can you please share your knowledge re. this?

It's not strictly related to SOGo. Therefore you may reply by personal email.

Thank you.

Regards
--
R. Cirksena