[SOGo] BTS activities for Tuesday, January 31 2017

2017-01-31 Thread SOGo reporter
Title: BTS activities for Tuesday, January 31 2017





  
BTS Activities

  Home page: http://www.sogo.nu/bugs
  Project: SOGo
  For the period covering: Tuesday, January 31 2017

  
  
  id    last update          status (resolution)   category              summary
  3599  2017-01-31 08:00:19  assigned (open)       Backend Address Book  created contact gets always up & downloaded
  3054  2017-01-31 16:02:22  resolved (duplicate)  Backend Address Book  Delete a shared contact list and it continues to display
  3993  2017-01-31 14:56:50  resolved (fixed)      GUI                   NSException after update
  4010  2017-01-31 16:01:57  closed (fixed)        Backend General       Subscriptions should be removed when the associated calendar is deleted


-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Christoph Kreutzer
Hi Ralf, hi MJ,

Thanks for the answers up to now!

According to the docs [1] there is the following option for LDAP user sources:

bindAsCurrentUser
If set to YES, SOGo will always keep binding to the LDAP server using the DN of 
the currently authenticated user. If bindFields is set, bindDN and bindPassword 
will still be required to find the proper DN of the user.

In this case the user should be able to change its own password via SOGo.
For this to work, you either need bindFields set (for looking up the user's DN) 
or IDFieldName (the attribute which builds the user's DN (like 
IDFieldName=, baseDN).

MJ, I don't know if that works in combination with SAML - since SOGo shouldn't 
know the user's password, it probably binds using the given bindDN, which then 
would need the rights to change other users' passwords.

Ralf, I'm not sure what you're looking for. If you need a frontend for password 
self service, I would either go with the SOGo functionality built in, or with 
the already named LAM. In my use case I have an existing user management via a 
Zend Framework application, which allows that similarly to LAM (we use an admin 
user to set userPassword, setting a custom built crypt-hash using SHA512 with a 
nice number of rounds - should work with most Linux distros [2]).
If you're asking regarding OpenLDAP ACLs to allow a user to change its own 
password, you would find that here: [3]
I don't really know much about the SOGo features themselves, since I'm using SAML 
auth.

Regards,
Christoph

[1] https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
[2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems
[3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html

> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) wrote:
> 
> Hi
> 
>> we are looking for a password change mechanism for openldap. Can you
>> please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords by 
> default. This does require that the connection is made over ldapS.
> 
> There is a tool called ldap-account-manager (lam) that we used in the past. 
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
> 
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that 
> will prompt users to change their ldap passwords as well, if they have 
> expired.
> (http://www.keycloak.org/)
> 
> And you're right: Perhaps better to take this offlist if you have more 
> questions. (and yes, I also realise that your question was actually aimed at 
> Christoph)
> 
> Best regards to all,
> MJ

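The LDAP user source setup Christoph describes, written out as an added example (not part of the original thread and not SOGo's own sample configuration): a sogo.conf fragment using bindFields and bindAsCurrentUser, with the matching OpenLDAP ACL shown in a comment. The host name, DNs and bind password are constructed placeholders; SOGoPasswordChangeEnabled comes from the SOGo documentation rather than from the thread.

```conf
/* sogo.conf fragment (constructed example; host, DNs and password are placeholders) */
SOGoPasswordChangeEnabled = YES;   /* offer the password change form to users */
SOGoUserSources = (
  {
    type = ldap;
    id = directory;
    canAuthenticate = YES;
    hostname = "ldaps://ldap.example.org:636";
    baseDN = "ou=people,dc=example,dc=org";
    CNFieldName = cn;
    IDFieldName = uid;
    UIDFieldName = uid;

    /* Users may log in with uid or mail, so SOGo has to search for the DN
       first. bindDN/bindPassword are still required for that lookup; this
       account can be limited to search/read access and does not need write
       access to userPassword. */
    bindFields = (uid, mail);
    bindDN = "uid=sogo-lookup,ou=services,dc=example,dc=org";
    bindPassword = "CHANGE-ME";

    /* Keep binding with the DN of the authenticated user, so a password
       change is performed with that user's own rights. */
    bindAsCurrentUser = YES;
  }
);

/* Matching OpenLDAP ACL (slapd.conf syntax): each entry may write only its
   own userPassword, anonymous clients may only use it to authenticate.

   access to attrs=userPassword
       by self write
       by anonymous auth
       by * none
*/
```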
RE: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Roland Wolters
Hi,

> > we are looking for a password change mechanism for openldap. Can you
> > please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords 
> by default. This does require that the connection is made over ldapS.
> 
another tool worth a look is FreeIPA: https://www.freeipa.org
However, it is focused on user management, and thus does not allow arbitrary 
LDAP schemes but requires certain user parameters.

Cheers,

Roland


Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread lists

Hi

> we are looking for a password change mechanism for openldap. Can you
> please share your knowledge re. this?

In active directory, end users are allowed to change their own passwords 
by default. This does require that the connection is made over ldapS.


There is a tool called ldap-account-manager (lam) that we used in the 
past. It included an end-user password change portal.

(https://www.ldap-account-manager.org/)

We are also currently testing RedHat's keycloak (SAML/oauth Idp) 
that will prompt users to change their ldap passwords as well, if they 
have expired.

(http://www.keycloak.org/)

And you're right: Perhaps better to take this offlist if you have more 
questions. (and yes, I also realise that your question was actually 
aimed at Christoph)


Best regards to all,
MJ


Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Ralf Cirksena
Hi Christoph,

On Mon, Jan 30, 2017 at 03:51:27PM +0100 you wrote:

> haven't checked that, but when not using User binding but giving a bind dn, 
> probably the bind User is used for this action. Probably you can check that 
> in the AD logs.
> Also, you can probably give the user only the right to modify the 
> userPassword attribute - at least in openldap that's possible.

we are looking for a password change mechanism for openldap. Can you
please share your knowledge re. this?

It's not strictly related to SOGo. Therefore you may reply by personal
email.

Thank you.


Regards
-- 
R. Cirksena 