Thanks for the response. Do you mean the self forgot password reset is being planned for 1.2.0 with challenge questions? That would be great.
I see 'Password Reset' can be done after logging in to the syncope by the user in 1.1.8.

Regards,
Suresh

On Mon, Sep 15, 2014 at 1:34 PM, Francesco Chicchiriccò <[email protected]> wrote:

> On 15/09/2014 07:48, Suresh Ajja wrote:
>
> Hi,
> Yes we were able to send out e-mails, thanks for the quick response.
> Though initially we tried to modify the existing NotificationJob.java
> (1.1.8 Release file) and build, but did not work. It worked with java file
> that you had provided in the link and adding the Property for
> smpt.auth.mail and build.
>
> Ok nice to know that the bug was that one and that the fix worked: I have
> opened
>
> https://issues.apache.org/jira/browse/SYNCOPE-547
>
> Regarding the password being sent in cleartext, consider below scenario:
> User has locked his password by attempting n attempts in the end
> application. The locked account attribute is syncope to temporarily suspend
> his account.
> User cannot reset his own password through syncope (account suspended).
>
> It's just the default workflow definition that does not allow
> modifications of suspended users; you can (actually, you should), however,
> change it in the way that most suits your own requirements.
>
> He sends a mail to admin requesting to reset his password.
> Admin logs in to the application and resets user's password. On resetting
> his password, mail is sent to user with his new password. User logs in to
> the system and changes his password manually. (since the first time sign-in
> functionality is scheduled to release later).
> Since the password is sent into the user's inbox directly, cleartext
> password sending out does not breach security. (Passwords though should be
> stored and propagated to end application in encrypted form only).
>
> Can the User Forgot Password(self) functionality be taken on priority (I
> see in the syncope roadmap, it's too late in priority list), so that user
> need not request admin to reset his password. The user will be able to
> reset his own password from syncope (without logging in, similar to
> Self-User Registration) answering few challenge questions. This will solve
> the above problem.
>
> Recently the roadmap was updated and "SYNCOPE-135 Password reset" was
> moved to Syncope 1.2.0.
> The first milestone release for 1.2.0 was published last week: I guess
> that in a couple of weeks we should be ready for the definitive 1.2.0.
>
> Regards.
>
> On Fri, Sep 12, 2014 at 7:26 PM, Francesco Chicchiriccò <[email protected]> wrote:
>
>> Hi,
>> it seems you've finally been able to send e-mails out [1]: I am curious,
>> did the fix work?
>>
>> About your specific question, sending the cleartext password out is not
>> definitely a good security practice; for this reason the password value
>> provided for creation is removed before being made available to the
>> template engine.
>> You should better empower some kind of double opt-in.
>>
>> Naturally you can always tweak things - by overriding some components -
>> to do it anyway but this is complex, not documented and nevertheless
>> discouraged.
>>
>> Regards.
>>
>> On 12/09/2014 11:35, Suresh Ajja wrote:
>>
>> Hi, the cipher encryption kept is SHA1 in the syncope. On user
>> creation, I need to send mail to the user with username and password. But
>> the password should be cleartext.
>> How do I convert the below encrypted password to a clear text password.
>>
>> Mail received:
>> Hi $user.getAttributeMap().get("firstname").getValues().get(0)
>> $user.getAttributeMap().get("surname").getValues().get(0), welcome to
>> Syncope!
>>
>> Your username is suresh.
>> Your password is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
>> Your email address is [email protected]. Your email address inside a
>> link <http://localhost/?email=suresh.ajja%40gmail.com>.
>>
>> Thanks
>>
>> Suresh
>>
>> [1] http://markmail.org/message/t3yfs2eyj67yrnft
>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC
> http://people.apache.org/~ilgrosso/
