[Freeipa-devel] [PATCH] 1006 detect expired passwords in forms login
Rob Crittenden
rcritten at redhat.com
Tue Apr 17 14:13:57 UTC 2012
Martin Kosek wrote:
> On Mon, 2012-04-16 at 09:34 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Petr Vobornik wrote:
>>>> On 04/13/2012 09:28 PM, Rob Crittenden wrote:
>>>>> When doing a forms-based login there is no notification that a password
>>>>> needs to be reset. We don't currently provide a facility for that but we
>>>>> should at least tell users what is going on.
>>>>>
>>>>> This patch adds an LDAP bind to test the password to see if it is
>>>>> expired and returns the string "Password Expired" along with the 401 if
>>>>> it is. I'm told this is all the UI will need to be able to identify this
>>>>> condition.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> UI can work with it. I have a patch ready. I'll send it when this will
>>>> be ACKed.
>>>>
>>>> Some notes:
>>>>
>>>> 1) The error templates and the 'Password Expired' message are hardcoded
>>>> to be English. It's fine at the moment. Will we internationalize them
>>>> sometime in future? If so, we will run into the same problem again.
>>>
>>> No plans to. I can update the patch with a comment specifically to not
>>> internationalize it if you'd like.
>>>
>>>> 2) conn.destroy_connection() won't be called if an exception occurs. Not
>>>> sure if it is a problem, GC and __del__ should take care of it.
>>>
>>> Hmm, this is due to a late stage change I made. I originally had this
>>> broken out into two blocks where the only thing done in the first
>>> try/except block was the connection, so the only exception that could
>>> happen was a failed connection.
>>>
>>> That isn't true any more. I'll update the patch.
>>
>> And here you go.
>>
>> rob
>
> I still think that deciding based on error message string is not right,
> we may want to have it internationalized and thus hit the same error.
> What about returning a custom HTTP header specifying the reason?
>
> Something like that:
>
> X-rejection-reason: password-expired
> OR
> X-rejection-reason: password-invalid
> OR
> X-rejection-reason: account-locked
>
> Web UI could customize next actions based on this header instead of
> parsing the error message.
>
> If you decide to rather stick with current solution and file my proposal
> as an enhancement ticket (or discard it entirely), then ACK.
>
> Martin
>
I think this is a better solution. I've updated my patch.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1006-3-expired.patch
Type: text/x-diff
Size: 5426 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120417/016f6b7d/attachment.bin>
More information about the Freeipa-devel
mailing list