From: Alistair Y. <ali...@sm...> - 2005-06-15 22:13:07
> Some Authenticators would
> want to disable the changing of passwords (WebAuth, Shibb SP, etc).

got you now! I see what you mean by SP. Presumably a user who gets into a bod that is operating as an SP will have access to such things as user preferences etc. I imagine in a lot of applications, the user preferences will have things like changing their password.

Yet again we're shining a light onto a very dark area of web applications accessed through shibboleth. Not only must they provide some programmatic way to create accounts on the fly but they'll need to metamorphose based on what the user is - local or shibbed.

Have a cake on me ;)

Alistair

--
Alistair Young
Senior Software Engineer
UHI@Sabhal Mòr Ostaig
Isle of Skye
Scotland

> Alistair Young wrote:
>> IdP/SP don't have anything at all to do with bod passwords. If you're
>> using a bod authenticator that authenticates outwith bodington then
>> you'll have the problem of changing passwords. Whether it's
>> ldap/webauth/windows.
>>
>> To sort it, somehow tie the authenticator to the change password
>> functionality, i.e. ldap would disable it entirely.
>
> I think this is what we are talking about. Some Authenticators would
> want to disable the changing of passwords (WebAuth, Shibb SP, etc).
>
>> Even if you login with a windows username/password (though I don't think
>> you can - bod can't authenticate to windows) you still can't change that
>> password in bod.
>
> Yep, so the Windows password authenticator should return false from
> isPasswordChangable() and the template should display differently as a
> result.
>
>> If bod becomes part of a larger SSO solution, such as ldap or webauth
>> then its password changing functionality should be disabled.
>>
>> Now we're on the subject I think it's time bod stopped storing passwords
>> in plain text.
>>
>
> Indeed. I had a quick look at this a little while ago and I think I have
> a patch hanging around somewhere which was a half hack at this. It
> wasn't as easy as I had hoped as the API was a bit muddled but I'll try
> and dig it out, clean it up and send it to the list.
>
>
> --
> +--Matthew Buckett-----------------------------------------+
> | VLE Developer, Learning Technologies Group               |
> | Tel: +44 (0) 1865 283660  http://www.oucs.ox.ac.uk/      |
> +------------Computing Services, University of Oxford------+
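The two points raised in this thread, sketched together as an added example that is not part of the original messages and is not Bodington's code: an authenticator that reports whether its password can be changed, a server-side check that enforces the answer even if the template still shows the form, and a local authenticator that stores a salted PBKDF2 hash instead of the plain-text password. Only the method name `isPasswordChangable()` comes from the thread; the interface, class names, `handleChangeRequest`, the iteration count and the sample password are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class PasswordChangeDemo {
    // Hypothetical interface: only isPasswordChangable() is named in the thread.
    interface Authenticator {
        boolean isPasswordChangable();
        void changePassword(char[] newPassword) throws Exception;
    }
    // Credentials held elsewhere (LDAP, WebAuth, Shibboleth SP): never changeable here.
    static class ExternalAuthenticator implements Authenticator {
        public boolean isPasswordChangable() { return false; }
        public void changePassword(char[] newPassword) {
            throw new UnsupportedOperationException("password is managed outside this application");
        }
    }
    // Local accounts: keep a random salt and the PBKDF2 output, never the plain text.
    static class LocalAuthenticator implements Authenticator {
        private static final int ITERATIONS = 600_000; // assumed work factor, tune per hardware
        private byte[] salt, hash;
        public boolean isPasswordChangable() { return true; }
        public void changePassword(char[] newPassword) throws Exception {
            byte[] freshSalt = new byte[16];
            new SecureRandom().nextBytes(freshSalt);
            hash = derive(newPassword, freshSalt);
            salt = freshSalt;
        }
        boolean verify(char[] candidate) throws Exception {
            // Constant-time comparison of the stored and recomputed hashes.
            return hash != null && MessageDigest.isEqual(hash, derive(candidate, salt));
        }
        private static byte[] derive(char[] password, byte[] salt) throws Exception {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        }
    }
    // Server-side gate: the request is refused even if a stale page still shows the form.
    static boolean handleChangeRequest(Authenticator auth, char[] newPassword) throws Exception {
        if (!auth.isPasswordChangable()) return false;
        auth.changePassword(newPassword);
        return true;
    }
    public static void main(String[] args) throws Exception {
        LocalAuthenticator local = new LocalAuthenticator();
        char[] sample = "constructed-sample-password".toCharArray(); // constructed value
        System.out.println("local change accepted: " + handleChangeRequest(local, sample));
        System.out.println("local verify: " + local.verify(sample));
        System.out.println("external change accepted: " + handleChangeRequest(new ExternalAuthenticator(), sample));
    }
}
```

A template would read the same `isPasswordChangable()` value to decide whether to render the change-password form, so the display and the enforcement cannot drift apart.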