LDAPAccountManager / lam

LDAP Account Manager
https://www.ldap-account-manager.org

Password Self-Reset: using passwordSelfReset as auxiliary class #323

Closed schmidtsva closed 2 months ago

schmidtsva commented 5 months ago

The "password self-reset" module (with security questions) requires the addition of the "passwordSelfReset" object class to each user account. In our AD domain (Samba4) the user accounts are automatically created by HR, so adding the extension "passwordSelfReset" is an additional (manual) step, e.g. using the "Multi edit" tool. I think it would be useful to add the "passwordSelfReset" class as an auxiliary class to the "User" object class, so that each user account can use the additional passwordSelfReset attributes.

As a "proof of concept" I made the following additional change to the schema in our test environment:

dn: CN=User,CN=Schema,CN=Configuration,DOMAIN_TOP_DN
changetype: modify
add: auxiliaryClass
auxiliaryClass: passwordSelfReset

For test purposes, I also removed the checks for "passwordSelfReset" in the "getSelfServiceOptions" and "checkSelfServiceOptions" functions, so the security questions and answers could be entered by the users. Perhaps the password self-reset feature can be extended to also accept the schema extension using the auxiliary class.

gruberroland commented 5 months ago

Thanks for the feedback. How do you create your users, is it via LAM? There is an option in profile editor to automatically add the extension for new users. See Tools -> Profile editor -> Users -> default -> Password self reset Password self reset -> Automatically add this extension.

Maybe this already helps.

schmidtsva commented 5 months ago

Thanks for your reply. Creating the user accounts is an automated task of the HR department (I don't know details) when the employees join the company. There are also some special attributes like an employee ID that is filled in. At the moment we mainly use LAM's Password Self-Service. Now we also want to give the users the possibility to reset their passwords themselves.

Using the object class "passwordSelfReset" as an auxiliary class would reduce the administrative effort. And it would also make the Windows AD people happy :-) So this issue is more of a request for enhancement. Would it be possible to add the option to use the auxiliary class as an alternative to the already implemented method?

gruberroland commented 5 months ago

Adding to 8.9 roadmap for checking if both variants can be supported at the same time.

schmidtsva commented 5 months ago

Thank you very much.

gruberroland commented 2 months ago

Sorry, we checked it and decided to not support this variant. The reasons are that this is for Windows only and mainly it is more a workaround. The clean solution would be to add the object class from the beginning. Usually, HR does not directly create accounts but delegates this to IT. You should try to find out how this is done and how to add the object class in the process. If this is not possible you are free to patch the code as you already showed above.

Sorry for the bad news.
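The thread ends with two ways to get the passwordSelfReset object class onto accounts that an external HR process creates: the manual "Multi edit" step from the first post, or the maintainer's suggestion to add the object class inside the provisioning process itself. The script below is an added example, not code from the LAM project or from either participant. It reads an LDIF export of user entries (as produced by ldapsearch or samba-tool), finds entries that carry objectClass "user" but not "passwordSelfReset", and emits an LDIF "changetype: modify" batch that ldapmodify can apply, so the step can run unattended after every HR import. The DNs, account names and the sample export are constructed and hypothetical; the object class name is the one the thread discusses.

```python
"""Added example (not LAM project code): extend AD/Samba user entries with the
passwordSelfReset auxiliary object class as a post-provisioning step.
Reads an LDIF export, emits an ldapmodify-compatible batch. Sample data below
is constructed; DNs under DC=example,DC=test are hypothetical."""
import base64
import sys


def parse_ldif(text):
    """Minimal LDIF reader: list of dicts mapping lower-cased attribute names
    to value lists (the DN is stored under "dn"). Handles folded lines
    (leading space) and base64 values written as "attr:: ...")."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation: drop one space, join
        else:
            unfolded.append(raw)
    entries, attrs = [], None
    for line in unfolded + [""]:              # sentinel flushes the last entry
        if line.startswith("#"):
            continue                          # comments never end a record
        if not line.strip():
            if attrs:
                entries.append(attrs)
            attrs = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attrs is None:
            attrs = {}
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def ldif_line(attr, value):
    """Render one attribute line, base64-encoding where LDIF requires it
    (non-ASCII, empty, or a value starting with space, colon or '<')."""
    if value and value.isascii() and value[0] not in " :<":
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def needs_extension(entry, structural="user", auxiliary="passwordSelfReset"):
    """True for entries of the structural class that lack the auxiliary class."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return structural.lower() in classes and auxiliary.lower() not in classes


def build_modify_ldif(entries, auxiliary="passwordSelfReset"):
    """Return (ldif_text, affected_dns). Entries that already carry the
    auxiliary class are skipped, so re-running the batch is harmless."""
    changes, dns = [], []
    for entry in entries:
        if not needs_extension(entry, auxiliary=auxiliary):
            continue
        dn = entry["dn"][0]
        dns.append(dn)
        changes.append("\n".join([
            ldif_line("dn", dn),              # non-ASCII DNs get "dn::"
            "changetype: modify",
            "add: objectClass",
            f"objectClass: {auxiliary}",
            "-",
            "",
        ]))
    return "\n".join(changes), dns


# Constructed sample export: one plain user, one user with a non-ASCII DN,
# one user already extended, one computer account (must be left alone).
SAMPLE_EXPORT = f"""\
# exported by a hypothetical HR import job
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: alice
employeeID: 1001
description: created by HR import,
  see onboarding ticket 42

{ldif_line('dn', 'CN=Jörg Müller,OU=Staff,DC=example,DC=test')}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: jmueller
employeeID: 1002

dn: CN=Bob Done,OU=Staff,DC=example,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: passwordSelfReset
sAMAccountName: bob

dn: CN=PRINTER01,OU=Devices,DC=example,DC=test
objectClass: top
objectClass: computer
sAMAccountName: PRINTER01$
"""


if __name__ == "__main__":
    # Usage: python extend_users.py export.ldif > changes.ldif (or no arg for the sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    ldif, dns = build_modify_ldif(parse_ldif(source))
    sys.stdout.write(ldif)
    sys.stderr.write(f"{len(dns)} entries to extend\n")
```

Pipe the output into `ldapmodify -H ldaps://dc.example.test -f changes.ldif` (binding as an account that may write objectClass on the affected users) and the accounts gain the extension LAM checks for, without touching the schema and without the "Multi edit" round trip; the filter on the structural class keeps computer accounts and other non-user objects out of the batch.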