When a user account is created, the sysadmin can select to force the user to link the account with a globus identity and when the user first logs in, they will be forced to do so. Normally, this also wipes out the password and salt from the user account to make this authentication mechanism no longer available.
However, the login page's "reset password" form still works and the user can request a reset. But now, the account's 'reset_password' field will be set in the account, and the globus authentication system will enter an infinite loop when the user next tries to log in.
We should disable the ability to reset a password once a globus link was made. The controller should send a message to the users saying something like "this account requires globus to authenticate, password reset is unavailable".
There is no security issue associated with this problem; it's simply that users can no longer connect.
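A minimal sketch of the guard proposed above, as an added example and not the project's own code. The `Account` struct, every field name except `reset_password`, and the `request_password_reset` helper are hypothetical, and the sample accounts are constructed.

```ruby
# Hypothetical account model (assumption): only `reset_password` is a field
# name taken from the report; the rest is invented for illustration.
Account = Struct.new(:login, :crypted_password, :salt, :reset_password,
                     :globus_required, :globus_identity, keyword_init: true) do
  # True once a forced Globus link has been made. The check deliberately does
  # not depend on the password and salt having been wiped, since the report
  # says that happens only "normally".
  def globus_only?
    globus_required == true && !globus_identity.to_s.empty?
  end
end

GLOBUS_ONLY_MESSAGE =
  "This account requires Globus to authenticate; password reset is unavailable."

# Stand-in for the controller action behind the "reset password" form.
# Returns a result hash and never touches `reset_password` on a
# Globus-only account, so the next login cannot hit the reset state.
def request_password_reset(account)
  if account.globus_only?
    return { ok: false, message: GLOBUS_ONLY_MESSAGE }
  end
  account.reset_password = true
  { ok: true, message: "Password reset requested." }
end

# Constructed sample accounts covering the three states in the report.
def sample_accounts
  {
    # Forced link already made; password and salt wiped.
    linked: Account.new(login: "alice", crypted_password: nil, salt: nil,
                        reset_password: false, globus_required: true,
                        globus_identity: "constructed-identity-0001"),
    # Forced link requested but the user has not logged in yet.
    pending: Account.new(login: "bob", crypted_password: "x", salt: "y",
                         reset_password: false, globus_required: true,
                         globus_identity: nil),
    # Ordinary password account.
    local: Account.new(login: "carol", crypted_password: "x", salt: "y",
                       reset_password: false, globus_required: false,
                       globus_identity: nil)
  }
end
```
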