From Mageia wiki

Password reset

Normally, a user can go to https://identity.mageia.org/forgot_password and request a password reset on his/her own. This feature is disabled for some accounts, in which case the user must contact sysadmin to perform a reset.

Request Verification

It's vital to verify the request first to avoid an account takeover by a malicious actor. Use one of the procedures at SOP Change user e-mail#Request_Verification if possible, although all of those assume the user can still log in by some means.

If those aren't possible, e-mail the user with a random word and have him/her reply to sysadmin AT group DOT mageia DOT org. That validates that the user has access to e-mail sent to that address. Check the headers of the received e-mail to see if there is a valid DKIM header (verify it, don't just assume it's OK), which provides a degree of proof the e-mail was actually sent by the authorized user. Mageia servers don't add a header verifying SPF as of this writing, so that can't be checked on that e-mail to sysadmin. If the user e-mails you directly and your mail server checks SPF and adds a header with the result of the check, it's a much weaker validation but still something.

Reset password

The password reset flow at https://identity.mageia.org/forgot_password isn't appropriate for cases where sysadmin action is necessary. TODO: but maybe there's a simpler way than the temporary password method below.

Update password

Choose a new random, temporary password for the user and hash it with the command:

$ slappasswd -h '{SSHA}'

You will be asked to type it in twice. The result is a string like {SSHA}xyzzyxyzzy, which is the salted password hash to be stored in LDAP. Run this command on duvel, replacing USERUID with the user's uid and xyzzyxyzzy with the actual hashed password ($USER is entered literally and will automatically be replaced by your own current user login):

$ ldapmodify -H ldaps://ldap.mageia.org -D "uid=$USER,ou=People,dc=mageia,dc=org" -W <<EOF
dn: uid=USERUID,ou=People,dc=mageia,dc=org
changetype: modify
replace: userPassword
userPassword: {SSHA}xyzzyxyzzy
EOF

E-mail the user (from an account for which SMTP over TLS is enabled) with the temporary password and instructions to go to https://identity.mageia.org/ and change it immediately. Check that the user has done so by running:

$ ldapsearch -H ldaps://ldap.mageia.org -b ou=People,dc=mageia,dc=org -D uid=$USER,ou=People,dc=mageia,dc=org -W '(uid=USERUID)'

The userPassword:: field is base64-encoded, so decode it with:

$ base64 -d <<< XXXXX

where XXXXX is the string after userPassword::. Ensure that the decoded value differs from the {SSHA} hash you stored; if it is identical, the password has not yet been changed.
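As an added example (not part of this SOP or of Mageia's tooling), the Python below does the last check offline: it unfolds the LDIF that ldapsearch prints, base64-decodes userPassword::, and tests whether the entry still verifies against the temporary password. It also shows what the {SSHA} string from slappasswd actually is. The temporary password, the fixed salt and the sample LDIF are constructed for the example.

```python
import base64
import hashlib
import os

# Constructed for this example: a fixed salt keeps the hash reproducible
# (slappasswd picks a random salt on every run).
TEMP_PASSWORD = "Temp-Pass-Example-42"
FIXED_SALT = b"\x01\x02\x03\x04"

def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd -h '{SSHA}' builds it: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt  # 4-byte salt, OpenLDAP default
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; bytes after the 20-byte digest are the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[6:])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

TEMP_HASH = ssha_hash(TEMP_PASSWORD, FIXED_SALT)

def sample_ldif(stored_hash):
    """Constructed stand-in for the ldapsearch output above (userPassword is
    base64-encoded, which LDIF marks with '::')."""
    b64 = base64.b64encode(stored_hash.encode()).decode()
    return ("dn: uid=USERUID,ou=People,dc=mageia,dc=org\n"
            "uid: USERUID\n"
            "userPassword:: " + b64 + "\n")

def stored_hash_from_ldif(ldif):
    """Decoded userPassword value (what 'base64 -d' gives), after unfolding
    LDIF continuation lines (those starting with a space)."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        if line.startswith("userPassword:: "):
            return base64.b64decode(line[15:]).decode()
    return None

def temp_password_still_set(ldif, temp_password):
    """True while the entry still verifies against the temporary password,
    i.e. the user has not changed it yet."""
    stored = stored_hash_from_ldif(ldif)
    return stored is not None and ssha_verify(temp_password, stored)
```

Verifying against the temporary password rather than comparing hash strings also works when the stored value was regenerated with a different salt.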