Hi Kasun,

Users have a password recovery option to do that. There is no need for the admin to do it. Please correct me if I am wrong.

On Jun 20, 2016 11:41 AM, "Kasun Bandara" <[email protected]> wrote:
> Hi Harsha,
>
> On Mon, Jun 20, 2016 at 11:27 AM, Harsha Thirimanna <[email protected]> wrote:
>
>> Hi Isura,
>>
>> I have one concern; please read the inline comments.
>>
>> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I am working on $subject for the WSO2 Identity Server 5.3.0 release.
>>> Following are the currently identified improvements:
>>>
>>> - Password History -
>>>
>>> The last 'n' passwords need to be maintained in the user's history.
>>> When a user updates his password, we don't allow him to choose one of these
>>> 'n' passwords again.
>>>
>>> - Periodic Password Reset -
>>>
>>> Force the user to periodically (configurable period) reset his password.
>>> When doing this we need to leverage the password history feature as well.
>>>
>>> CREATE TABLE IF NOT EXISTS idn_password_history_data
>>> (
>>>     user_name    VARCHAR(255) NOT NULL,
>>>     user_domain  VARCHAR(255) NOT NULL,
>>>     tenant_id    INTEGER DEFAULT -1,
>>>     hash         VARCHAR(255) NOT NULL,
>>>     time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>     PRIMARY KEY (user_name, user_domain, tenant_id, hash)
>>> )
>>>
>>> All the passwords that are supposed to be stored in this table are old
>>> (expired) passwords.
>>>
>>> - I think we don't need to use the same password hashing algorithm
>>> (with or without a salt value) that is defined in user-mgt.xml for password
>>> history validation.
>>> - Admin users can change other users' passwords without giving their old
>>> passwords. In that case, how can we find the old password hash value to
>>> store for password history validation?
>>>
>> Do we allow the admin user to change a user's password? Is that correct
>> practice?
>>
> I think this is a valid use case when a user forgets the password: the admin
> first resets the password to some random value. Subsequently the user can
> change the password after the first login.
>
>>> Your comments and suggestions are highly appreciated.
>>>
>>> Thanks
>>> Isura.
>>>
>>> Isura Dilhara Karunaratne
>>> Senior Software Engineer
>>>
>>> Mob +94 772 254 810
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Kasun Bandara
> Software Engineer
> Mobile : +94 (0) 718 338 360
> [email protected]
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
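As an added example (not code from WSO2 Identity Server or from anyone on this thread), the following Python sketches how the password-history and periodic-reset rules discussed above could be enforced against a store shaped like the proposed idn_password_history_data table. Everything beyond the thread is an assumption of this example: rows are keyed by (user_name, user_domain, tenant_id); history entries are hashed with PBKDF2-HMAC-SHA256 and a per-entry random salt, independent of the algorithm user-mgt.xml configures for the live credential; the salt and iteration count are folded into the single hash column as a self-describing string so no extra column is needed; and the hash is recorded whenever a password is set, including an admin reset, so the history never needs the old password that the admin does not have.

```python
"""Password-history and periodic-reset checks (illustrative example only).

In-memory stand-in for the idn_password_history_data table from the thread.
Rows are keyed by (user_name, user_domain, tenant_id) and hold a
self-describing hash string plus the time the entry was created.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumption of this example: PBKDF2-HMAC-SHA256 with a 16-byte random salt
# per entry. The encoded string is well under the 255-character column:
# "pbkdf2_sha256$<iterations>$<32 hex salt>$<64 hex digest>".
ITERATIONS = 50_000

# Fixed reference time for the demo and tests (constructed, not real data).
EXAMPLE_T0 = datetime(2016, 6, 20, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    return timedelta(days=n)


def make_history_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password for the history table with its own random salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def matches_history_hash(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt stored in the entry and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme: never treat it as a match
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class PasswordHistory:
    """Keeps the newest `history_count` entries per (user_name, user_domain, tenant_id)."""

    def __init__(self, history_count: int = 5) -> None:
        self.history_count = history_count
        self._rows: Dict[Tuple[str, str, int], List[Tuple[str, datetime]]] = {}

    def record(self, key: Tuple[str, str, int], password: str, now: datetime) -> None:
        rows = self._rows.setdefault(key, [])
        rows.append((make_history_hash(password), now))
        del rows[: -self.history_count]  # drop everything older than the last n

    def is_reused(self, key: Tuple[str, str, int], candidate: str) -> bool:
        # Each entry has its own salt, so every stored hash must be checked.
        return any(matches_history_hash(candidate, h) for h, _ in self._rows.get(key, []))

    def reset_due(self, key: Tuple[str, str, int], now: datetime, max_age: timedelta) -> bool:
        """Periodic reset: due when the newest entry is at least max_age old (or there is none)."""
        rows = self._rows.get(key)
        if not rows:
            return True
        return now - rows[-1][1] >= max_age


def set_password(history: PasswordHistory, key: Tuple[str, str, int],
                 new_password: str, now: datetime) -> bool:
    """Apply the history rule on every password set, whether by the user or an admin.

    Hashing at set time (rather than when the password is replaced) means an
    admin reset to a random value is recorded like any other change, so the
    old password is never needed. Returns False if the password was reused.
    """
    if history.is_reused(key, new_password):
        return False
    history.record(key, new_password, now)
    return True


if __name__ == "__main__":
    h = PasswordHistory(history_count=2)
    alice = ("alice", "PRIMARY", -1)
    print(set_password(h, alice, "first-Pa55", EXAMPLE_T0))             # True
    print(set_password(h, alice, "second-Pa55", EXAMPLE_T0 + days(1)))  # True
    print(set_password(h, alice, "first-Pa55", EXAMPLE_T0 + days(2)))   # False: in last 2
    print(set_password(h, alice, "third-Pa55", EXAMPLE_T0 + days(2)))   # True
    print(h.is_reused(alice, "first-Pa55"))                             # False: aged out
    print(h.reset_due(alice, EXAMPLE_T0 + days(100), days(90)))         # True
```

The history table only ever sees the per-entry hash string, so a history entry cannot be compared against the live credential's hash from user-mgt.xml; the candidate plaintext, which is available at change time, is re-hashed against each stored salt instead.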
