Hi Harsha,

Agree. This use case is normally valid when the password recovery option
is disabled.

Thanks,
Kasun.

On Mon, Jun 20, 2016 at 12:04 PM, Harsha Thirimanna <[email protected]> wrote:

> Hi Kasun,
>
> The user has a password recovery option to do that. No need to do that
> by admin. Please correct me if I am wrong.
>
> On Jun 20, 2016 11:41 AM, "Kasun Bandara" <[email protected]> wrote:
>
>> Hi Harsha,
>>
>> On Mon, Jun 20, 2016 at 11:27 AM, Harsha Thirimanna <[email protected]>
>> wrote:
>>
>>> Hi Isura,
>>>
>>> I have one concern, please read the inline comments.
>>>
>>> On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I am working on $subject for the WSO2 Identity Server 5.3.0 release.
>>>> Following are the currently identified improvements:
>>>>
>>>> - Password History -
>>>>
>>>> The last 'n' passwords need to be maintained in the user's history.
>>>> When the user updates his password we don't allow him to choose one
>>>> of these 'n' passwords again.
>>>>
>>>> - Periodic Password Reset -
>>>>
>>>> Force the user to periodically (configurable period) reset his
>>>> password. When doing this we need to leverage the password history
>>>> feature as well.
>>>>
>>>> CREATE TABLE IF NOT EXISTS idn_password_history_data
>>>> (
>>>>     user_name    VARCHAR(255) NOT NULL,
>>>>     user_domain  VARCHAR(255) NOT NULL,
>>>>     tenant_id    INTEGER DEFAULT -1,
>>>>     hash         VARCHAR(255) NOT NULL,
>>>>     time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>>     PRIMARY KEY (user_name, user_domain, tenant_id, hash)
>>>> )
>>>>
>>>> All the passwords which are supposed to be stored in this table are
>>>> old passwords (expired).
>>>>
>>>> - I think we don't need to use the same password hashing algorithm
>>>> (with or without a salt value) which is defined in user-mgt.xml for
>>>> password history validation.
>>>> - Admin users can change other users' passwords without giving their
>>>> old passwords. In that case, how can we find the old password hash
>>>> value to store for password history validation?
>>>
>>> *Do we allow the admin user to change a user's password? Is that
>>> correct practice?*
>>
>> I think this is a valid use case when the user forgets the password,
>> which allows the admin to first reset the password with some random
>> value. Subsequently the user can alter the password after the first
>> login.
>>
>>>> Your comments and suggestions are highly appreciated.
>>>>
>>>> Thanks
>>>> Isura.
>>>>
>>>> Isura Dilhara Karunaratne
>>>> Senior Software Engineer
>>>>
>>>> Mob +94 772 254 810
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>> --
>> Kasun Bandara
>> *Software Engineer*
>> Mobile : +94 (0) 718 338 360
>> [email protected]

--
Kasun Bandara
*Software Engineer*
Mobile : +94 (0) 718 338 360
[email protected]
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
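The two features proposed in the thread (last-n password history and a periodic reset driven off the same table), as an added example that is not WSO2 Identity Server code. It uses the proposed `idn_password_history_data` schema in an in-memory SQLite database. The assumptions are mine: the history size `n` and the maximum password age are module constants; the `hash` column holds a PBKDF2-HMAC-SHA256 digest with its own random salt, independent of the algorithm in user-mgt.xml, as Isura suggests; and a history row is written whenever a password is *set*, whether by the user or by an admin, so the admin-reset case raised in the thread never needs the old password at change time (this differs from the proposal, where only expired passwords are stored). User names, domain, tenant id and passwords in `demo()` are constructed test data.

```python
"""Password history and periodic-reset checks over the proposed table (added example)."""
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

HISTORY_SIZE = 5                       # 'n': current password plus the previous n-1 (assumed)
PASSWORD_MAX_AGE = timedelta(days=90)  # the configurable period for periodic reset (assumed)
PBKDF2_ITERATIONS = 100_000            # per-entry work factor; raise for production use

# The table from the thread, with the stray trailing comma before ')' removed.
SCHEMA = """
CREATE TABLE IF NOT EXISTS idn_password_history_data
(
    user_name    VARCHAR(255) NOT NULL,
    user_domain  VARCHAR(255) NOT NULL,
    tenant_id    INTEGER DEFAULT -1,
    hash         VARCHAR(255) NOT NULL,
    time_created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    PRIMARY KEY (user_name, user_domain, tenant_id, hash)
)
"""


def history_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'. A fresh 16-byte salt per row means two rows for the
    same password look unrelated, and the scheme is independent of the user store's."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def history_hash_matches(password: str, stored: str) -> bool:
    """Re-derive with the row's own salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(history_hash(password, bytes.fromhex(salt_hex)), stored)


class PasswordHistoryStore:
    def __init__(self, conn: Optional[sqlite3.Connection] = None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)

    def entries(self, user, domain, tenant):
        """(hash, time_created) rows for one user, newest first (ISO timestamps sort as text)."""
        return self.conn.execute(
            "SELECT hash, time_created FROM idn_password_history_data "
            "WHERE user_name=? AND user_domain=? AND tenant_id=? "
            "ORDER BY time_created DESC", (user, domain, tenant)).fetchall()

    def is_reused(self, user, domain, tenant, candidate: str) -> bool:
        # Each row has its own salt, so the candidate is re-hashed once per row.
        return any(history_hash_matches(candidate, h) for h, _ in self.entries(user, domain, tenant))

    def must_reset(self, user, domain, tenant, now: Optional[datetime] = None) -> bool:
        """Periodic reset: due once the newest row is PASSWORD_MAX_AGE old, or if none exists."""
        now = now or datetime.now(timezone.utc)
        rows = self.entries(user, domain, tenant)
        if not rows:
            return True
        return now - datetime.fromisoformat(rows[0][1]) >= PASSWORD_MAX_AGE

    def set_password(self, user, domain, tenant, new_password: str,
                     now: Optional[datetime] = None) -> bool:
        """Reject a password found in the last n rows; otherwise record it and trim to n."""
        if self.is_reused(user, domain, tenant, new_password):
            return False
        now = now or datetime.now(timezone.utc)
        self.conn.execute(
            "INSERT INTO idn_password_history_data "
            "(user_name, user_domain, tenant_id, hash, time_created) VALUES (?, ?, ?, ?, ?)",
            (user, domain, tenant, history_hash(new_password), now.isoformat()))
        self.conn.execute(
            "DELETE FROM idn_password_history_data "
            "WHERE user_name=? AND user_domain=? AND tenant_id=? AND hash NOT IN ("
            "  SELECT hash FROM idn_password_history_data "
            "  WHERE user_name=? AND user_domain=? AND tenant_id=? "
            "  ORDER BY time_created DESC LIMIT ?)",
            (user, domain, tenant, user, domain, tenant, HISTORY_SIZE))
        self.conn.commit()
        return True


def demo() -> dict:
    """Admin reset followed by user changes, on constructed data; returns each check's result."""
    store = PasswordHistoryStore()
    key = ("isura", "PRIMARY", -1)
    t0 = datetime(2016, 6, 20, 10, 52, tzinfo=timezone.utc)
    day = lambda d: t0 + timedelta(days=d)
    out = {"reset_required_before_any_password": store.must_reset(*key, now=t0)}
    out["admin_sets_random_value"] = store.set_password(*key, "Tmp-9f3a!xQ", now=day(0))
    out["user_repeats_admin_value"] = store.set_password(*key, "Tmp-9f3a!xQ", now=day(1))
    out["user_sets_new"] = store.set_password(*key, "S3cure-pass-1", now=day(1))
    out["user_repeats_previous"] = store.set_password(*key, "Tmp-9f3a!xQ", now=day(2))
    for i in range(2, HISTORY_SIZE + 2):          # push the admin value out of the last n
        store.set_password(*key, f"S3cure-pass-{i}", now=day(i))
    out["rows_kept"] = len(store.entries(*key))
    out["oldest_aged_out_reusable"] = store.set_password(*key, "Tmp-9f3a!xQ", now=day(HISTORY_SIZE + 3))
    out["reset_due_after_max_age"] = store.must_reset(*key, now=day(HISTORY_SIZE + 3) + PASSWORD_MAX_AGE)
    return out


if __name__ == "__main__":
    print(demo())
```

Because every row carries its own salt, a reuse check costs n PBKDF2 derivations rather than one; that is acceptable for a password change but is the reason n should stay small. The composite primary key from the proposal works here only because the random salt makes each stored hash distinct; if the same deterministic hash were stored twice the second insert would fail, so a real implementation should treat that as a condition to handle rather than an invariant.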
