On 6/8/2012 10:52 AM, Petr Vobornik wrote:
and now the patch...
On 06/08/2012 05:51 PM, Petr Vobornik wrote:
For those of you who are only interest in user perspective I prepared a
set of screenshots to demonstrate workflow of password reset:
http://pvoborni.fedorapeople.org/ux/reset_password_workflow.png

Patch depends on mkosek #274.

Web UI was missing a way how to reset expired password for normal user.
Recent server patch added API for such task. This patch is adding reset
password form to unautorized dialog.

If user tries to login using form-based authentication and his password
is expired login form transforms to reset password form. The username
and current password is populated by values from previous login attempt.
User than have to enter new password and its verification. Then he can
hit enter button on keyboard or click on reset button on dialog to
perform the password reset. Error is displayed if some part of password
reset fails. If it is successful new login with values entered for
password reset is performed. It should login the user. In password reset
form user can click on back button or hit escape on keyboard to go back
to login form.

https://fedorahosted.org/freeipa/ticket/2755

It works with mkosek 274-2. Some comments:

1. If you click 'form-based authentication' the dialog title still shows 'Kerberos ticket no longer valid' which is not relevant for form-based authentication. It might be better to use 'Login' as the title for all pages in this dialog.

2. Instead of having to go to a separate page for form-based authentication, would it be better to change the first page in the login dialog to show the login form? Something like this:

    Login
    -----------------------------------------------------

      Your session has expired. Please re-login.

      To login with username and password:

        Username:        [edewata                  ]
        Password:        [********                 ]

                                             [Login]

      To login with Kerberos, please make sure you
      have valid tickets (obtainable via kinit) and
      [configured] the browser correctly.

                               [Login with Kerberos]

The two login mechanisms can be shown at the same time like above or in collapsible sections. If the user enters a password and it's expired, the dialog will change into:

    Login
    -----------------------------------------------------

      Your password has expired. Please enter a new
      password:

        Username:        edewata
        New Password:    [********                 ]
        Verify Password: [********                 ]

                 [Reset Password and Login] [Cancel]

In this page the username is shown for info only, it's not editable. The old password is not shown again, but kept in memory. I use Cancel instead of Back to indicate that we are starting over. The Cancel button will bring you back to the first page.

3. I noticed that the password is kept in memory too long by the login dialog so if you go back and forth between the pages the fields are already populated. This might be a security risk. I think the username & password should be cleaned up when you click Back/Cancel.

4. Is there a plan to provide password reset via email?

--
Endi S. Dewata

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to