I'll address all issues once we decide on the solution.

On 06/13/2012 01:24 AM, Endi Sukma Dewata wrote:
On 6/8/2012 10:52 AM, Petr Vobornik wrote:
and now the patch...
On 06/08/2012 05:51 PM, Petr Vobornik wrote:
For those of you who are only interest in user perspective I prepared a
set of screenshots to demonstrate workflow of password reset:

Patch depends on mkosek #274.

Web UI was missing a way how to reset expired password for normal user.
Recent server patch added API for such task. This patch is adding reset
password form to unautorized dialog.

If user tries to login using form-based authentication and his password
is expired login form transforms to reset password form. The username
and current password is populated by values from previous login attempt.
User than have to enter new password and its verification. Then he can
hit enter button on keyboard or click on reset button on dialog to
perform the password reset. Error is displayed if some part of password
reset fails. If it is successful new login with values entered for
password reset is performed. It should login the user. In password reset
form user can click on back button or hit escape on keyboard to go back
to login form.


It works with mkosek 274-2. Some comments:

1. If you click 'form-based authentication the dialog title still shows
'Kerberos ticket no longer valid' which is not relevant for form-based
authentication. It might be better to use 'Login' as the title for all
pages in this dialog.


2. Instead of having to go to a separate page for form-based
authentication, would it be better to change the first page in the login
dialog to show the login form? Something like this:


Your session has expired. Please re-login.

To login with username and password:

Username: [edewata ]
Password: [******** ]


To login with Kerberos, please make sure you
have valid tickets (obtainable via kinit) and
[configured] the browser correctly.

[Login with Kerberos]

The two login mechanisms can be shown at the same time like above or in
collapsible sections. If the user enters a password and it's expired,
the dialog will change into:

I like the idea but I'm not sure about the layout. Having one button inside the dialog seems strange a also it will probably look weird. Collapsible sections are worse because you have to click on them so it slow things down. Current implementation has 'forms-based authentication' link selected so user can in most cases hit enter and immediately write username, password and complete login procedure only by using keyboard.

Also 'Login with Kerberos' is misleading. User login elsewhere (kinit). So current button: 'retry' is more appropriate.


Your password has expired. Please enter a new

Username: edewata
New Password: [******** ]
Verify Password: [******** ]

[Reset Password and Login] [Cancel]

In this page the username is shown for info only, it's not editable. The
old password is not shown again, but kept in memory. I use Cancel
instead of Back to indicate that we are starting over. The Cancel button
will bring you back to the first page.

Little change, but can be probably more straightforward - will do.

2a. The dialog uses headers in title (the one from #1) and a headers inside (login, reset password). From your examples I'm not sure if you would like to:
a) remove the inside headers
b) change them to 'login' everywhere
c) keep them unchanged

3. I noticed that the password is kept in memory too long by the login
dialog so if you go back and forth between the pages the fields are
already populated. This might be a security risk. I think the username &
password should be cleaned up when you click Back/Cancel.


4. Is there a plan to provide password reset via email?

I don't think so. I'm not sure if it is even useful for Freeipa. One of main purposes for Freeipa is SSO and I guess company mail would be kerberized too. So if you forget the password, you can't login, reset and even access mail. I guess using external mail is not the way to go. Maybe it is useful if company uses additional authentication mechanism like pin + token or other.

Petr Vobornik

Freeipa-devel mailing list

Reply via email to