<PRE> <PRE> <PRE>
Hi all, The thread below (please read bottom-up) tracks a recent jadmin discussion on a problem a number of us have encountered: when user auto-registration is turned off, the jabberd server seems to cache old passwords after users change them. The thread ran out of gas, with a few unanswered questions. 1) How / why does the password caching work?. I haven't found anything on change-of-password in the protocol / JEP / design docs I've looked through. 2.) Where's the right place for me to submit a bug / feature request -- against jabberd 1.4.2 (if maintenance work continues there) or 2.0, or someplace else? Thanks, Tim -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ralph Siemsen Sent: Thursday, December 05, 2002 2:19 AM To: [EMAIL PROTECTED] Subject: Re: [jadmin] not allowing auto registration - no password change Tim Klem wrote: > After step 3, if I then insert a step 3.5 and immediately revert to the old > password, it succeeds. Following this, the new-password login in step 4 > fails, and I'm back to step 2 -- I can only log in with the old password > until the cache expires (???), and can't make it to step 4. So it seems like > the step 3 "priming the pump" gets clobbered somehow. Yes, confirmed here as well. > Does anyone know how the caching works? I've stared at the code and read all the docs I cou ld find but haven't been able to figure out why it behaves this way. -R -----Origi nal Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Klem Sent: Wednesday, December 04, 2002 12:16 AM To: [EMAIL PROTECTED] Subject: RE: [jadmin] not allowing auto registration - no password change Ralph Siemsen wrote: > So the sequence appears to be: > 1) Change your password > 2) You can continue to login with you old password > 3) Try logging in with n ew password (or random gabage) - will fail > 4) Log in with new password - now the password change is complete. Thanks Ralph, that helps. If I follow your 4 steps, I have the same experience. One additional data point to add: After step 3, if I then insert a step 3.5 and immediately revert to the old password, it succeeds. Following this, the new-password login in step 4 fails, and I'm back to step 2 -- I can only log in with the old password until the cache expires (???), and can't make it to step 4. So it seems like the step 3 "priming the pump" gets clobbered somehow. Does anyone know how the caching works? Thanks, Tim -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ralph Siemsen Sent: Tuesday, December 03, 2002 10:21 PM To: [EMAIL PROTECTED] Subject: Re: [jadmin] not allowing auto registration - no password change Tim Klem wrote: > My setup does have some peculiarities, though: > - The server seems to take a while to begin using the new password, so a > user who changes password, > logs out, and logs right back in still must use the old one. By "a while" > I mean many minutes. > If I restart jabberd, the new one must be used. Dunno what's being cached > where. ??? I noticed this problem as well with a variety of clients (Exodus, Gabber, JIM, ...). After some investigation I found a few more interesting facts, though I haven't got a good solution: * When 0k authentication is used, password changes take effect immediately and work exactly as you would expect. * When 0k is removed from the available authentication methods on the server, all clients exhibit the password-change-delay problem. Moreover, the delay seems to be more of a cache issue. It appears that the old password remains valid until an unsuccessful login attempt is made (be it with the new password, or a totally incorrect on). At that time, the server appears to start using the new password. Subsequently, the new password works and the old one stops working. So the sequence appears to be: 1) Change your password 2) You can continue to login with you old password 3) Try logging in with new password (or random gabage) - will fail 4) Log in with new password - now the password change is complete. -Ralph -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dushyanth Harinath Sent: Tuesday, December 03, 2002 11: 41 AM To: [EMAIL PROTECTED] Subject: Re: [jadmin] not allowing auto registration - no password change Hi , * <[EMAIL PROTECTED]> wrote from a remote bunker : > My setup does have some peculiarities, though: > - The server seems to take a while to begin using the new password, so a > user who changes password, > logs out, and logs right back in still must use the old one. By "a while" > I mean many minutes. > If I restart jabberd, the new one must be used. Dunno what's being cached > where. ??? This happens with me too. I have only mod_auth_plain enabled, mod_register & register notify turned off, timeout set to 0 in xdb and using jcac to create accounts. > - Using Exodus 0.7.0.4, the password change gets made; however, it always > gives an error > message "Error changing password". Same here. happens with tkabber-0.98beta too. > Not exactly ideal! =) Yeah. cheers dushyanth -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Klem Sent: Tuesday, December 03, 2002 10:46 AM To: [EMAIL PROTECTED] Subject: RE: [jadmin] not allowing auto registration - no password change Hi Alan, In my setup, auto-register is off, but users can change passwords. In jabber.xml, I've left the jabber:iq:register module in, and just commented out the register option. I'm storing the passwords in a MySQL database, and I see the passwords updated there immediately after the client issues the command. (I've also hacked my xdb_sql.xml to ensure that no a ccounts can get created via jabberd.) My setup does have some peculiarities, though: - The server seems to take a while to begin using the new password, so a user who changes password, logs out, and logs right back in still must use the old one. By "a while" I mean many minutes. If I restart jabberd, the new one must be used. Dunno what's being cac hed where. ??? - Using Exodus 0.7.0.4, the password change gets made; however, it always gives an error message "Error changing password". - Using Psi 0.8.7, the change also gets made; the error here reads "There was an error when trying to set the password. Not found." Not exactly ideal! =) Tim -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Peter Saint-Andre Sent: Tuesday, December 03, 2002 7:02 AM To: [EMAIL PROTECTED] Subject: Re: [jadmin] not allowing auto registration - no password change Nope, they can't because you've commented out the code that handles the jababer:iq:register namespace. Hmm, hadn't thought of that before... Peter -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.php On Wed, 20 Nov 2002, Alan B wrote: > I asked this before but it seems to have gotten lost in the shuffle of other > issues I was addressing so I will try again... > > If you shut off auto registration and manually create users is there anyway > a user can change their password? It appears they can not. > > Thanks, > Alan _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber.org/listinfo/jdev </PRE> _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber .org/listinfo/jdev </PRE> _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber.org/listinfo/jdev </PRE> _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber.org/listinfo/jdev
