
Option to set user password only for new users

Open gruberrolandvaltech opened this issue 7 years ago • 5 comments

Setting the initial password for users is a great benefit. But when the user changes the password, it will be overwritten on the next deploy. An option to set passwords for new accounts only would be great.

gruberrolandvaltech avatar Jul 19 '18 13:07 gruberrolandvaltech

@gruberrolandvaltech Not sure if it is the best idea to encourage having production passwords (even if it is only the initial passwords) in the yaml files - do you have a separate SCM repo for sensitive production secrets then? (I suppose you don't put those files in regular releases)

ghenzler avatar Jul 26 '18 18:07 ghenzler

AEM allows enforcing a password change when you log in for the first time with the initial password. So this would allow an easy way to provision instances with users (also depending on run mode).

gruberrolandvaltech avatar Jul 27 '18 05:07 gruberrolandvaltech

But what password would you choose? Would it be the same for all users? Then the first user can guess the username of other users and use his initial password to login with another user. If you set a different password for each user, the initial passwords are still in version control where they don't belong.

I think it would be better to have a flag createInitialPassword that would, in the case where a user does not exist, create a random password, set it on the user's profile and send it to the user's email address. This is then secure regardless of whether you use [1] or not.

[1] https://jackrabbit.apache.org/oak/docs/security/user/expiry.html

ghenzler avatar Jul 27 '18 18:07 ghenzler

We would use it mainly for our preprod environment. So not an issue about the passwords. The email sending conflicts with our mail server setup. We use a special SMTP server that redirects mails to a test mailbox for non-production servers.

gruberrolandvaltech avatar Jul 30 '18 08:07 gruberrolandvaltech

This approach is also outlined in #439 (https://helpx.adobe.com/experience-manager/6-2/sites/developing/using/reference-materials/javadoc/com/adobe/cq/account/api/AccountManagementService.html). The email sending would be done via https://helpx.adobe.com/experience-manager/6-2/sites/developing/using/reference-materials/javadoc/com/adobe/cq/account/api/AccountManagementService.html#requestPasswordReset(java.lang.String,%20java.lang.String,%20java.lang.String).

kwin avatar Feb 28 '20 16:02 kwin