Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-April/003408.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2011-April/003408.html | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-April/003408.html b/zarb-ml/mageia-sysadm/2011-April/003408.html new file mode 100644 index 000000000..8adbaea54 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-April/003408.html 
@@ -0,0 +1,120 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Invalid account + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Invalid%20account&In-Reply-To=%3C1303986361.16679.228.camel%40akroma.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="003407.html"> + <LINK REL="Next" HREF="003409.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Invalid account</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Invalid%20account&In-Reply-To=%3C1303986361.16679.228.camel%40akroma.ephaone.org%3E" + TITLE="[Mageia-sysadm] Invalid account">misc at zarb.org + </A><BR> + <I>Thu Apr 28 12:26:01 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="003407.html">[Mageia-sysadm] Invalid account +</A></li> + <LI>Next message: <A HREF="003409.html">[Mageia-sysadm] Fwd: packaging account for who comes from mandriva +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3408">[ date ]</a> + <a href="thread.html#3408">[ thread ]</a> + <a href="subject.html#3408">[ subject ]</a> + <a href="author.html#3408">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le jeudi 28 avril 2011 à 10:08 +0200, Romain d'Alverny a écrit : +><i> On Thu, Apr 28, 2011 at 01:42, Michael Scherer <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">misc at zarb.org</A>> wrote: +</I>><i> >> Would you be kind enough to erase my account when you have a little time. I'd +</I>><i> >> like to get back my account with the same nickname : Petronov. +</I>><i> > +</I>><i> > Well, the question is "how can we be sure that the erasure demand is +</I>><i> > legit". 
Ie, if the account is in used, we cannot check it ( unless we go +</I>><i> > on every applications to seek ). +</I>><i> +</I>><i> Well, we need once more a policy about this. +</I>><i> +</I>><i> Could be: +</I>><i> - notifying each application of account removal, so that each app +</I>><i> decide, after its own policy, either to drop the account and +</I>><i> associated data, either to anonymize it (for better or worse) - that +</I>><i> was the direction we aimed to at mdv; +</I>><i> - not doing anything, provided there's a warning at account creation +</I>><i> about this - but that's unlikely to be a legal option in France where +</I>><i> servers are hosted. +</I>><i> +</I>><i> Either way, an account removal/deletion process should include a +</I>><i> double verification against the email account (sending a removal +</I>><i> confirmation email with a time-limited action link that in turn, +</I>><i> authenticates and asks again the user about removing the account). +</I> +For the sake of simplicity, I would simply say that account removal +should be exceptional if used. My point was more "how can do I know that +the mail is sent by the real account owner". + +IE, since a mail can be faked without trouble, we need more than "can +you reset my password" to do it :) + + +><i> > I guess since the password was never changed, that the account was +</I>><i> > indeed unused. I can either erase it, or change the email. +</I>><i> > +</I>><i> > For the record, here is the ldap query I used on valstar : +</I>><i> > ldapsearch -L -h localhost -b "dc=mageia,dc=org" -D +</I>><i> > "uid=misc,ou=People,dc=mageia,dc=org" -Z -W +</I>><i> > '(&(objectClass=inetOrgPerson)(!(pwdChangedTime=*)))' cn uid mail +</I>><i> > +</I>><i> > We do have 27 non activated account, I guess we could decide to prune +</I>><i> > them sooner or later ? +</I>><i> +</I>><i> Is there a way for a non-activated account to fetch back an activation +</I>><i> link somehow? 
(in case of forgotten/deleted link) +</I> +Nope. + +><i> Without activation, 15 days could be enough, provided we can be sure +</I>><i> the account has really not been used. +</I> +If the password was not changed ( as seen by the ldap request), then it +is likely that no one used it. + +Now, someone could have not clicked on the link, and used the password +in the url to log on bugzilla/etc, but this is seems highly improbable. +I am not sure that this could even be done, maybe the account is +inactive until someone change the password, I need to look. + +-- +Michael Scherer + +</PRE> + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="003407.html">[Mageia-sysadm] Invalid account +</A></li> + <LI>Next message: <A HREF="003409.html">[Mageia-sysadm] Fwd: packaging account for who comes from mandriva +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#3408">[ date ]</a> + <a href="thread.html#3408">[ thread ]</a> + <a href="subject.html#3408">[ subject ]</a> + <a href="author.html#3408">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
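Review bot: The META line in the HEAD declares charset=us-ascii, but the first line of the PRE body ("Le jeudi 28 avril 2011 à 10:08 +0200, Romain d'Alverny a écrit") contains non-ASCII characters as shown here. Either write them as numeric character references or declare a charset that covers them, otherwise browsers that honour the declaration will render them incorrectly. In the same file, both mailto HREFs (the LINK REL="made" in the HEAD and the author link under the H1) carry a bare & before In-Reply-To; inside an attribute value it should be written as &amp;. Separately, since this archives a sysadm thread verbatim, it is worth confirming that publishing the quoted ldapsearch line with its bind DN and host name, and the count of non-activated accounts, is intended.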