Setting a password for a user

Hello all,

I am a user who has administrative privileges within my RT installation.
That is usually enough but now a situation has come up that I need to
alter an RT password for a user and it has turned out that I need to do
that but can’t - at least not easily.

Here is a discussion I found on the topic:

So it looks like I need to either create/activate user “root” and create a
password for that user (not sure exactly how to do that) or I need to
change my own password - why should I?

At any rate, any insight into what the logic is behind things being this
way would be very helpful. Same for practical advice on how to set things
up in such a way that admin users can modify other users’ passwords by
default through the web GUI.

Thanks in advance.

Cheers,

Boris.

The discussion thread you’ve linked to concerns LDAP, and doesn’t seem
relevant to your case.

If you have the correct privileges (which you seem to), the Modify screen
for another user will have three password boxes: the top one for you to
confirm your password, and the bottom two to actually change the user’s
password. I assume that the requirement to enter your own password at this
stage is for added security, i.e. to prevent someone else using your
logged-in account to gain access to other people’s accounts.

Does this resolve things?

On 16 January 2015 at 14:27, Boris Epstein borepstein@gmail.com wrote:

Hello all,

I am a user who has administrative privileges within my RT installation.
That is usually enough but now a situation has come up that I need to
alter an RT password for a user and it has turned out that I need to do
that but can’t - at least not easily.

Here is a discussion I found on the topic:

Carbon60: Managed Cloud Services

So it looks like I need to either create/activate user “root” and create a
password for that user (not sure exactly how to do that) or I need to
change my own password - why should I?

At any rate, any insight into what the logic is behind things being this
way would be very helpful. Same for practical advice on how to set things
up in such a way that admin users can modify other users’ passwords by
default through the web GUI.

Thanks in advance.

Cheers,

Boris.

Hi Alex,

Thanks for the reply.

We actually do import passwords from LDAP for users that are in LDAP. But
is it possible to also have users who are not in LDAP - and be able to
change their passwords? I am sorry, I must be missing something but I still
don’t quite see the logic of the arrangement in place.

Cheers,

Boris.

On Thu, Jan 15, 2015 at 11:34 PM, Alex Peters alex@peters.net wrote:

The discussion thread you’ve linked to concerns LDAP, and doesn’t seem
relevant to your case.

If you have the correct privileges (which you seem to), the Modify screen
for another user will have three password boxes: the top one for you to
confirm your password, and the bottom two to actually change the user’s
password. I assume that the requirement to enter your own password at this
stage is for added security, i.e. to prevent someone else using your
logged-in account to gain access to other people’s accounts.

Does this resolve things?

Alex,

I finally resolved the issue by setting up the password for user root using
this command:

perl -I/opt/rt4/local/lib -I/opt/rt4/lib \
  -MRT -MRT::User \
  -e'RT::LoadConfig(); RT::Init(); my $u = RT::User->new($RT::SystemUser);
  $u->Load("root"); $u->SetPassword("secret")'

borrowed from here: http://requesttracker.wikia.com/wiki/RecoverRootPassword

and then logging in as root. As soon as I did I saw the tabs for password
entry and was able to set a password for the user in question.

I guess the question still remains, what is the rationale behind me being
unable to do so just as a user with admin privileges.

Thanks.

Boris.

On Fri, Jan 16, 2015 at 9:34 AM, Boris Epstein borepstein@gmail.com wrote:

Hi Alex,

Thanks for the reply.

We actually do import passwords from LDAP for users that are in LDAP. But
is it possible to also have users who are not in LDAP - and be able to
change their passwords? I am sorry, I must be missing something but I still
don’t quite see the logic of the arrangement in place.

Cheers,

Boris.

When you say in your original message that you seem to be required to
change your own password in order to change someone else’s, can you please
describe what is being shown to you in RT’s interface at that point?

I’m still expecting that you’re being shown three password entry boxes on
users’ Modify pages when you’re logged in. One should be asking for your
password, and the other two should be asking for that user’s new password.
What’s being shown to you if that’s incorrect?

On Sat, 17 Jan 2015 6:56 am Boris Epstein borepstein@gmail.com wrote:

Alex,

I finally resolved the issue by setting up the password for user root using
this command:

perl -I/opt/rt4/local/lib -I/opt/rt4/lib \
  -MRT -MRT::User \
  -e'RT::LoadConfig(); RT::Init(); my $u = RT::User->new($RT::SystemUser);
  $u->Load("root"); $u->SetPassword("secret")'

borrowed from here:
http://requesttracker.wikia.com/wiki/RecoverRootPassword

and then logging in as root. As soon as I did I saw the tabs for password
entry and was able to set a password for the user in question.

I guess the question still remains, what is the rationale behind me being
unable to do so just as a user with admin privileges.

Thanks.

Boris.

> I guess the question still remains, what is the rationale behind me being unable
> to do so just as a user with admin privileges.

RT requires an admin password to change another password so that
nobody can trick you into clicking on a link that would change (say
root’s) password. This was further mitigated by CSRF protections, but
still seems like a reasonable security precaution.

RT does not know your password when you use RT-Authen-ExternalAuth,
thus it cannot require you to enter it.

RT-Authen-ExternalAuth could be extended to make that additional query
and support it, however, that’s nontrivial development and not
currently planned. If it’s something you require, patches are
welcome, or I’m happy to put you in touch with sales.

-kevin
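
The re-authentication check described in the last reply, as an added example that is not RT's code and not written by anyone in this thread: a password change for another user goes through only when the acting admin supplies their own current password, so a request forged through a logged-in session fails, and an admin who authenticates externally has no local password to check against. The User class, admin_set_password and all account names and passwords are hypothetical and constructed for illustration; the refusal in the external-auth case is modeled on what the thread describes.

```python
import hashlib, hmac, os

def _digest(password, salt):
    # Salted, slow hash; parameters are illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, name, password=None, is_admin=False):
        self.name, self.is_admin = name, is_admin
        self.salt = self.hash = None  # None: authenticated externally, no local password
        if password is not None:
            self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.hash = _digest(password, self.salt)

    def check_password(self, candidate):
        if self.hash is None:
            return False
        return hmac.compare_digest(self.hash, _digest(candidate, self.salt))

def admin_set_password(actor, target, actor_password, new_password):
    """Change target's password only after the acting admin re-authenticates."""
    if not actor.is_admin:
        return False, "actor may not modify users"
    if actor.hash is None:
        return False, "actor has no local password to confirm"
    if not actor_password or not actor.check_password(actor_password):
        return False, "actor's current password missing or wrong"
    target.set_password(new_password)
    return True, "password changed"

if __name__ == "__main__":
    # Constructed accounts, for illustration only.
    root = User("root", password="root-secret", is_admin=True)
    ldap_admin = User("ldap-admin", is_admin=True)
    alice = User("alice", password="old-pass")
    print(admin_set_password(root, alice, None, "forged"))                # refused
    print(admin_set_password(ldap_admin, alice, "ldap-pass", "new-pass")) # refused
    print(admin_set_password(root, alice, "root-secret", "new-pass"))     # allowed
```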