Koozali.org: home of the SME Server

Users changing their own passwords

Phil Kay

Users changing their own passwords
« on: October 26, 2001, 05:44:59 PM »
The SME Server User Manual states that users can change their own passwords by visiting the URL "www.yourdomain.xxx/user-password", and this works great from within the LAN.  However, this page is forbidden outside the LAN.

How would I go about making it possible for users to change their passwords outside the network?

I understand that we could make everyone set up a PPTP connection and that would solve the problem, but the web-based idea is the easiest way to go.

Thanks in advance for your help,
Filk

---------------------------------------------------------------------------
12.1.2. Changing User Passwords
Once they have an active account, your users can set their own passwords by accessing the user-password URL. They do this through their web browsers by visiting the URL www.yourdomain.xxx/user-password (where "www.yourdomain.xxx" is the web server name you entered into the server console). The staff at The Pagan Vegan would visit the URL www.tofu-dog.com/user-password.

To make the change, a user would enter his or her account name (the characters before "@"), the old password and the new password (to ensure accuracy, the screen asks for the new password twice). Note that changing the password for a user in the server manager overrides any previous password entered by your user. Therefore, when a user forgets his password, simply reset it in the server manager.

Dan Brown

Re: Users changing their own passwords
« Reply #1 on: October 26, 2001, 06:23:16 PM »
http://www.e-smith.org/docs/howto/remote-mgr-access-howto.html

This will work for the user-password page as well.

Phil Kay

Re: Users changing their own passwords
« Reply #2 on: October 26, 2001, 06:43:20 PM »
Dan,

Thanks for the quick response.  I had looked at that how-to previously; however, where this gets complicated is that we may (I don't want to get too far ahead of myself, yet) have a lot of users with dial-up ISPs that would utilize the webmail services (primarily).

Following your how-to, you said to keep the range of "permissible IPs" small to maximize security.  What do you think of the security risks of opening up user-password access to everyone?  I know, cringe, but it may be the only choice we have right now.

We are testing SME v5 as an opportunity to replace an NT server that serviced many users (several hundred), most of whom have minimal contact with the local network.

Dan Brown

Re: Users changing their own passwords
« Reply #3 on: October 26, 2001, 07:03:19 PM »
It's not my howto; it was written by Dan York, who actually works for e-smith/Mitel.  I'd like to see the ability to set access separately for the server-manager and user-password pages, but unfortunately that isn't available at the present time.  Basically, the risk is that everybody could hammer away at HTTP authentication to get your admin password, and then hose your server through the manager page.  If you do this, be very sure that you have a secure admin password.
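
Added example, not part of the thread or of SME Server: one way an admin who opens the manager to outside addresses could watch for the password hammering described in the reply above, by counting HTTP 401 responses per source address in the web server access log. The `/server-manager` path, the Apache combined log format, the threshold and window values, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_auth_bursts(lines, manager_prefix="/server-manager",
                       threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak count of 401s on the manager path inside any window}
    for addresses whose peak reaches the threshold. manager_prefix is an
    assumed path; set it to wherever the manager is served."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue
        if not m["path"].startswith(manager_prefix):
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        # A browser's first unauthenticated request also returns 401, so a
        # single 401 per visitor is normal; only repeated failures count.
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample: six failures from one address, one normal login from another.
SAMPLE = [
    f'203.0.113.7 - - [26/Oct/2001:19:00:{s:02d} -0400] "GET /server-manager/ HTTP/1.0" 401 401'
    for s in range(0, 60, 10)
] + [
    '198.51.100.20 - - [26/Oct/2001:19:01:00 -0400] "GET /server-manager/ HTTP/1.0" 401 401',
    '198.51.100.20 - admin [26/Oct/2001:19:01:05 -0400] "GET /server-manager/ HTTP/1.0" 200 2048',
    '198.51.100.20 - - [26/Oct/2001:19:02:00 -0400] "GET /user-password HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, count in failed_auth_bursts(SAMPLE).items():
        print(f"{ip}: {count} failed manager logins within 5 minutes")
```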

Phil Kay

Re: Users changing their own passwords
« Reply #4 on: October 26, 2001, 10:29:49 PM »
Dan:

Thanks for the response, sorry I got mixed up with the HOWTO.  Right now we're trying the following:

We've copied the CGI script and HTML from the user-password directory to a new ibay.  We edited the code to reflect these changes.  Only thing we don't know how to do is make this a secure connection.  Any suggestions?

Phil

Richard Emory

Re: Users changing their own passwords
« Reply #5 on: October 31, 2001, 09:05:25 PM »
I think the following shows how to set up a secure site.  I did it but I forgot how I got it done :|(

http://www.e-smith.org/article.php3&mode=&order=0

http://forums.contribs.org/index.php?topic=11228.msg42266#msg42266