LDAP initial password


We got authentication working with OpenLDAP in KNIME.
The LDAP server locks a user when someone tries to connect too often with the wrong credentials.
It's a manual task to provide the user with a new initial password via an encrypted mail.

A web app (as a workflow or a .jsp web app in Tomcat) could be created as a self-service.
The following steps were executed:

  1. A list of the e-mail addresses of every LDAP user is provided.
  2. The user selects an e-mail address.
  3. A proceed button is clicked; consequently a random number is sent to this e-mail address.
  4. The user has access to this e-mail and enters the random number in a field.
  5. The user proceeds by clicking the 'generate initial password' button, and can proceed if the right random number was entered.
  6. The web app generates a new LDAP password, tests whether the login was successful and, if so, displays the password on the screen.

Can this be done in a workflow? If not, can a .jsp application be installed on the KNIME Tomcat server?
I have done simple .jsp web apps (for the paginated display of table content) in the past, so this is not too difficult a task for me.

Greetings B.Kochs

Hi @b_kochs,
Generally, you can install additional web apps into the Tomcat that comes with KNIME. I would advise you to consult with your LDAP team (unless that is you ;-)) about this topic, though. Providing such functionality must be thoroughly tested and audited to not leave any security holes. The random number you send to the user, for example, must be truly random and fairly large to be unguessable. Maybe it is better to create a random string of sufficient length and then generate a link that contains that string. That way the user does not have to deal with transferring the number at all.
Doing this in a workflow might be possible, but not without some scripting. We do not have any LDAP connectors for workflows, for example. You would also need to make this workflow publicly accessible without login, which you can do by creating an access token for it. I would not advise going that way, though. A properly implemented JSP app is probably the better way.
Kind regards,
Alexander Fillbrunn
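As an added illustration (not code from this thread, KNIME or OpenLDAP), here is how the token and password parts of the flow above could be written in Java for a Tomcat web app, following Alexander's advice to use a long random string carried in a link rather than a number the user retypes. The class name, the in-memory store, the 15-minute lifetime and the 32-byte token size are assumptions; writing the new password to LDAP is not shown because the thread names no LDAP library.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical reset-token service for a self-service initial-password page (Java 16+ for records). */
public class ResetTokenService {
    private static final SecureRandom RNG = new SecureRandom();          // CSPRNG, never java.util.Random
    private static final Duration TOKEN_TTL = Duration.ofMinutes(15);    // assumed lifetime of a link

    // Assumed in-memory store: e-mail -> (SHA-256 of token, expiry). Only the hash is kept, so a
    // leaked store does not reveal live tokens. Use a ConcurrentHashMap in a real servlet.
    private final Map<String, Entry> pending = new HashMap<>();
    private record Entry(byte[] tokenHash, Instant expires) {}

    /** Step 3: issue a 256-bit URL-safe token to embed in the e-mailed link. */
    public String issueToken(String email) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(email, new Entry(sha256(token), Instant.now().plus(TOKEN_TTL)));
        return token;
    }

    /** Steps 4-5: accept the token once, only before expiry, compared in constant time. */
    public boolean redeemToken(String email, String presented) {
        Entry e = pending.get(email);
        if (e == null || Instant.now().isAfter(e.expires())) { pending.remove(email); return false; }
        boolean ok = MessageDigest.isEqual(e.tokenHash(), sha256(presented));
        if (ok) pending.remove(email);   // single use: a replayed link must fail
        return ok;
    }

    /** Step 6: random initial password from a 55-symbol alphabet without look-alike characters;
     *  16 characters give over 90 bits of entropy. */
    public static String generateInitialPassword(int length) {
        String alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(alphabet.charAt(RNG.nextInt(alphabet.length())));
        return sb.toString();
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
}
```

The page that handles the link should also rate-limit redemption attempts per e-mail address and log both successful and failed redemptions, so that the lockout problem the self-service is meant to solve is not simply moved to the reset page.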

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.