[Mageia-sysadm] Invalid account

Michael Scherer misc at zarb.org
Thu Apr 28 12:26:01 CEST 2011


On Thursday 28 April 2011 at 10:08 +0200, Romain d'Alverny wrote:
> On Thu, Apr 28, 2011 at 01:42, Michael Scherer <misc at zarb.org> wrote:
> >> Would you be kind enough to erase my account when you have a little time. I'd
> >> like to get back my account with the same nickname : Petronov.
> >
> > Well, the question is "how can we be sure that the erasure demand is
> > legit". I.e., if the account is in use, we cannot check it (unless we go
> > through every application to look).
> 
> Well, we need once more a policy about this.
> 
> Could be:
>  - notifying each application of account removal, so that each app
> decides, according to its own policy, either to drop the account and
> associated data, or to anonymize it (for better or worse) - that
> was the direction we aimed for at mdv;
>  - not doing anything, provided there's a warning at account creation
> about this - but that's unlikely to be a legal option in France where
> servers are hosted.
> 
> Either way, an account removal/deletion process should include a
> double verification against the email account (sending a removal
> confirmation email with a time-limited action link that in turn,
> authenticates and asks again the user about removing the account).

For the sake of simplicity, I would simply say that account removal
should be exceptional if used. My point was more "how do I know that
the mail is sent by the real account owner".

I.e., since a mail can be faked without trouble, we need more than "can
you reset my password" to do it :)


> > I guess since the password was never changed, that the account was
> > indeed unused. I can either erase it, or change the email.
> >
> > For the record, here is the ldap query I used on valstar :
> > ldapsearch -L -h localhost -b "dc=mageia,dc=org" -D
> > "uid=misc,ou=People,dc=mageia,dc=org" -Z  -W
> > '(&(objectClass=inetOrgPerson)(!(pwdChangedTime=*)))' cn uid  mail
> >
> > We do have 27 non-activated accounts, I guess we could decide to prune
> > them sooner or later?
> 
> Is there a way for a non-activated account to fetch back an activation
> link somehow? (in case of forgotten/deleted link)

Nope.

> Without activation, 15 days could be enough, provided we can be sure
> the account has really not been used.

If the password was not changed (as seen by the ldap request), then it
is likely that no one used it.

Now, someone could have not clicked on the link, and used the password
in the url to log on to bugzilla/etc, but this seems highly improbable.
I am not sure that this could even be done, maybe the account is
inactive until someone changes the password, I need to look.

-- 
Michael Scherer
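The double verification Romain describes above (a confirmation mail carrying a time-limited action link, which then authenticates the visitor and asks once more before removing the account) could be implemented as follows. This is an added example, not code from the Mageia sysadmin team or from the thread; the HMAC token format, the 24-hour lifetime, the `|` separator, the function names and the `petronov` sample uid are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumption: a removal link stays valid for 24 hours.
TOKEN_TTL_SECONDS = 24 * 3600


def mint_removal_token(uid: str, secret: bytes, now: Optional[int] = None,
                       ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build the token embedded in the confirmation mail's action link.

    The token carries the uid, an expiry timestamp and a random nonce,
    and is authenticated with an HMAC under a server-side secret, so a
    forged "please delete me" mail cannot yield a working link.
    (Assumption: uids never contain '|'.)
    """
    now = int(time.time()) if now is None else int(now)
    payload = f"{uid}|{now + ttl}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_removal_token(token: str, secret: bytes,
                         now: Optional[int] = None) -> Optional[str]:
    """Return the uid the token was minted for, or None if the token is
    malformed, tampered with or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        uid, expires_str, _nonce = payload.decode().split("|")
        expires = int(expires_str)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    if now > expires:
        return None
    return uid


def confirm_removal(token: str, secret: bytes, session_uid: Optional[str],
                    user_confirmed: bool,
                    now: Optional[int] = None) -> Tuple[bool, str]:
    """Second step of the process: the link is only honoured if the token
    is valid, the visitor is logged in as the very account named in it,
    and the user answered the "really remove this account?" prompt with yes.
    Returns (allowed, reason) so the web app can log the outcome."""
    uid = verify_removal_token(token, secret, now)
    if uid is None:
        return False, "invalid or expired removal link"
    if session_uid != uid:
        return False, "link does not belong to the authenticated account"
    if not user_confirmed:
        return False, "user did not re-confirm removal"
    return True, f"account {uid} may be removed"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; would live in the app's config
    link_token = mint_removal_token("petronov", key, now=1_000_000)
    print(confirm_removal(link_token, key, "petronov", True, now=1_000_000 + 60))
```

The token only proves that whoever clicked the link can read the account's mailbox and that the link is fresh; the session check in `confirm_removal` is what ties the click to the real account owner, which is the gap Michael raises. A deployment would additionally record consumed nonces so a link cannot be replayed within its lifetime.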


