.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "RT::Extension::ResetPassword 3pm" .TH RT::Extension::ResetPassword 3pm "2023-02-25" "perl v5.36.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RT::Extension::ResetPassword \- add "forgot your password?" link to RT instance .SH "DESCRIPTION" .IX Header "DESCRIPTION" This extension for \s-1RT\s0 adds a new \*(L"Forgot your password?\*(R" link to the front of your \s-1RT\s0 instance. Any user can request that \s-1RT\s0 send them a password reset token by email. \s-1RT\s0 will send the user a one-time \s-1URL\s0 which he or she can use to reset her password. .PP It also adds a new option to the user admin page in \s-1RT\s0 for the \s-1RT\s0 admin to send a password reset email for new users or users who have forgotten their passwords. See below for options to enable this admin feature only and disable self-service features. .SH "RT VERSION" .IX Header "RT VERSION" Works with \s-1RT 4.0, 4.2, 4.4, 5.0\s0 .SH "INSTALLATION" .IX Header "INSTALLATION" .ie n .IP """perl Makefile.PL""" 4 .el .IP "\f(CWperl Makefile.PL\fR" 4 .IX Item "perl Makefile.PL" .PD 0 .ie n .IP """make""" 4 .el .IP "\f(CWmake\fR" 4 .IX Item "make" .ie n .IP """make install""" 4 .el .IP "\f(CWmake install\fR" 4 .IX Item "make install" .PD May need root permissions .IP "Install Patches" 4 .IX Item "Install Patches" This is to enable searches for users with a password set. .Sp For \s-1RT 5\s0 prior to 5.0.2, apply this: .Sp .Vb 1 \& patch \-p1 \-d /opt/rt5 < patches/user\-admin\-callbacks.patch .Ve .Sp For \s-1RT 4.4.4,\s0 apply this: .Sp .Vb 1 \& patch \-p1 \-d /opt/rt4 < patches/4.4.4\-user\-admin\-callbacks.patch .Ve .Sp For \s-1RT 4\s0 prior to 4.4.4, apply this: .Sp .Vb 1 \& patch \-p1 \-d /opt/rt4 < patches/4\-user\-admin\-callbacks.patch .Ve .Sp See below for details. .ie n .IP """make initdb""" 4 .el .IP "\f(CWmake initdb\fR" 4 .IX Item "make initdb" Only run this the first time you install this module. .Sp If you run this twice, you may end up with duplicate data in your database. .Sp If you are upgrading this module, check for upgrading instructions in case changes need to be made to your database. .IP "Edit your \fI/opt/rt4/etc/RT_SiteConfig.pm\fR" 4 .IX Item "Edit your /opt/rt4/etc/RT_SiteConfig.pm" If you are using \s-1RT 4.2\s0 or greater, add this line: .Sp .Vb 1 \& Plugin(\*(AqRT::Extension::ResetPassword\*(Aq); .Ve .Sp For \s-1RT 4.0,\s0 add this line: .Sp .Vb 1 \& Set(@Plugins, qw(RT::Extension::ResetPassword)); .Ve .Sp or add \f(CW\*(C`RT::Extension::ResetPassword\*(C'\fR to your existing \f(CW@Plugins\fR line. .IP "Clear your mason cache" 4 .IX Item "Clear your mason cache" .Vb 1 \& rm \-rf /opt/rt4/var/mason_data/obj .Ve .IP "Restart your webserver" 4 .IX Item "Restart your webserver" .SH "UPGRADING" .IX Header "UPGRADING" If you are upgrading from version 0.05, you will need to run \f(CW\*(C`make initdb\*(C'\fR as documented in \s-1INSTALLATION\s0 to install the Template used by this Extension. .PP To run on \s-1RT 4.0\s0 or 4.2, replace this line in the template: .PP .Vb 1 \& { RT::Interface::Web::RequestENV(\*(AqREMOTE_ADDR\*(Aq) } .Ve .PP with this: .PP .Vb 1 \& { $ENV{\*(AqREMOTE_ADDR\*(Aq} } .Ve .SH "CONFIGURATION" .IX Header "CONFIGURATION" This extension resets passwords managed by \s-1RT.\s0 It cannot reset passwords for RTs that use any configured external auth such as \&\s-1SAML,\s0 OAuth, \s-1LDAP,\s0 or Active Directory as \s-1RT\s0 does not have password reset connections in those external systems. .PP The contents of the email sent to users can be found in the global PasswordReset template (do not confuse this with the core PasswordChange template). .PP If you want to prevent unauthorized visitors from determining what user accounts exist and whether they are disabled, set HidePasswordResetErrors to 1 in your \s-1RT\s0 configuration; then any password reset request will appear to the requestor to have resulted in an email being sent, thus not revealing the reasons for any failure. All failures will still be logged with an appropriate diagnostic message. .PP For an \s-1RT\s0 open to the internet the most secure configuration is to use the default configuration ( This means setting no config options from below ). The default configuration only allows for existing users with an existing password to reset their password. .PP If the rights schema for the \s-1RT\s0 is tight then it could be desirable to allow users who have a user record in \s-1RT\s0 ( They have emailed \s-1RT\s0 before ) but no password to create a password for themselves by setting \f(CW$AllowUsersWithoutPassword\fR to 1. This can allow for any user to access the \s-1RT\s0 self service pages. This can be dangerous if the \s-1RT\s0 rights are not set-up correctly as users could see data they should not be able to. .PP The \f(CW$CreateNewUserAndSetPassword\fR and \f(CW$CreateNewUserAsPrivileged\fR config options should only be used when access to the \s-1RT\s0 web \s-1UI\s0 is limited. This usually means access to the web \s-1UI\s0 is restricted so that only users on the company network can access the \s-1UI\s0 and create new user records. .ie n .IP "$AllowUsersWithoutPassword" 4 .el .IP "\f(CW$AllowUsersWithoutPassword\fR" 4 .IX Item "$AllowUsersWithoutPassword" Setting this config option to true will allow existing users who do not have a password set to send themselves a reset password email and set a password. .Sp Setting this to false (0) requires a user to already have a password to use the reset feature. This is useful for managing access and not automatically allowing new accounts to get a password. .Sp This extension adds a \*(L"Password Status\*(R" at the bottom of the Access control section on the user admin page which shows whether the user currently has a password set. The \*(L"Delete password\*(R" option allows you to clear passwords if a user should no longer have access. .Sp For \s-1RT 4.4\s0 and 5, this extension also adds a checkbox to the user admin page that allows you to filter users, displaying only those who have a password set. If you disable the \f(CW$AllowUsersWithoutPassword\fR option, this checkbox allows you to see all users who have an existing password and would therefore be able to reset their password. .ie n .IP "$CreateNewUserAsPrivileged" 4 .el .IP "\f(CW$CreateNewUserAsPrivileged\fR" 4 .IX Item "$CreateNewUserAsPrivileged" Set this config value to true if users creating a new account should default to privileged users. .Sp \&\fB\s-1WARNING\s0\fR Setting this to true can be dangerous as it allows anyone to create a new privileged user. Usually privileged users are given rights to edit and see information not desired to be public. .ie n .IP "$CreateNewUserAndSetPassword" 4 .el .IP "\f(CW$CreateNewUserAndSetPassword\fR" 4 .IX Item "$CreateNewUserAndSetPassword" This configuration option determines if a nonexistent user can create a new user record. .Sp \&\fB\s-1WARNING\s0\fR See the note about the danger of setting this to true and setting \f(CW$CreateNewUserAsPrivileged\fR to true as well. .ie n .IP "$DisableResetPasswordOnLogin" 4 .el .IP "\f(CW$DisableResetPasswordOnLogin\fR" 4 .IX Item "$DisableResetPasswordOnLogin" Set this config value to true if you do not want the \*(L"forgot password\*(R" option to display on the login page. .Sp This is useful if you want only the password reset email option on the \s-1RT\s0 user admin page, but no self-service options. .ie n .IP "$PasswordChangeLinkExpirySeconds" 4 .el .IP "\f(CW$PasswordChangeLinkExpirySeconds\fR" 4 .IX Item "$PasswordChangeLinkExpirySeconds" Set this config value to the time in seconds before a password-change link expires. The default value is 4*60*60, meaning that password-change links expire after four hours by default. .ie n .IP "$ResetPasswordFromAddress" 4 .el .IP "\f(CW$ResetPasswordFromAddress\fR" 4 .IX Item "$ResetPasswordFromAddress" By default, the From address in the password reset email is the default \&\f(CW$CorrespondAddress\fR from \s-1RT.\s0 You can use this option to set a different From address for the reset email. .SH "AUTHOR" .IX Header "AUTHOR" Best Practical Solutions, \s-1LLC\s0 .SH "BUGS" .IX Header "BUGS" All bugs should be reported via email to .PP .Vb 1 \& L .Ve .PP or via the web at .PP .Vb 1 \& L. .Ve .SH "LICENSE AND COPYRIGHT" .IX Header "LICENSE AND COPYRIGHT" This software is Copyright (c) 2012\-2020 by Best Practical Solutions, \s-1LLC\s0 .PP This is free software, licensed under: .PP .Vb 1 \& The GNU General Public License, Version 2, June 1991 .Ve