Admin can assume any user for support reasons

I have asked SCT over and over for an ability for me as an admin to spoof any user account... so I can troubleshoot issues without asking the user for their password... or more appropriately... reset their password to something I know... use their account... then reset it back to something the end user knows... having locked them out basically for the whole process.

Assuming the user should boot the other user off.

Thoughts on this?


This exists.

There is some sort of backup secret store setting that will encrypt everyone's passwords with an admin password so that you can change people's passwords and log in to the system with a maintained secret store. This is both dangerous and nifty depending on who you talk to :)

Interesting...

I don't know about the backup secret store... maybe it's so dangerous they don't document it? :)

If I recall correctly, there was/is a cptool command to decrypt secret store passwords for a given user. You had to have their password first though.... and it didn't give you the Luminis login password. Just external systems.

I also made an RPE for a Luminis proxy user for support reasons. Not sure what happened to it. You can already do this for the integrated mail servers if you use proxyauth with the iPlanet Messaging Servers.

I hypothesized it might be possible for Luminis as well using proxy permissions at the directory server level, but more than likely the application would get in the way of that. I never had the time to test anyway, so that comment is pure speculation.

best,
Scott

How about this...

I would think that it simply comes down to this: each login stores your user's UID into a session variable. Why can't we just change that variable and poof... you are them... bypassing the need to know their password.

Most of the apps I write have this capability... spoofing a user for admin/support purposes...

SCT: Is this really that hard? Or is it more of a business security concern?

Follow up

Follow up on my own post... months later.

I was thinking perhaps the issue was around any integrated SSO apps that use the secret store... If I simply spoof the user... do I have access to that store? Or did I need to actually login with the right pass so it can use that to access the stores.

I will play in dev and see.
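A constructed model of the scheme sketched in this thread (the session-variable swap proposed in "How about this..." and the secret-store question in this follow-up), added here as example code; it is not Luminis or SCT code, and the user names, passwords and store format are made up:

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Constructed toy model (not Luminis/SCT code): the session keeps the real admin
# (actor) and the assumed user (effective) apart, every assume is audited, and each
# secret store is sealed with a key derived from the user's own password, so swapping
# the session UID alone yields no key to open it.

AUDIT = []  # constructed in-memory audit trail

def derive_key(uid: str, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), uid.encode(), 50_000)

def make_user(uid: str, password: str, is_admin: bool = False) -> dict:
    # Only a hash of the store key is kept, so the server alone cannot open the store
    verifier = hashlib.sha256(derive_key(uid, password)).digest()
    return {"uid": uid, "is_admin": is_admin, "verifier": verifier, "store": {}}

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + nonce).digest(len(data))  # demo-grade cipher
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor(key, nonce, plaintext.encode())

def unseal(key: bytes, blob: bytes) -> str:
    return _xor(key, blob[:16], blob[16:]).decode()

@dataclass
class Session:
    actor_uid: str              # who really authenticated
    effective_uid: str          # who the portal acts as
    store_key: "bytes | None"   # present only after a real password login

def login(user: dict, password: str) -> Session:
    key = derive_key(user["uid"], password)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), user["verifier"]):
        raise PermissionError("bad password")
    return Session(user["uid"], user["uid"], key)

def assume_user(session: Session, users: dict, target_uid: str) -> Session:
    # Impersonate without the target's password: new effective UID, same actor, no key
    if not users[session.actor_uid]["is_admin"]:
        raise PermissionError("only an authenticated admin may assume a user")
    AUDIT.append(f"{session.actor_uid} assumed {target_uid}")
    return Session(session.actor_uid, target_uid, None)

def read_secret(session: Session, user: dict, name: str) -> str:
    if session.effective_uid != user["uid"] or session.store_key is None:
        raise PermissionError("secret store needs the user's own password-derived key")
    return unseal(session.store_key, user["store"][name])
```

The assumed session can act as the user in the portal, but the secret store stays closed until that user logs in with their own password, which is exactly the SSO gap the follow-up worries about.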