Details
Type: Bug
Status: Closed
Priority: Minor
Resolution: Not a bug
Affects Version/s: 1.8.2
Fix Version/s: None
Component/s: Authentication
Labels: None
Database: MySQL
Affected Branches: MOODLE_18_STABLE
Description
Background info
----------------------
We authenticate against an IMAP server and run Moodle on a Fedora UNIX box with a MySQL database.
What happened
----------------------
A student had their password reset to "changeme" (despite me telling our IT people not to reset to this password). Because the password "changeme" is effectively blacklisted in Moodle, the student was repeatedly redirected to the change password page every time they logged in. Once this problem was diagnosed the student was asked to change their UNIX/IMAP password to something new. The student did this and we verified that the IMAP server was now authenticating against the new password. However, when the student logged into Moodle, they were STILL being redirected to the change password page.
After a bit of digging in the mdl_user_preferences table of the database, I found that the user had a key-value entry with the following data:
name: auth_forcepasswordchange
value: 1
Manually changing the value from 1 to 0 corrects the problem.
Surely Moodle should be automatically clearing this value or decrementing it once the password is changed to something other than "changeme". For this reason, I suspect this to be a bug.
The problem here is that the flag is not used exclusively for the changeme password; if we made this change we could not force new passwords anymore.
The solution for this type of problem is very simple: go to the user edit page as admin and clear the Force password change checkbox.
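
An added example, not part of the original report or of Moodle's code: a MySQL audit query for accounts that still carry the auth_forcepasswordchange flag described above, followed by the manual correction from the report applied to one reviewed account. It assumes the stock mdl_ table prefix, the standard mdl_user columns (id, username, auth, deleted), and that the IMAP plugin is stored as auth = 'imap'; the username 'student1' is constructed.

```sql
-- Added example. Assumes the stock Moodle schema with the mdl_ prefix.

-- 1. Audit: list active IMAP-authenticated accounts that still have the
--    force-password-change flag set, so they can be reviewed before anything
--    is changed.
SELECT u.id,
       u.username,
       u.auth,
       p.value AS force_change
FROM mdl_user u
JOIN mdl_user_preferences p
  ON p.userid = u.id
WHERE p.name  = 'auth_forcepasswordchange'
  AND p.value = '1'
  AND u.auth  = 'imap'      -- assumption: auth plugin name for IMAP
  AND u.deleted = 0
ORDER BY u.username;

-- 2. Correct one reviewed account: set the value from 1 to 0, the same manual
--    change the report describes. 'student1' is a constructed username.
--    Scoped to a single user on purpose; the flag is also used to force
--    new passwords deliberately, so it should not be cleared in bulk.
UPDATE mdl_user_preferences p
JOIN mdl_user u
  ON u.id = p.userid
SET p.value = '0'
WHERE p.name = 'auth_forcepasswordchange'
  AND u.username = 'student1';
```

Clearing the Force password change checkbox on the user edit page, as the reply above recommends, achieves the same result without direct database access.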