
Key: MDL-20945
Type: Bug
Status: Resolved
Resolution: Not a bug
Priority: Blocker
Assignee: Petr Škoda (skodak)
Reporter: Gary Anderson
Votes: 0
Watchers: 0
Moodle

All users locked out with latest 1.9.7 security update

Created: 24/Nov/09 08:46 AM   Updated: 24/Nov/09 06:22 PM
Component/s: Authentication
Affects Version/s: 1.9.6
Fix Version/s: None

Participants: Gary Anderson and Petr Škoda (skodak)
Security Level: None
Resolved date: 24/Nov/09
Affected Branches: MOODLE_19_STABLE


Description
Our school uses IMAP authentication. After applying the latest 1.9.7 security patch which prevents caching of passwords, all of our users were locked out.

Among the notices for IMAP users was Notice: Unknown: Certificate failure for 172.16.20.76: unable to get local issuer certificate: /DC=org/DC=seattleacademy/CN=seattleacademy-ALPHA-CA (errflg=2) in Unknown on line 0

Even the admin was not able to log in, and that account is not IMAP.

Even though I will be able to hack around this issue, things are moving very quickly on these security issues and I would advise caution in making sure everything works on a production site. Fortunately, this problem is only on our test servers so far.

--Gary



Comments
Petr Škoda (skodak) added a comment - 24/Nov/09 04:30 PM
very strange
1/ the imap auth plugin does not access password in user table at all
2/ local admin accounts are forced to change password, nothing else should change there
3/ the IMAP notice is something very new for me

Could you give me some more hints what might be going wrong? I can not see any reason for this.


Petr Škoda (skodak) added a comment - 24/Nov/09 05:26 PM
1/ tested it on my local server+gmail imap
2/ retested, works for me
3/ I saw the same notice when I used imapssl - there was a problem with certificate; when used imapcert option (do not ask me why is it called like this) the cert check is skipped and everything works

Gary Anderson added a comment - 24/Nov/09 05:29 PM
I am going to close this as I think the problem is on our end – the error seems to be displaying a message from our IMAP server that was not evident before this update. Also, on our end we check the MD5 hash for a match before checking IMAP (it speeds things up and does not make Moodle dependent on the email server being up). That, of course, is not a core issue.

I suspect that I simply forgot the new password for the admin account. Since our development servers don't email, I fixed it and documented the method here: http://docs.moodle.org/en/Talk:Password_policy

A suggestion: forcing the admins to change their passwords, rather than simply suggesting a change and reporting password strength, is a mistake in my view. They will simply write down passwords they can't remember (raising a different security issue) or they may lock themselves out.

Also, keeping the MD5 hash could be useful as a backup for when the authentication server is down, although I also understand the reasoning for not wanting it in the database.


Petr Škoda (skodak) added a comment - 24/Nov/09 06:04 PM
ah, you can simply create a copy of your imap plugin instead of modifying the current one, just change the new method to return false which indicates the md5 hashes should be kept

Gary Anderson added a comment - 24/Nov/09 06:17 PM
Yes, I think that is a good solution, Petr. A new plugin called something like cached IMAP.

It would use the md5 hash and only check the IMAP server in case of a non-match. And it would have the new method set to false. So, only two lines need to be changed.

It would, of course, have some understandable security tradeoffs like the storage of hashes and not letting the email server revoke access, but it does provide a nice solution for a more robust authentication method (in terms of not failing if the mail server goes down), and lets users have a single password for their institution's email and Moodle site.

--Gary
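A sketch of the "cached IMAP" plugin described in the comment above, added here as an example; it is not code from this issue, from Gary, or from Moodle itself. It assumes the Moodle 1.9 auth API (auth_plugin_imap, get_record, validate_internal_user_password, update_internal_user_password) and that the "new method" Petr refers to is prevent_local_passwords(); the plugin name and path are hypothetical.

```php
<?php
// auth/imapcached/auth.php (hypothetical location, added example)
// IMAP authentication that checks the locally stored hash first and only
// contacts the IMAP server on a mismatch, so logins survive a mail outage.
// Assumes the Moodle 1.9 auth API; prevent_local_passwords() is assumed to
// be the method added by the 1.9.7 security update.
require_once($CFG->dirroot.'/auth/imap/auth.php');

class auth_plugin_imapcached extends auth_plugin_imap {

    function auth_plugin_imapcached() {
        parent::auth_plugin_imap();
        $this->authtype = 'imapcached';
    }

    // Returning false tells core to keep storing password hashes for this
    // plugin's users (1.9.7 stops storing them for external auth plugins).
    function prevent_local_passwords() {
        return false;
    }

    function user_login($username, $password) {
        global $CFG;
        $user = get_record('user', 'username', $username,
                           'mnethostid', $CFG->mnet_localhost_id);

        // Fast path: stored hash matches, no round trip to the mail server.
        // Tradeoff (as noted in the issue): a password revoked on the IMAP
        // server keeps working here until the cached hash is replaced.
        if ($user and validate_internal_user_password($user, $password)) {
            return true;
        }

        // Slow path: ask the IMAP server; the parent plugin does imap_open().
        if (!parent::user_login($username, $password)) {
            return false;
        }

        // IMAP accepted the password: refresh the cached hash so the next
        // login can again skip the mail server.
        if ($user) {
            update_internal_user_password($user, $password);
        }
        return true;
    }
}
```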


Petr Škoda (skodak) added a comment - 24/Nov/09 06:22 PM
please submit it into contrib section, others might like it too