- Improvement
- Resolution: Fixed
- Critical
- 2.0.4, 2.1.1, 2.3.3, 2.4.1
- Any
- Any
- MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
- MOODLE_25_STABLE
- wip_master_mdl-28585_ldap_auth_doesnt_handle_password_expiration
-
The LDAP Authorisation plugin does a great job of allowing users to log in with their domain credentials and even notifying users of how long they have until their password expires. When the account has actually expired, however, ldap_bind returns FALSE to say that the credentials are invalid (auth\ldap\auth.php around line 163), and the plugin interprets this as it would an incorrect password being entered.
I have spotted a useful comment under the ldap_bind function on php.net (http://www.php.net/manual/en/function.ldap-bind.php#103034). It basically suggests that there is a way to identify not just an expired password but also a first login attempt (which could be very useful for distance learning).
There are two stages we could target for this improvement. The first step would be to enhance the current code to identify an expired password and to give a different, more user friendly error message. Building on this we could then develop a mechanism which allows users to reset their password when an expired password is detected.
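The first stage described above, as an added example that is not Moodle's auth/ldap code: after a failed bind, read the server's diagnostic string instead of treating every FALSE as a wrong password. The hostname, DN and the table of Active Directory "data NNN" sub-error codes are assumptions (the codes are the well-known AcceptSecurityContext values AD appends to its bind error text).

```php
<?php
// Added example, not part of Moodle: distinguish an expired password from a wrong one.
// Assumption: the directory is Active Directory, which appends "data <code>" to the
// diagnostic message of a failed bind. Codes below are the standard AD sub-errors.
const AD_BIND_REASONS = [
    '525' => 'user_not_found',
    '52e' => 'invalid_credentials',
    '530' => 'logon_time_restriction',
    '531' => 'workstation_restriction',
    '532' => 'password_expired',
    '533' => 'account_disabled',
    '701' => 'account_expired',
    '773' => 'must_change_password',   // first logon, or an admin forced a reset
    '775' => 'account_locked',
];

/** Map an AD bind diagnostic string to a reason key ('unknown' if it does not match). */
function classify_ad_bind_error(string $diag): string {
    // Constructed sample of the AD format:
    // "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"
    if (preg_match('/\bdata ([0-9a-f]+)\b/i', $diag, $m)) {
        return AD_BIND_REASONS[strtolower($m[1])] ?? 'unknown';
    }
    return 'unknown';
}

/** Attempt a simple bind; return 'ok' or a reason key describing why it failed. */
function ldap_login_reason($ds, string $userdn, string $password): string {
    // An empty password makes ldap_bind perform an anonymous bind, which would
    // look like a successful login; refuse it before contacting the server.
    if ($password === '') {
        return 'invalid_credentials';
    }
    if (@ldap_bind($ds, $userdn, $password)) {
        return 'ok';
    }
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_ERROR_STRING, $diag);
    return classify_ad_bind_error((string) $diag);
}

/** Only reasons the user can act on get a specific message; everything else stays
 *  generic so the login form does not reveal which accounts exist, are disabled or locked. */
function login_message(string $reason): string {
    switch ($reason) {
        case 'ok':                   return 'Login successful.';
        case 'password_expired':     return 'Your password has expired; please reset it.';
        case 'must_change_password': return 'You must change your password before logging in.';
        default:                     return 'Invalid login, please try again.';
    }
}
```

Usage with an assumed server and DN: `$ds = ldap_connect('ldap://dc.example.test'); ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); echo login_message(ldap_login_reason($ds, 'CN=jsmith,OU=Staff,DC=example,DC=test', $password));`. Other directory servers word their diagnostics differently, so the classifier falls back to 'unknown' and the generic message for them.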