Moodle MDL-28585: LDAP Auth doesn't handle password expiration [W/Fix]

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.4, 2.1.1, 2.3.3, 2.4.1
    • Fix Version/s: 2.5
    • Component/s: Authentication
    • Environment:
      Any
    • Database:
      Any
    • Testing Instructions:

      These testing instructions assume you have an Active Directory domain controller acting as the LDAP server for Moodle. It only works with Active Directory.

      1. Login as admin.
      2. Configure the LDAP auth plugin to use 'MS Active Directory' as the 'User type' setting. Also set the 'Expiration' setting to 'LDAP'. Finally, either specify 'Yes' for the 'Use standard page for changing password' setting or provide a URL for the 'Password-change URL' setting.
      3. Log out.
      4. Before applying the fix, try to log in with one of the existing users in Active Directory that can access Moodle. It should log in without problem.
      5. Log out.
      6. In Active Directory, edit that user and configure the account so she has to change the password on first login.
      7. Try to log in with that user in Moodle. The login should be refused, saying that either the user or the password is incorrect.
      8. Now apply the fix.
      9. Try to log in with that user again. Now Moodle should tell the user that the password has expired and ask whether she wants to change it now.
      10. Don't change the password and log out.
      11. Log in as admin and reconfigure the LDAP plugin to either not use 'MS Active Directory' as the user type, or set 'Expiration' to 'no', or set 'Use standard page for changing password' to 'No', or clear the 'Password-change URL'.
      12. Log out.
      13. Try to log in with the same regular user as before. The login should be refused again, saying that either the user or the password is incorrect.
    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_25_STABLE
    • Pull Master Branch:
      wip_master_mdl-28585_ldap_auth_doesnt_handle_password_expiration

      Description

      The LDAP Authorisation plugin does a great job of allowing users to log in with their domain credentials and even notifying users of how long they have until their password expires. When the account has actually expired, however, ldap_bind returns FALSE to say that the credentials are invalid (auth\ldap\auth.php around line 163) and the plugin interprets this as it would an incorrect password being entered.

      I have spotted a useful comment under the ldap_bind function on php.net: http://www.php.net/manual/en/function.ldap-bind.php#103034. It basically suggests that there is a way to identify not just an expired password but also a first login attempt (which could be very useful for distance learning).

      There are two stages we could target for this improvement. The first step would be to enhance the current code to identify an expired password and to give a different, more user friendly error message. Building on this we could then develop a mechanism which allows users to reset their password when an expired password is detected.
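
      The description above notes that ldap_bind returns FALSE for an expired password exactly as it does for a wrong one, and points to a php.net comment on telling the two cases apart. The snippet below is an added example, not Moodle's code and not the fix on the linked branch: it classifies an Active Directory bind failure from the diagnostic message the server attaches to the invalid-credentials result. The "data NNN" codes are the well-known Active Directory values and are assumed here (the page does not list them), as are the helper names; LDAP_OPT_DIAGNOSTIC_MESSAGE is available from PHP 7.1, older PHP must pass its numeric value 0x0032.

```php
<?php
// Added example (not Moodle's code): tell "password expired" and "must change
// password on first login" apart from a plain wrong password when an Active
// Directory bind fails. AD puts the reason into the diagnostic message as a
// "data NNN" hex code. These codes are the well-known AD values; they are an
// assumption of this example, not something the tracker page states.
const AD_BIND_REASONS = [
    '525' => 'user_not_found',
    '52e' => 'invalid_credentials',   // genuinely wrong password
    '530' => 'logon_time_restricted',
    '531' => 'workstation_restricted',
    '532' => 'password_expired',      // the case this issue is about
    '533' => 'account_disabled',
    '701' => 'account_expired',
    '773' => 'must_change_password',  // "change password on first login"
    '775' => 'account_locked',
];

/**
 * Map an AD diagnostic message to a reason string.
 * Falls back to 'invalid_credentials' when no recognisable code is present,
 * so an unknown failure is still treated as a refused login.
 */
function ad_bind_failure_reason(string $diagnostic): string {
    if (preg_match('/\bdata ([0-9a-f]+)\b/i', $diagnostic, $m)) {
        $code = strtolower($m[1]);
        if (isset(AD_BIND_REASONS[$code])) {
            return AD_BIND_REASONS[$code];
        }
    }
    return 'invalid_credentials';
}

/**
 * Only the expired and must-change states should be offered the
 * password-change flow; every other failure keeps the generic
 * "wrong username or password" message so nothing about the account is leaked.
 */
function bind_failure_allows_password_change(string $reason): bool {
    return $reason === 'password_expired' || $reason === 'must_change_password';
}

/**
 * Attempt a bind and report why it failed. Assumes $ldap is an open
 * connection from ldap_connect() to an AD domain controller (hypothetical
 * caller-supplied handle).
 */
function ad_bind_with_reason($ldap, string $dn, string $password): array {
    if ($password === '') {
        // An empty password makes ldap_bind perform an anonymous bind, which
        // succeeds on many servers and would be misread as valid credentials.
        return ['ok' => false, 'reason' => 'invalid_credentials'];
    }
    if (@ldap_bind($ldap, $dn, $password)) {
        return ['ok' => true, 'reason' => null];
    }
    $diagnostic = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagnostic);
    return ['ok' => false, 'reason' => ad_bind_failure_reason((string) $diagnostic)];
}

// Constructed sample of an AD diagnostic message for a must-change account
// (the DSID value is illustrative).
$sample = '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1';
$reason = ad_bind_failure_reason($sample);
echo $reason, PHP_EOL;
var_dump(bind_failure_allows_password_change($reason));
```

      The split between the two helpers matters for the testing instructions above: the plugin should only redirect to the password-change page when the reason is one of the two change-eligible states and the expiration and password-change settings are enabled; a disabled or locked account must still get the generic refusal.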

                People

                • Votes: 7
                • Watchers: 13

                  Dates

                  • Fix Release Date: 14/May/13