  1. Moodle
  2. MDL-3339

moodle changes ldap password to clear text

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 1.8
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      All
    • Database:
      MySQL
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE

      Description

      When using LDAP authentication, and allowing users to change their ldap password from moodle by setting the option Use standard Change Password Page to Yes, I find that moodle changes the password into clear text, even if the old ldap password was md5 encrypted.

      When the ldap password is changed through moodle, the new password ought to be stored in the same format (encryption) as the old one.

          Activity

          dougiamas Martin Dougiamas added a comment -

          From Martin Dougiamas (martin at moodle.com) Thursday, 26 May 2005, 11:09 PM:

          Changes it where ... in the Moodle user table?

          From Lars Jensen (jensen at physics.unr.edu) Friday, 27 May 2005, 01:19 AM:

          Hi Martin,

          Currently I'm in the testing phase of my (Open)ldap setup, and I noticed that when a user with an md5 encrypted password changed his/her password through moodle, the password, as stored in ldap, became clear, and readable by the ldap admin. So to answer your question, after being changed the password is stored as clear text on the ldap server.

          skodak Petr Skoda added a comment -

          fixed in cvs, md5 and sha passwords are now supported,
          thanks for the report!

          martinlanghoff Martín Langhoff added a comment -

          Hi Petr - thanks for looking into this. The patch is double base64-encoding the hash.

          md5() and sha1() functions in PHP return the base64 encoded string you need. With the double-encoded hash subsequent logins via LDAP itself won't work.

          skodak Petr Skoda added a comment -

          It works for me, see http://www.openldap.org/faq/data/cache/347.html

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                31/Mar/07
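
The behaviour requested in the description, as an added example (not Moodle's code and not the patch discussed in this issue): read the scheme prefix of the existing userPassword value, encode the new password as `{MD5}` or `{SHA}` followed by the base64 of the raw digest, and check the result by its decoded length, which is where a hex-encoded or double-encoded hash shows up. Function names and sample passwords are hypothetical.

```php
<?php
// Added example; function names are hypothetical, sample values are constructed.

/** Scheme of a stored userPassword value: 'MD5', 'SHA', or 'CLEAR' (no known prefix). */
function ldap_password_scheme(string $stored): string {
    if (preg_match('/^\{(MD5|SHA)\}/i', $stored, $m)) {
        return strtoupper($m[1]);
    }
    return 'CLEAR';
}

/** Encode $plain as "{SCHEME}" . base64(raw digest). */
function ldap_encode_password(string $plain, string $scheme): string {
    switch ($scheme) {
        case 'MD5':
            // Second argument true: 16 raw bytes instead of 32 hex characters.
            return '{MD5}' . base64_encode(md5($plain, true));
        case 'SHA':
            // Second argument true: 20 raw bytes instead of 40 hex characters.
            return '{SHA}' . base64_encode(sha1($plain, true));
        default:
            // This example refuses to write a clear-text value.
            throw new InvalidArgumentException("unsupported scheme: $scheme");
    }
}

/** True when the payload is single base64 of a digest of the right length. */
function ldap_hash_is_well_formed(string $value): bool {
    $digestBytes = ['MD5' => 16, 'SHA' => 20];
    $scheme = ldap_password_scheme($value);
    if (!isset($digestBytes[$scheme])) {
        return false;
    }
    // Skip "{", the scheme name and "}" before decoding (strict mode).
    $raw = base64_decode(substr($value, strlen($scheme) + 2), true);
    return $raw !== false && strlen($raw) === $digestBytes[$scheme];
}

// Constructed sample: the old entry was stored as {MD5}.
$old = '{MD5}' . base64_encode(md5('old-secret', true));
$new = ldap_encode_password('new-secret', ldap_password_scheme($old));

// Two malformed variants: base64 of the hex digest, and base64 applied twice.
$hexEncoded    = '{MD5}' . base64_encode(md5('new-secret'));
$doubleEncoded = '{MD5}' . base64_encode(base64_encode(md5('new-secret', true)));

foreach ([$new, $hexEncoded, $doubleEncoded] as $candidate) {
    echo $candidate, ' => ', var_export(ldap_hash_is_well_formed($candidate), true), PHP_EOL;
}
```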