Moodle / MDL-3339

moodle changes ldap password to clear text

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 1.8
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      All
    • Database:
      MySQL
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_18_STABLE
    • Rank:
      27496

      Description

      When using LDAP authentication, and allowing users to change their LDAP password from Moodle by setting the option Use standard Change Password Page to Yes, I find that Moodle changes the password into clear text, even if the old LDAP password was md5 encrypted.

      When the LDAP password is changed through Moodle, the new password ought to be stored in the same format (encryption) as the old one.

        Activity

        Martin Dougiamas added a comment -

        From Martin Dougiamas (martin at moodle.com) Thursday, 26 May 2005, 11:09 PM:

        Changes it where ... in the Moodle user table?

        From Lars Jensen (jensen at physics.unr.edu) Friday, 27 May 2005, 01:19 AM:

        Hi Martin,

        Currently I'm in the testing phase of my (Open)ldap setup, and I noticed that when a user with an md5 encrypted password changed his/her password through moodle, the password, as stored in ldap, became clear, and readable by the ldap admin. So to answer your question, after being changed the password is stored as clear text on the ldap server.

        Petr Škoda added a comment -

        fixed in cvs, md5 and sha passwords are now supported,
        thanks for the report!

        Martín Langhoff added a comment -

        Hi Petr - thanks for looking into this. The patch is double base64-encoding the hash.

        md5() and sha1() functions in PHP return the base64 encoded string you need. With the double-encoded hash subsequent logins via LDAP itself won't work.

        Petr Škoda added a comment -

        It works for me, see http://www.openldap.org/faq/data/cache/347.html
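
The userPassword encoding this thread is about, as an added example (not Moodle's patch and not code from any commenter): OpenLDAP's {MD5} and {SHA} values are the scheme tag followed by the base64 of the raw digest bytes, so a length check after decoding catches a value built from the hex string instead. The function names, the fallback scheme and the sample passwords are assumptions made for the illustration.

```php
<?php
// Added example, not Moodle's code. All function names here are hypothetical.

// Raw digest length in bytes for the two unsalted schemes named in the thread.
const LDAP_DIGEST_LEN = ['MD5' => 16, 'SHA' => 20];

// Return the scheme tag of a stored userPassword value, or null for clear text.
function ldap_password_scheme(string $stored): ?string {
    if (preg_match('/^\{([A-Za-z0-9]+)\}/', $stored, $m)) {
        return strtoupper($m[1]);
    }
    return null;
}

// Build "{SCHEME}" . base64(raw digest) for a new password.
function ldap_hash_password(string $newpassword, string $scheme): string {
    switch ($scheme) {
        case 'MD5': $raw = md5($newpassword, true); break;  // true = raw bytes, not hex
        case 'SHA': $raw = sha1($newpassword, true); break;
        default: throw new InvalidArgumentException("unsupported scheme: $scheme");
    }
    return '{' . $scheme . '}' . base64_encode($raw);
}

// True when the value decodes to a digest of the right length for its scheme.
// A hex digest that was base64-encoded decodes to 32 or 40 bytes and fails.
function ldap_value_is_well_formed(string $value): bool {
    $scheme = ldap_password_scheme($value);
    if ($scheme === null || !array_key_exists($scheme, LDAP_DIGEST_LEN)) {
        return false;
    }
    $raw = base64_decode(substr($value, strlen($scheme) + 2), true);
    return $raw !== false && strlen($raw) === LDAP_DIGEST_LEN[$scheme];
}

// Constructed sample: the directory entry currently holds an {MD5} value.
$old    = ldap_hash_password('old-secret', 'MD5');
// Keep the old value's scheme; falling back to SHA for clear text is an assumption.
$scheme = ldap_password_scheme($old) ?? 'SHA';
$new    = ldap_hash_password('new-secret', $scheme);
$wrong  = '{MD5}' . base64_encode(md5('new-secret')); // base64 of the hex string

var_dump($new, ldap_value_is_well_formed($new));     // accepted: 16 raw bytes
var_dump($wrong, ldap_value_is_well_formed($wrong)); // rejected: 32 bytes after decoding
```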
