Moodle - MDL-52387

LDAP support for Fine Grained Password Policies


    Details

    • Testing Instructions:
      Setup

      This new feature requires an Active directory running with fine grained passwords for at least a group.
      I've found this blog post that explains in detail how to set up Fine Grained Passwords.
      You might need to test that using groups with different permissions and policies.

      Tests
      1. Login to Moodle as Admin
      2. Go to Plugins -> Authentication -> LDAP
      3. Turn off Grace Logins
      4. Make sure Password Expiration is set to LDAP
      5. Leave warning set to 10
      6. Save changes if any were made
      7. Log out
      8. Try to log back in with the test user
      9. You should be told that the password expired
      10. As admin, turn on Grace Logins, set Expiration to No and Save.
      11. Try to log in and make sure you're able to connect to your LDAP server.
    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-52387-master

      Description

      Our school recently switched to FGPP to give our Faculty/Staff different password requirements than our students. Unfortunately Moodle only seems to look at the domain level password expiration information.

      Following this tutorial I created a PSO and attached it to a security group
      http://blogs.technet.com/b/canitpro/archive/2013/05/30/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad.aspx

      I added a test user to this group. When trying to log into a domain desktop, it immediately required that the password be changed, meaning the PSO was active and working as expected. So I moved on to Moodle.

      1) Login to Moodle as Admin
      2) Go to Plugins -> Authentication -> LDAP
      3) Turn off Grace Logins
      4) Make sure Password Expiration is set to LDAP
      5) Leave warning set to 10
      6) Save changes if any were made
      7) Log out
      8) Try to log back in with the test user
      9) Logs in with no issues. Password expiration is not caught.
      10) Log out
      11) Log in with known user whose password has expired according to domain expiration age
      12) Password Expiration notice triggers.

      I'm not a programmer, but I think it's possible to add PSO checking without altering the code too much.

      After grabbing the Domain Maximum Password Age ($maxpwdage), you just have to check whether the msDS-ResultantPSO attribute is set for the user. If it is, it will return the DN of the PSO object; if not, it returns null.

      If the DN was returned, use it to grab the attribute msDS-MaximumPasswordAge. If this returns a valid value, set $maxpwdage to this new value.

      From there no other code needs to change as all other current checks are suitable.

      Here is the code I've added to the auth.php file inside the ldap_get_ad_pwdexpire() function. This is placed directly beneath the section that originally sets $maxpwdage equal to the domain's MaxPwdAge attribute.

      All tests so far have worked as I have anticipated them to. Different FGPP PSOs applied to different users with different time outs have all responded as expected when expiration is coming up and when the password has expired.

              // Ask the user's own entry which PSO (if any) applies to it.
              $sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)',
                              array('msDS-ResultantPSO'));
              $entry = ldap_get_entries_moodle($ldapconn, $sr);
              $info = array_change_key_case($entry[0], CASE_LOWER);
              // Guard the index: the attribute is absent when no PSO applies.
              $userpso = isset($info['msds-resultantpso'][0]) ? $info['msds-resultantpso'][0] : '';

              // If a PSO exists, FGPP is being utilized. Grab the new
              // maxpwdage from the msDS-MaximumPasswordAge attribute of
              // the PSO; otherwise keep the domain-level value read above.
              if (!empty($userpso)) {
                  $sr = ldap_read($ldapconn, $userpso, '(objectClass=*)',
                                  array('msDS-MaximumPasswordAge'));
                  $entry = ldap_get_entries_moodle($ldapconn, $sr);
                  $info = array_change_key_case($entry[0], CASE_LOWER);
                  // Only override when the PSO actually carries a value.
                  if (isset($info['msds-maximumpasswordage'][0])) {
                      $maxpwdage = $info['msds-maximumpasswordage'][0];
                  }
              }
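      The lookup order described above (user's msDS-ResultantPSO first, then the PSO's msDS-MaximumPasswordAge, falling back to the domain maxPwdAge), carried through to an actual expiry timestamp, as an added example that is not part of this issue or of Moodle's auth_ldap code. It replaces ldap_read() with a constructed in-memory directory, and the DNs, attribute values and the 0x8000000000000000 "never expires" sentinel handling are assumptions for illustration.

```python
# Effective password expiry for an AD user under Fine Grained Password Policies.
# AD stores maxPwdAge / msDS-MaximumPasswordAge as NEGATIVE 100-nanosecond
# intervals and pwdLastSet as a FILETIME (100-ns ticks since 1601-01-01).
FILETIME_EPOCH_OFFSET = 11644473600   # seconds from 1601-01-01 to 1970-01-01
NEVER_EXPIRES = -(1 << 63)            # 0x8000000000000000: password never expires

# Constructed stand-in for the directory: DN -> {lowercased attribute: [values]},
# the same shape ldap_get_entries_moodle() + array_change_key_case() yields.
PSO_DN = "cn=staff-pso,cn=password settings container,cn=system,dc=example,dc=test"
DIRECTORY = {
    "dc=example,dc=test": {"maxpwdage": ["-36288000000000"]},          # 42 days
    PSO_DN: {"msds-maximumpasswordage": ["-77760000000000"]},          # 90 days
    "cn=alice,ou=staff,dc=example,dc=test": {
        "msds-resultantpso": [PSO_DN], "pwdlastset": ["131000000000000000"]},
    "cn=bob,ou=students,dc=example,dc=test": {"pwdlastset": ["131000000000000000"]},
}

def ldap_read_attr(directory, dn, attr):
    """First value of attr at dn, or None (models ldap_read on one entry)."""
    entry = directory.get(dn.lower())
    values = entry.get(attr.lower()) if entry else None
    return values[0] if values else None

def resolve_max_pwd_age(directory, domain_dn, user_dn):
    """Domain maxPwdAge, overridden by the user's resultant PSO when one applies."""
    maxpwdage = ldap_read_attr(directory, domain_dn, "maxPwdAge")
    pso_dn = ldap_read_attr(directory, user_dn, "msDS-ResultantPSO")
    if pso_dn:
        pso_age = ldap_read_attr(directory, pso_dn, "msDS-MaximumPasswordAge")
        if pso_age is not None:        # unreadable PSO: keep the domain value
            maxpwdage = pso_age
    return int(maxpwdage)

def password_expiry_unix(pwdlastset, maxpwdage):
    """Unix time at which the password expires; None if it never expires."""
    if maxpwdage == NEVER_EXPIRES:
        return None
    pwdlastset = int(pwdlastset)
    if pwdlastset == 0:                # AD: must change password at next logon
        return 0
    last_set_unix = pwdlastset // 10_000_000 - FILETIME_EPOCH_OFFSET
    return last_set_unix + (-maxpwdage) // 10_000_000

def expiry_for_user(directory, domain_dn, user_dn):
    """Combine both steps for one user, as ldap_get_ad_pwdexpire() would."""
    age = resolve_max_pwd_age(directory, domain_dn, user_dn)
    return password_expiry_unix(ldap_read_attr(directory, user_dn, "pwdLastSet"), age)
```

      Alice (in the PSO's group) gets the 90-day age while Bob falls back to the 42-day domain age, which is exactly the difference the reporter's Moodle tests failed to observe before the patch.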
      


      Dates

      • Fix Release Date: 23/May/16