Details
Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.7.9, 3.1
Fix Version/s: 3.1
Component/s: Authentication
Affected Branches: MOODLE_27_STABLE, MOODLE_31_STABLE
Fixed Branches: MOODLE_31_STABLE
Pull Master Branch: MDL-52387-master
Description
Our school recently switched to FGPP to give our Faculty/Staff different password requirements than our students. Unfortunately Moodle only seems to look at the domain-level password expiration information.
Following this tutorial I created a PSO and attached it to a security group:
http://blogs.technet.com/b/canitpro/archive/2013/05/30/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad.aspx
I added a test user to this group. When trying to log into a domain desktop, it immediately required that the password be changed, meaning the PSO was active and working as expected. So I moved on to Moodle.
1) Login to Moodle as Admin
2) Go to Plugins -> Authentication -> LDAP
3) Turn off Grace Logins
4) Make sure Password Expiration is set to LDAP
5) Leave warning set to 10
6) Save changes if any were made
7) Log out
8) Try to log back in with the test user
9) Logs in with no issues. Password expiration is not caught.
10) Log out
11) Log in with known user whose password has expired according to domain expiration age
12) Password Expiration notice triggers.
I'm not a programmer, but I think it's possible to add PSO checking without altering the code too much.
After grabbing the Domain Maximum Password Age ($maxpwdage), you just have to check whether the msDS-ResultantPSO attribute is set for the user. If it is, it will return the DN of the PSO object; if not, it returns null.
If the DN was returned, use it to grab the attribute msDS-MaximumPasswordAge. If this returns a valid value, set $maxpwdage to this new value.
From there no other code needs to change as all other current checks are suitable.
Here is the code I've added to the auth.php file inside the ldap_get_ad_pwdexpire() function. This is placed directly beneath the section that originally sets $maxpwdage equal to the domain's MaxPwdAge attribute.
All tests so far have worked as I have anticipated them to. Different FGPP PSOs applied to different users with different time outs have all responded as expected when expiration is coming up and when the password has expired.
    // Check whether a Fine-Grained Password Policy (PSO) applies to this user.
    // msDS-ResultantPSO holds the DN of the effective PSO, and is absent when
    // only the domain policy applies.
    $sr = ldap_read($ldapconn, $user_dn, '(objectClass=*)', array('msDS-ResultantPSO'));
    if ($sr !== false) {
        $entry = ldap_get_entries_moodle($ldapconn, $sr);
        $info = !empty($entry[0]) ? array_change_key_case($entry[0], CASE_LOWER) : array();
        $userpso = isset($info['msds-resultantpso'][0]) ? $info['msds-resultantpso'][0] : '';

        // If a PSO exists, FGPP is being utilized. Grab the new maxpwdage from
        // the msDS-MaximumPasswordAge attribute of the PSO (same negative
        // 100-nanosecond-interval format as the domain's maxPwdAge).
        if (!empty($userpso)) {
            $sr = ldap_read($ldapconn, $userpso, '(objectClass=*)', array('msDS-MaximumPasswordAge'));
            if ($sr !== false) {
                $entry = ldap_get_entries_moodle($ldapconn, $sr);
                $info = !empty($entry[0]) ? array_change_key_case($entry[0], CASE_LOWER) : array();
                // Only override the domain value when the PSO actually carries one.
                if (!empty($info['msds-maximumpasswordage'][0])) {
                    $maxpwdage = $info['msds-maximumpasswordage'][0];
                }
            }
        }
    }
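The same policy resolution as a stand-alone illustration, added here and not taken from the patch or from Moodle: a constructed in-memory directory stands in for the two LDAP reads, and AD's FILETIME and 100-nanosecond-interval encodings are assumed as noted in the comments.

```python
# Added example, not Moodle code: pick the effective AD maximum password age for
# a user (domain maxPwdAge, or the PSO named by msDS-ResultantPSO when one is
# applied) and turn pwdLastSet plus that age into an expiry time. AD encodings
# assumed: the age attributes are negative counts of 100-nanosecond intervals
# (-2**63 = never expires); pwdLastSet is a FILETIME (100-ns intervals since
# 1601-01-01 UTC, 0 = must change at next logon).
NEVER_EXPIRES = -(2 ** 63)
EPOCH_DIFF_SECS = 11644473600    # seconds from 1601-01-01 to 1970-01-01

DOMAIN_DN = "DC=example,DC=local"
STAFF_PSO = "CN=Staff-PSO,CN=Password Settings Container,CN=System," + DOMAIN_DN
ALICE = "CN=alice,OU=Staff," + DOMAIN_DN      # staff member, PSO applies
BOB = "CN=bob,OU=Students," + DOMAIN_DN       # student, domain policy only

# Constructed stand-in for the ldap_read() calls: DN -> lower-cased attribute
# name -> list of string values, the shape the PHP patch above indexes into.
DIRECTORY = {
    DOMAIN_DN: {"maxpwdage": ["-36288000000000"]},                # 42 days
    STAFF_PSO: {"msds-maximumpasswordage": ["-7776000000000"]},   # 9 days
    ALICE: {"msds-resultantpso": [STAFF_PSO]},
    BOB: {},
}

def ldap_attr(dn, attr):
    """First value of attr on dn, or None when the attribute is absent."""
    values = DIRECTORY.get(dn, {}).get(attr.lower())
    return values[0] if values else None

def effective_max_pwd_age(domain_dn, user_dn):
    """Domain maxPwdAge unless the user's resultant PSO carries its own value."""
    maxpwdage = int(ldap_attr(domain_dn, "maxPwdAge"))
    pso_dn = ldap_attr(user_dn, "msDS-ResultantPSO")
    if pso_dn:
        pso_age = ldap_attr(pso_dn, "msDS-MaximumPasswordAge")
        if pso_age:                    # override only with a real value
            maxpwdage = int(pso_age)
    return maxpwdage

def password_expiry(pwdlastset, maxpwdage):
    """Unix time the password expires; 0 = must change now; None = never."""
    if pwdlastset == 0:
        return 0
    if maxpwdage == NEVER_EXPIRES or maxpwdage >= 0:
        return None                    # no usable age limit
    expire_filetime = pwdlastset - maxpwdage   # age is negative, so this adds
    return expire_filetime // 10_000_000 - EPOCH_DIFF_SECS

def pwd_status(expiry, now, warn_days=10):
    """'expired', 'warn' (within warn_days of expiry) or 'ok'."""
    if expiry is None or expiry - now > warn_days * 86400:
        return "ok"
    return "expired" if expiry <= now else "warn"
```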