
LDAP authentication stuck in forced password change loop


Details

    • MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
    • MOODLE_31_STABLE, MOODLE_32_STABLE
    • MDL-58556-master

      For a user with manual authentication, expire their password:

      • Enable password expiry here: /admin/settings.php?section=authsettingmanual
      • Let the user change their password so that the time of the most recent password change is recorded.
      • Use this SQL to speed up expiration: UPDATE mdl_user_preference SET value = <timestamp in deep past> WHERE name = 'auth_manual_passwordupdatetime' AND userid = <userid>;

      Log out and log in again. Verify you are prompted to change your password.

      Try to cancel the password change, or go directly to any other page in Moodle. Verify you are sent back to the password change form and cannot continue until you change your password.

      Install and enable the PHP LDAP module.
      Enable the LDAP server authentication method.
      Set the LDAP host to localhost.
      Set changepasswordurl to http://www.google.com
      Set auth_ldap | expiration to LDAP.
      Change a user's authentication method to LDAP server authentication.

      Hack the LDAP auth plugin a bit to make testing easier
      (all changes in this file: auth/ldap/auth.php):
      1. add "return true;" as the first line in user_login()
      2. add "return ['username' => $username];" as the first line in get_userinfo()

      Verify you can log in as this user using any password (hack confirmed!).

      Add "return -5;" as the first line in password_expire().
      Log in as that LDAP user again.
      Verify you are told your password has expired.
      Verify clicking cancel takes you to the login page again.
      Log in as that LDAP user again.
      Verify you are told your password has expired.
      Verify that manually typing a Moodle URL sends you back to the login page.

      Log in as that LDAP user again.
      Verify you are told your password has expired.
      Verify clicking continue takes you to www.google.com (which will show an error about the POST being invalid).

      Log in as admin and reset changepasswordurl to empty.
      Set the "Use standard page for changing password" setting to "Yes".

      Log out and log in as that LDAP user again.
      Verify you are told your password has expired.
      Verify clicking continue takes you to the change password page.


    Description

      The change made in MDL-53044 introduced a bug where a user is perpetually redirected to change their password. This appears to be because the forcepasswordchange flag is set in login/index.php when an LDAP password has expired.

      index 45845cb..f40ee12 100644 (file)
      --- a/login/index.php
      +++ b/login/index.php
      @@ -233,6 +233,7 @@ if ($frm and isset($frm->username)) {                             // Login WITH
                       echo $OUTPUT->footer();
                       exit;
                   } elseif (intval($days2expire) < 0 ) {
      +                set_user_preference('auth_forcepasswordchange', 1, $USER);
                       echo $OUTPUT->header();
                       echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);
                       echo $OUTPUT->footer();
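      Review bot: the added `set_user_preference('auth_forcepasswordchange', 1, $USER);` in the `intval($days2expire) < 0` branch has no counterpart that clears the preference, so once set it persists across later logins even after the LDAP password has been changed outside Moodle and `password_expire()` no longer returns a negative value. Because this branch sends the user to `$passwordchangeurl` (for LDAP often an external site) rather than through Moodle's own change-password flow, nothing in this hunk ever unsets the flag; suggest clearing the preference when `$days2expire` is no longer negative, or not setting it at all when the password is changed outside Moodle.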

      If a user updates their expired LDAP password outside Moodle, there does not appear to be a corresponding unset of the forcepasswordchange flag once the password is no longer expired.
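      The redirect loop described above, and the "return -5;" hack from the testing instructions, can be modelled in a few lines. This is an added example, not Moodle code: the preference store, the LDAP plugin (`LdapPluginStub`) and the page names are stand-ins, and the `fix_applied` branch is one hypothetical remedy (clear the flag once the plugin reports the password as valid), not the upstream patch. The `stuck_users` check is an added administrative query over the model showing how a defender would spot accounts carrying a stale flag.

```python
from dataclasses import dataclass, field

FORCE_PREF = "auth_forcepasswordchange"  # preference name taken from the patch


@dataclass
class User:
    """Stand-in for a Moodle user plus its user_preference rows (constructed)."""
    username: str
    prefs: dict = field(default_factory=dict)


@dataclass
class LdapPluginStub:
    """Stand-in for auth/ldap/auth.php (assumption, not the real plugin).

    password_expire() returns the number of days until the password expires;
    a negative value means it has already expired, which is what the testing
    instructions' "return -5;" hack forces.
    """
    days_until_expiry: int

    def password_expire(self, username: str) -> int:
        return self.days_until_expiry


def login(user: User, plugin: LdapPluginStub, fix_applied: bool) -> str:
    """Return the page the user lands on after a successful authentication."""
    days2expire = plugin.password_expire(user.username)
    if days2expire < 0:
        # branch from the patch: flag set, expiry confirm page shown
        user.prefs[FORCE_PREF] = 1
        return "password-expired-confirm"
    if fix_applied:
        # hypothetical remedy: clear the flag once the password is valid again
        user.prefs.pop(FORCE_PREF, None)
    # elsewhere in Moodle a set flag redirects every page load to change_password
    if user.prefs.get(FORCE_PREF):
        return "change-password-redirect"
    return "home"


def simulate(fix_applied: bool, later_logins: int = 3) -> list:
    """Expired login, then an out-of-band password change, then more logins."""
    user = User("ldapuser")
    plugin = LdapPluginStub(days_until_expiry=-5)   # expired, as in the test hack
    pages = [login(user, plugin, fix_applied)]
    plugin.days_until_expiry = 30                    # password changed outside Moodle
    for _ in range(later_logins):
        pages.append(login(user, plugin, fix_applied))
    return pages


def stuck_users(users, plugin: LdapPluginStub) -> list:
    """Admin check: users carrying the force-change flag although the auth
    plugin no longer reports their password as expired."""
    return [u.username for u in users
            if u.prefs.get(FORCE_PREF) and plugin.password_expire(u.username) >= 0]


if __name__ == "__main__":
    print("buggy:", simulate(False))   # confirm page, then endless redirects
    print("fixed:", simulate(True))    # confirm page, then home
```

      Without the remedy the user sees the expiry confirm page once and is then redirected on every later login despite the plugin reporting 30 days until expiry; with it, the second login lands on the home page.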



            People

              damyon Damyon Wiese
              weixish Eric Bjella
              David Monllaó David Monllaó
              Dan Poltawski Dan Poltawski
              David Mudrák (@mudrd8mz) David Mudrák (@mudrd8mz)
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes: 4
              Watchers: 9

              Dates

                Resolved:
                8/May/17