[MDL-58556] LDAP authentication stuck in forced password change loop - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.1.5, 3.2.2, 3.3
Fix Version/s: 3.1.6, 3.2.3
Component/s: Authentication
Labels:
- ci
- regression
- release_notes
- triaged

Affected Branches:
MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
Fixed Branches:
MOODLE_31_STABLE, MOODLE_32_STABLE
Pull from Repository:
git://github.com/damyon/moodle.git
Pull Master Branch:
~~MDL-58556~~-master
Pull Master Diff URL:
https://github.com/damyon/moodle/compare/6d14355ce8...MDL-58556-master
Testing Instructions:
Hide

For a user with manual authentication - expire their password

Enable password expiry here /admin/settings.php?section=authsettingmanual

Let the user change their password so that the time of the recent password change is recorded.

Use this SQL to speed up expiration: UPDATE mdl_user_preference SET value = <timestamp in deep past> WHERE name = 'auth_manual_passwordupdatetime' AND userid = <userid>;

Log out and login again - verify you are prompted to change your password.

Try and cancel the password change or go direct to any other page in moodle. Verify you are sent back to the password change form and cannot continue until you change your password.

Install and enable php mod ldap
Enable the ldap server authentication method.
Set the ldap host to localhost
Set the changepasswordurl to http://www.google.com
Set auth_ldap | expiration to LDAP
Change a users authentication method to ldap server authentication.

Hack the ldap auth plugin a bit to make testing easier:
(all changes in this file: auth/ldap/auth.php)
1. add "return true;" as the first line in user_login()
2. add "return ['username' => $username];" as the first line in get_userinfo()

Verify you can login as this user using any password (hack confirmed!).

Add "return -5;" as the first line in password_expire()
Login as that ldap user again.
Verify you are told your password has expired.
Verify clicking cancel takes you to the login page again.
Login as that ldap user again.
Verify you are told your password has expired.
Verify manually typing a moodle url will send you back to the login page.

Login as that ldap user again.
Verify you are told your password has expired.
Verify clicking on continue will take you to www.google.com (which will show an error about POST being invalid).

Login as admin and reset the changepasswordurl to empty
Set the "Use standard page for changing password" setting to "Yes"

Logout and login as that ldap user again
Verify you are told your password has expired.
Verify clicking on continue will take you to the change password page
Show
For a user with manual authentication - expire their password Enable password expiry here /admin/settings.php?section=authsettingmanual Let the user change their password so that the time of the recent password change is recorded. Use this SQL to speed up expiration: UPDATE mdl_user_preference SET value = <timestamp in deep past> WHERE name = 'auth_manual_passwordupdatetime' AND userid = <userid>; Log out and login again - verify you are prompted to change your password. Try and cancel the password change or go direct to any other page in moodle. Verify you are sent back to the password change form and cannot continue until you change your password. Install and enable php mod ldap Enable the ldap server authentication method. Set the ldap host to localhost Set the changepasswordurl to http://www.google.com Set auth_ldap | expiration to LDAP Change a users authentication method to ldap server authentication. Hack the ldap auth plugin a bit to make testing easier: (all changes in this file: auth/ldap/auth.php) 1. add "return true;" as the first line in user_login() 2. add "return ['username' => $username] ;" as the first line in get_userinfo() Verify you can login as this user using any password (hack confirmed!). Add "return -5;" as the first line in password_expire() Login as that ldap user again. Verify you are told your password has expired. Verify clicking cancel takes you to the login page again. Login as that ldap user again. Verify you are told your password has expired. Verify manually typing a moodle url will send you back to the login page. Login as that ldap user again. Verify you are told your password has expired. Verify clicking on continue will take you to www.google.com (which will show an error about POST being invalid). Login as admin and reset the changepasswordurl to empty Set the "Use standard page for changing password" setting to "Yes" Logout and login as that ldap user again Verify you are told your password has expired. Verify clicking on continue will take you to the change password page

Description

The code introduced in ~~MDL-53044~~ has introduced a bug where a user is perpetually redirected to change their password. This appears to be due to the forcepasswordchange flag getting set in login/index.php when an LDAP password is expired.

index 45845cb..f40ee12 100644 (file)

--- a/login/index.php

+++ b/login/index.php

@@ -233,6 +233,7 @@ if ($frm and isset($frm->username)) {                             // Login WITH

                 echo $OUTPUT->footer();

                 exit;

             } elseif (intval($days2expire) < 0 ) {

+                set_user_preference('auth_forcepasswordchange', 1, $USER);

                 echo $OUTPUT->header();

                 echo $OUTPUT->confirm(get_string('auth_passwordisexpired', 'auth'), $passwordchangeurl, $urltogo);

                 echo $OUTPUT->footer();

If a user updates their expired LDAP password (away from Moodle), there does not appear to be a corresponding unset of the forcepasswordchange flag when the password is no longer expired.

Attachments

Issue Links

is a regression caused by

MDL-53044 Manual account auth users able to log in with expired password

Closed

Activity

People

Assignee:: Damyon Wiese

Reporter:: Eric Bjella

Peer reviewer:: David Monllaó

Integrator:: Dan Poltawski

Tester:: David Mudrák (@mudrd8mz)

Participants:: Barbara Lawrence, Bob Martens, CiBoT, Damyon Wiese, Dan Poltawski, David Monllaó, David Mudrák (@mudrd8mz), David Penner, Eric Bjella, John Okely, Mark Nelson

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 4 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 11/Apr/17 8:45 AM

Updated:: 08/Jun/21 9:51 PM

Resolved:: 27/Apr/17 1:19 AM

Fix Release Date:: 8/May/17