MDL-65286: LDAP ignoring "User must change password on next login" if "password never expires" is set in Active Directory

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.4.6, 3.5.5, 3.6.3
    • Fix Version/s: None
    • Component/s: Authentication
    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE

Description

In Active Directory, it is possible for a user to have the "User must change password on next login" flag set, even if the "password never expires" flag is set. Typically this would be seen if a user forgot their password and an administrator changed it for them, manually setting the "User must change password on next login" flag.

Moodle's code, however, short-circuits the check for the "User must change password on next login" flag of pwdLastSet === 0 (https://github.com/moodle/moodle/blob/master/auth/ldap/auth.php#L1832) by checking first to see if the "password never expires" flag is set (https://github.com/moodle/moodle/blob/master/auth/ldap/auth.php#L1824). If it is, the code immediately exits and the user can log in with their "temporary password".

I believe the pwdLastSet === 0 check needs to be moved above any checks for UF_DONT_EXPIRE_PASSWD (https://github.com/moodle/moodle/blob/master/auth/ldap/auth.php#L1810) to make sure this works as expected.
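The ordering problem described in the report, as an added PHP illustration that is not Moodle's own code: both orderings of the two Active Directory checks are run over constructed sample attribute values (the 90-day maxPwdAge, the NORMAL_ACCOUNT bit 0x0200 and the sample pwdLastSet values are assumptions, not taken from the issue).

```php
<?php
// Added illustration, not Moodle's code: the two AD checks from the report,
// first in the order the report describes, then in the order it proposes.

const UF_DONT_EXPIRE_PASSWD = 0x10000;   // ADS_UF_DONT_EXPIRE_PASSWD bit of userAccountControl
const AD_EPOCH_OFFSET = 11644473600;      // seconds from 1601-01-01 to 1970-01-01

// pwdLastSet is a count of 100 ns intervals since 1601-01-01; convert to Unix time.
function ad_filetime_to_unix(int $filetime): int {
    return intdiv($filetime, 10000000) - AD_EPOCH_OFFSET;
}

// Current ordering (as the report describes it): "never expires" is tested first,
// so pwdLastSet === 0 on such an account is never examined.
// Return values: 0 = never expires, -1 = must change now, otherwise expiry as Unix time.
function expiry_current(int $pwdlastset, int $uac, int $maxpwdage): int {
    if ($uac & UF_DONT_EXPIRE_PASSWD) {
        return 0;
    }
    if ($pwdlastset === 0) {
        return -1;
    }
    return ad_filetime_to_unix($pwdlastset) + $maxpwdage;
}

// Proposed ordering: pwdLastSet === 0 is tested before UF_DONT_EXPIRE_PASSWD,
// so an administrator-forced reset is honoured on a "never expires" account too.
function expiry_proposed(int $pwdlastset, int $uac, int $maxpwdage): int {
    if ($pwdlastset === 0) {
        return -1;
    }
    if ($uac & UF_DONT_EXPIRE_PASSWD) {
        return 0;
    }
    return ad_filetime_to_unix($pwdlastset) + $maxpwdage;
}

// Constructed sample attributes (assumed values, not from a real directory).
// AD stores pwdLastSet = 0 when "User must change password at next logon" is set.
$maxpwdage = 90 * 86400;                       // assumed domain maxPwdAge of 90 days
$normal    = 0x0200;                           // NORMAL_ACCOUNT
$cases = [
    'never-expires account, password reset by admin' => [0, $normal | UF_DONT_EXPIRE_PASSWD],
    'never-expires account, password set 2019-01-01' => [131907744000000000, $normal | UF_DONT_EXPIRE_PASSWD],
    'normal account, password reset by admin'        => [0, $normal],
    'normal account, password set 2019-01-01'        => [131907744000000000, $normal],
];
foreach ($cases as $label => [$pwdlastset, $uac]) {
    printf("%-48s current=%d proposed=%d\n", $label,
        expiry_current($pwdlastset, $uac, $maxpwdage),
        expiry_proposed($pwdlastset, $uac, $maxpwdage));
}
```

Only the first case (an admin-forced reset on a "never expires" account) yields different results under the two orderings; the other three are unaffected by moving the pwdLastSet check.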

People

• Assignee: Unassigned
• Reporter: Jesse Safran (jesse.safran)
• Component watchers: Jake Dallimore, Jun Pataleta, Ryan Wyllie
• Votes: 3
• Watchers: 3
