MDL-65286: LDAP ignoring "User must change password on next login" if "password never expires" is set in Active Directory


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.4.6, 3.5.5, 3.6.3
    • Fix Version/s: None
    • Component/s: Authentication
    • Affected Branches: MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE

      Description

      In Active Directory, it is possible for a user to have the "User must change password on next login" flag set, even if the "password never expires" flag is set. Typically this would be seen if a user forgot their password and an administrator changed it for them, manually setting the "User must change password on next login" flag.

      Moodle's code, however, short circuits the check for the "User must change password on next login" flag of pwdLastSet === 0 (https://github.com/moodle/moodle/blob/master/auth/ldap/auth.php#L1832) by checking first to see if the "password never expires" flag is set (https://github.com/moodle/moodle/blob/master/auth/ldap/auth.php#L1824). If it is, the code immediately exits and the user can log in with their "temporary password".

      I believe the pwdLastSet === 0 check needs to be moved above any checks for UF_DONT_EXPIRE_PASSWD (https://github.com/moodle/moodle/blob/master/auth/ldap/auth.php#L1810) to make sure this works as expected.
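      The following is an added illustration of the ordering problem described above, written for this issue page; it is not Moodle's code. It models only the two checks the report talks about, using the real Active Directory semantics that bit 0x10000 (UF_DONT_EXPIRE_PASSWD) of userAccountControl means "password never expires" and that pwdLastSet = 0 means "user must change password at next logon" (PHP's LDAP functions return the attribute as a string, so the comparison is against '0'). The function names, return codes, and sample accounts are constructed for this example, and the age-based expiry calculation is left out.

```php
<?php
// Added illustration (not Moodle's code): a simplified model of the
// Active Directory password-expiry decision described in MDL-65286.
// Real AD semantics used here:
//   - userAccountControl bit 0x10000 (UF_DONT_EXPIRE_PASSWD): password never expires
//   - pwdLastSet = 0: user must change password at next logon
// Function names, return codes and sample accounts are constructed.

const UF_DONT_EXPIRE_PASSWD = 0x10000;
const UF_NORMAL_ACCOUNT     = 0x200;

// Return codes, constructed for this example.
const PWD_OK          = 0;   // no action required
const PWD_MUST_CHANGE = -1;  // user must change password before proceeding

/**
 * Ordering as described in the report: the never-expires flag is tested
 * first and returns immediately, so the forced-reset marker in pwdLastSet
 * is never examined when both are set.
 */
function pwd_state_flag_first(int $useraccountcontrol, string $pwdlastset): int {
    if ($useraccountcontrol & UF_DONT_EXPIRE_PASSWD) {
        return PWD_OK;             // exits before pwdLastSet is looked at
    }
    if ($pwdlastset === '0') {
        return PWD_MUST_CHANGE;
    }
    return PWD_OK;                 // age-based expiry calculation omitted
}

/**
 * Ordering proposed in the report: test the forced-reset marker before
 * honouring "password never expires", so an administrator-forced reset
 * is enforced regardless of the account's expiry policy.
 */
function pwd_state_reset_first(int $useraccountcontrol, string $pwdlastset): int {
    if ($pwdlastset === '0') {
        return PWD_MUST_CHANGE;    // forced reset takes precedence
    }
    if ($useraccountcontrol & UF_DONT_EXPIRE_PASSWD) {
        return PWD_OK;             // no expiry policy applies
    }
    return PWD_OK;                 // age-based expiry calculation omitted
}

// Constructed sample accounts, as the attributes would be read back from
// LDAP (pwdLastSet values other than '0' are arbitrary FILETIME strings).
$accounts = [
    'normal user, no reset'              => [UF_NORMAL_ACCOUNT,                         '131908924000000000'],
    'never expires, no reset'            => [UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, '131908924000000000'],
    'never expires + admin forced reset' => [UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, '0'],
    'reset only'                         => [UF_NORMAL_ACCOUNT,                         '0'],
];

foreach ($accounts as $label => [$uac, $pwdlastset]) {
    printf("%-36s flag-first: %2d   reset-first: %2d\n",
        $label,
        pwd_state_flag_first($uac, $pwdlastset),
        pwd_state_reset_first($uac, $pwdlastset));
}
```

      The third sample account is the scenario from this issue: with the never-expires flag checked first the function returns PWD_OK and the temporary password is accepted as a normal login, whereas checking pwdLastSet first returns PWD_MUST_CHANGE, so the forced reset is enforced. The other three rows give the same result under both orderings, which is the property a fix should preserve.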


            People

            Assignee: Unassigned
            Reporter: Jesse Safran (jesse.safran)
            Component watchers: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes: 4
            Watchers: 4
