LDAP account set up should not require internal password to be set

Bug #1818901 reported by Kristina Hoeppner on 2019-03-06
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mahara
Status tracked in 19.10
19.04
High
Unassigned
19.10
High
Unassigned

Bug Description

Reported at https://mahara.org/interaction/forum/topic.php?id=7827&offset=0&limit=10#post33568

When an LDAP user tries to log in via Mahara Mobile, they can't as Mahara requires an internal Mahara password to be set even though it will then be ignored as LDAP is used (see error message below).

When LDAP accounts are set up, they should not require an internal Mahara password as it will be ignored since LDAP is going to be used.

Report:

My environment:
 Mahara 18.10
 mobile app 1.4.1

1. Authentication plugin
 The institution has LDAP authentication plugin and Internal auth.

2. Add user from
a user is added by admin from "Adimn menu" -> Users -> Add user

The password can be anythin here, because users use LDAP password on login time.

3. Login
Though the new user can login from Web interface, hi can not login by mobile app. At this time, I found server logs below.

----
AH01071: Got error 'PHP message: [WAR] 38
(snip)
WebserviceException->__construct("passwordchangerequired", "The user needs to reset their password. They must ...", 403) at /path/to/mahara/module/mobileapi/json/token.php:121\nPHP message: \nPHP message: [WAR] 38 (module/mobileapi/json/token.php:118) passwordchangerequired : The user needs to reset their password. They must log in to the site through a web browser to do this.\nPHP message: Call stack (most recent first):\nPHP message: * log_message("passwordchangerequired : (snip)
----

Though the mobile app does not show error messeges, Mahara server seems to be requesting user to change password.

3. change password
By admin, change authentication plugin from LDAP to Internal, and change password once. the password can be anythin. The password has to be change once. Then return authentication plugin from Internal to LDAP.

4. Login from mobile app
We can login from mobile app.

5. Othre solution
Admin can add user by CSV "Adimn menu" -> Users -> "Add user by CSV". At that time, Turn off the option "Force password change" option. Then users do not be required to chage password at first login, so mobile app can login.

Robert Lyon (robertl-9) wrote :

This is also a problem with user created with SAML external auth as well - we shouldn't set the passwordchange flag for these users

Robert Lyon (robertl-9) wrote :

Hmm, the LDAP auth doesn't set the 'passwordchange' flag at all - so I think the LDAP problem stems from the following:

1) User in Mahara had 'internal' auth as primary auth source and LDAP as secondary
2) On upgrade for step at 2018031900 we added new password policy where we set the 'passwordchange' flag for all users that had 'internal' as primary auth

So now users are prompted to change their password

Whereas SAML / XMLRPC do set the 'passwordchange' flag on user creation when they don't need to
- so I fix up for those first

Reviewed: https://reviews.mahara.org/10012
Committed: https://git.mahara.org/mahara/mahara/commit/6fd8ebb5a5741b8c842d8eea6f800eacdb963e27
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit 6fd8ebb5a5741b8c842d8eea6f800eacdb963e27
Author: Robert Lyon <email address hidden>
Date: Wed May 15 08:46:36 2019 +1200

Bug 1818901: User creation via SAML / XMLRPC not set passwordchange

As we shouldn't prompt user to change it if the SSO in and we have a
process if they switch from external to internal auth

Also update the DB for users on external auth and set their
passwordchange to 0

behatnotneeded

Change-Id: I79676b0502620128f873e7fb2f97644c30798cfe
Signed-off-by: Robert Lyon <email address hidden>

Reviewed: https://reviews.mahara.org/10196
Committed: https://git.mahara.org/mahara/mahara/commit/c8dea746c6e707209f3e17fbfd2315d447961a3e
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: 19.04_STABLE

commit c8dea746c6e707209f3e17fbfd2315d447961a3e
Author: Robert Lyon <email address hidden>
Date: Wed May 15 08:46:36 2019 +1200

Bug 1818901: User creation via SAML / XMLRPC not set passwordchange

As we shouldn't prompt user to change it if the SSO in and we have a
process if they switch from external to internal auth

Also update the DB for users on external auth and set their
passwordchange to 0

behatnotneeded

Change-Id: I79676b0502620128f873e7fb2f97644c30798cfe
Signed-off-by: Robert Lyon <email address hidden>

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers