Project

General

Profile

Actions
Copy link

Feature #18934

closed

Support LDAP Password Changing

Added by Chris Bush almost 10 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
LDAP
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Duplicate

Description

It would be swell if Redmine supported changing LDAP/AD passwords from the UI, especially in the case of passwords that have expired where the user has no way to change it otherwise. I've done some preliminary modifications of account_controller.rb and user.rb to detect when a user's password must be changed, which I can attach as a patch if it's helpful.

Related issues

Has duplicate Redmine - Defect #19165: LDAP managment with REDMINE - Password expiredClosed

Actions
Is duplicate of Redmine - Patch #5690: Change LDAP passwordNew2010-06-15

Actions
Actions
Copy link
 #1

Updated by Toshi MARUYAMA almost 10 years ago

  • Category changed from Accounts / authentication to LDAP
Actions
Copy link
 #2

Updated by Jean-Philippe Lang over 9 years ago

  • Has duplicate Defect #19165: LDAP managment with REDMINE - Password expired added
Actions
Copy link
 #3

Updated by Sébastien ZAJAC over 9 years ago

Hello

Could you attach the patched file?

Actions
Copy link
 #4

Updated by Toshi MARUYAMA over 9 years ago

  • Priority changed from High to Normal
Actions
Copy link
 #5

Updated by Chris Bush over 9 years ago

Unfortunately my fix worked for detecting an expired password, but I couldn't get the actual change working in a secure manner. The issue lies in the fact that the LDAP implementation won't allow a bind for an expired account, and so you can't bind the user to change their password. The authentication flag that gets returned for an expired password appears to be the same as what you get for an authentication failure, which means you can't authenticate the user to change their password. It would be a security issue to just blindly change the password using the LDAP admin username/password. I can still attach the patch file if you want, but I think the issue lies in net-ldap.

Actions
Copy link
 #6

Updated by Olivier Houdas over 9 years ago

One of our users came across this issue (could not login to Redmine, because his password had expired after his morning login to the network), so I looked at this issue.

It would still be interesting to inform the user properly that his/her password has expired. He can then simply change it on his computer.

However, LDAP programmers advise to use the pwdLastReset and pwdMaxAge attributes (domain level) to calculate whether a password has expired or not.
Unfortunately, it seems that there is no official naming rule, and that it would be pwdMaxAge with Oracle products, and maxPwdAge with Microsoft's Active directory.

Would your patch work for all LDAP providers? Maybe it would still be interesting to use it if so.

Actions
Copy link
 #7

Updated by Fernando Hartmann about 9 years ago

+1
Related to #5690 ?

Actions
Copy link
 #8

Updated by Toshi MARUYAMA almost 9 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Fernando Hartmann wrote:

+1
Related to #5690 ?

Thank you for your pointing out.

Actions
Copy link
 #9

Updated by Toshi MARUYAMA almost 9 years ago

  • Is duplicate of Patch #5690: Change LDAP password added
Actions
Copy link

Also available in: Atom PDF