Closed (fixed)
Project:
LDAP integration
Version:
5.x-1.2
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
9 May 2007 at 20:34 UTC
Updated:
6 Aug 2011 at 19:00 UTC
I just upgraded to 5.x-1.2 from HEAD (3/8/2007), and it looks like the ldap integration module is still writing the hashed password into the drupal users table when users first log on. I can manually delete the password hash, and on subsequent logins, the password doesn't get stored again. I thought this has been fixed already. Or, did I misconfigure my ldap module? Thanks for any info.
Comments
Comment #1
kreaper commentedjs1
We knocked around this one for a while but I do not believe the fix actually went in. The one patch I recall seeing had additional functionality in it I did not want to mess with at the time. if there is a patch that will address this, I'll take a look and see if I can commit them to 5.x-1.2 and HEAD
Comment #2
js1 commentedMy bad... I think I see what's going on. On lines 949 to 952 of ldapauth.module:
It looks like the password that's stored in Drupal's users table is actually just a random hash, not the actual ldap password. IIRC, the previous bug report, http://drupal.org/node/68644, the patch supplied actually left the password field completely blank in Drupal's users database. So, when I saw the hash, I just got confused. Perhaps in the next release, the password field can remain blank?
Comment #3
kreaper commentedI do not see a reason why it should not be a blank string. Others ?
Comment #4
kreaper commentedchange made in HEAD. needs testing
Comment #5
johnbarclay commentedClosing 5.x issues to clean out issue queue.