ldap module storing password hash
js1 - May 9, 2007 - 20:34
| Project: | LDAP integration |
| Version: | 5.x-1.2 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | kreaper |
| Status: | postponed (maintainer needs more info) |
Description
I just upgraded to 5.x-1.2 from HEAD (3/8/2007), and it looks like the LDAP integration module is still writing the hashed password into the Drupal users table when users first log on. I can manually delete the password hash, and on subsequent logins, the password doesn't get stored again. I thought this had been fixed already. Or did I misconfigure my LDAP module? Thanks for any info.

#1
js1
We knocked around this one for a while, but I do not believe the fix actually went in. The one patch I recall seeing had additional functionality in it that I did not want to mess with at the time. If there is a patch that will address this, I'll take a look and see if I can commit it to 5.x-1.2 and HEAD.
#2
My bad... I think I see what's going on. On lines 949 to 952 of ldapauth.module:
    if (variable_get('ldap_forget_passwords', true)) {
      // generate a random generic password using drupal api
      $pass = user_password(20);
    }
It looks like the password that's stored in Drupal's users table is actually just a random hash, not the actual LDAP password. IIRC, in the previous bug report, http://drupal.org/node/68644, the patch supplied actually left the password field completely blank in Drupal's users database. So, when I saw the hash, I just got confused. Perhaps in the next release, the password field can remain blank?
#3
I do not see a reason why it should not be a blank string. Others?
#4
Change made in HEAD. Needs testing.