Not sure if this belongs here at LDAP Integration or as a bug report for Drupal Access Control, I will post on the Drupal forum as well.
With a fresh new installation of Drupal 5.2 running on an Ubuntu LAMP Server, I downloaded the first and most important module, LDAP Integration. I then proceeded to enable and configure it. I logged in with my Active Directory credentials and all was well. I then logged out and logged back in to the first administrative user account (I named 'admin'), and went the check to see if roles were mapped. They were, bravo! So, then off to the ldapgroups.conf.php file to enable the filter to reduce the amount of groups to those necessary. They I logged out and logged in as 'admin' to check to see if the filter was working. Filter works, another bravo! I then assigned a role I belong to administrative rights on the Drupal site and logged out as admin. Now, I logged in and out as the admin user a number of times during this process, and one time, I realized I had typed the password I use for my user name, not the admin user name, but I was taken to the admininstrative pages as the user 'admin'. I then logged out to double check, and sure enough, the wrong password was giving me admin's access and rights. I then attempted ANY keystrokes, and I was given access. So, anyone who knows the user name for the site can enter it in the user name field and anything in the password field and be given full control of the Drupal CMS. All other Active Directory users must use the correct password for their account, Drupal still locks people out who don't enter the correct password. But for the most important user, full access is granted to any random keystrokes as the password.
Suggestions??
Thanks

Comments

kpm’s picture

I just discovered that the Administer > Site Configuration > LDAP Integration > System Wide Options page is missing a few settings sections. 'Authentication mode' is there, which I have set to 'LDAP directory only', but 'Security options', 'Anonymous UI options', and 'LDAP UI options' are missing (or at least are not showing up with the default Garland theme).
I think I will download the LDAP Integration module again and reinstall...

kpm’s picture

I uninstalled LDAP Integration and then logged in as admin with the proper password, logged out, and then back in with an wrong password, and this time I was not permitted entry to the site. I then downloaded the LDAP Integration module again, installed, and all seems to be working fine now. So it will remain a mystery for now, but the admin password authentication was definetly broken somehow. Something to keep an eye on... And I will definetly miss-type passwords for applications now as part of the original install tests!

scafmac’s picture

Priority: Critical » Minor
Status: Active » Postponed (maintainer needs more info)

Cannot replicate... should close if no one else confirms

scafmac’s picture

Status: Postponed (maintainer needs more info) » Closed (fixed)