Since Drupal password hashes are just as secure as LDAP, it would be wise to sync the LDAP login into the Drupal users table. This way, other modules can authenticate via the Drupal hash, instead of having to patch to route the request through LDAP.
I have attached a patch that syncs the user password when the user successfully authenticates via LDAP.
| Comment | File | Size | Author |
|---|---|---|---|
| | ldap-sync-pass.patch | 912 bytes | joewang |
Comments
Comment #1
miglius commented: Well, it was a deliberate decision to set a random Drupal password because of security considerations. If the Drupal and LDAP passwords are in sync and the user is deleted from LDAP, he will still be able to log in to Drupal with his password, which is not desirable.
Comment #2
joewang commented: Could you at least make it an option for them to be in sync (as in a checkbox in the config)? Maybe for security, you can have another button that randomizes all LDAP user passwords.
Comment #3
miglius commented: Implemented as a configuration option for the "Mixed mode".
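
A toy model of the trade-off discussed in comments #1 to #3, added here as an illustration; it is not the module's code or the attached patch. It assumes "mixed mode" means LDAP is tried first with a fallback to the local users table; the class, the function names, the PBKDF2 stand-in hash and the sample account are all hypothetical.

```python
import hashlib, hmac, os, secrets

def _hash(password, salt):
    # PBKDF2 stands in for Drupal's own password hashing (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Site:
    """Toy 'mixed mode': try LDAP first, then fall back to the local users table."""
    def __init__(self, ldap_directory, sync_passwords):
        self.ldap = ldap_directory   # constructed stand-in for LDAP: {name: password}
        self.sync = sync_passwords   # models the configuration option from comment #3
        self.users = {}              # local table: {name: (salt, hash, from_ldap)}

    def _store(self, name, password, from_ldap):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), from_ldap)

    def login(self, name, password):
        ldap_pw = self.ldap.get(name)
        if ldap_pw is not None and hmac.compare_digest(ldap_pw.encode(), password.encode()):
            # Successful LDAP authentication: store the real password or a random one.
            local_pw = password if self.sync else secrets.token_urlsafe(32)
            self._store(name, local_pw, from_ldap=True)
            return "ldap"
        row = self.users.get(name)
        if row and hmac.compare_digest(row[1], _hash(password, row[0])):
            return "local"           # authenticated against the local hash only
        return None

    def randomize_ldap_passwords(self):
        # The "button" from comment #2: overwrite every LDAP-origin local hash.
        for name, (_, _, from_ldap) in list(self.users.items()):
            if from_ldap:
                self._store(name, secrets.token_urlsafe(32), from_ldap=True)

def login_after_ldap_removal(sync_passwords, randomize=False):
    directory = {"alice": "correct horse"}   # constructed sample account
    site = Site(directory, sync_passwords)
    assert site.login("alice", "correct horse") == "ldap"
    del directory["alice"]                   # the account is deleted from LDAP
    if randomize:
        site.randomize_ldap_passwords()
    return site.login("alice", "correct horse")
```

With sync enabled the removed account still authenticates through the local hash until the stored passwords are randomized; with the random-password default it does not.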
Comment #4
Anonymous (not verified) commented: Automatically closed -- issue fixed for two weeks with no activity.