In the authentication sub module, should we not replicate these two options that ldapauth has:
- Do not store users' passwords during sessions
- Sync LDAP password with the Drupal password
Obviously they are not desirable from a security point of view, but it's unclear whether the functionality is needed.
I can see the first one for cases where there is no service/machine account being used and the LDAP data, provisioning, etc. are running as the user who logs in.
The second option just seems like a bad idea all around.
Comments
Comment #1
retsamedoc commented:
Agreed on the 2nd issue. It seems that SOP for external authentication modules is to leave the pass field as NULL in the database.
Perhaps the first option could be encrypted and then stored in a server-side session variable, hidden from the user?