Currently, using ldap_integration from HEAD and the ADpassword patch, we can change an Active Directory (AD) user's password. However, the way it's accomplished, using an LDAP REPLACE operation, the password change is equivalent to an administrator changing a password on a user's behalf. When done this way, AD ignores the domain password policies such as: minimum password age, password history and password complexity.

While I'm sure this is fine for some use cases, I have one where this doesn't work. I'm building a Drupal application that allows AD domain users to change their own password and I need it to apply the same policies to passwords as if the user were changing his password on a Windows workstation. In terms of password complexity, I could indeed simply program the same policy in Drupal as in AD. However, I can't do that for password age and password history.

According to my research, in order for AD to enforce password policy when changing a password through LDAP (SSL-encrypted, of course), I need to send a transaction that combines DELETE and ADD operations on the "unicodePwd" attribute.

Here is a patch that modifies ldap_integration's password changing mechanism to satisfy this requirement:

  • It adds a "Current password" field on the user's edit profile page.
  • This new field is not displayed if the current user has "administer users" permission, allowing administrators to bypass password policies.
  • Because php's ldap module does not support multiple operations in one transaction [1] [2], it uses the "/usr/bin/ldapmodify" [3] shell command.
  • It requires the LDAP server to be specified as a URI, i.e. ldaps://dc01.example.com

This is a crappy patch for sure, and it shouldn't, by any means, be included in ldap_integration, at least in that shape, not least because it calls an external shell command to do its stuff..!

However, I'm sharing it anyway because I think others might have the same requirement as I do, and don't want to shell out money for a proprietary web application that does what Drupal can very well do.

As always, feel free to improve (or make less crappy)!

[1] http://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
[2] http://marc.info/?l=php-internals&m=109363327313899
[3] http://packages.debian.org/squeeze/ldap-utils
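The modify request the post describes (one LDAP modify carrying a DELETE of the old unicodePwd value and an ADD of the new one) is what ldapmodify reads as LDIF. The following added example, which is not part of the patch or of ldap_integration, builds that LDIF in Python and hands it to ldapmodify over an ldaps:// URI. The user DN, server name and passwords are constructed placeholders. AD expects each unicodePwd value as the password wrapped in double quotes and encoded as UTF-16LE, which in LDIF has to be written in base64 form.

```python
"""Build and submit an Active Directory self-service password change as a
single LDAP modify (delete old unicodePwd + add new unicodePwd), so that AD
applies password age, history and complexity policy instead of treating it
as an administrative reset. Added example; names below are placeholders."""
import base64
import subprocess


def encode_unicode_pwd(password: str) -> bytes:
    # AD requires the password in double quotes, encoded as UTF-16LE.
    return f'"{password}"'.encode("utf-16-le")


def ldif_value(attr: str, raw: bytes) -> str:
    # Binary values go into LDIF with a double colon and base64 encoding.
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def build_password_change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    # One "changetype: modify" record with two change operations separated by "-".
    # The delete carries the current password, which AD verifies before it
    # accepts the add; a REPLACE of unicodePwd would skip the policy checks.
    lines = [
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        ldif_value("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        ldif_value("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]
    return "\n".join(lines) + "\n"


def run_ldapmodify(ldif: str, uri: str, bind_dn: str, bind_password: str) -> subprocess.CompletedProcess:
    # ldaps:// is mandatory: AD refuses unicodePwd modifications over a
    # plaintext connection. The bind is a simple bind as the user themselves.
    return subprocess.run(
        ["ldapmodify", "-H", uri, "-x", "-D", bind_dn, "-w", bind_password],
        input=ldif,
        text=True,
        capture_output=True,
        check=False,
    )


if __name__ == "__main__":
    # Constructed placeholder values; replace with real DN, server and passwords.
    user_dn = "CN=Jane Doe,OU=Users,DC=example,DC=com"
    ldif = build_password_change_ldif(user_dn, "OldPassw0rd!", "NewPassw0rd!")
    print(ldif)
    result = run_ldapmodify(ldif, "ldaps://dc01.example.com", user_dn, "OldPassw0rd!")
    print(result.returncode, result.stderr.strip())
```

When the new password violates the domain policy, ldapmodify exits non-zero and AD reports a constraint violation on the unicodePwd attribute, which is exactly the enforcement the post is after. Passing the bind password with `-w` exposes it in the process list on a shared host; OpenLDAP's ldapmodify also accepts `-y passwordfile`, which reads it from a file instead.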


Comments

lavamind:

Attached patch: 4.12 KB

Removed a non-HEAD patch from this patch and made some tiny improvements.

lavamind:

Adjusted diff headers so Drush Make can apply the patch. Otherwise the same as #1.

johnbarclay:

Version: master » 6.x-1.x-dev
kenorb:

Status: Needs work » Closed (outdated)

Closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.