[Koha-bugs] [Bug 9165] Allow preventing passwords from being stored locally when using LDAP

bugzilla-daemon at bugs.koha-community.org
Thu Nov 27 14:03:21 CET 2014


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9165

--- Comment #14 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Just thought I ought to clarify the relation between the followup here and bugs
12831 and 8148.

Bug 8148 was added for security reasons and its sole goal was to prevent users
logging in with outdated LDAP passwords (Koha used to fall back on a local copy
of the password should LDAP auth fail for ANY reason, and as such would allow
for outdated passwords to still be used for login).

Bug 12831 was added as bug 8148 had the unintended side effect of disabling all
local-only accounts. Unfortunately it's proven difficult to distinguish between
LDAP failures due to incorrect passwords and any other LDAP failure for the
LDAP configuration where no anonymous search user is specified.

The followup here is designed to help alleviate the above issue by removing old
synced passwords upon an LDAP user's first login after the config preference is
changed.  It is by no means an instant fix, but it is the best I could come up
with.

Therefore:

Warning, switching this config option to prevent syncing of LDAP passwords to
local cache will not instantly take effect. If you wish to immediately benefit
from this added security, my advice would be to manually clear all existing
LDAP users' passwords from the database.
