06 November 2009, 3:44

Hey Folks,

I faced the following issue during some tests lately: We have a mahara system that authenticated users WITHOUT a password (through a portal, instead).

This work fine, but as I quit my membership from a few institution, I suddenly was forced to change my password! Well, by doing so I was unable to login again and had to clear the password fild in the database manually. If that will happen to users, they will be locked out of mahara.

How can I completely deactivate this password-change force?

Thanks a lot,

Simon

08 November 2009, 17:35

When you say "without a password", do you actually mean "with a password but the portal does the login in the background" ? Or something else?

The password change can be triggered for many reasons, and they will depend on things like how you have your authinstances set up. Do you think you could explain a little more about how you have the authentication working? 

09 November 2009, 4:04

We have a portal where users get authenticated. Within this portal, the user has the choice of several applications - mahara being one of them.

So we recoded the source code of mahara so that mahara only checks the username, not the password (because we know that the user's coming from the portal itself which is a secure way to prove the authentication of the user).

We authenticate all users with LDAP.

09 November 2009, 20:10

Hm - you might want to modify the code some more then to prevent the password change feature from kicking in. Though I thought that only happened for users who were using the 'internal' authentication method, rather than LDAP.

Basically, look through the code for 'passwordchange', which is the name of the field on the user object that is set to true if the user needs their password reset. That should point you to places in the code that could be changed to prevent this from happening.