  1. DSpace
  2. DS-2770

LDAP users shouldn't be allowed to set password (option)

    Details

    • Type: Bug
    • Status: Volunteer Needed
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 5.3, 6.0
    • Fix Version/s: None
    • Component/s: XMLUI
    • Environment:
    • Attachments:
      0
    • Comments:
      0
    • Documentation Status:
      Needed

      Description

      As of DSpace 5, users autoregistered via LDAP can still set a password in their profile and then continue to log in with either their LDAP password or the password they set, which will be picked up by PasswordAuthentication (due to stackable auth, if both plugins are configured).

      It's reasonable to assume that institutions who want to use LDAP for login don't want to allow such users to persist indefinitely and bypass any account lockout/removal/expiration in LDAP. The correct behaviour would be to disable the ability for LDAP users to set a password.

      There could still be an option (in the vein of xmlui.user.editmetadata=false) to keep the current behaviour, but it should default to off.

      This problem may affect other auth plugins like Shibboleth, too.
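
The behaviour described above, modelled as an added example (not DSpace code and not part of the original report): a stacked login where a directory-managed account keeps working through a locally set password, the restricted variant the report asks for, and an audit helper that lists affected accounts. The `EPerson` fields, function names and sample accounts are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

@dataclass
class EPerson:
    """Simplified local account record (field names are assumptions)."""
    email: str
    netid: Optional[str] = None           # set when autoregistered via LDAP
    local_password: Optional[str] = None  # set through the profile page

# Constructed sample data: "bob" has been locked out of the directory.
# Plaintext comparison keeps the model short; real systems compare salted hashes.
LDAP_DIRECTORY: Dict[str, str] = {"alice": "ldap-pw-a"}  # active netid -> password
USERS: Dict[str, EPerson] = {
    "alice@example.org": EPerson("alice@example.org", netid="alice"),
    "bob@example.org": EPerson("bob@example.org", netid="bob",
                               local_password="set-in-profile"),
    "carol@example.org": EPerson("carol@example.org", local_password="local-only"),
}

AuthMethod = Callable[[EPerson, str], bool]

def ldap_auth(user: EPerson, password: str) -> bool:
    # Succeeds only while the directory still has an active entry.
    return user.netid is not None and LDAP_DIRECTORY.get(user.netid) == password

def password_auth(user: EPerson, password: str) -> bool:
    # Behaviour in the report: any account with a local password may use it.
    return user.local_password is not None and user.local_password == password

def password_auth_restricted(user: EPerson, password: str) -> bool:
    # Requested behaviour: directory-managed accounts never authenticate locally.
    return user.netid is None and password_auth(user, password)

def login(email: str, password: str, stack: List[AuthMethod]) -> bool:
    """Stackable auth: the login succeeds if any configured method accepts it."""
    user = USERS.get(email)
    return user is not None and any(method(user, password) for method in stack)

def audit_local_passwords(users: Iterable[EPerson]) -> List[str]:
    """Accounts that would survive an LDAP lockout: netid plus a local password."""
    return sorted(u.email for u in users if u.netid and u.local_password)

if __name__ == "__main__":
    print("current stack, locked-out bob:",
          login("bob@example.org", "set-in-profile", [ldap_auth, password_auth]))
    print("restricted stack, locked-out bob:",
          login("bob@example.org", "set-in-profile", [ldap_auth, password_auth_restricted]))
    print("accounts to review:", audit_local_passwords(USERS.values()))
```
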

            People

            • Assignee:
              Unassigned
              Reporter:
              helix84 Ivan Masár
            • Votes:
              0
              Watchers:
              2

              Dates

              • Created:
                Updated: