Changes

DrupalShibbolethReadmeDev

36 bytes added, 25 August 2009, 15:35
Disallowing password change
Drupal CMS requires all users to be in its internal SQL database. If the module detects that no user exists in the database with the received Shibboleth user identifier, it creates a new (Drupal) user.
=== Disallowing password change ===
There is no way for the module to detect that a user has been deleted from the IdP. This simple fact has a number of consequences.
When a user first logs in, a Drupal account is automatically created for her. Because Drupal requires a password, a random string is generated as the password. Normally the user does not need to know it.
Now suppose that your user is about to leave your institution. If she is malicious enough, she can go to the password change form, reset her password to a known one, and even after she is deleted from the IdP she can still log in to your precious resource with the (now known) password. (Note that this is only achievable with lazy sessions.)
Therefore, if your requirements are such that only Shibboleth-authenticated users may log in, '''you have to disable changing passwords''' for users.
;Steps to prevent your users from changing their passwords:
# At Administer -> Permissions -> userprotect module: uncheck '''change own password''' for ''authenticated user''
# Log in with a normal account and go to "My account" -> Edit. You should no longer see a password field, except when the user has user administrator rights.
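The permission change above relies on the userprotect module. As an added example, not part of the DrupalShibboleth module or this wiki page, the same hardening can be expressed as a small helper module (hypothetical name <code>shib_nopass</code>) that removes the password fields from the account edit form for everyone except user administrators, and additionally rejects a password value submitted by a non-administrator. It assumes the Drupal 6 API of the time (<code>user_profile_form</code>, <code>$form['account']['pass']</code>, the <code>'administer users'</code> permission and <code>hook_user()</code>):

```php
<?php
// Added example (hypothetical helper module "shib_nopass"), not the
// DrupalShibboleth module's own code. Assumes the Drupal 6 form and user
// hooks. Purpose: keep Shibboleth-provisioned accounts on their random,
// unknown password so a user removed from the IdP cannot keep a local login.

/**
 * Implementation of hook_form_alter().
 *
 * Hides the password fields on "My account" -> Edit for ordinary users.
 * Administrators keep them, matching the exception noted in the README.
 */
function shib_nopass_form_alter(&$form, $form_state, $form_id) {
  if ($form_id != 'user_profile_form') {
    return;
  }
  if (user_access('administer users')) {
    return;
  }
  // Drupal only insists on a password at account creation; the random one
  // already stored stays in place when the field is simply not submitted.
  unset($form['account']['pass']);
}

/**
 * Implementation of hook_user().
 *
 * Server-side guard: the form tweak above is cosmetic, so also refuse any
 * password value a non-administrator manages to submit.
 */
function shib_nopass_user($op, &$edit, &$account, $category = NULL) {
  if ($op == 'validate' && !empty($edit['pass']) && !user_access('administer users')) {
    form_set_error('pass', t('Passwords are managed by your institution and cannot be changed here.'));
  }
}
```

Enable the module alongside the permission change, then repeat step 2 above with a normal account to confirm the password field is gone; with an account holding ''administer users'' it should still be present.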
=== Account linking ===
 
=== Administrator / password login ===
If you are using lazy sessions, you can still log in with a password. If you have disabled the username/password login block, append the following to your normal Drupal URL: <code>/?q=user</code>
