Changes

Drupal Shibboleth module

1,235 bytes added, 3 September 2008, 11:13
Using module: autosave
== Using module ==
=== Automatic user creation ===
Drupal CMS requires all users to be in its internal SQL database. If the module detects that no user exists in the database with the received Shibboleth user identifier, it creates a new (Drupal) user.
=== Disallowing password change ===
There is no way for the module to detect if a user has been deleted from Shibboleth. This simple fact has a number of consequences. When a user first logs in, a Drupal account is automatically created for her. Because Drupal requires a password, a random string is generated as the password. Normally the user doesn't need it.

Now suppose that your user is about to leave your institution. If she is malicious enough, she can go to the password change form, reset her password to a known one, and even after she is deleted from the IdP, she can still log in to your precious resource with the (now known) password. (Note that this is only achievable with lazy sessions!) Therefore, if your requirements are such that only Shibboleth-authenticated users can log in, '''YOU MUST DISABLE PASSWORD CHANGE''' for users.

;Steps for disallowing your users to change their passwords:
=== Administrator / password login ===
If you are using lazy sessions, you can still log in with a password if you append the following to your normal Drupal URL: <code>/?q=user</code>
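
One way to enforce the restriction from "Disallowing password change" in code, as an added example that is not part of the Shibboleth module or of this page's own steps. It assumes Drupal 6 hook signatures and form IDs, and the module name <code>shib_lockdown</code> is hypothetical; users holding the "administer users" permission are exempted so that the administrator password login described above keeps working.

```php
<?php
// shib_lockdown.module: hypothetical helper module (assumption: Drupal 6 API).

/**
 * Implementation of hook_form_alter().
 *
 * Removes the password fields from the account edit form so that a
 * Shibboleth-provisioned user cannot replace the random password with
 * a known one.
 */
function shib_lockdown_form_alter(&$form, $form_state, $form_id) {
  // 'user_profile_form' is the Drupal 6 account edit form (user/<uid>/edit).
  if ($form_id != 'user_profile_form') {
    return;
  }
  // Administrators keep the field: they still need a local password
  // for the password login path.
  if (user_access('administer users')) {
    return;
  }
  if (isset($form['account']['pass'])) {
    // #access = FALSE hides the element and makes the Form API ignore
    // any value submitted for it, so a hand-crafted POST cannot set
    // the password either.
    $form['account']['pass']['#access'] = FALSE;
  }
}

/**
 * Implementation of hook_menu_alter().
 *
 * Closes the "Request new password" page, which e-mails a one-time
 * login link and is a second way to reach a session without the IdP.
 * Trade-off: administrators lose self-service password recovery too.
 */
function shib_lockdown_menu_alter(&$items) {
  if (isset($items['user/password'])) {
    $items['user/password']['access callback'] = FALSE;
  }
}
```

After enabling such a module, clear the menu cache so the altered route takes effect, then confirm with a non-administrator account that the password fields are gone from the account edit form.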
==== Administering Drupal with strict sessions ====
If you use strict sessions, then beyond losing anonymous access you can no longer log in with a password, not even as the 'admin' user. It's quite tricky to circumvent this:
# Enable Shibboleth protection
# Log in with your own user credentials, so that your Drupal user profile is created
