Changes

Drupal Shibboleth module

10 bytes added, 3 September 2008, 14:16
m
Disallowing password change: small corrections
When a user first logs in, a Drupal account is automatically created for her. Because Drupal requires a password, a random string is generated as the password. Normally the user doesn't need it.
Now suppose that your user is about to leave your institution. If she is malicious enough, she can go to the password change form, reset her password to a known one, and even after she is deleted from the IdP, she can still log in to your precious resource with the (now known) password. (Note that this is only achievable with lazy sessions!)
Therefore, if your requirements are such that only Shibboleth-authenticated users can log in, '''YOU MUST DISABLE PASSWORD CHANGE''' for users.
# Install the Drupal [http://drupal.org/project/userprotect User Protect module].
# On the Administer -> User management -> User Protect -> Protected roles tab, check '''password''' for the ''authenticated user'' role.
# Log in with a normal account and go to "My account" -> Edit. You shouldn't see the option to change the password, unless the user has user administrator rights.
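The check in the last step can be automated. The following is an added example, not part of the original page or of the Shibboleth or User Protect modules: it scans the saved HTML of the account edit page, as seen by a normal user, for password inputs. It assumes Drupal's password confirmation inputs are named <code>pass[pass1]</code> and <code>pass[pass2]</code>; both sample pages are constructed.

```python
from html.parser import HTMLParser


class PasswordFieldFinder(HTMLParser):
    """Collects inputs on an account edit page that accept a new password."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        # Match on type and on name, so a re-typed or renamed field still counts.
        if a.get("type", "").lower() == "password" or name.startswith("pass["):
            self.found.append(name or "(unnamed)")


def password_fields(html):
    """Return the names of all password-capable inputs in the page."""
    finder = PasswordFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.found


def password_change_disabled(html):
    """True when the edit form offers no way to set a password."""
    return not password_fields(html)


# Constructed sample: edit form before the password protection is enabled.
UNPROTECTED = """<form id="user-profile-form" method="post">
<input type="text" name="mail" value="user@example.org" />
<input type="password" name="pass[pass1]" />
<input type="password" name="pass[pass2]" />
<input type="hidden" name="form_id" value="user_profile_form" />
</form>"""

# Constructed sample: the same form with password protected for the role.
PROTECTED = """<form id="user-profile-form" method="post">
<input type="text" name="mail" value="user@example.org" />
<input type="hidden" name="form_id" value="user_profile_form" />
</form>"""

if __name__ == "__main__":
    for label, page in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(label, "disabled:", password_change_disabled(page), password_fields(page))
```

Run it against the page fetched with a non-administrator session, since user administrators still see the password fields.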
=== Administrator / password login ===
