ShMaunder / JMapMyLDAP

LDAP Integration for Joomla! 2.5+
shmanic.com/tools/jmapmyldap
26 stars 19 forks

Password (not) null issue on password reset #70

Open cheesegrits opened 6 years ago

cheesegrits commented 6 years ago

I know that @ShMaunder has moved on, but I'm hoping someone else might have a solution for this one.

I use the "Password null" feature to force authentication against LDAP on every login. This works great on initial user creation. The password field in the J! users table is null, so authentication gets punted to LDAP.

The problem is that if the user ever changes their password in J!, even if the LDAP password plugin is enabled, the new password then gets written out to J!'s user table, and from that point on, the user is then authenticating against J!, not LDAP, which means that if their account is removed in LDAP, they can still log in to J!.

The client I'm implementing this for has a (very) rigid requirement that if the account is suspended in LDAP, they should no longer be able to log in to J!. I'm working round it atm by blocking access to the J! profile so users can't (easily) change their password, but I'd prefer a more robust solution.

I've forked this repo and am looking at a couple of programmatic solutions, nulling the J! password in the LDAP code. But I'm hoping I've just missed some obvious solution.
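An audit for the condition described in this issue, added here as an illustration and not part of the original post or of JMapMyLDAP: it lists unblocked accounts that hold a local password (so they authenticate against Joomla rather than LDAP) and the subset no longer present in the directory. The `jos_` table prefix, the sample rows and the `ldap_active` set (standing in for an export of enabled LDAP accounts) are assumptions; an in-memory SQLite table stands in for the Joomla database.

```python
import sqlite3

# Constructed sample rows standing in for Joomla's users table. The "jos_"
# prefix and the hash placeholder are assumptions; id, username, password and
# block are Joomla core columns.
SAMPLE_USERS = [
    (1, "alice", "", 0),                              # blank password: login deferred to LDAP
    (2, "bob", "constructed-hash-placeholder", 0),    # changed password in Joomla
    (3, "carol", "constructed-hash-placeholder", 0),  # changed password, later removed from LDAP
    (4, "dave", "constructed-hash-placeholder", 1),   # blocked in Joomla, cannot log in
    (5, "erin", None, 0),                             # NULL password: login deferred to LDAP
]

def build_sample_db():
    """Create an in-memory table shaped like the relevant Joomla columns."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE jos_users "
        "(id INTEGER, username TEXT, password TEXT, block INTEGER)"
    )
    db.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db

def audit_local_passwords(db, ldap_active):
    """Return (local_auth, orphaned).

    local_auth: unblocked users with a non-empty local password.
    orphaned:   the subset of local_auth that is absent from ldap_active.
    """
    rows = db.execute(
        "SELECT username FROM jos_users "
        "WHERE block = 0 AND password IS NOT NULL AND password <> '' "
        "ORDER BY username"
    ).fetchall()
    local_auth = [r[0] for r in rows]
    active = {u.lower() for u in ldap_active}
    orphaned = [u for u in local_auth if u.lower() not in active]
    return local_auth, orphaned

if __name__ == "__main__":
    # Constructed stand-in for a list of enabled directory accounts.
    local_auth, orphaned = audit_local_passwords(
        build_sample_db(), {"alice", "bob", "erin"}
    )
    print("authenticating against Joomla, not LDAP:", local_auth)
    print("removed from LDAP but still able to log in:", orphaned)
```

Accounts that are meant to be local, such as a site administrator that does not exist in the directory, will also appear in the first list and need to be excluded by hand.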