cschiewek / devise_ldap_authenticatable

Devise Module for LDAP
MIT License

Check for valid, but expired credentials #232

Closed jacob-ewald closed 7 years ago

jacob-ewald commented 7 years ago

AD provides the ability to set a user account as having expired credentials with the property of pwdLastSet. If this is set to 0, for example, the user will be forced to change their password the next time they log in. In order to detect this with Devise, there needed to be a way of inspecting the error message that was returned from AD when the user was attempting authentication.

Previously, just a yes/no was returned, but that was not granular enough for the "force change on next login" flow. If a user had this flag set, they would simply receive a "you're not authenticated" message, even though their credentials were correct. With this PR, a user can be authenticated and, subsequently, checked for stale credentials.

There is an additional commit that I included to clean up some deprecation warnings and formatting.
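The following is an added example, not code from this PR or from the gem: one way to classify the diagnostic text Active Directory returns on a failed bind, so that the "valid, but expired" case described above is routed to a password change instead of a generic rejection. The names `classify_ad_bind`, `next_step`, `BindResult` and the sample messages are assumptions made for illustration.

```ruby
# Sub-codes AD embeds after "data" in a failed-bind diagnostic message.
AD_BIND_SUBCODES = {
  "525" => :user_not_found,
  "52e" => :invalid_credentials,
  "530" => :logon_time_restricted,
  "531" => :workstation_restricted,
  "532" => :password_expired,
  "533" => :account_disabled,
  "701" => :account_expired,
  "773" => :password_must_change, # e.g. pwdLastSet set to 0
  "775" => :account_locked
}.freeze

# States the PR describes as "valid, but expired" credentials.
STALE_STATES = %i[password_expired password_must_change].freeze

BindResult = Struct.new(:status, :subcode)

# success: whether the bind succeeded; message: the server's diagnostic text.
# Both are hypothetical inputs; obtaining them is left to the LDAP client code.
def classify_ad_bind(success, message)
  return BindResult.new(:authenticated, nil) if success
  m = /\bdata\s+([0-9a-f]{3,4})\b/i.match(message.to_s)
  return BindResult.new(:unknown_failure, nil) unless m
  code = m[1].downcase
  # Unrecognised sub-codes fail closed as :unknown_failure.
  BindResult.new(AD_BIND_SUBCODES.fetch(code, :unknown_failure), code)
end

# Stale credentials lead to a password-change flow, never to a session.
def next_step(result)
  return :sign_in if result.status == :authenticated
  return :force_password_change if STALE_STATES.include?(result.status)
  :reject
end

# Constructed sample messages in the shape AD uses (DSID is a placeholder).
SAMPLES = {
  must_change: "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 773, v0000",
  bad_password: "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000",
  locked: "80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 775, v0000",
  garbled: "connection reset"
}.freeze

SAMPLES.each do |name, msg|
  r = classify_ad_bind(false, msg)
  puts "#{name}: #{r.status} -> #{next_step(r)}"
end
```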

stevenyxu commented 7 years ago

Accepted with thanks for the deprecation warnings too. The perfect PR.