I am using Core + Angular version with LDAP enabled. After an AD user click “Forgot password”, we got two issues:
The first issue occurs on user changing password. The link on "password reset" email is actually two url delimited by a comma, likes: https://login.company.com/, http:/login.company.com/account/reset-password?userId=12345&resetCode=044D43ACE0&tenantId=1
When user click this link, it opens the reset page, but immediately redirected to a blank page, which actually is the first url (i.e. https://login.company.com). So the user has no chance to change her password. A workaround is that, copy the 2nd url and paste it on a browser. It opens a password reset page, but it will stay on the reset page. We need manually close the browser and re-open the home page for login. We tried Chrome and Edge and get same behavior.
The 2nd issue occurs after the password changed. After the user changes her old password (e.g. password0) to a new password(e.g. password1), both passwords are valid. I guess the new password does not PUSH to AD. When the user uses password0, she is treated as an AD user, and if she uses password1, she is treated as a local user. Is this a bug or by design?
Thanks,
3 Answer(s)
-
0
I guess the new password does not PUSH to AD.
Correct.
When the user uses password0, she is treated as an AD user, and if she uses password1, she is treated as a local user. Is this a bug or by design?
She is treated as the same local user in both cases, but ABP does
TryLoginFromExternalAuthenticationSourcesfirst. This is by design. -
0
Thank you for clarification!
I couldn't search out TryLoginFromExternalAuthenticationSources in my copies. Is this encapsulated in ABP? Can I see the source code about it?
-
0
Yes, ABP is open source.
https://github.com/aspnetboilerplate/aspnetboilerplate/blob/5e3c7aea7a2b5f0f94133f7c2dca485fb51e28e4/src/Abp.ZeroCore/Authorization/AbpLoginManager.cs#L282-L337
