Setting up the Password Plug-in with Form Injection

Last Modified: 07-March-2014

This document covers the installation and setup of the password plug-in (plg_ldap_password) and form injection plug-in (plg_ldap_injection) that can be found in version 2. It is assumed pkg_ldap_plugins has been installed by following the installation in Configuring LDAP Settings.

Jump to:
  1. Password Options
  2. Configuring the Password Plug-in and LDAP Host
  3. Configuring the Injection Plug-in

Password Options

They're several components that require configuration to allow password authentication and/or changing which also include parameters in the LDAP host configuration. However depending on the requirements of the site in question, not all of these components may need setting up.

The following table shows the options available and the components that require configuration:

Option Component Requirements

Form Authentication Only

Authenticate the user with LDAP before saving a form such as the profile form.

Setup the Injection Plug-in for password injection only.

Password Changing Only

Allow user password changes to be pushed to LDAP without prior authentication in the form.

Setup the Password Plug-in and password parameters in the LDAP host configuration.

Password Changing with Authentication

Allow user password changes to be pushed to LDAP with authentication injected in the form.

All the above.

Back to Top

Configuring the Password Plug-in and LDAP Host

This section demonstrates the usage for the password plug-in and LDAP Host configuration.

  1. Open the 'LDAP - Password' configuration through the Plug-in Manager.
  2. The following table shows the usage and examples of each parameter in the password plug-in:

    Key Description / Examples / Usage
    Authenticate User

    Forces user authentication with current password before changing the user's LDAP password. When this is set to Yes, password resets through the Joomla user manager will currently fail. This means the 'Current Password' field must be present and populated to change a user's password. Note: the inject password found in the injection plug-in can still force password authentication on specific forms.

  3. Set the plug-in to the Enabled state and click Save.

  4. Open the LDAP host configuration and correctly set the 'Password Attribute', 'Password Hash' and 'Password Prefix' fields. Refer to the Getting Started with Version 2 documentation for help with populating these fields.

Back to Top

Configuring the Injection Plug-in

This section demonstrates the usage for the injection plug-in.

  1. Open the 'LDAP - Injection' configuration through the Plug-in Manager.
  2. The following table shows the usage and examples of the password specific parameters in the injection plug-in:

    Key Description / Examples / Usage
    Inject Password

    Injects the 'Current Password' field into forms to authenticate with LDAP before saving. This can be useful with password change or profile forms to authenticate with LDAP before changes are saved.

    Set this to Yes if the site requires either the Form 'Authentication Only' or 'Password Changing with Authentication' options.

    Detect Edit Forms

    Attempts to only display the 'Current Password' field on forms in the edit layout. It is recommended to have this set to Yes when using the inbuilt Joomla forms.

    Password Forms

    List the names of the forms separated by semi-colons where the 'Current Password' field should be injected.

    Example: specifying com_users.profile will inject the 'Current Password' field into the inbuilt frontend profile form.

  3. Set the plug-in to the Enabled state and click Save.