Password change LDAP Module , can still use the old password | Community
Skip to main content
A
Anonymous
October 16, 2015
Solved

Password change LDAP Module , can still use the old password

  • October 16, 2015
  • 5 replies
  • 1604 views

Hi,

We have a password reset process and we are using ldap login module. When we reset the password for the user, the user can still use old and new password for a while. I change the user's password in ldap and then change the password in CQ as well.

In an event when the password is compromised we would like to see the password being updated immediately for the user and they shouldn't be able to use the old password again. 

I change the password in Active directory and then call org.apache.jackrabbit.api.security.user.User.changePassword method. I can see that rep:password property of the user isn't updated.

The cache settings in ldap_login.conf file are:

        cache.expiration="21600" 
        cache.maxsize="50000"

Any help will be appreciated.

Thanks in advance.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Sham_HC

kumarlal123 wrote...

Sham HC wrote...

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

 

Yes, we are testing against multiple instances and its fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached, can i force it to clear.

 

As informed earlier repeating again In AEM password of ldap never stored or cached.   Check with ldap server dirrectly because there are some issue with windows Active directory it will cache old password for an hour (You need to apply patch).  Also since you are updating password in AEM check your implementation also.

5 replies

Sham_HC
Sham_HC
Level 10
October 16, 2015
  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases
A
Anonymous
October 16, 2015

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

Sham_HC
Sham_HC
Level 10
October 16, 2015

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

A
Anonymous
October 16, 2015

Sham HC wrote...

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

 

Yes, we are testing against multiple instances and its fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached, can i force it to clear.

Sham_HC
Sham_HCAccepted solution
Level 10
October 16, 2015

kumarlal123 wrote...

Sham HC wrote...

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

 

Yes, we are testing against multiple instances and its fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached, can i force it to clear.

 

As informed earlier repeating again In AEM password of ldap never stored or cached.   Check with ldap server dirrectly because there are some issue with windows Active directory it will cache old password for an hour (You need to apply patch).  Also since you are updating password in AEM check your implementation also.

Terms & ConditionsAccessibility statement

Loading footer...