Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Password change LDAP Module , can still use the old password

Avatar

Former Community Member

Hi,

We have a password reset process and we are using ldap login module. When we reset the password for the user, the user can still use old and new password for a while. I change the user's password in ldap and then change the password in CQ as well.

In an event when the password is compromised we would like to see the password being updated immediately for the user and they shouldn't be able to use the old password again. 

I change the password in Active directory and then call org.apache.jackrabbit.api.security.user.User.changePassword method. I can see that rep:password property of the user isn't updated.

The cache settings in ldap_login.conf file are:

        cache.expiration="21600" 
        cache.maxsize="50000"

Any help will be appreciated.

Thanks in advance.

1 Accepted Solution

Avatar

Correct answer by
Level 10

kumarlal123 wrote...

Sham HC wrote...

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

 

Yes, we are testing against multiple instances and its fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached, can i force it to clear.

 

As informed earlier repeating again In AEM password of ldap never stored or cached.   Check with ldap server dirrectly because there are some issue with windows Active directory it will cache old password for an hour (You need to apply patch).  Also since you are updating password in AEM check your implementation also.

View solution in original post

5 Replies

Avatar

Level 10
  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

Avatar

Former Community Member

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

Avatar

Level 10

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

Avatar

Former Community Member

Sham HC wrote...

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

 

Yes, we are testing against multiple instances and its fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached, can i force it to clear.

Avatar

Correct answer by
Level 10

kumarlal123 wrote...

Sham HC wrote...

kumarlal123 wrote...

Sham HC wrote...

  • Firstly with ldap integration password is never stored or synced with AEM OOB.
  • No need to call or update jackrabbit changepassword
  • Using SSO is right fit for such cases

 

Hi Sham,

Thanks for your reply.

1) We first create use in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates rep:User with principal name fetched from LDAP and password i think is applied on the rep:User because we do a login. 

2) Well then how the password be updated? 

3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above publishers and we do the authentication on the publisher and issue a unique cookie to each user and that cookie is validated by customized SSO for every request.

Anything that you can suggest for this problem would be helpful.

 


When user login password is validated directly against ldap & hence password not required in aem.  Though internally have a cache for other property to avoid calling ldap server every time.

Interesting, first time hearing such implementation. Hope you are testing against multiple publish instances. Coming to original issue It is custom implementation issue & with out code can't suggest anything. Only thing I can assure is OOB change password uses same api & should work.   

 

Yes, we are testing against multiple instances and its fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached, can i force it to clear.

 

As informed earlier repeating again In AEM password of ldap never stored or cached.   Check with ldap server dirrectly because there are some issue with windows Active directory it will cache old password for an hour (You need to apply patch).  Also since you are updating password in AEM check your implementation also.