Hi,
We have a password reset process and we are using the LDAP login module. When we reset the password for a user, the user can still use both the old and the new password for a while. I change the user's password in LDAP and then change the password in CQ as well.
In the event that a password is compromised, we would like to see the password updated immediately for the user, and they shouldn't be able to use the old password again.
I change the password in Active Directory and then call the org.apache.jackrabbit.api.security.user.User.changePassword method. I can see that the rep:password property of the user isn't updated.
The cache settings in the ldap_login.conf file are:
cache.expiration="21600"
cache.maxsize="50000"
Any help will be appreciated.
Thanks in advance.
Sham HC wrote...
Firstly, with LDAP integration the password is never stored or synced with AEM OOB.
No need to call or update jackrabbit changePassword.
Using SSO is the right fit for such cases.

kumarlal123 wrote...
Hi Sham,
Thanks for your reply.
1) We first create the user in LDAP and then do getRepository().login(new SimpleCredentials(username, password.toCharArray()), defaultWorkspace); and this creates a rep:User with the principal name fetched from LDAP, and the password, I think, is applied on the rep:User because we do a login.
2) Well then, how can the password be updated?
3) We do have SSO but it is customized and not OOB. We don't have a layer of authentication above the publishers; we do the authentication on the publisher and issue a unique cookie to each user, and that cookie is validated by the customized SSO for every request.
Anything that you can suggest for this problem would be helpful.

Sham HC wrote...
When a user logs in, the password is validated directly against LDAP, and hence the password is not required in AEM. Though internally there is a cache for other properties to avoid calling the LDAP server every time.
Interesting, first time hearing of such an implementation. Hope you are testing against multiple publish instances. Coming to the original issue: it is a custom implementation issue, and without code I can't suggest anything. The only thing I can assure is that OOB change password uses the same API and should work.

kumarlal123 wrote...
Yes, we are testing against multiple instances and it's fine. I am not saying that it doesn't work. I am saying you can still use your old password as well as the new changed password. Is the old password cached? Can I force it to clear?

Sham HC wrote...
As informed earlier, repeating again: in AEM the LDAP password is never stored or cached. Check with the LDAP server directly, because there are some issues with Windows Active Directory: it will cache the old password for an hour (you need to apply a patch). Also, since you are updating the password in AEM, check your implementation as well.
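The check Sham HC recommends (test the old and new password against the LDAP server directly, and separately against the AEM repository login) as an added Java example. This is not code from the thread or from AEM/Oak; the LDAP URL, user DN, workspace name and the `Repository` reference are assumptions supplied by the caller, and `diagnose` simply maps the four bind/login outcomes onto which layer still honours the old password.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

/**
 * Post-reset verification (added example, not AEM/Oak code). After a reset the
 * OLD password must be rejected by the directory itself and by the AEM
 * repository login; running both tells you which layer still accepts it.
 */
public final class PasswordResetCheck {

    /**
     * Simple LDAP bind as the user. Returns true if the directory accepts the
     * password, false on invalidCredentials. ldapUrl and userDn are caller
     * supplied; "ldaps://dc.example.internal:636" and
     * "CN=jdoe,OU=Users,DC=example,DC=internal" would be placeholders.
     */
    public static boolean directoryAccepts(String ldapUrl, String userDn, char[] password)
            throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which would be reported as "accepted". Refuse it up front.
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException("empty password would bind anonymously");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        InitialDirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens in the constructor
            return true;
        } catch (AuthenticationException e) {
            return false;                     // LDAP result code 49
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    /**
     * Repository login with SimpleCredentials, the same call the thread uses.
     * Returns true if AEM accepts the password. The Repository is assumed to be
     * obtained by the caller (for instance through an OSGi @Reference).
     */
    public static boolean repositoryAccepts(Repository repo, String workspace,
                                            String userId, char[] password)
            throws RepositoryException {
        Session session = null;
        try {
            session = repo.login(new SimpleCredentials(userId, password), workspace);
            return true;
        } catch (LoginException e) {
            return false;
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /** Interprets the four outcomes; pure, so it can be unit tested without a server. */
    public static String diagnose(boolean dirOld, boolean dirNew, boolean repoOld, boolean repoNew) {
        if (!dirNew) {
            return "FAIL: directory rejects the NEW password; the reset did not reach LDAP";
        }
        if (dirOld) {
            return "FAIL: directory still accepts the OLD password; the grace window is on the LDAP/AD side, not in AEM";
        }
        if (repoOld) {
            return "FAIL: directory rejects the OLD password but AEM accepts it; inspect the custom login/SSO path";
        }
        if (!repoNew) {
            return "FAIL: AEM rejects the NEW password although the directory accepts it";
        }
        return "OK: only the NEW password is accepted at both layers";
    }

    /** Directory-only run from a terminal; passwords are read from the console, never from argv. */
    public static void main(String[] args) throws NamingException {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage: PasswordResetCheck <ldapUrl> <userDn>");
            return;
        }
        char[] oldPw = console.readPassword("old password: ");
        char[] newPw = console.readPassword("new password: ");
        boolean dirOld = directoryAccepts(args[0], args[1], oldPw);
        boolean dirNew = directoryAccepts(args[0], args[1], newPw);
        Arrays.fill(oldPw, '\0');
        Arrays.fill(newPw, '\0');
        // No Repository handle here, so only the directory layer is reported;
        // call repositoryAccepts from inside AEM to fill in the other two flags.
        System.out.println(diagnose(dirOld, dirNew, false, true));
    }
}
```

Run the directory half first: if the old password still binds against the domain controller, the hour-long grace behaviour Sham HC mentions is on the Active Directory side and no AEM cache setting will shorten it. Only when the directory already rejects the old password and the repository login still accepts it does the custom login/SSO path on the publisher become the place to look.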