
LDAP User remembers old password

 
 
John Szkudlapski
 

Hi

I have just started looking at LDAP authentication to plug into our Windows Active Directory.

I seem to have set up LDAP correctly via Moodle and can log in to Moodle with accounts located in Active Directory.

However, if I change a user's password in Active Directory, Moodle recognises the "new" password but also remembers the old password too.

I did set the option in LDAP settings: Hide Passwords = Yes.

I am running Moodle 1.9.1 on Red Hat Enterprise Linux with my LDAP running on Windows 2003.

P.S. The server is not in our Active Directory domain but can still perform LDAP lookups.

 
Iñaki Arenaza
Re: LDAP User remembers old password

Moodle doesn't 'cache' or 'remember' LDAP passwords. It always asks the LDAP server. So either there's some caching in your LDAP client libraries (not usual, but possible) or your LDAP servers accept both the old password and the new one (depending on your LDAP configuration and your AD domain setup, it might happen that you are querying a domain controller that hasn't yet replicated the password change; again, not usual but perfectly possible).

Regards. Iñaki.

 
John Szkudlapski
Re: LDAP User remembers old password
 

Hi

It must be caching it on the LDAP client / Moodle server then.

I have checked out our domain servers and synchronisation is working perfectly.

To prove it was not our domain, we also use Shibboleth to access some electronic resources via a totally different web server, and I tested 5 accounts on the Shibboleth server. The results were:

Moodle
~~~~~
Old & new password recognised

Shibboleth
~~~~~
New password recognised, old one not.

I have set up 2 different Moodle servers now, both on Linux, and they both remember the old password as well as the new password.

The Shibboleth server runs on Windows, but the Linux servers are also in the Active Directory domain.

 
Iñaki Arenaza
Re: LDAP User remembers old password

Then I guess the only option you are left with is reading your LDAP client documentation to see if you can turn caching off.

Regards. Iñaki.

 
T. Hentschel
Re: LDAP User remembers old password
 

I know that this is a very old discussion, but I have the same problem with a Windows Server 2003 and Moodle (2.3.2).
After a user changes the password in the AD, Moodle accepts the old and the new password. I can't find the reason for this.

In the LDAP plugin it is set that Moodle doesn't save the password.

Does anybody have an idea?

Thanks.

 
Benjamin St.Germain
Re: LDAP User remembers old password
 

I was seeing this behavior with password changes and went through all the Moodle LDAP settings trying to stop the old passwords from still working, but nothing I did seemed to make a difference.  We have 1.9 and 2.3 running on completely different OS versions, so once I saw the same behaviour on both, I started to think it was the LDAP/DC server side that was the issue, since they both point at the same Windows 2003 servers for LDAP. 

After some research on the Windows Servers side, I found some references to this Microsoft KB article:
http://support.microsoft.com/kb/906305/en-us

And just like it describes, after one hour the old password stopped working.  So you'll have to change this registry value to reduce the old password lifetime, or live with them working for an hour after the change.

 
Average of ratings: Useful (1)