LDAP caching passwords???

by Scott Karren -
Number of replies: 10

Hello all,

I am currently using Moodle 2.4.4+ (Build: 20130614) on a WIMP platform of Windows Server 2008 R2 Datacenter, IIS 7.5, MySQL 5.5.24, PHP 5.5.7 with Microsoft AD serving as our LDAP platform.

Everything has appeared to be working perfectly with regards to our LDAP authentication until recently. I am getting reports from users with the following scenario:

User logs into Moodle and has authenticated successfully sometime in the past 42 days (timeframe of password change requests). The user's password expires, the user changes the password and is able to log in to other systems successfully (i.e. Windows). The user tries to log in to Moodle using the new password (the timeframe has been greater than 5 days, meaning users have rebooted or logged off several times before trying Moodle with the new password), is unsuccessful, and gets the message that they have exceeded their allotted login attempts. LDAP (Active Directory) shows that the account is not locked. I can see the DC they get the bad password count from is the one we set for Moodle.

I am at a loss as I have been unable to replicate this but I am starting to see it more and more.  Is it possible that LDAP is caching the old password somewhere?  Any suggestions on how to resolve this would be most appreciated.  Thanks.

Scott

In reply to Scott Karren

Re: LDAP caching passwords???

by Scott Karren -

Bump.  Anyone have any thoughts on this?  We are using MS AD 2003.

Scott

In reply to Scott Karren

Re: LDAP caching passwords???

by Emma Richardson -

I have had issues with the password expiration process in AD before, but after the password is changed, I would think that you should be able to log in. My problem was that the password would expire and they had no way to change it, as Moodle would not prompt for a password change. Have you checked your password expiration settings in the Moodle LDAP settings? Does it check the AD? Can you replicate it, and if so, does the old password still work? Is LDAP the default authentication plugin?

In reply to Emma Richardson

Re: LDAP caching passwords???

by Scott Karren -

Emma and Iñaki,

Thanks for the response.  LDAP is the only authentication method that my users have available to them. I have password expiration set to check LDAP. 

Here is a funny thing: my users use IE9 primarily, though most have Firefox installed as well. Testing this on IE 9, I logged in as my test user, then logged out and changed that user's password. I then tried logging into Moodle with the user's old password and it worked, then I logged out and tried it with the user's new password and it worked too.

I waited about ten minutes and tried logging in with the user's old password and it did not work. Logging in with the user's new password works just fine.

Scott


In reply to Scott Karren

Re: LDAP caching passwords???

by Emma Richardson -

I had this issue too. I found out it is actually a setting in LDAP that allows the old password to be accepted for a certain time. I have been meaning to go in and change it but haven't yet!

As for trying to log what is going on, you might try the LDAP tool that is linked to on the Docs page. It might give you some extra options. My guess is that it is related to the fact that the password is expiring, because I know I have had issues with that before. I suggest testing by setting a password to expire and then seeing what happens afterwards.

In reply to Emma Richardson

Re: LDAP caching passwords???

by Iñaki Arenaza -

Emma,

Are you referring to this? http://support.microsoft.com/kb/906305

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: LDAP caching passwords???

by Emma Richardson -

Yes, I believe so. I hadn't actually gone in and looked as yet, but found the issue when setting up LDAP on a Joomla/Moodle setup. It is always strange that when you are checking to see if the password change is working, both will work for a while!
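The behaviour Emma and Iñaki are describing is the grace period from KB 906305, during which a domain controller still accepts the previous password for network logons after a change. The following PowerShell is an added example for checking that setting on a DC, not something from the thread or from Moodle; the registry key and value name (`OldPasswordAllowedPeriod`, in minutes, under the Lsa key) are taken from my reading of that KB article, and the 60-minute default is assumed from the same source.

```powershell
# Added example: inspect (and optionally change) the old-password grace
# period described in KB 906305. Run elevated on a domain controller.
# Key and value name assumed from the KB article, not from the thread.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordWindow {
    # Returns the effective grace period in minutes. No value present
    # means the built-in default (assumed 60 minutes per the KB);
    # 0 means the old password is rejected as soon as it is changed.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        New-Object PSObject -Property @{ Configured = $false; Minutes = 60; Source = 'default' }
    } else {
        New-Object PSObject -Property @{ Configured = $true; Minutes = [int]$item.$ValueName; Source = 'registry' }
    }
}

function Set-OldPasswordWindow {
    # Writes the DWORD value; supports -WhatIf so the change can be
    # previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, [int]::MaxValue)][int]$Minutes)
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $Minutes minute(s)")) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
                         -Value $Minutes -Force | Out-Null
    }
}

$current = Get-OldPasswordWindow
if ($current.Minutes -gt 0) {
    Write-Host ("Old passwords remain valid for {0} minute(s) after a change (source: {1})." -f `
                $current.Minutes, $current.Source)
    Write-Host "Preview disabling the window with: Set-OldPasswordWindow -Minutes 0 -WhatIf"
} else {
    Write-Host "Old passwords are rejected immediately after a change."
}
```

Because the window is per domain controller, check it on the DC that Moodle's LDAP settings point at, which is the one whose bad-password count Scott was reading.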

In reply to Scott Karren

Re: LDAP caching passwords???

by Iñaki Arenaza -
Hi Scott,

I know for sure standard Moodle doesn't cache LDAP passwords (even if you set 'Hide passwords' to 'No', it always uses the password provided in the HTTP request, and not the copy from the database, if there is even one).

So this could be the browser itself (password auto-completion, NTLM SSO credential caching if you are using it, etc.) or the underlying LDAP client libraries (this is less probable on Windows clients, as I don't think those clients run nscd daemons or equivalent services).

If I had to bet, I'd put my money on the browser. But Emma Richardson's questions are good ones too.

Saludos.
Iñaki.
In reply to Iñaki Arenaza

Re: LDAP caching passwords???

by Scott Karren -

Iñaki,

Here's a question for you. If a user uses the wrong password several times, does that bad password count get forwarded to MS AD? I am looking at our forest and my test user account and I am not seeing any of the failed Moodle login attempts in the user's LDAP profile. If I type the wrong password trying to log in to Windows, I immediately see a bad password count show up in LDAP.

One other question: is there a way that I can add some logging to the LDAP module to capture login attempts and see if I can pin down with a little more accuracy what might be happening here? Something that could be sent to a file or emailed to me without the user seeing what is happening. This has been so random for my users and for me that I have not been able to replicate it so far.

Scott

In reply to Iñaki Arenaza

Re: LDAP caching passwords???

by Scott Karren -

Tested this issue some more with one of our IT guys. As my test user, I log into Moodle with an existing username successfully. I log out and change the password in AD, log in to Moodle with the old password successfully, log out, clear the cache and close the browser, open the browser, log in with the new password successfully, log out, log in with the old password successfully, disable the account in AD (login with either password is now unsuccessful), reactivate the account, and login with either password is successful again.

We tried this with multiple browsers with the same results. Somewhere, either in AD or in the LDAP auth module, the old and new passwords are being cached, enabling the user to log in with both passwords. We also noticed that with failed logins the bad password count was not being passed to AD.

One thing that caught my eye was that sessions are being stored on the webserver disk and are not being removed after a user logs out. Could this potentially cause problems with authentication through LDAP? Is it also possible that the caching engine I am using (WinCache) could be storing this information?

Scott

In reply to Scott Karren

Re: LDAP caching passwords??? - Resolved!

by Scott Karren -

I got this figured out and fixed. It turns out that PHP was not cleaning up session files, so when a user logged in it would pick up an existing session file and would lock the user out. I reconfigured the session handling as well as some of the WinCache settings and no more lockouts.

Thanks for your help and suggestions.

Scott
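Scott's fix came down to PHP session garbage collection not running, which leaves stale session files in the save path. As an added example (not Scott's configuration and not Moodle code), the PowerShell below reads the relevant `session.*` directives from php.ini and removes session files that have outlived `session.gc_maxlifetime`; it is the kind of scheduled safety net that makes sense on Windows, where PHP relies purely on its probabilistic GC. The php.ini location, the `sess_` file prefix and the PHP defaults (gc_maxlifetime 1440 s, gc_probability 1, gc_divisor 100) are assumptions.

```powershell
# Added example: report PHP's session GC settings and purge stale session
# files. php.ini path and the sess_ prefix are assumptions; run with
# -WhatIf first. Written for PowerShell 2.0 (Server 2008 R2).
function Get-PhpSessionSettings {
    param([string]$PhpIni = 'C:\PHP\php.ini')   # assumed location
    # PHP defaults, overridden by whatever php.ini sets (assumed values)
    $settings = @{ 'session.save_path' = $null; 'session.gc_maxlifetime' = 1440;
                   'session.gc_probability' = 1; 'session.gc_divisor' = 100 }
    foreach ($line in Get-Content -Path $PhpIni) {
        # Matches  key = value  or  key = "value", ignoring ;-comment lines
        if ($line -match '^\s*(session\.(save_path|gc_maxlifetime|gc_probability|gc_divisor))\s*=\s*"?([^";]*?)"?\s*(;.*)?$') {
            $settings[$Matches[1]] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Remove-StalePhpSessions {
    # Deletes sess_* files not written to within MaxLifetimeSeconds and
    # returns how many were selected; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SavePath,
        [int]$MaxLifetimeSeconds = 1440
    )
    $cutoff = (Get-Date).AddSeconds(-$MaxLifetimeSeconds)
    $stale = @(Get-ChildItem -Path $SavePath -Filter 'sess_*' |
               Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff })
    foreach ($f in $stale) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove stale session file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    return $stale.Count
}

$cfg = Get-PhpSessionSettings
Write-Host ("GC runs on roughly {0} in {1} requests; files idle longer than {2}s are eligible." -f `
            $cfg['session.gc_probability'], $cfg['session.gc_divisor'], $cfg['session.gc_maxlifetime'])
if ($cfg['session.save_path']) {
    $n = Remove-StalePhpSessions -SavePath $cfg['session.save_path'] `
                                 -MaxLifetimeSeconds ([int]$cfg['session.gc_maxlifetime']) -WhatIf
    Write-Host "$n stale session file(s) would be removed."
} else {
    Write-Host "session.save_path is not set in php.ini; PHP is using its default temp location."
}
```

A very low gc_probability/gc_divisor ratio combined with a save path nobody else cleans is exactly the situation in which old session files accumulate, so the report line is worth checking before relying on the purge.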