Users can log in with old and new password when using LDAP Integration


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • 3.5
    • Affects Version/s: 3.3.3, 3.4.5
    • Component/s: None
    • Environment:
      • Confluence Standalone 3.3.3, 3.4.5, most likely older and newer versions affected as well
      • Sun Java JDK 6, Update 22 64-Bit
      • Debian Linux 5.0.x 64-Bit
      • Microsoft Active Directory 2003 and 2008

When integrating Confluence with an LDAP server (e.g. Microsoft Active Directory 2003) and a user changes their password, the user can log in with both the old and the new AD password.

Steps to reproduce:

1. Log in to Confluence as a user that comes from LDAP.
2. Change the LDAP/AD password.
3. Log out of Confluence.
4. Log in to Confluence again with the new AD password.
5. Log out of Confluence.
6. Log in to Confluence, this time with the old AD password.
7. Repeat steps 3-6 until you are satisfied or the cache expires.

Observations:

It seems that the cache does not invalidate the old (account/user?) entry; instead, it simply adds a second one. The old entry in the cache should be invalidated, so that only the new password is valid for login.

Expected behaviour:

Users should only be able to log in with the new password.
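An added illustration of the cache behaviour the report describes (example code, not Confluence's or Crowd's own): a credential cache keyed on user plus password digest keeps the old entry alive beside the new one, whereas a cache keyed on the user alone replaces the entry on the next successful bind. The directory, user and passwords are constructed; the LDAP bind is simulated.

```python
import hashlib

# Constructed stand-in for the directory: user -> current password.
DIRECTORY = {"alice": "old-pass"}


def ldap_bind(user, password):
    """Simulates an LDAP simple bind: succeeds only for the current password."""
    return DIRECTORY.get(user) == password


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


class BuggyAuthCache:
    """Keyed on (user, digest): a new password adds a second entry and the
    old one stays valid until its TTL expires, as in the report."""
    def __init__(self, ttl=600):
        self.ttl, self.entries = ttl, {}

    def authenticate(self, user, password, now):
        key = (user, _digest(password))
        if self.entries.get(key, 0) > now:
            return True  # cache hit, directory never consulted
        if ldap_bind(user, password):
            self.entries[key] = now + self.ttl
            return True
        return False


class FixedAuthCache:
    """One entry per user: a successful bind with a different password replaces
    it, so the old password stops working at the next successful login.
    The TTL still bounds how long an unreplaced entry survives."""
    def __init__(self, ttl=600):
        self.ttl, self.entries = ttl, {}

    def authenticate(self, user, password, now):
        digest, expires = self.entries.get(user, (None, 0))
        if digest == _digest(password) and expires > now:
            return True
        if ldap_bind(user, password):
            self.entries[user] = (_digest(password), now + self.ttl)
            return True
        return False


def reproduce(cache):
    """Runs steps 1-6 of the report; returns (new_pw_ok, old_pw_still_ok)."""
    cache.authenticate("alice", "old-pass", 0)            # step 1: entry cached
    DIRECTORY["alice"] = "new-pass"                        # step 2: AD password changed
    new_ok = cache.authenticate("alice", "new-pass", 1)    # step 4
    old_ok = cache.authenticate("alice", "old-pass", 2)    # step 6
    DIRECTORY["alice"] = "old-pass"                        # reset for the next run
    return new_ok, old_ok
```

`reproduce(BuggyAuthCache())` returns `(True, True)`, matching the report; `reproduce(FixedAuthCache())` returns `(True, False)`, the expected behaviour.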

    • Assignee: Matt Ryall
    • Reporter: Alexander Seith
    • Votes: 4
    • Watchers: 2