Confluence Data Center / CONFSERVER-21502

Users can log in with old and new password when using LDAP Integration

Details

    • Bug
    • Resolution: Fixed
    • Low
    • 3.5
    • 3.3.3, 3.4.5
    • None
      • Confluence Standalone 3.3.3, 3.4.5, most likely older and newer versions affected as well
      • Sun Java JDK 6, Update 22 64-Bit
      • Debian Linux 5.0.x 64-Bit
      • Microsoft Active Directory 2003 and 2008

    Description

      When integrating Confluence with an LDAP server (e.g. Microsoft Active Directory 2003), and a user changes his password, the user can log in with both the old AD and new AD password.

      Steps to reproduce:

      1. Log in to Confluence as a user that comes from LDAP.
      2. Change the LDAP/AD password.
      3. Log out of Confluence.
      4. Log in to Confluence again with the new AD password.
      5. Log out of Confluence.
      6. Log in to Confluence, this time with the old AD password.
      7. Redo steps 3-6 until you are satisfied or the cache expires.

      Observations:

      It seems that the cache does not invalidate the old (account/user?) entry; instead, it simply adds a second one. The old entry in the cache should be invalidated, so that only the new password is valid for login.

      Expected behaviour:

      Users should only be able to log in with the new password.
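
The reproduction steps above, run against a small model of a credential cache. This is an added example, not Confluence code: the cache design is assumed from the reporter's observation, and `Directory`, `AdditiveCache`, `SingleEntryCache` and the `alice` account are hypothetical names constructed for the illustration.

```python
import hashlib
import hmac
import os

class Directory:
    """Constructed in-memory stand-in for the LDAP/AD bind."""
    def __init__(self):
        self.passwords = {}
    def bind(self, user, password):
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def digest(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class AdditiveCache:
    """Assumed model of the report: each successful bind adds an entry."""
    def __init__(self, directory, ttl=300):
        self.directory, self.ttl, self.entries = directory, ttl, {}
    def login(self, user, password, now):
        key = (user, hashlib.sha256(password.encode()).digest())
        if self.entries.get(key, 0) > now:       # any unexpired entry wins
            return True
        if self.directory.bind(user, password):
            self.entries[key] = now + self.ttl   # old entry is left in place
            return True
        return False

class SingleEntryCache(AdditiveCache):
    """One verifier per user; a successful bind replaces the previous one."""
    def login(self, user, password, now):
        salt, cached, expires = self.entries.get(user, (b"", b"", 0))
        if expires > now and hmac.compare_digest(cached, digest(salt, password)):
            return True
        if self.directory.bind(user, password):  # miss or mismatch: ask the directory
            salt = os.urandom(16)
            self.entries[user] = (salt, digest(salt, password), now + self.ttl)
            return True
        return False

def reproduce(cache_cls):
    """Run steps 1, 2, 4 and 6 of the report; return (new_ok, old_ok)."""
    directory = Directory()
    directory.passwords["alice"] = "old-pw"          # constructed test account
    auth = cache_cls(directory)
    auth.login("alice", "old-pw", now=0)             # step 1
    directory.passwords["alice"] = "new-pw"          # step 2
    new_ok = auth.login("alice", "new-pw", now=10)   # step 4
    old_ok = auth.login("alice", "old-pw", now=20)   # step 6
    return new_ok, old_ok
```

Even in the single-entry model, the old password is still accepted from the cache until the new one is first used or the entry expires, so the entry lifetime has to stay short.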

            People

              matt@atlassian.com Matt Ryall
              36a46fd4bbd2 Alexander Seith
              Votes: 4
              Watchers: 2