Details
- Type: Suggestion
- Resolution: Unresolved
- Affects Version: Crowd 2.2.0.m5
Description
Note: I would like to bring this to the attention of the doc team. I was confused for a while, thinking that we had a security bug on our hands. Turns out this is a known issue with AD, and there are ways to mitigate how long the old password remains active for: http://support.microsoft.com/kb/906305
- Add an Active Directory directory in Crowd with Read-Write permissions. I used ldaps://crowd-ad1.sydney.atlassian.com:636 (make sure to install the certificate as mentioned here: https://extranet.atlassian.com/display/CROWD/LDAP+Servers).
- Add the directory to an application and set allow all to authenticate = true.
- Verify that you can authenticate with the AD user by going to the Authentication Test
- Go to the Users tab and select the AD user.
- Change the user's password.
- Go back to the Authentication Test
Expected: User to only be able to authenticate with the new password
Actual: User can authenticate with the new password as well as the old one.
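The check below is an added example, not code from the Crowd issue or from Atlassian. It reproduces steps 6-7 outside Crowd with a plain LDAPS simple bind (the bind type Crowd uses for the Authentication Test) so the old/new password behaviour can be confirmed independently of the Crowd UI, and it reads or sets the OldPasswordAllowedPeriod registry value that KB 906305 documents for shortening the window in which the old password is still accepted. Assumptions: the LDAPS host and port from the report, a test account named testuser@sydney.atlassian.com, a trusted server certificate, and that the domain controller is Windows Server 2003 SP1 or later (the version range the KB covers). The registry functions must be run as an administrator on each domain controller; the bind test can be run from any Windows host.

```powershell
# Added example (not from the Crowd issue or Atlassian).
# Assumed values: LDAPS host/port from the report, test account testuser@sydney.atlassian.com.

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Attempt an LDAPS simple bind with the given credentials; $true on success,
# $false when the server rejects them (LDAP result 49, invalid credentials).
function Test-SimpleBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [Parameter(Mandatory)][string]$User,      # UPN, DOMAIN\user or full DN
        [Parameter(Mandatory)][string]$Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true    # LDAPS; the DC certificate must be trusted
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as Crowd does
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    try {
        $conn.Bind()
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return $false
    } finally {
        $conn.Dispose()
    }
}

# KB 906305: after a password change the old password stays valid for NTLM network
# logons for OldPasswordAllowedPeriod minutes (default 60 when the value is absent;
# 0 disables the window). The value lives under the Lsa key on each domain controller.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-OldPasswordAllowedPeriod {
    $v = Get-ItemProperty -Path $LsaKey -Name OldPasswordAllowedPeriod -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 60 }    # absent value means the KB default of 60 minutes
    return [int]$v.OldPasswordAllowedPeriod
}

function Set-OldPasswordAllowedPeriod {
    param([Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$Minutes)
    # -Force overwrites an existing value; run on every DC, not just one.
    New-ItemProperty -Path $LsaKey -Name OldPasswordAllowedPeriod -PropertyType DWord `
        -Value $Minutes -Force | Out-Null
}

# Usage mirroring the report: change the password in Crowd, then bind with both.
# With the default window both binds succeed for up to an hour; with the value set
# to 0 on every DC only the new password should bind.
$Server = 'crowd-ad1.sydney.atlassian.com'
$User   = 'testuser@sydney.atlassian.com'          # assumed test account
$Old    = Read-Host -Prompt 'Old password'
$New    = Read-Host -Prompt 'New password'

"Old password accepted: $(Test-SimpleBind -Server $Server -User $User -Password $Old)"
"New password accepted: $(Test-SimpleBind -Server $Server -User $User -Password $New)"
"OldPasswordAllowedPeriod on this host (minutes): $(Get-OldPasswordAllowedPeriod)"
# On a DC, to close the window:  Set-OldPasswordAllowedPeriod -Minutes 0
```

Two caveats a practitioner should keep in mind. First, the KB describes the window in terms of NTLM network authentication; the report shows the same grace period surfacing through Crowd's LDAPS simple binds, which is what the bind test above exercises, so treat a successful old-password bind as the symptom and the DC-side value as the knob. Second, the value is read per domain controller, so setting it on one DC while Crowd's LDAP URL resolves to another leaves the old behaviour in place.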