
Thread: Change password in AD still allows login (ZCS 4.0.5 GA 518)

  1. #1
    jameztcc

    Hi,

    I set up a domain to use external AD auth. It seemed that whenever I change the password of an AD user (using AD to change and not Zimbra), I can log in using the NEW and the PREVIOUS password. Is this a bug and how can I work around it?

    1.0 Expected behaviour:
    .1 Should only allow the latest changed password to login.

    2.0 Steps to reproduce:
    .1 Create user = tester in AD
    .2 Assign e.g. password = abc123
    .3 Login via Zimbra Web UI as tester, abc123

    .4 Change password ==> cde456 (Do this using AD).
    .5 Login via Zimbra Web UI as tester, abc123 [Able to log in!]
    .6 Login via Zimbra Web UI as tester, cde456 [Able to log in - expected behaviour]

    .7 Change password ==> fgh789 (Do this using AD).
    .8 Login via Zimbra Web UI as tester, abc123 [Cannot log in - expected behaviour]
    .9 Login via Zimbra Web UI as tester, cde456 [Able to log in!]
    .10 Login via Zimbra Web UI as tester, fgh789 [Able to log in - expected behaviour]


    3.0 Configurations:
    .1 zcs 4.0.5 GA 518 (x86)
    .2 rhel es 4



    Thanks for any reply.
    James

  2. #2
    Rich Graves

    phoenix, he's not asking about syncing passwords; he is authenticating to AD "live" via LDAP. His problem is that a bind to AD returns success for an old password.

    Believe it or not, this is actually the intended behavior of Active Directory. See "Windows Server 2003 Service Pack 1 modifies NTLM network authentication behavior" and "NTLM Authentication: Old Password Usable After Password Changed" (CA Security Advisor Research Blog).

    Microsoft Windows Server 2003 Service Pack 1 (SP1) modifies NTLM network authentication behavior. After you install Windows Server 2003 SP1, domain users can use their old password to access the network for one hour after the password is changed.

  3. #3
    mmorse

    I think he's trying to say the opposite, that the last 2 passwords are caching somewhere in AD for a short amount of time - have you checked to see if there's an AD setting for this?
    BTW it's time to update Zimbra to 4.5.10

  4. #4
    mmorse

    There we go, what Rich said ^ wait more than an hour and then test.

  5. #5
    mmorse

    Just curious, is there a reason that you're still on 4.0.5? Like a platform no longer supported or something? From this thread back in September you asked if you should upgrade to 4.5.7 to fix the large log file issue: "logswatch.out and zmlogger.out BIG!"
    (which has definitely proven fixed in 4.5.7 > "[SOLVED] running a version 4.5.6 or prior? Prevent Large Log File")
    Be sure to make a good backup!
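
Added example, not part of the original thread: the one-hour window discussed above is controlled on each domain controller by a registry value that Microsoft documents, `OldPasswordAllowedPeriod` (DWORD, minutes) under the `Lsa` key. The PowerShell below reports the effective window on every DC; it assumes the ActiveDirectory module and PowerShell remoting to the DCs are available, and the value in the commented-out change is a constructed sample.

```powershell
# Added example: report the NTLM old-password grace period on every domain controller.
# Assumptions: RSAT ActiveDirectory module installed, remoting enabled on the DCs.
Import-Module ActiveDirectory

$lsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName      = 'OldPasswordAllowedPeriod'   # DWORD, minutes (documented by Microsoft)
$defaultMinutes = 60                           # the one hour quoted in the thread

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Read the value on the DC itself; returns nothing when the value is absent.
    $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($key, $name)
        (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    } -ArgumentList $lsaKey, $valueName

    [pscustomobject]@{
        DomainController = $dc.HostName
        Configured       = $null -ne $value
        GraceMinutes     = if ($null -ne $value) { $value } else { $defaultMinutes }
    }
}

# The setting is per DC, so an inconsistent column here means the previous
# password stays usable for different lengths of time depending on which DC
# answers the LDAP bind from Zimbra.
$report | Sort-Object GraceMinutes -Descending | Format-Table -AutoSize

# To shorten the window, run on each DC (5 is a constructed sample value):
# New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value 5 -Force
```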
