Posted to users@cloudstack.apache.org by Rene Moser <ma...@renemoser.net> on 2015/10/26 15:30:47 UTC

Authentication with old LDAP passwords

ACS 4.5.1

Hi

We discovered an issue which can be security relevant and may also exist
in 4.6.

We use LDAP for user authentication. Once a user is authenticated, it
seems this password is cached on the CloudStack management server.

If the password has been changed in LDAP, the old password(s) still
work for authentication unless you restart the management server.

We didn't find a global setting related to this. Is this wanted?

Otherwise I would create a bug report.

Yours
René

Re: Authentication with old LDAP passwords

Posted by Rene Moser <ma...@renemoser.net>.
Filing a bug report

On 10/27/2015 09:19 AM, Rene Moser wrote:
> Hi
> 
> On 10/27/2015 06:55 AM, Rajani Karuturi wrote:
>> ACS doesn't cache passwords. Every time, the authentication request goes to
>> the LDAP server.
> 
> This is what I expected, but our test results show the opposite.
> 
> While the old password didn't work on LDAP anymore, it did work on
> CloudStack. Even older passwords worked, which had been changed in the past,
> as long as you had once successfully authenticated with them. A user was able to
> use 3 different outdated passwords to authenticate to CloudStack!
> 
> After "service cloudstack-management restart", the outdated passwords
> did not work anymore.
> 
> I am pretty sure that the password must be cached (wanted or not) in
> CloudStack.
> 

Re: Authentication with old LDAP passwords

Posted by Rene Moser <ma...@renemoser.net>.
Hi

On 10/27/2015 06:55 AM, Rajani Karuturi wrote:
> ACS doesn't cache passwords. Every time, the authentication request goes to
> the LDAP server.

This is what I expected, but our test results show the opposite.

While the old password didn't work on LDAP anymore, it did work on
CloudStack. Even older passwords worked, which had been changed in the past,
as long as you had once successfully authenticated with them. A user was able to
use 3 different outdated passwords to authenticate to CloudStack!

After "service cloudstack-management restart", the outdated passwords
did not work anymore.

I am pretty sure that the password must be cached (wanted or not) in
CloudStack.


Re: Authentication with old LDAP passwords

Posted by Rajani Karuturi <ra...@apache.org>.
ACS doesn't cache passwords. Every time, the authentication request goes to
the LDAP server.
In the case of Microsoft AD, this is an AD feature. It allows authentication for
a certain period of time. The default lifetime for an old password is 60
minutes.
more details at https://support.microsoft.com/en-us/kb/906305

~Rajani

On Mon, Oct 26, 2015 at 8:00 PM, Rene Moser <ma...@renemoser.net> wrote:

> ACS 4.5.1
>
> Hi
>
> We discovered an issue which can be security relevant and may also exist
> in 4.6.
>
> We use LDAP for user authentication. Once a user is authenticated, it
> seems this password is cached on the CloudStack management server.
>
> If the password has been changed in LDAP, the old password(s) still
> work for authentication unless you restart the management server.
>
> We didn't find a global setting related to this. Is this wanted?
>
> Otherwise I would create a bug report.
>
> Yours
> René
>
>
>
>

Re: Authentication with old LDAP passwords

Posted by Rene Moser <ma...@renemoser.net>.
Hi

On 10/27/2015 05:08 AM, Suresh Sadhu wrote:
> HI,
> 
> Are you using AD or OpenLDAP?

OpenLDAP

RE: Authentication with old LDAP passwords

Posted by Suresh Sadhu <Su...@citrix.com>.
HI,

Are you using AD or OpenLDAP? In Windows, even if you changed the password for the LDAP user, the old password still works for a few seconds. It's a known issue. But if it (the old password) is working after a few minutes (e.g. 1 hour) then please raise a bug.

Can you try your scenario in a private window (press Ctrl+Shift+P in the Firefox browser) of your browser without restarting the MS?

Regards
Sadhu

-----Original Message-----
From: Rene Moser [mailto:mail@renemoser.net] 
Sent: Monday, October 26, 2015 8:01 PM
To: users@cloudstack.apache.org
Subject: Authentication with old LDAP passwords

ACS 4.5.1

Hi

We discovered an issue which can be security relevant and may also exist in 4.6.

We use LDAP for user authentication. Once a user is authenticated, it seems this password is cached on the CloudStack management server.

If the password has been changed in LDAP, the old password(s) still work for authentication unless you restart the management server.

We didn't find a global setting related to this. Is this wanted?

Otherwise I would create a bug report.

Yours
René