Subject: LDAP bind allowing old password for 1 hour
Posted by: AlanAlbany (alanAlbany@nospam.nospam)
Date: Thu, 22 May 2008
We are implementing a Single Sign On (SSO) solution that is using LDAP bind
to an Active Directory authentication domain as its means of authenticating
a user. We have discovered that an SSO user can authenticate with their old
password for one hour after the password has been changed. Other means of
authentication to the authentication domain are not allowing this one hour
grace period. Since administratively changing the password is our method of
locking out an account, this one hour grace period is not acceptable. Is
there a way of reducing it similar to the registry change given in KB906305
for a similar issue with NTLM authentication? We have tried making the
registry change in KB906305 by defining
as a DWORD with the value of 1, but the LDAP bind with the old password is
still working for up to one hour (even after a reboot of the domain
controller). (Note we are testing using a domain with a single domain
controller, so replication delays between domain controllers can be ruled
out.) The following is a test VBScript that can be used to replicate the
problem once customised to the domain being used for testing.
Const MyDomainFull = "ADserver.ad.com"

' Read the default naming context (e.g. DC=ad,DC=com) from RootDSE
Set MyRootDSE = GetObject("LDAP://" & MyDomainFull & "/RootDSE")
MyRootDN = MyRootDSE.Get("defaultNamingContext")

' ADO connection through the ADSI provider; a DN as User ID gives a simple LDAP bind
Set MyConn = CreateObject("ADODB.Connection")
MyConn.Provider = "ADsDSOObject"
MyConn.Properties("User ID") = "CN=MyUser,OU=users,DC=ADserver,DC=ad,DC=com"
MyConn.Properties("Password") = "MyPwd"
MyConn.Open "Active Directory Provider"

' ADO LDAP query string: <base>;(filter);attributes;scope
MyLDAPStr = _
    "<LDAP://" & MyDomainFull & "/ou=users," & MyRootDN & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(cn=MyUser));" & _
    "mail;subtree"

Set MyRS = MyConn.Execute(MyLDAPStr)
If Not MyRS.EOF Then
    WScript.Echo "Not end of file"
    MyMail = MyRS.Fields("mail").Value
    WScript.Echo "mail: " & MyMail
Else
    WScript.Echo "- record not found in AD"
End If

MyRS.Close
MyConn.Close
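The post's script performs a single bind; to check whether a registry change actually shortens the grace window, a practitioner wants to know how long the old password keeps working. The following added example (not from the original post) polls an LDAP simple bind with the old password until it is rejected. It assumes the ldap3 library and an LDAPS-enabled domain controller; the host, DN and passwords are placeholders supplied at run time, and the bind, clock and sleep functions are injectable so the loop can be tested offline.

```python
"""Measure how long an old AD password still passes an LDAP simple bind.

Added example (not from the original post). Assumes the ldap3 library and
an LDAPS-enabled domain controller; server name and account are placeholders.
"""
import sys
import time
from getpass import getpass


def ldap_simple_bind(server_host, user_dn, password):
    """Simple bind with a DN, as the post's ADsDSOObject script does.
    Uses LDAPS (port 636) so the password is not sent in clear text."""
    from ldap3 import Connection, Server, SIMPLE  # assumption: ldap3 installed
    conn = Connection(Server(server_host, port=636, use_ssl=True),
                      user=user_dn, password=password, authentication=SIMPLE)
    ok = conn.bind()
    conn.unbind()
    return ok


def measure_grace_period(bind, server_host, user_dn, old_pw, new_pw,
                         max_wait=3900, interval=60,
                         clock=time.monotonic, sleep=time.sleep):
    """Poll with the old password until it is rejected.

    Returns (seconds_old_password_was_accepted, new_password_bound_ok);
    the first element is None if the old password still works at max_wait.
    bind/clock/sleep are injectable so the loop can be unit-tested offline."""
    start = clock()
    new_ok = bind(server_host, user_dn, new_pw)
    while clock() - start < max_wait:
        if not bind(server_host, user_dn, old_pw):
            return clock() - start, new_ok
        sleep(interval)
    return None, new_ok


if __name__ == "__main__":
    # usage: python grace.py dc.ad.example "CN=MyUser,OU=users,DC=ad,DC=example"
    host, dn = sys.argv[1], sys.argv[2]
    old_pw = getpass("old password: ")
    new_pw = getpass("new password: ")
    secs, new_ok = measure_grace_period(ldap_simple_bind, host, dn, old_pw, new_pw)
    print("new password bind ok:", new_ok)
    print("old password accepted for (s):", secs)
```

Run it against a test account immediately after changing that account's password; the reported duration is the window during which a removed user could still authenticate via the SSO path.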