Re: LDAP (Active Directory) password concerns

2016-08-01 Thread Rajani Karuturi
CloudStack doesn't store LDAP password locally. It queries AD
server for every authentication. Both the passwords being usable
for some time is actually AD feature. You can change the time
interval for which both are usable in AD. I think the default is
60 min. https://support.microsoft.com/en-us/kb/906305

~ Rajani
http://cloudplatform.accelerite.com/

On August 1, 2016 at 11:32 AM, Marty Godsey (ma...@gonsource.com)
wrote:
> Hello,
>
> I have a lab CloudStack that is authenticating to an active
> directory and it works great except one thing. If I change the
> password on the AD user, ACS still allows the user to log into
> the ACS portal with the old AND the new password...
>
> Is there a refresh interval for LDAP accounts? Does it store a
> hash in the ACS database? Did I miss a setting?
>
> Regards,
> Marty Godsey

RE: LDAP (Active Directory) password concerns

2016-08-01 Thread Marty Godsey
No I agree with you. Not being able to log into the machine with the old 
password and being able to with the new one is all correct behavior.  I 
mentioned this to illustrate that the password had indeed been changed.

The accounts I mentioned were to answer your question about there potentially 
being another LOCAL account for that user, which there is not.

UPDATE:

So after it has "sit" for a while, I can no longer log in with the old password. 
I will look at the logs to see if there is a service or something that 
refreshes something in the background. Thank you for your help.

Regards,
Marty Godsey

-Original Message-
From: ilya [mailto:ilya.mailing.li...@gmail.com] 
Sent: Monday, August 1, 2016 2:36 AM
To: users@cloudstack.apache.org
Subject: Re: LDAP (Active Directory) password concerns

Marty see response in-line

On 7/31/16 11:32 PM, Marty Godsey wrote:
> The password has been changed. If I try to log onto a machine in the domain 
> with the old password it tells me the password is incorrect. 
correct behavior

> If I use the new one, it logs me into the machine.
also correct behavior

> There are only three accounts in the ACS instance: admin, bare-metal and 
> testallow. Testallow is the LDAP account.

not following where the issue might be
> 
> 
> Regards,
> Marty Godsey
> 
> -Original Message-
> From: ilya [mailto:ilya.mailing.li...@gmail.com]
> Sent: Monday, August 1, 2016 2:29 AM
> To: users@cloudstack.apache.org
> Subject: Re: LDAP (Active Directory) password concerns
> 
> Do you happen to have local account as well as ldap account set?
> 
> It usually follows one authentication method (ldap) followed by another 
> (local). Please confirm the passwords are different.
> 
> I will be testing ldap this week and will let you know if I see this issue. 
> I've used it in past, I'd be surprised to see this behaviour, last I recall, 
> we don't cache - and do a lookup to LDAP each time user tries to 
> authenticate. You should see this in the logs.
> 
> 
> Regards,
> ilya
> 
> On 7/31/16 11:01 PM, Marty Godsey wrote:
>> Hello,
>>
>> I have a lab CloudStack that is authenticating to an active directory and it 
>> works great except one thing. If I change the password on the AD user, ACS 
>> still allows the user to log into the ACS portal with the old AND the new 
>> password...
>>
>> Is there a refresh interval for LDAP accounts? Does it store a hash in the 
>> ACS database? Did I miss a setting?
>>
>> Regards,
>> Marty Godsey
>>
>>


Re: LDAP (Active Directory) password concerns

2016-08-01 Thread ilya
Marty see response in-line

On 7/31/16 11:32 PM, Marty Godsey wrote:
> The password has been changed. If I try to log onto a machine in the domain 
> with the old password it tells me the password is incorrect. 
correct behavior

> If I use the new one, it logs me into the machine.
also correct behavior

> There are only three accounts in the ACS instance: admin, bare-metal and
> testallow. Testallow is the LDAP account.

not following where the issue might be
> 
> 
> Regards,
> Marty Godsey
> 
> -Original Message-
> From: ilya [mailto:ilya.mailing.li...@gmail.com] 
> Sent: Monday, August 1, 2016 2:29 AM
> To: users@cloudstack.apache.org
> Subject: Re: LDAP (Active Directory) password concerns
> 
> Do you happen to have local account as well as ldap account set?
> 
> It usually follows one authentication method (ldap) followed by another 
> (local). Please confirm the passwords are different.
> 
> I will be testing ldap this week and will let you know if I see this issue. 
> I've used it in past, I'd be surprised to see this behaviour, last I recall, 
> we don't cache - and do a lookup to LDAP each time user tries to 
> authenticate. You should see this in the logs.
> 
> 
> Regards,
> ilya
> 
> On 7/31/16 11:01 PM, Marty Godsey wrote:
>> Hello,
>>
>> I have a lab CloudStack that is authenticating to an active directory and it 
>> works great except one thing. If I change the password on the AD user, ACS 
>> still allows the user to log into the ACS portal with the old AND the new 
>> password...
>>
>> Is there a refresh interval for LDAP accounts? Does it store a hash in the 
>> ACS database? Did I miss a setting?
>>
>> Regards,
>> Marty Godsey
>>
>>


RE: LDAP (Active Directory) password concerns

2016-08-01 Thread Marty Godsey
Only reason I am is because I plan on integrating other services in the future 
and having an LDAP authentication method will allow me to provide these 
services utilizing the same accounts.

Regards,
Marty Godsey

-Original Message-
From: ilya [mailto:ilya.mailing.li...@gmail.com] 
Sent: Monday, August 1, 2016 2:33 AM
To: users@cloudstack.apache.org
Subject: Re: LDAP (Active Directory) password concerns

I must also mention, I don't use Active Directory.

On 7/31/16 11:29 PM, ilya wrote:
> Do you happen to have local account as well as ldap account set?
> 
> It usually follows one authentication method (ldap) followed by 
> another (local). Please confirm the passwords are different.
> 
> I will be testing ldap this week and will let you know if I see this 
> issue. I've used it in past, I'd be surprised to see this behaviour, 
> last I recall, we don't cache - and do a lookup to LDAP each time user 
> tries to authenticate. You should see this in the logs.
> 
> 
> Regards,
> ilya
> 
> On 7/31/16 11:01 PM, Marty Godsey wrote:
>> Hello,
>>
>> I have a lab CloudStack that is authenticating to an active directory and it 
>> works great except one thing. If I change the password on the AD user, ACS 
>> still allows the user to log into the ACS portal with the old AND the new 
>> password...
>>
>> Is there a refresh interval for LDAP accounts? Does it store a hash in the 
>> ACS database? Did I miss a setting?
>>
>> Regards,
>> Marty Godsey
>>
>>


Re: LDAP (Active Directory) password concerns

2016-08-01 Thread ilya
I must also mention, I don't use Active Directory.

On 7/31/16 11:29 PM, ilya wrote:
> Do you happen to have local account as well as ldap account set?
> 
> It usually follows one authentication method (ldap) followed by another
> (local). Please confirm the passwords are different.
> 
> I will be testing ldap this week and will let you know if I see this
> issue. I've used it in past, I'd be surprised to see this behaviour,
> last I recall, we don't cache - and do a lookup to LDAP each time user
> tries to authenticate. You should see this in the logs.
> 
> 
> Regards,
> ilya
> 
> On 7/31/16 11:01 PM, Marty Godsey wrote:
>> Hello,
>>
>> I have a lab CloudStack that is authenticating to an active directory and it 
>> works great except one thing. If I change the password on the AD user, ACS 
>> still allows the user to log into the ACS portal with the old AND the new 
>> password...
>>
>> Is there a refresh interval for LDAP accounts? Does it store a hash in the 
>> ACS database? Did I miss a setting?
>>
>> Regards,
>> Marty Godsey
>>
>>


RE: LDAP (Active Directory) password concerns

2016-08-01 Thread Marty Godsey
The password has been changed. If I try to log onto a machine in the domain 
with the old password it tells me the password is incorrect. If I use the new 
one, it logs me into the machine. There are only three accounts in the ACS 
instance: admin, bare-metal and testallow. Testallow is the LDAP account.


Regards,
Marty Godsey

-Original Message-
From: ilya [mailto:ilya.mailing.li...@gmail.com] 
Sent: Monday, August 1, 2016 2:29 AM
To: users@cloudstack.apache.org
Subject: Re: LDAP (Active Directory) password concerns

Do you happen to have local account as well as ldap account set?

It usually follows one authentication method (ldap) followed by another 
(local). Please confirm the passwords are different.

I will be testing ldap this week and will let you know if I see this issue. 
I've used it in past, I'd be surprised to see this behaviour, last I recall, we 
don't cache - and do a lookup to LDAP each time user tries to authenticate. You 
should see this in the logs.


Regards,
ilya

On 7/31/16 11:01 PM, Marty Godsey wrote:
> Hello,
> 
> I have a lab CloudStack that is authenticating to an active directory and it 
> works great except one thing. If I change the password on the AD user, ACS 
> still allows the user to log into the ACS portal with the old AND the new 
> password...
> 
> Is there a refresh interval for LDAP accounts? Does it store a hash in the 
> ACS database? Did I miss a setting?
> 
> Regards,
> Marty Godsey
> 
> 


Re: LDAP (Active Directory) password concerns

2016-08-01 Thread ilya
Do you happen to have local account as well as ldap account set?

It usually follows one authentication method (ldap) followed by another
(local). Please confirm the passwords are different.

I will be testing ldap this week and will let you know if I see this
issue. I've used it in past, I'd be surprised to see this behaviour,
last I recall, we don't cache - and do a lookup to LDAP each time user
tries to authenticate. You should see this in the logs.


Regards,
ilya

On 7/31/16 11:01 PM, Marty Godsey wrote:
> Hello,
> 
> I have a lab CloudStack that is authenticating to an active directory and it 
> works great except one thing. If I change the password on the AD user, ACS 
> still allows the user to log into the ACS portal with the old AND the new 
> password...
> 
> Is there a refresh interval for LDAP accounts? Does it store a hash in the 
> ACS database? Did I miss a setting?
> 
> Regards,
> Marty Godsey
> 
> 


LDAP (Active Directory) password concerns

2016-08-01 Thread Marty Godsey
Hello,

I have a lab CloudStack that is authenticating to an active directory and it 
works great except one thing. If I change the password on the AD user, ACS 
still allows the user to log into the ACS portal with the old AND the new 
password...

Is there a refresh interval for LDAP accounts? Does it store a hash in the ACS 
database? Did I miss a setting?

Regards,
Marty Godsey