Hugo Etievant
2008-Nov-07 13:25 UTC
[Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
Hello,

I discovered a strange behavior with the Active Directory LDAP protocol!

My config:
- an Active Directory on MS Windows Server 2003 SP2 + PassSync service
- a Fedora Directory Server 1.1.3 + Replication Agreement for Windows synchronization

Bidirectional synchronization of accounts is running, it is OKAY.

When an administrator resets a user password with the Administration Server Console, this user can connect to Windows LDAP with the new password chosen by the administrator (the sync of the password is OK).
But this user can also use the previous password (big surprise)!
=> both are accepted by Windows LDAP: the last and the previous password!!!

How can that be possible?!
And how to stop this strange behavior?

User connections are made with the ldapsearch command:

    /usr/lib/mozldap/ldapsearch -h adfds -P /etc/dirsrv/slapd-fds3/ -m /etc/dirsrv/slapd-fds3/ -D "cn=Gontran Bonheur,cn=Users,dc=example,dc=fr" -b "cn=Users,dc=example,dc=fr" -w - "(cn=Gontran Bonheur)" dn

This request accepts the new and the previous passwords!!!

If I force "Send and Receive Updates Now" in the Console, the behavior does not change.

If my user uses the Windows login banner, this behavior doesn't appear.

Regards.
--
Hugo Étiévant
devzero2000
2008-Nov-10 11:46 UTC
Re: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
Not so strange. It is a well-known Windows feature (sigh)
yersinia
2008-Nov-10 11:48 UTC
Re: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
> Not so strange. It is a well-known Windows feature (sigh)
Hugo Etievant
2008-Nov-12 10:37 UTC
Re: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
It is not a bug, it is a feature! Thanks.

devzero2000 wrote:
> Not so strange. It is a well-known Windows feature (sigh)

--
Hugo Étiévant