Prev
Next
Forums S3 Security

Password Problem - possible LDAP bind issue

Sort:
You are not authorized to post a reply.
Author
Messages
MattD
Veteran Member
Posts: 94
Veteran Member
10/26/2009 1:47 PM

    Hello,

    We are currently on Lawson Security 9 (CheckLS=Y).  When logging into portal our users are able use their current password or previous password.  Our Lawson LDAP is bound to our Corporate LDAP so all passwords come from the Corporate LDAP.  None of our other non-Lawson systems bound to LDAP have this issue so my theory is that it is a problem with our bind settings or setup.  Anyone have any ideas how to correct the problem?

     

    This can be a big security hole since when a user's password is reset it is initally set to a dummy password before the user changes it.  So the dummy password can be used even after the user has changed the password.

     

    Any help would be awesome.  Thanks.

     

    Matt

    John Henley
    Senior Member
    Posts: 3348
    Senior Member
    10/26/2009 2:18 PM
      I have seen that as well. My understanding is that this is actually a side-effect of the Windows "feature" for "cached credentials"; e.g. you can login to your laptop using a domain account even when you are not connected to the network. That is because Windows caches your passwords/credentials and "pretends" to log you in to the AD account.

      BTW, this has nothing to do with CheckLS=Y--it is the Portal authentication using ldapbind to an AD ldap provider.

      Are you running LSF9 on Windows? I think you can control this via the Windows Group Policy Object (GPO) "Interactive Logon: Number of previous logons to cache (in case domain controller is not available)", changing it from 10 to 0 logons.

      I haven't actually tested to see if that is the case or not, so let us know...
      Thanks for using the LawsonGuru.com forums!
      John
      MattD
      Veteran Member
      Posts: 94
      Veteran Member
      10/26/2009 2:45 PM
        Thanks for the info. I knew it didn't have anything to do with (CheckLS=Y) I just always put that to signify we are not on LS9 using LAUA security. I thought it might have something to do with the bind. We are actually on LSF9 on UNIX. We use Tivoli LDAP. Is the caching feature set on the Lawson LDAP or the Corporate LDAP.

        Thanks Again!
        Matt
        You are not authorized to post a reply.