Forum

Able to authenticate using old LDAP password.

Vaneet Sharma, modified 15 years ago.

Able to authenticate using old LDAP password.

Regular Member Posts: 195 Join Date: 25/07/08 Recent Posts
Hi,

Liferay allows users to authenticate with the old LDAP password even when the LDAP password has been changed.

Basically Liferay first authenticates the user against LDAP, and then authenticates against the User table.

So, if a user tries to log in with the old password, he is able to get into the system, as the User table contains the old LDAP password.

How can I get away with this ....

Thanks
sky tb, modified 15 years ago.

RE: Able to authenticate using old LDAP password.

Junior Member Posts: 45 Join Date: 03/10/08 Recent Posts
Vaneet Sharma:
Hi,

Liferay allows users to authenticate with the old LDAP password even when the LDAP password has been changed.

Basically Liferay first authenticates the user against LDAP, and then authenticates against the User table.

So, if a user tries to log in with the old password, he is able to get into the system, as the User table contains the old LDAP password.

How can I get away with this ....

Thanks


Hi:
I found this several days ago, with surprise. I let the admin use the internal password in case something went wrong with LDAP. The side effect is that the old password can be used by other users. So I must force all users to use LDAP, including the admin, and it cures the bad behavior. I think Liferay should not store the password in the database if the user uses LDAP to authenticate, but I think the correction would never happen.
Try setting ldap.auth.required=true in portal-ext.properties and you can prevent the bug.
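
A configuration check for the fallback described in this thread, as an added example that is not part of the original posts and is not Liferay code. It assumes the LDAP settings live in `portal-ext.properties`, that `ldap.auth.enabled` is the switch that turns LDAP authentication on, and that both properties default to `false` when absent; the sample file contents are constructed.

```python
import re

# Constructed sample portal-ext.properties contents (not from the thread).
WEAK = """\
# LDAP is on, but fallback to the portal database is still allowed
ldap.auth.enabled=true
ldap.auth.required=false
"""
HARDENED = """\
ldap.auth.enabled = true
ldap.auth.required : true
"""

def parse_properties(text):
    """Minimal Java .properties parser: skips comments, accepts '=', ':' or
    whitespace as separator; a later definition overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_ldap_fallback(text):
    """Return a list of findings; an empty list means LDAP is either off
    or required, so a stale database password cannot be used instead."""
    props = parse_properties(text)
    # Assumption: both properties default to false when not set.
    ldap_on = props.get("ldap.auth.enabled", "false").lower() == "true"
    required = props.get("ldap.auth.required", "false").lower() == "true"
    findings = []
    if ldap_on and not required:
        findings.append(
            "ldap.auth.enabled=true without ldap.auth.required=true: "
            "a failed LDAP login can fall back to the password stored in "
            "the User table, so an old LDAP password may still work"
        )
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ldap_fallback(sample) or "OK")
```
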