Security

Why am I able to re-use previous password for Splunk LDAP authentication?

remy06
Contributor

Hi,

We have configured to use Splunk LDAP authentication and have been able to login to Splunk using our AD credentials.

I've just changed my password and Splunk shouldn't allow me to login using my old password.

However,I am still able to login using my old password as well as the new password now.

Any idea on this?

1 Solution

the_wolverine
Champion

If you're really using LDAP then this seems its an LDAP issue. Could it be that your new password hasn't replicated to the LDAP server that Splunk authenticates to?

Also doublecheck that your account is really LDAP-enabled. In 4.1, side-by-side auth is available so it could be that your Splunk login is really a Splunk account, not LDAP. Log into UI and check the user list to verify this.

View solution in original post

rtadams89
Contributor

This is actually a "feature" of Active Directory introduced with Server 2003 SP1. The KB article on this change is here: http://support.microsoft.com/kb/906305/en-us

Essentially, what changed is that the old password will still work for 1 hour (configurable, 1 hour by default) after a password change for authentications via NTLM. Also, by default Server 2003 will be set to an authentication method called "Negotiate" which means it will try Kerberos authentication first, and if that fails, revert to NTLM authentication. The reason you could not log in to your workstation with the old password was because your workstation is capable of Kerberos authentication with AD. When the LDAP server attempts to authenticate the user with AD, Kerberos fails and it reverts to NTLM authentication (which due to the change in SP1 will now allow the new password OR old password to work).

There are four things you can do:

1) Disable NTLM authentication completely. This will probably break many things.
2) Set the value of OldPasswordAllowedPeriod to something small (1 minute is the shortest). This may break things if you have a distributed environment.
3) Have users change their password twice in a row (there by making the first "new" password, the "old" password that is cached).
4) Live with users being able to login to Splunk with an old password for up to an hour.

0 Karma

rikuadmin
New Member

AD Domain controllers can remember your old password for an limited time ( perhaps originally needeed due slow replication in sloooowwwww networks. ) Ask your AD-admin to remove this feature from DC:s.

additional about passwd remembering:
Also if you disconnect your laptop(or any pc-workstation) from your primary domain, your latest AD-password will work even you are not connected anymore. If you want to get rid of this feature, you must have LOCAL USER ACCOUNT in LOCAL ADMINS GROUP, which you can use for "NON-domain logins" if you have some problems with domain logins. And if you have remember passwords feature "on" in your browser, you will encounter occasionally problems. AVOID using "remember passwords" in browser environment also ( due security and error-in-logins-with-passwords )

0 Karma

remy06
Contributor

Thanks for the reply.

When I changed my password earlier,I did log on to the domain using the new password,and was unable to do so using the old password already.

Therefore I wanted to test my Splunk login as well and happen to be able to log in using both old and new.I did check and my account is LDAP-enabled.

Anyway,I've just tested and relog into Splunk now and it is accepting my new password now.So I guess its probably what you've mentioned,that the new password hasn't been replicated or so.

0 Karma

the_wolverine
Champion

If you're really using LDAP then this seems its an LDAP issue. Could it be that your new password hasn't replicated to the LDAP server that Splunk authenticates to?

Also doublecheck that your account is really LDAP-enabled. In 4.1, side-by-side auth is available so it could be that your Splunk login is really a Splunk account, not LDAP. Log into UI and check the user list to verify this.

rtadams89
Contributor

It's not related to replication (well, not directly). See my answer below for a more detailed explaination, but you will by default always be able to use the old password for one hour when running in a Server 2003 SP1 or newer environment.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>