Apache Directory Server: Old password still works after change.


ApacheDS is a free, open source LDAP server. If you’ve ever heard of Microsoft Active Directory, it serves the same purpose as that, without requiring you to purchase a full-blown Windows Server license to gain that capability.

There’s an issue with it, though. Have you ever noticed that after you change the password on an ApacheDS account, both the new AND the old password continue to work? There is some problem in ApacheDS, probably a caching issue, in which the old password remains valid for up to around 2 minutes afterwards.

If you’re writing unit tests with tools like NUnit (or anything else) and your test code creates a new account, changes the password, then verifies the change by attempting to log in with the old password, you’ll notice that the test fails almost every time because the login with the old password succeeds. You’ll need to put in a timer after the password has been changed. I recommend a loop of 90 iterations of 1-second waits. At the end of each 1-second wait, attempt to log in with the old password. Continue this for up to 120 tries, until the old password fails or until the 120th try. On the 120th try, if it still logs in with the old password, give up and call the test failed. If the old password fails at or before the 90th attempt, call the test a success.
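The polling loop described above, as an added example in Python (not code from the original post): a helper that probes with the old password once per wait interval and reports on which attempt the server first rejects it. The bind probe is injected so the loop can be tested offline against a constructed stand-in for the ApacheDS cache; the `ldap3`-based probe is an assumption about how a real test would bind and is only needed against a live server.

```python
import time
from typing import Callable, Optional

# `old_password_still_binds` attempts a simple bind with the OLD password and
# returns True while the server still accepts it. `sleep` is injectable so the
# loop can be unit tested without real 1-second waits.
def wait_until_old_password_rejected(
    old_password_still_binds: Callable[[], bool],
    max_tries: int = 120,
    delay_seconds: float = 1.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[int]:
    """Return the attempt number on which the old password was first rejected,
    or None if the server still accepted it after max_tries attempts."""
    for attempt in range(1, max_tries + 1):
        sleep(delay_seconds)            # wait, then probe
        if not old_password_still_binds():
            return attempt
    return None

def ldap3_old_password_probe(server_uri: str, user_dn: str, old_password: str) -> Callable[[], bool]:
    """Build a probe against a real server using the ldap3 library (assumed to be
    installed; imported lazily so this module loads without it)."""
    def probe() -> bool:
        from ldap3 import Server, Connection
        conn = Connection(Server(server_uri), user=user_dn, password=old_password)
        ok = conn.bind()                # True means the old credentials still work
        conn.unbind()
        return ok
    return probe

class FakeCachedServer:
    """Constructed stand-in for ApacheDS: keeps honouring the old password for
    `accepts_old_for` probes, then rejects it (simulates the cache expiring)."""
    def __init__(self, accepts_old_for: int) -> None:
        self.accepts_old_for = accepts_old_for
        self.probes = 0

    def old_password_still_binds(self) -> bool:
        self.probes += 1
        return self.probes <= self.accepts_old_for

def test_old_password_eventually_rejected() -> bool:
    """The check from the post: pass only if the old password is rejected
    within the allowed number of tries (here against the constructed server)."""
    srv = FakeCachedServer(accepts_old_for=5)
    result = wait_until_old_password_rejected(
        srv.old_password_still_binds, max_tries=120, sleep=lambda _: None)
    return result is not None
```

The attempt number returned is also worth logging in a real test run, since it measures how long the stale credential stayed usable.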

Knowing that there is a delay will save you hours of research.  Rest assured, the problem is NOT in your own code.
