Resolution: Won't Fix
Affects Version/s: 7.0.X, 7.1.X, Master
Fix Version/s: None
Component/s: Application Security > LDAP
A user can log in with the portal (old) password when the user exists in the LDAP server but LDAP authentication fails.
Steps to reproduce this behavior:
- Enable LDAP authentication with:
  - Enable user import.
  - Disable 'required' LDAP authentication.
- Create a user in LDAP and log in to the portal. (After that, the user exists in both the Liferay database and LDAP.)
- Change the user's password in LDAP. (After that, LDAP has a different password than the Liferay database.)
- Change the user's password in LDAP again. (Microsoft Active Directory lets the old password be used for some time if you do not change the password cache.)
- Log in to the portal as this user but with the old password (the Liferay database password).
The user is authenticated successfully because, although the LDAP password check fails, the portal then tries to authenticate against its own database.
In this use case the user should not be authenticated, because the password in LDAP is different.
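A minimal model of the flow described in this report, added here as an illustration and not taken from Liferay's code base. The function names, the sample accounts and the `ldap_required` flag are assumptions of the model; it contrasts the reported fallback with the behaviour the reporter expects, where a rejected bind for a user who exists in LDAP is final.

```python
"""Simplified model of the login flow in this report (constructed, not Liferay code)."""
import hmac
from enum import Enum

class LdapResult(Enum):
    SUCCESS = 1
    BAD_CREDENTIALS = 2   # user exists in LDAP, but the bind was rejected
    NO_SUCH_USER = 3      # user is not in the directory at all

# Constructed sample data: jdoe's password was changed in LDAP only,
# so the portal database still holds the old one. localadmin is portal-only.
LDAP_USERS = {"jdoe": "new-ldap-pw"}
PORTAL_DB = {"jdoe": "old-portal-pw", "localadmin": "local-pw"}

def _matches(stored, supplied):
    # Constant-time comparison; a missing account never matches.
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

def ldap_bind(user, password):
    if user not in LDAP_USERS:
        return LdapResult.NO_SUCH_USER
    ok = _matches(LDAP_USERS[user], password)
    return LdapResult.SUCCESS if ok else LdapResult.BAD_CREDENTIALS

def db_check(user, password):
    return _matches(PORTAL_DB.get(user), password)

def login_reported(user, password, ldap_required=False):
    """Reported behaviour: any LDAP failure falls through to the portal database."""
    if ldap_bind(user, password) is LdapResult.SUCCESS:
        return True
    if ldap_required:
        return False
    return db_check(user, password)

def login_expected(user, password, ldap_required=False):
    """Expected behaviour: only accounts unknown to LDAP may fall back to the database."""
    result = ldap_bind(user, password)
    if result is LdapResult.SUCCESS:
        return True
    if result is LdapResult.BAD_CREDENTIALS or ldap_required:
        return False
    return db_check(user, password)
```
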