To provide faster user authentication, the Java LDAP implementation used by the Novell Cloud Manager Server maintains a cached pool of connections. Each connection includes a paired user ID and password. By default, the cache is retained until the Cloud Manager Server is restarted.
A potential security hole can arise if a user’s password is changed in the LDAP source. When this occurs, both the new and old passwords can be used until the connections in the cache are cleared during a server restart.
If this is an issue for your organization, there are two possible solutions:

Disable the cache. This slows down authentication but completely eliminates the issue. To disable the cache, use the following Java system property:
com.sun.jndi.ldap.connect.pool=false
For example, you could set it at the command line:
# java -Dcom.sun.jndi.ldap.connect.pool=false

Set a timeout value for entries stored in the cache. If a connection is not used within the designated timeout period, it is removed from the cache. This is not as secure as disabling the cache, because a user could repeatedly authenticate within the timeout interval and thereby keep the old connection (and its user ID/password pair) alive. To set the timeout, use the following Java system property:
com.sun.jndi.ldap.connect.pool.timeout=milliseconds
For example, you could set the timeout at the command line:
# java -Dcom.sun.jndi.ldap.connect.pool.timeout=1200000
We recommend a timeout value that is greater than the timeout value for the Cloud Manager console (15 minutes). For example, you could set the timeout to 20 minutes (1200000 milliseconds).
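As an added example that is not part of this Novell documentation, the following POSIX shell check inspects a Cloud Manager JVM command line for the two properties above and reports which of the states described here applies (cache disabled, timeout above the 15-minute console timeout, timeout too short, or no timeout at all). It assumes the properties are passed as -D options on the java command line and, following the text above, that a missing pool property means the cache is in use; the sample command line at the bottom is constructed.

```shell
#!/bin/sh
# Added example: audit a JVM command line for the LDAP connection-pool settings.
# For a live check, pass the output of: ps -o args= -p <cloud-manager-java-pid>
# Console session timeout is 15 minutes, i.e. 900000 ms (value taken from the page).
CONSOLE_TIMEOUT_MS=900000

# Print the value of -D<name>=<value> from a command line; print nothing if absent.
jvm_prop() {
    # $1 = command line, $2 = property name (dots escaped so sed matches literally)
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$esc=//p" | head -n 1
}

# Classify the pooling configuration. Prints exactly one of:
#   DISABLED       pool off: a changed password takes effect immediately
#   TIMEOUT_OK     pool on, timeout longer than the console session (recommended)
#   TIMEOUT_SHORT  pool on, timeout not longer than the console session
#   UNBOUNDED      pool on, no timeout: old credentials cached until restart
#   INVALID        timeout present but not a number of milliseconds
check_ldap_pool() {
    cmdline=$1
    pool=$(jvm_prop "$cmdline" 'com.sun.jndi.ldap.connect.pool')
    timeout=$(jvm_prop "$cmdline" 'com.sun.jndi.ldap.connect.pool.timeout')
    if [ "$pool" = "false" ]; then
        echo DISABLED
        return
    fi
    case $timeout in
        '')        echo UNBOUNDED; return ;;
        *[!0-9]*)  echo INVALID;   return ;;
    esac
    if [ "$timeout" -gt "$CONSOLE_TIMEOUT_MS" ]; then
        echo TIMEOUT_OK
    else
        echo TIMEOUT_SHORT
    fi
}

# Constructed sample command line (not a real Cloud Manager process):
SAMPLE='java -Dcom.sun.jndi.ldap.connect.pool.timeout=1200000 -jar CloudManager.jar'
check_ldap_pool "$SAMPLE"
```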