LDAP password reset doesn't disconnect/kick out user


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When Hipchat Server is connected to an LDAP directory for authentication, authenticated users are not kicked out or forced to authenticate again if they change their LDAP password. 

The user session will stay active until one of the following is true:

  • The session cookie expires after 14 days
  • The user logs out or is logged out by the admin

Environment

  • Any release of Hipchat Server or Data Center that uses LDAP or Active Directory for user management.

Cause

This behavior is due to the way LDAP authentication works in Hipchat Server and Data Center. 

Once the user inputs the email and LDAP password, the embedded Crowd instance in Hipchat Server / Data Center will send an authentication request along with the supplied credentials to the LDAP directory.  Based on the response, the user will be logged in or an error is returned. The LDAP password is not stored in the Hipchat database and thus, Hipchat doesn't have any way of knowing the password was changed. 

The user password is sent in the request to LDAP straight from the login form, thus a regular check against LDAP every few minutes is not possible. 

Workaround

Once the LDAP password is changed, the user can disconnect any active sessions by navigating to  Edit Profile > Chat sessions > Disconnect in the Hipchat Web UI.

The admin can also disconnect the session for each user via Group admin > Users > John Smith > Disconnect.

The new password will be in effect the next time the user attempts to log in.  
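To find which sessions still need the manual disconnect described above, an admin can compare session start times with the directory's password-change timestamps. The following is an added example, not Atlassian code: it assumes Active Directory (whose `pwdLastSet` attribute holds the change time) and a hypothetical session export of email and creation time; all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

COOKIE_LIFETIME = timedelta(days=14)  # session cookie lifetime stated in the article
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """Convert AD pwdLastSet (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def stale_sessions(sessions, pwd_last_set, now):
    """Return live sessions that began before the user's last password change."""
    stale = []
    for session in sessions:
        if session["created"] + COOKIE_LIFETIME <= now:
            continue  # cookie already expired on its own
        filetime = pwd_last_set.get(session["email"])
        if filetime is None:
            continue  # user not found in the directory export
        # pwdLastSet == 0 means "must change password at next logon": flag it.
        if filetime == 0 or session["created"] < filetime_to_datetime(filetime):
            stale.append(session)
    return stale

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data: hypothetical session export and directory values.
NOW = utc(2018, 1, 19, 12)
SESSIONS = [
    {"email": "alice@example.com", "created": utc(2018, 1, 10, 9)},
    {"email": "bob@example.com", "created": utc(2018, 1, 17, 9)},
    {"email": "carol@example.com", "created": utc(2018, 1, 1, 9)},
    {"email": "dave@example.com", "created": utc(2018, 1, 12, 9)},
]
PWD_LAST_SET = {
    "alice@example.com": to_filetime(utc(2018, 1, 15, 8)),
    "bob@example.com": to_filetime(utc(2018, 1, 2, 8)),
    "carol@example.com": to_filetime(utc(2018, 1, 10, 8)),
    "dave@example.com": 0,
}

if __name__ == "__main__":
    for s in stale_sessions(SESSIONS, PWD_LAST_SET, NOW):
        print("disconnect:", s["email"], "session started", s["created"].isoformat())
```

Sessions flagged here are the ones to end through Edit Profile > Chat sessions > Disconnect or Group admin > Users > Disconnect.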

 

Last modified on January 19, 2018
