Security hole? After LDAP password was changed, login with old password still possible!?

We're using the LDAP authentication with YouTrack 5.0.6 Build7561. That is, upon first login, the user gets replicated to YouTrack's internal database. (I'd like that to be automated, but that's a different story.)

However, when the user later on changes his password in LDAP, while he can now log in to YouTrack with the new password, login with the old password is still possible! It seems to be stored in YouTrack's internal database along with the other account settings...

In short, I have now two auth methods with different passwords:
  • against LDAP
  • against the internal user database

I do want my LDAP to be the one and only master. What did I do wrong? Is this a huge bug, or do I just not get it?
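The behaviour described in the question is what you get when a service replicates the directory password into a local store at first login and then accepts a successful check against either backend. The model below is an added example, not YouTrack's code: `FakeLdap` is a constructed stand-in for the directory, the account entries are invented, and `VulnerableAuth` / `HardenedAuth` are hypothetical services that show the dual-password condition next to a version where the directory stays authoritative (the local hash is only a cache, refreshed on every directory success and consulted only when the directory is unreachable).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


class FakeLdap:
    """Constructed stand-in for an LDAP server; entries are invented for the example."""

    def __init__(self, entries, reachable=True):
        self._entries = dict(entries)
        self.reachable = reachable

    def bind(self, username, password):
        """Simulate a simple bind: True on success, ConnectionError if the server is down."""
        if not self.reachable:
            raise ConnectionError("directory unreachable")
        return self._entries.get(username) == password

    def set_password(self, username, new_password):
        self._entries[username] = new_password


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hash(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class LocalAccount:
    ldap_managed: bool
    salt: bytes
    digest: bytes


class VulnerableAuth:
    """Replicates the user at first LDAP login, then accepts EITHER backend (hypothetical)."""

    def __init__(self, ldap):
        self.ldap = ldap
        self.users = {}

    def login(self, username, password):
        try:
            if self.ldap.bind(username, password):
                if username not in self.users:
                    # Snapshot of the password at first login; never refreshed afterwards.
                    salt, digest = hash_password(password)
                    self.users[username] = LocalAccount(True, salt, digest)
                return True
        except ConnectionError:
            pass
        # Fallback to the local hash even though the directory just rejected the bind:
        # this is the path that keeps the old password alive.
        acct = self.users.get(username)
        return acct is not None and verify_hash(password, acct.salt, acct.digest)


class HardenedAuth(VulnerableAuth):
    """Directory is authoritative for LDAP-managed accounts (hypothetical hardened version)."""

    def login(self, username, password):
        acct = self.users.get(username)
        try:
            ok = self.ldap.bind(username, password)
        except ConnectionError:
            # Offline fallback only, and only against the most recently confirmed password.
            return acct is not None and acct.ldap_managed and verify_hash(password, acct.salt, acct.digest)
        if ok:
            # Refresh the cached hash on every directory success so it never goes stale.
            salt, digest = hash_password(password)
            self.users[username] = LocalAccount(True, salt, digest)
            return True
        # Directory rejected the bind: no fall-through for LDAP-managed accounts.
        if acct is not None and not acct.ldap_managed:
            return verify_hash(password, acct.salt, acct.digest)
        return False


def demo():
    """Reproduce the reported sequence against both services.

    Returns {service: (first login ok, new password ok, OLD password still ok)}.
    """
    results = {}
    for name, cls in (("vulnerable", VulnerableAuth), ("hardened", HardenedAuth)):
        ldap = FakeLdap({"alice": "old-secret"})  # constructed account
        svc = cls(ldap)
        first = svc.login("alice", "old-secret")
        ldap.set_password("alice", "new-secret")
        new_ok = svc.login("alice", "new-secret")
        old_ok = svc.login("alice", "old-secret")
        results[name] = (first, new_ok, old_ok)
    return results


if __name__ == "__main__":
    for service, outcome in demo().items():
        print(service, outcome)
```

Running `demo()` gives `(True, True, True)` for the vulnerable service, i.e. the old password keeps working after the directory change, and `(True, True, False)` for the hardened one. The design point is that a locally cached credential for a directory-managed account must only ever be used when the directory cannot answer, and must be replaced each time the directory confirms a password, otherwise a password change in LDAP does not revoke the old secret.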
