Jabber after LDAP password change

Engnr
Level 1

Hi there,

I wonder what Jabber behaviour is after the user changes their password on AD? Will it prompt to logout/login right after that or after some time? Jabber is 12.9 and has fast login enabled.

Thanks

12 Replies

npetrele
Cisco Employee

Jabber shouldn't care about the password change until you logout and have to login again. I just changed the password (local, not LDAP, but that shouldn't matter) for a Jabber user while logged in, and it had no effect.

 

That’s what I experience as well; however, what perplexes me is how it is possible that, even after exiting and restarting the Jabber app (no sign-out), it is still able to register to CUCM, IMP and Unity, as the creds cached by fast sign-in are all from the old login. Unless there are some tokens in place that Jabber and CUCM/IMP/Unity keep cached, although there’s no SSO configured at all.

With Fast Login Jabber uses a token to sign in. I believe it’s an OAuth token. When you sign out from the client this token is removed, that’s why you’ll need to pass the credentials again at next login.





Makes sense. I believe OAuth tokens are enabled not only with SSO, but also when fast login is enabled, with regular LDAP authentication.

It uses a token for authentication if you have OAuth tokens enabled. That's not invalidated by the UCM nor checked for user credential validity until something triggers it. Fast login can be helpful but also a hindrance depending on the use case.

You do not need SSO for tokens.

Otherwise Jabber will boot up anyway, open, and then sit there and do nothing useful until the customer signs out.

npetrele
Cisco Employee

It's difficult to know for certain. Jabber does some things no other Jabber client does. For example, if you use the API to remove all contacts from a group, the group should disappear automatically. And it does if you use Cisco Jabber SDK (JavaScript). But Jabber for Windows, etc., stores that group somewhere and doesn't let it disappear. I experimented with it at length, examining the database, etc., and never could find out where Jabber is keeping that information.

 

 

 

I think the groups and contacts list are kept on the IMP server.

Jabber will refresh its config every 8 hours by default, which you can decrease to a minimum of 4 by adding an XML parameter option.

Also, you can add the "InvalidCredentialsLogout" XML parameter to the Jabber UC services, to notify the user faster.

see this page for more info:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/14_1/cjab_b_param-reference-for-jabber141/cjab_b_parameter-reference-guide-jabber-129_chapter_0111.html#id_138426

(Rate by "Helpful" or "Accept") (محمدرضا هادی_ایران) (Email: morez.hadi@gmail.com)

shihab.kp
Level 1

If you have configured LDAP synchronization, then it will change the password of the user.

Not really as the password is actually stored in AD. With AD synchronisation you’d also use LDAP authentication, so there is no actual password stored on the user object in CM for a synchronised user.





If someone changed the password in AD, then after synchronization the old one will not work, right?

No, the old password doesn’t work directly after changing it in the directory service. The synchronisation is not related to this.


