IBM Rational ClearQuest accepts LDAP authentication with previous password

Symptom

When you configure ClearQuest to authenticate through LDAP, users could authenticate with a current and previous password for some time. This behavior continues for about an hour. Then the system no longer accepts the old password.

Steps to reproduce

1. Login as User1
   
   
2. Enter an e-mail ID.
   
   
3. Enter the password.
   
   
   
4. Do a CQ LDAP mapping on the e-mail ID.
   
   
5. Connect to ClearQuest with the e-mail ID and Passw0rd1. This works as expected.
   
   
   
6. Change Windows account password to Passw0rd2.
   
   
   
7. Immediately, change again the Windows password to Passw0rd3
   
   
   
8. Run the folowing command from the command line to test that new password is taken into account
   
   
runas /user:domain\User1 calc
with Passw0rd3. The application runs successfully.
   
   
   Run the folowing command from the command line to test that old password is invalid.
   
   
runas /user:domain\User1 calc
with Passw0rd2 .
   
   You see the following error:
   
   
invalid user name or password is incorrect

   
   
   
9. Start ClearQuest* with Passw0rd3 and see that you connect successfully.
   
   
   
10. Note that until now, ClearQuest does not know the previous password (2) and connection succeeds with the new current password (3).
    
    
11. Then start ClearQuest* with Passw0rd2. You connect successfully!