
While the LDAP directory contains a great deal of information associated with an individual, it does not hold the password for the NetID. For this task, CIS uses Kerberos running on a series of servers. Kerberos has long been a standard for authentication on open systems, mainly because its protocol has been widely analyzed and it uses strong encryption. At CIS, the OpenLDAP server is configured for pass-through authentication: programs bind to the directory with a NetID and password, but the password itself is stored and verified in Kerberos. From a programming point of view, the application simply performs an LDAP bind using the NetID and password, and the directory data can then be read. Behind the scenes, the LDAP server contacts Kerberos to verify that the password entered is valid for the given NetID. Because the password is carried from the application to the LDAP server inside the bind request, the bind must be made over an encrypted connection (ldaps:// or StartTLS); a simple bind over a plaintext connection exposes the NetID password on the wire.
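To show what the "simple bind" described above actually sends and receives, here is an added example (not code from CIS or from OpenLDAP) that encodes an LDAPv3 simple BindRequest and decodes the BindResponse by hand, using only the Python standard library. The DN layout (uid=NetID,ou=people,dc=example,dc=edu), the host name, and the sample response bytes are assumptions constructed for the example. The point it makes: the password sits in the clear inside the request, which is why simple_bind() below refuses to talk to the server without TLS.

```python
"""Minimal LDAPv3 simple bind (RFC 4511, BER-encoded) with result-code handling.

Added example; assumes a directory whose user entries live under
ou=people,dc=example,dc=edu (hypothetical) and an ldaps:// listener.
"""
import socket
import ssl

# LDAP result codes an application should distinguish (RFC 4511, Appendix A).
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # wrong NetID/password as far as Kerberos is concerned
LDAP_UNAVAILABLE = 52           # directory (or its Kerberos back end) cannot answer now


def _ber_len(n):
    """BER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value):
    """BER INTEGER in minimal two's-complement form (covers 0..127 and larger message IDs)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(0x02, body)


def encode_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind_request = _tlv(
        0x60,                                   # [APPLICATION 0] BindRequest, constructed
        _ber_int(3)                             # version 3
        + _tlv(0x04, bind_dn.encode())          # name: OCTET STRING (LDAPDN)
        + _tlv(0x80, password.encode()),        # authentication: simple [0] OCTET STRING, cleartext!
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)


def _read_tlv(buf, pos):
    """Parse one BER element at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(data):
    """Return (message_id, result_code, diagnostic_message) from an LDAP BindResponse."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(message, 0)
    tag, op, _ = _read_tlv(message, pos)
    if tag != 0x61:                             # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)             # resultCode: ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)    # matchedDN (ignored here)
    _, diag, _ = _read_tlv(op, pos)             # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big"),
            diag.decode("utf-8", errors="replace"))


def classify(result_code):
    """Map a bind result to the action an application should take."""
    if result_code == LDAP_SUCCESS:
        return "authenticated"
    if result_code == LDAP_INVALID_CREDENTIALS:
        return "reject"          # do not retry automatically; the password is wrong (or not yet propagated)
    return "retry later"         # unavailable, busy, etc.: a server problem, not the user's


def simple_bind(netid, password, host="ldap.example.edu", port=636):
    """Bind as the NetID over TLS only; returns classify() of the server's answer. (Needs a live server.)"""
    bind_dn = f"uid={netid},ou=people,dc=example,dc=edu"   # assumed DN layout
    context = ssl.create_default_context()                 # verifies the server certificate
    with socket.create_connection((host, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, bind_dn, password))
            response = tls.recv(4096)                      # a BindResponse is a few dozen bytes
    _, code, _ = decode_bind_response(response)
    return classify(code)


# Constructed sample: the standard 14-byte "bind succeeded" response for message ID 1.
SAMPLE_SUCCESS = bytes.fromhex("300c020101610 70a01000400 0400".replace(" ", ""))
# Constructed sample: invalidCredentials with a diagnostic string.
SAMPLE_BAD_PASSWORD = _tlv(0x30, _ber_int(1) + _tlv(
    0x61, _tlv(0x0A, bytes([LDAP_INVALID_CREDENTIALS])) + _tlv(0x04, b"") + _tlv(0x04, b"password incorrect")))
```

Running encode_bind_request() and printing the bytes shows `80 06 s3cret` sitting inside the message; that is what an eavesdropper on a non-TLS connection would read, and it is also why the LDAP server itself must be trusted with the password before handing it to Kerberos.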
The Kerberos service is actually made up of a master server and a number of secondary servers. This configuration allows the service to be scaled for capacity while also providing enough redundancy for a reliable and consistent system. However, as with all such master/secondary configurations, a change made on the master takes some time to be fully propagated to every server. For instance, when a customer changes their password, the master server is updated first and then schedules an update to each of the secondary servers. Depending on server load and network activity, this can take several minutes. This is why someone may change their password and then be unable to use it immediately: the login may be verified by a secondary server that has not yet received the new password.
Password changes are propagated not only to all of the Kerberos servers but also to other platforms that keep their own copy of the account. The NetID is used by a number of applications and systems, including the dial-up modem bank, the VPN and the Open Access Labs. When the password for a NetID is changed, the new password is sent to each of these systems for processing. Again, depending on server load and network traffic, the update may not be immediate. If your password change does not appear to have taken effect, wait a few minutes and try again. The delay is normally short, ranging from a few seconds to several minutes.