We've recently noticed that when a user changes his password, the expired password still works for up to an hour after the change.
We're using crowd 3.2.3 with a Microsoft Active Directory ldap user directory. Crowd is behind a reverse proxy. The Directory is using pretty much default settings.
Is there any setting I can change to stop this security hole?