I’m testing the Openfire 3.6.4 with LDAP (AD) configuration. After changing my domain password (used also for accessing the Openfire admin console) I can use both old and new password (with the same login) to access the admin console (e.g. Admin/pass1 works as well as Admin/pass2). It looks like some caching problem of old password. I can’t restart the server now to see if it updates, however, it would be a bit impractical to restart the server after each (at least admin) password change.