I've tested the LPPE code against AD, Sun/Oracle Directory Server and 389/RedHat Directory Server. I think it will also work with OpenDS, but I haven't tried it. The password warning functionality should work with any LDAP directory that adds a 'last password change' or 'password expiration date' attribute since all it does is search for that value and compare it to the current time. The feature that's really DS-specific is the ability to expose different error messages (Account Locked, Password Expired, etc.) based on the extended error codes sent by the LDAP server. OpenLDAP (and maybe others) doesn't send these codes at all, so there's no way to differentiate between a locked account and an incorrect password. Each DS server is different, so overall the configuration for LPPE is pretty fragile.
I haven't seen the ldaptive library before. That looks interesting.

-Eric

On Thu, Mar 29, 2012 at 2:09 PM, Marvin S. Addison <[email protected]> wrote:

>> When binding successfully to a ppolicy enabled ldap server, a warning
>> message about timeBeforeExpiration or graceAuthNsRemaining might also be
>> included in server's response.
>
> We're aware of ppolicy and it's on our radar in terms of the evolution of
> the LDAP password policy enforcement (LPPE) effort that's been going on for
> a while now and will see the light of day in the 3.5 release. At present
> it only supports Active Directory, but it could be adapted for other
> password expiration mechanisms (with refactoring) with some effort.
>
>> Is there a way to propagate this message (from
>> authenticateUsernamePasswordInternal in BindLdapAuthenticationHandler)
>> so that it will be available later (i.e. for showing a relevant view)?
>
> Not at present. I'll just throw a curve ball out there and see where it
> lands:
>
> http://www.ldaptive.org/docs/guide/authentication/accountstate
>
> You could build a custom AuthenticationHandler around that and throw
> custom exceptions on states of interest as a way of communicating with the
> higher level components, which is how LPPE works.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev

--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
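An added example, not code from the thread, from CAS or from LPPE: the "find the last-password-change attribute and compare it to the current time" check the first paragraph describes, in Python, reading either a ppolicy-style pwdChangedTime (LDAP GeneralizedTime, as 389 DS or OpenLDAP store it) or AD's pwdLastSet (100-ns ticks since 1601). The maximum-age and warning-window values and all sample timestamps are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# AD stores pwdLastSet as 100-nanosecond intervals since 1601-01-01 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_pwd_changed_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as '20120301120000Z' (RFC 4517).

    Only the UTC ('Z') forms are accepted; fractional seconds and
    local-offset forms are rejected rather than silently misread.
    """
    if not value.endswith("Z") or len(value) not in (11, 13, 15):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    fmt = {11: "%Y%m%d%H", 13: "%Y%m%d%H%M", 15: "%Y%m%d%H%M%S"}[len(value)]
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)


def parse_pwd_last_set(value: str) -> Optional[datetime]:
    """Parse AD pwdLastSet; 0 means 'must change password at next logon'."""
    ticks = int(value)
    if ticks == 0:
        return None
    return AD_EPOCH + timedelta(microseconds=ticks // 10)


def expiry_state(last_change: Optional[datetime], max_age_days: int,
                 warn_days: int, now: Optional[datetime] = None) -> Tuple[int, str]:
    """Compare last change + assumed maximum password age with 'now'.

    Returns (days_left, state) with state one of 'expired', 'warn', 'ok'.
    A missing last-change value (AD pwdLastSet = 0) is treated as expired.
    """
    now = now or datetime.now(timezone.utc)
    if last_change is None:
        return 0, "expired"
    expires = last_change + timedelta(days=max_age_days)
    if expires <= now:
        return 0, "expired"
    days_left = (expires - now).days
    return days_left, "warn" if days_left <= warn_days else "ok"


if __name__ == "__main__":
    # Constructed sample values; 'now' is the date of the thread.
    now = datetime(2012, 3, 29, 14, 9, tzinfo=timezone.utc)
    changed = parse_pwd_changed_time("20120301120000Z")        # ppolicy encoding
    print(expiry_state(changed, max_age_days=30, warn_days=14, now=now))     # (1, 'warn')
    ad_changed = parse_pwd_last_set("129750768000000000")      # same instant, AD encoding
    print(expiry_state(ad_changed, max_age_days=90, warn_days=14, now=now))  # (61, 'ok')
```

The max-age policy itself still has to come from the directory's configuration (it is not on the user entry in either encoding), which is part of why the per-server configuration described above is fragile.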
