Hi, I should have mentioned earlier that I am using OpenLDAP to connect to, and I can get error codes/warnings if I use spring-security-ldap. I haven't seen the ldaptive library before either, but I'll take a look now ;-)

Pavlos

On Thu, Mar 29, 2012 at 10:24 PM, Eric Pierce <[email protected]> wrote:

> I've tested the LPPE code against AD, Sun/Oracle Directory Server and
> 389/RedHat Directory Server. I think it will also work with OpenDS, but I
> haven't tried it. The password warning functionality should work with any
> LDAP directory that adds a 'last password change' or 'password expiration
> date' attribute since all it does is search for that value and compare it
> to the current time. The feature that's really DS-specific is the ability
> to expose different error messages (Account Locked, Password Expired, etc)
> based on the extended error codes sent by the LDAP server. OpenLDAP (and
> maybe others) doesn't send these codes at all, so there's no way to
> differentiate between a locked account and an incorrect password. Each DS
> server is different, so overall the configuration for LPPE is pretty
> fragile.
>
> I haven't seen the ldaptive library before. That looks interesting.
>
> -Eric
>
> On Thu, Mar 29, 2012 at 2:09 PM, Marvin S. Addison <[email protected]> wrote:
>
>>> When binding successfully to a ppolicy enabled ldap server, a warning
>>> message about timeBeforeExpiration or graceAuthNsRemaining might also be
>>> included in server's response.
>>
>> We're aware of ppolicy and it's on our radar in terms of the evolution of
>> the LDAP password policy enforcement (LPPE) effort that's been going on for
>> a while now and will see the light of day in the 3.5 release. At present
>> it only supports Active Directory, but it could be adapted for other
>> password expiration mechanisms (with refactoring) with some effort.
>>
>>> Is there a way to propagate this message (from
>>> authenticateUsernamePasswordInternal in BindLdapAuthenticationHandler) so
>>> that it will be available later (i.e. for showing a relevant view)?
>>
>> Not at present. I'll just throw a curve ball out there and see where it
>> lands:
>>
>> http://www.ldaptive.org/docs/guide/authentication/accountstate
>>
>> You could build a custom AuthenticationHandler around that and throw
>> custom exceptions on states of interest as a way of communicating with the
>> higher level components, which is how LPPE works.
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
> --
> Eric Pierce
> Identity Management Architect
> Information Technology
> University of South Florida
> (813) 974-8868 -- [email protected]
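The thread above is about surfacing the ppolicy warning (timeBeforeExpiration / graceAuthNsRemaining) or error that comes back with a bind. As an added example, not code from CAS, ldaptive, or anyone in this thread, here is a small Python decoder for that control's value and the message a login view could show from it; it assumes the ASN.1 layout from the ppolicy Internet-Draft, and the sample control values are constructed by hand rather than captured from a server.

```python
# Decoder for the LDAP ppolicy response control (constructed example; see the lead-in).
# Layout from draft-behera-ldap-password-policy:  SEQUENCE { warning [0] CHOICE {
#   timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#   error [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
from typing import Dict, Optional, Tuple

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # the bind result carries the control under this OID
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword", 5: "insufficientPasswordQuality",
                  6: "passwordTooShort", 7: "passwordTooYoung", 8: "passwordInHistory"}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """One BER tag-length-value at pos (short-form lengths, all a ppolicy value needs): (tag, value, next pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("unsupported length form or truncated BER element")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_ppolicy_response(value: bytes) -> Dict[str, Optional[int]]:
    """Decode the controlValue bytes into {'timeBeforeExpiration', 'graceAuthNsRemaining', 'error'}."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response must be a SEQUENCE")
    out, pos = dict.fromkeys(("timeBeforeExpiration", "graceAuthNsRemaining", "error")), 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0]: explicit tag wrapping the CHOICE
            wtag, wval, _ = _read_tlv(inner, 0)
            key = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out[key] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:                  # error [1] ENUMERATED (implicit tag)
            out["error"] = int.from_bytes(inner, "big")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in ppolicy response")
    return out

def describe(state: Dict[str, Optional[int]]) -> str:
    """Message a login view would show; a hard error wins over a warning."""
    if state["error"] is not None:
        return "bind rejected: " + PPOLICY_ERRORS.get(state["error"], f"unknown({state['error']})")
    if state["graceAuthNsRemaining"] is not None:
        return f"password expired; {state['graceAuthNsRemaining']} grace logins remaining"
    if state["timeBeforeExpiration"] is not None:
        return f"password expires in {state['timeBeforeExpiration'] // 3600} hours"
    return "no password-policy warning"

SAMPLES = {  # constructed by hand from the ASN.1 above, not captured from a server
    "expires_in_1_day": bytes.fromhex("3007a0058003015180"),  # timeBeforeExpiration = 86400
    "two_grace_binds": bytes.fromhex("3005a003810102"),       # graceAuthNsRemaining = 2
    "account_locked": bytes.fromhex("3003810101")}            # error = accountLocked(1)
```

A handler would call `decode_ppolicy_response` on the control matching `PPOLICY_RESPONSE_OID` in the bind result and, as Marvin suggests, raise a distinct exception per state so the view layer can pick the right message.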
