Hi Trenton,
I've configured LPPE (CAS 3.5.2) with openLdap successfully but I had to
change a few things:
1) Add ppolicy overlay on openldap (not related to CAS but... it's the
first step :-) )
2) use spring-security-ldap and passwordPolicyAwareContextSource instead of
spring-ldap
3) slightly modify spring-security-ldap (see
http://forum.springsource.org/showthread.php?124591-Why-PasswordPolicyAwareContextSource-doesn-t-throw-exception-for-expired-passwords)
4) use the following configuration for contextSource:

    <bean id="contextSource"
          class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
        <constructor-arg value="${ldap.authentication.server.urls}"/>
        <property name="pooled" value="false"/>
        <property name="userDn" value="${ldap.authentication.manager.userdn}"/>
        <property name="password" value="${ldap.authentication.manager.password}"/>
        <property name="anonymousReadOnly" value="false"/>
        <property name="cacheEnvironmentProperties" value="false"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry key="com.sun.jndi.ldap.connect.timeout"
                       value="${ldap.authentication.jndi.connect.timeout}"/>
                <entry key="com.sun.jndi.ldap.read.timeout"
                       value="${ldap.authentication.jndi.read.timeout}"/>
                <entry key="java.naming.security.authentication"
                       value="${ldap.authentication.jndi.security.level}"/>
            </map>
        </property>
    </bean>

5) Update ldapErrorDefinitions to include openLdap's patterns.
6) Use ldap.authentication.lppe.dateAttribute=pwdChangedTime
7) Modify PasswordPolicyEnforcer and LdapPasswordPolicyEnforcer in order to
get number of days to password expiration from the message that openLdap
returns when binding (as user).
Hope this helps ...
Cheers,
Pavlos
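Steps 6 and 7 above both come down to working out "days until the password expires" on the OpenLDAP side: either from the ppolicy response control that the server attaches to the bind response (step 7), or from the pwdChangedTime attribute plus the policy's pwdMaxAge (step 6). The following is an added example, not code from Pavlos, Trenton, CAS or spring-security-ldap: a stand-alone Python decoder for the PasswordPolicyResponseValue control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1, which OpenLDAP's ppolicy overlay returns when the client sends the matching request control on bind) and the pwdChangedTime fallback. The control bytes and the pwdMaxAge value are constructed sample data.

```python
"""Decode an OpenLDAP ppolicy PasswordPolicyResponseValue control (BER) and
derive the number of days before password expiry.  Sample inputs below are
constructed; nothing here talks to a directory."""

from datetime import datetime, timedelta, timezone

# Same OID is used for the request and the response control in the behera draft.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error [1] ENUMERATED values from the draft
ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for one BER TLV; handles short and long length forms."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ppolicy_response(value: bytes) -> dict:
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED OPTIONAL }"""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response control value must be a SEQUENCE")
    result = {"time_before_expiration": None, "grace_logins_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0], constructed CHOICE
            inner_tag, inner, _ = _read_tlv(content, 0)
            n = int.from_bytes(inner, "big")
            if inner_tag == 0x80:           # timeBeforeExpiration [0], seconds
                result["time_before_expiration"] = n
            elif inner_tag == 0x81:         # graceAuthNsRemaining [1]
                result["grace_logins_remaining"] = n
        elif tag == 0x81:                   # error [1], primitive ENUMERATED
            result["error"] = ERROR_NAMES.get(int.from_bytes(content, "big"), "unknown")
        # any other tag is ignored to stay tolerant of future extensions
    return result


def days_until_expiry(ctrl: dict):
    """Whole days left according to the warning, or None if the server sent no warning."""
    secs = ctrl["time_before_expiration"]
    return None if secs is None else secs // 86400


def days_from_pwd_changed_time(pwd_changed_time: str, pwd_max_age: int, now: datetime) -> int:
    """Fallback for step 6: expiry = pwdChangedTime (GeneralizedTime, UTC) + pwdMaxAge seconds."""
    changed = datetime.strptime(pwd_changed_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return (changed + timedelta(seconds=pwd_max_age) - now).days


# Constructed sample control values (not captured from a real server):
SAMPLE_WARNING = bytes.fromhex("3007A0058003" "06A590")   # timeBeforeExpiration = 435600 s
SAMPLE_EXPIRED = bytes.fromhex("30038101" "00")           # error = passwordExpired
SAMPLE_GRACE = bytes.fromhex("3005A003" "810102")         # graceAuthNsRemaining = 2

if __name__ == "__main__":
    for label, raw in [("warning", SAMPLE_WARNING), ("expired", SAMPLE_EXPIRED), ("grace", SAMPLE_GRACE)]:
        ctrl = parse_ppolicy_response(raw)
        print(label, ctrl, "days:", days_until_expiry(ctrl))
    print("from pwdChangedTime:",
          days_from_pwd_changed_time("20130718182300Z", 30 * 86400,
                                     datetime(2013, 8, 10, tzinfo=timezone.utc)))
```

In a real deployment the decoder would be fed the value of the control whose OID equals PPOLICY_CONTROL_OID from the bind response; a bind that succeeds with `graceAuthNsRemaining` set is exactly the "operates normally" case described in the quoted message below, and is only visible if the client asks for the control.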
On Thu, Jul 18, 2013 at 8:23 PM, Trenton D. Adams <[email protected]> wrote:
> Hi Guys,
>
> You can change this disclaimer on the LPPE page, as OpenLDAP does not have
> these features. It does have password expiry features, but the return of
> error codes is an Active Directory feature only. Open LDAP simply returns
> error code 49 (invalid credentials), when the account finally does expire.
> And when the password is about to expire, and the user is starting to use
> up their grace logins, it simply operates normally. In other words, there
> is no sort of warning. A person must query to find out if the password is
> going to expire, or has expired.
>
> I may, or may not, modify the plugin to support Open LDAP.
>
> Anyhow, this is the disclaimer I'm referring to...
> https://wiki.jasig.org/pages/viewpage.action?pageId=26149328
>
> ActiveDirectory vs. OpenLdap
>
> Though the above table lists standard ldap error codes, LPPE has only been
> extensively tested against Active Directory. The functionality has yet to
> be tested and validated against an Open Ldap instance.
>
> --
> Trenton D. Adams
> Senior Systems Analyst/Web Software Developer
> Navy Penguins at your service!
> Athabasca University
> (780) 675-6195
> :wq!
>
> --
> This communication is intended for the use of the recipient to whom it
> is addressed, and may contain confidential, personal, and or privileged
> information. Please contact us immediately if you are not the intended
> recipient of this communication, and do not copy, distribute, or take
> action relying on it. Any communications received in error, or
> subsequent reply, should be deleted or destroyed.
> ---
>
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev