See farther down.
On 13-07-19 10:28 AM, Trenton D. Adams wrote:
We are using the ppolicy overlay, but I don't see it returning any error
codes. I asked it to return messages using pwdExpireWarning in our
policy, but it doesn't appear to actually work.
Also, surely it doesn't support all of the LPPE features, correct? Cause
from what I've seen, most of those features aren't supported by ppolicy
overlay, and I'd have to write code to do date calculations on the
expiry information. For example, as far as I can tell, OpenLDAP would
never be telling me the number of days before expiry, like AD does. Or,
are you saying that the spring-security-ldap is doing this for you?
On 13-07-19 03:17 AM, Pavlos Drandakis wrote:
Hi Trenton,
I've configured LPPE (CAS 3.5.2) with OpenLDAP successfully but I had
to change a few things:
1) Add ppolicy overlay on OpenLDAP (not related to CAS but... it's the
first step :-) )
2) use spring-security-ldap and passwordPolicyAwareContextSource instead
of spring-ldap
3) slightly modify spring-security-ldap
(http://forum.springsource.org/showthread.php?124591-Why-PasswordPolicyAwareContextSource-doesn-t-throw-exception-for-expired-passwords)
4) use the following configuration for contextSource:
<bean id="contextSource"
      class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
    <constructor-arg value="${ldap.authentication.server.urls}"/>
    <property name="pooled" value="false"/>
    <property name="userDn" value="${ldap.authentication.manager.userdn}"/>
    <property name="password" value="${ldap.authentication.manager.password}"/>
    <property name="anonymousReadOnly" value="false"/>
    <property name="cacheEnvironmentProperties" value="false"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="com.sun.jndi.ldap.connect.timeout"
                   value="${ldap.authentication.jndi.connect.timeout}"/>
            <entry key="com.sun.jndi.ldap.read.timeout"
                   value="${ldap.authentication.jndi.read.timeout}"/>
            <entry key="java.naming.security.authentication"
                   value="${ldap.authentication.jndi.security.level}"/>
        </map>
    </property>
</bean>
5) Update ldapErrorDefinitions to include OpenLDAP's patterns.
6) Use ldap.authentication.lppe.dateAttribute=pwdChangedTime
7) Modify PasswordPolicyEnforcer and LdapPasswordPolicyEnforcer in order
to get the number of days to password expiration from the message that
OpenLDAP returns when binding (as user).
Oh, yes, that is what I was looking into myself; so that I could do the
date calculations I spoke of. For some reason I didn't see this point
previously. Would you be willing to share the code and configuration
items? If so, I might be able to get enough time allocated to make this
work in a way that's flexible enough for stock CAS to work with OpenLDAP
or AD.
Also, I'm still not clear on how the spring security ldap module falls
into this. Is it just to make sure appropriate exceptions are thrown,
and that's it? And then I assume those are what you're changing for the
ldapErrorDefinitions???
Anyhow, seeing your code, which configurations you changed, and how,
would be greatly useful.
Thanks.
Hope this helps ...
Cheers,
Pavlos
On Thu, Jul 18, 2013 at 8:23 PM, Trenton D. Adams <[email protected]> wrote:
Hi Guys,
You can change this disclaimer on the LPPE page, as OpenLDAP does
not have these features. It does have password expiry features, but
the return of error codes is an Active Directory feature only. OpenLDAP
simply returns error code 49 (invalid credentials), when the
account finally does expire. And when the password is about to
expire, and the user is starting to use up their grace logins, it
simply operates normally. In other words, there is no sort of
warning. A person must query to find out if the password is going
to expire, or has expired.
I may, or may not, modify the plugin to support OpenLDAP.
Anyhow, this is the disclaimer I'm referring to...
https://wiki.jasig.org/pages/viewpage.action?pageId=26149328
ActiveDirectory vs. OpenLdap
Though the above table lists standard ldap error codes, LPPE has
only been extensively tested against Active Directory. The
functionality has yet to be tested and validated against an Open
Ldap instance.
--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!
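Steps 6 and 7 of Pavlos's recipe (pwdChangedTime as the LPPE date attribute, and reading the days to expiry from what OpenLDAP returns on bind) and Trenton's date-calculation question come down to one computation. The following is an added example, not CAS, Spring Security or OpenLDAP code: it decodes the ppolicy bind response control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1) that the overlay attaches to the bind result, and falls back to pwdChangedTime + pwdMaxAge when no control came back; the control bytes, timestamps and "now" are constructed samples.

```python
"""Added example (not CAS, Spring Security or OpenLDAP code): decode the ppolicy bind
response control and derive a days-to-expiry figure. All sample values are constructed."""
from datetime import datetime, timedelta, timezone

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # draft-behera; client must request it
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}
SAMPLE_NOW = datetime(2013, 7, 19, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def _tlv(buf, pos):
    """Read one BER tag/length/value (short-form length only); return (tag, value, next)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("unexpected long-form BER length in ppolicy control")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_ppolicy_control(value):
    """PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration
    [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy control value is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                      # warning: constructed [0] wrapping one INTEGER
            wtag, num, _ = _tlv(inner, 0)
            key = "timeBeforeExpiration" if wtag == 0x80 else "graceAuthNsRemaining"
            out[key] = int.from_bytes(num, "big")
        elif tag == 0x81:                    # error: primitive [1] ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
    return out

def days_to_expiry(control, pwd_changed_time, pwd_max_age, now):
    """Whole days left: prefer the server's own warning (step 7), else compute from
    pwdChangedTime + pwdMaxAge (step 6). None = no expiry in force, 0 = expired/today."""
    if control is not None:
        fields = parse_ppolicy_control(control)
        if fields.get("error") == "passwordExpired" or "graceAuthNsRemaining" in fields:
            return 0                         # grace logins mean the password already expired
        if "timeBeforeExpiration" in fields:
            return fields["timeBeforeExpiration"] // 86400
    if pwd_max_age <= 0:
        return None
    changed = datetime.strptime(pwd_changed_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return max(0, (changed + timedelta(seconds=pwd_max_age) - now).days)
```

The overlay only attaches this control when the bind request carried the matching request control (which PasswordPolicyAwareContextSource sends) and pwdExpireWarning is set in the policy; without the request control an expired password surfaces only as the error 49 Trenton describes.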