Hi,
to summarize the required steps for LPPE <-> openLdap, here is what I did
for CAS:
1) use a slightly modified version of spring-security-ldap (
https://github.com/pdrados/spring-security/commit/cc902f35dff0e61e57aa02d24067d829e955a453)
instead of spring-ldap.
spring-security-ldap provides PasswordPolicyAwareContextSource which
returns ppolicy related error codes and messages. As you can see from the
code though, it was hard-coded to return only the "isLocked" error (I don't
know why...)
2) use the following configuration for contextSource:
<bean id="contextSource"
      class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
    <constructor-arg value="${ldap.authentication.server.urls}"/>
    <property name="pooled" value="false"/>
    <property name="userDn" value="${ldap.authentication.manager.userdn}"/>
    <property name="password" value="${ldap.authentication.manager.password}"/>
    <property name="anonymousReadOnly" value="false"/>
    <property name="cacheEnvironmentProperties" value="false"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry key="com.sun.jndi.ldap.connect.timeout"
                   value="${ldap.authentication.jndi.connect.timeout}"/>
            <entry key="com.sun.jndi.ldap.read.timeout"
                   value="${ldap.authentication.jndi.read.timeout}"/>
            <entry key="java.naming.security.authentication"
                   value="${ldap.authentication.jndi.security.level}"/>
        </map>
    </property>
</bean>
3) Update ldapErrorDefinitions to include openLdap's patterns
<property name="ldapErrorDefinitions">
    <list>
        <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
              p:ldapPattern="data 773|password must be changed"
              p:type="mustChangePassword"/>
        <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
              p:ldapPattern="data 775|lock"
              p:type="accountLocked"/>
        <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
              p:ldapPattern="data (701|532)|expired"
              p:type="passwordExpired"/>
    </list>
</property>
4) Use ldap.authentication.lppe.dateAttribute=pwdChangedTime
5) To enable/get password's about to expire time:
In order to get this, you have to bind once more (after successful
authentication) as the user (see also this thread:
https://lists.wisc.edu/read/messages?id=18084778#18084778)
a) change login-webflow to enable LPPE also on the 'success' result
(<transition on="success" to="passwordPolicyCheck" />)
b) Add a getNumberOfDaysToPasswordExpirationDate(UsernamePasswordCredentials
credentials) method to the PasswordPolicyEnforcer interface and implement the
relevant code in LdapPasswordPolicyEnforcer (I can share the code if you
like) and use this instead of getNumberOfDaysToPasswordExpirationDate(final
String userId)
Bear in mind, though, that in the upcoming CAS4 release all this extra work
might be useless because of the adoption of the ldaptive library (
https://wiki.jasig.org/pages/viewpage.action?pageId=55543468). Perhaps
one of the main developers here could shed some light on this. I
haven't tested it yet, but I will in the next days...
Cheers,
Pavlos
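The two pieces of logic these steps describe, the ordered ldapErrorDefinitions match in step 3 and the pwdChangedTime-based days-to-expiry decision of steps 4 and 5, as an added Python example (not code from this thread or from CAS). It assumes that valid_days/warning_days play the role of LPPE's validDays/warningDays settings (with valid_days taken as the ppolicy pwdMaxAge in days), and the sample messages are constructed: one in the Active Directory bind-failure format, the others the default wording of spring-security-ldap's PasswordPolicyErrorStatus, which should be checked against the version you build against.

```python
import re
from datetime import datetime, timedelta, timezone

# Ordered like the ldapErrorDefinitions list above: left of each alternation an
# Active Directory "data NNN" code, right of it a fragment of the message text the
# ppolicy-aware context source produces for OpenLDAP.
LDAP_ERROR_DEFINITIONS = [
    (r"data 773|password must be changed", "mustChangePassword"),
    (r"data 775|lock", "accountLocked"),
    (r"data (701|532)|expired", "passwordExpired"),
]

def classify_bind_error(message):
    """LPPE error type for a failed-bind message; first matching pattern wins.
    None when nothing matches, so a plain bad password is not treated as a policy event."""
    for pattern, error_type in LDAP_ERROR_DEFINITIONS:
        if re.search(pattern, message):
            return error_type
    return None

def parse_generalized_time(value):
    """LDAP GeneralizedTime as OpenLDAP stores it in pwdChangedTime (YYYYMMDDhhmmssZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def days_to_password_expiration(pwd_changed_time, valid_days, now=None):
    """Days left until pwdChangedTime + valid_days (assumed: ppolicy pwdMaxAge in days,
    i.e. LPPE's validDays). Negative means already expired. `now` is a GeneralizedTime
    string for reproducible checks, or None for the current time."""
    changed = parse_generalized_time(pwd_changed_time)
    current = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    remaining = (changed + timedelta(days=valid_days)) - current
    return remaining.days  # floors, so a partly elapsed final day reads as 0, not 1

def password_policy_status(pwd_changed_time, valid_days, warning_days, now=None):
    """'expired', 'warning' or 'ok': the decision LPPE makes after the second, as-user
    bind succeeds (warning_days assumed to mirror LPPE's warningDays)."""
    days = days_to_password_expiration(pwd_changed_time, valid_days, now)
    if days < 0:
        return "expired"
    return "warning" if days <= warning_days else "ok"

if __name__ == "__main__":
    # Constructed samples: an AD bind failure, then the default texts spring-security's
    # PasswordPolicyErrorStatus produces from the ppolicy control (assumed wording).
    for msg in ["AcceptSecurityContext error, data 773, v1db1", "Account is locked",
                "Your password has expired", "invalid credentials"]:
        print(msg, "->", classify_bind_error(msg))
    print(password_policy_status("20130701000000Z", 30, 14, now="20130720000000Z"))
```

Because the first matching definition wins, a message that mentions both a lock and an expiry is reported as the earlier entry in the list, so keep the ordering deliberate when adding OpenLDAP patterns.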
On Sat, Jul 20, 2013 at 1:45 AM, Trenton D. Adams <[email protected]> wrote:
> See farther down.
>
>
> On 13-07-19 10:28 AM, Trenton D. Adams wrote:
>
>> We are using the ppolicy overlay, but I don't see it returning any error
>> codes. I asked it to return messages using pwdExpireWarning in our
>> policy, but it doesn't appear to actually work.
>>
>> Also, surely it doesn't support all of the LPPE features, correct? Cause
>> from what I've seen, most of those features aren't supported by ppolicy
>> overlay, and I'd have to write code to do date calculations on the
>> expiry information. For example, as far as I can tell, Open LDAP would
>> never be telling me the number of days before expiry, like AD does. Or,
>> are you saying that the spring-security-ldap is doing this for you?
>>
>> On 13-07-19 03:17 AM, Pavlos Drandakis wrote:
>>
>>> Hi Trenton,
>>>
>>> I've configured LPPE (CAS 3.5.2) with openLdap successfully but I had
>>> to change a few things:
>>> 1) Add ppolicy overlay on openldap (not related to CAS but... it's the
>>> first step :-) )
>>> 2) use spring-security-ldap and PasswordPolicyAwareContextSource
>>> instead of spring-ldap
>>> 3) slightly modify spring-security-ldap
>>> (http://forum.springsource.org/showthread.php?124591-Why-PasswordPolicyAwareContextSource-doesn-t-throw-exception-for-expired-passwords)
>>>
>>> 4) use the following configuration for contextSource:
>>> <bean id="contextSource"
>>>       class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
>>>     <constructor-arg value="${ldap.authentication.server.urls}"/>
>>>     <property name="pooled" value="false"/>
>>>     <property name="userDn" value="${ldap.authentication.manager.userdn}"/>
>>>     <property name="password" value="${ldap.authentication.manager.password}"/>
>>>     <property name="anonymousReadOnly" value="false"/>
>>>     <property name="cacheEnvironmentProperties" value="false"/>
>>>     <property name="baseEnvironmentProperties">
>>>         <map>
>>>             <entry key="com.sun.jndi.ldap.connect.timeout"
>>>                    value="${ldap.authentication.jndi.connect.timeout}"/>
>>>             <entry key="com.sun.jndi.ldap.read.timeout"
>>>                    value="${ldap.authentication.jndi.read.timeout}"/>
>>>             <entry key="java.naming.security.authentication"
>>>                    value="${ldap.authentication.jndi.security.level}"/>
>>>         </map>
>>>     </property>
>>> </bean>
>>>
>>> 5) Update ldapErrorDefinitions to include openLdap's patterns.
>>> 6) Use ldap.authentication.lppe.dateAttribute=pwdChangedTime
>>> 7) Modify PasswordPolicyEnforcer and LdapPasswordPolicyEnforcer in order
>>> to get number of days to password expiration from the message that
>>> openLdap returns when binding (as user).
>>>
>>
> Oh, yes, that is what I was looking into myself; so that I could do the
> date calculations I spoke of. For some reason I didn't see this point
> previously. Would you be willing to share the code and configuration
> items? If so, I might be able to get enough time allocated to make this
> work in a way that's flexible enough for stock CAS to work with Open LDAP
> or AD.
>
> Also, I'm still not clear on how the spring security ldap module falls
> into this. Is it just to make sure appropriate exceptions are thrown, and
> that's it? And then I assume those are what you're changing for the
> ldapErrorDefinitions???
>
> Anyhow, seeing your code, which configurations you changed, and how, would
> be greatly useful.
>
> Thanks.
>
>
>
>>> Hope this helps ...
>>>
>>> Cheers,
>>> Pavlos
>>>
>>>
>>>
>>> On Thu, Jul 18, 2013 at 8:23 PM, Trenton D. Adams <[email protected]> wrote:
>>>
>>> Hi Guys,
>>>
>>> You can change this disclaimer on the LPPE page, as OpenLDAP does
>>> not have these features. It does have password expiry features, but
>>> the return of error codes is an Active Directory feature only. Open
>>> LDAP simply returns error code 49 (invalid credentials), when the
>>> account finally does expire. And when the password is about to
>>> expire, and the user is starting to use up their grace logins, it
>>> simply operates normally. In other words, there is no sort of
>>> warning. A person must query to find out if the password is going
>>> to expire, or has expired.
>>>
>>> I may, or may not, modify the plugin to support Open LDAP.
>>>
>>> Anyhow, this is the disclaimer I'm referring to...
>>>
>>> https://wiki.jasig.org/pages/viewpage.action?pageId=26149328
>>>
>>> ActiveDirectory vs. OpenLdap
>>>
>>> Though the above table lists standard ldap error codes, LPPE has
>>> only been extensively tested against Active Directory. The
>>> functionality has yet to be tested and validated against an Open
>>> Ldap instance.
>>>
>>> --
>>> Trenton D. Adams
>>> Senior Systems Analyst/Web Software Developer
>>> Navy Penguins at your service!
>>> Athabasca University
>>> (780) 675-6195
>>> :wq!
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>>>
>>>
>>
>>
>