Thanks Pavlos. I've pretty much decided I should enhance our existing
plugin to do what I need. I'd like to try to avoid modifying CAS in any
way.
On 13-07-22 04:11 AM, Pavlos Drandakis wrote:
Hi,
to summarize the required steps for LPPE <-> openLdap, here is what I
did for CAS:
1) use a slightly modified version of spring-security-ldap
(https://github.com/pdrados/spring-security/commit/cc902f35dff0e61e57aa02d24067d829e955a453)
instead of spring-ldap.
spring-security-ldap provides PasswordPolicyAwareContextSource which
returns ppolicy related error codes and messages. As you can see from
the code though, it was hard-coded to return only the "isLocked" error
(I don't know why...)
2) use the following configuration for contextSource:
<bean id="contextSource"
      class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
  <constructor-arg value="${ldap.authentication.server.urls}"/>
  <property name="pooled" value="false"/>
  <property name="userDn" value="${ldap.authentication.manager.userdn}"/>
  <property name="password" value="${ldap.authentication.manager.password}"/>
  <property name="anonymousReadOnly" value="false"/>
  <property name="cacheEnvironmentProperties" value="false"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="com.sun.jndi.ldap.connect.timeout" value="${ldap.authentication.jndi.connect.timeout}"/>
      <entry key="com.sun.jndi.ldap.read.timeout" value="${ldap.authentication.jndi.read.timeout}"/>
      <entry key="java.naming.security.authentication" value="${ldap.authentication.jndi.security.level}"/>
    </map>
  </property>
</bean>
3) Update ldapErrorDefinitions to include openLdap's patterns
<property name="ldapErrorDefinitions">
  <list>
    <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
          p:ldapPattern="data 773|password must be changed"
          p:type="mustChangePassword"/>
    <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
          p:ldapPattern="data 775|lock"
          p:type="accountLocked"/>
    <bean class="org.jasig.cas.adaptors.ldap.LdapErrorDefinition"
          p:ldapPattern="data (701|532)|expired"
          p:type="passwordExpired"/>
  </list>
</property>
4) Use ldap.authentication.lppe.dateAttribute=pwdChangedTime
5) To enable/get password's about to expire time:
In order to get this, you have to bind once more (after successful
authentication) as the user (see also this thread:
https://lists.wisc.edu/read/messages?id=18084778#18084778)
a) change login-webflow to enable LPPE also on the 'success' result
(<transition on="success" to="passwordPolicyCheck" />)
b) Add a getNumberOfDaysToPasswordExpirationDate(UsernamePasswordCredentials
credentials) method to the PasswordPolicyEnforcer interface and implement
the relevant code in LdapPasswordPolicyEnforcer (I can share the code if
you like), and use this instead of
getNumberOfDaysToPasswordExpirationDate(final String userId).
Bear in mind, though, that in the upcoming CAS4 release all this extra
work might be useless because of the adoption of the ldaptive library
(https://wiki.jasig.org/pages/viewpage.action?pageId=55543468). Perhaps
one of the main developers here could shed some light on this. I
haven't tested it yet, but I will in the next days...
Cheers,
Pavlos
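To make steps 3 to 5 above concrete, here is an added Python example (not CAS or spring-security code, and not Pavlos's shared code) that applies the ldapErrorDefinitions patterns to a bind failure message and computes the days-to-expiry that LPPE would otherwise expect from AD, using the user's pwdChangedTime (the lppe.dateAttribute from step 4) and the ppolicy's pwdMaxAge; all sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# The three ldapErrorDefinitions patterns from step 3, evaluated in the same
# order CAS would. The "data NNN" alternatives are Active Directory bind-error
# codes; the words are the OpenLDAP ppolicy message fragments.
ERROR_DEFINITIONS = [
    (re.compile(r"data 773|password must be changed"), "mustChangePassword"),
    (re.compile(r"data 775|lock"), "accountLocked"),
    (re.compile(r"data (701|532)|expired"), "passwordExpired"),
]


def classify_bind_error(message: str) -> Optional[str]:
    """Return the LPPE error type whose ldapPattern matches a bind failure message.

    A bare "error code 49 - Invalid Credentials" with no ppolicy text matches
    nothing, which is the stock OpenLDAP behaviour Trenton describes below.
    """
    for pattern, error_type in ERROR_DEFINITIONS:
        if pattern.search(message):
            return error_type
    return None


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in UTC, e.g. pwdChangedTime=20130715083012Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def days_to_password_expiration(pwd_changed_time: Optional[str],
                                pwd_max_age_seconds: int,
                                now: Optional[str] = None) -> Optional[int]:
    """Whole days until the password expires; negative once it has expired.

    pwd_changed_time is the user's pwdChangedTime; pwd_max_age_seconds is the
    policy's pwdMaxAge. `now` is a GeneralizedTime string so a caller (or test)
    can pin the clock; by default the current UTC time is used.
    Returns None when the policy never expires passwords (pwdMaxAge 0) or when
    the attribute is absent (password never changed while ppolicy was active).
    """
    if pwd_max_age_seconds <= 0 or pwd_changed_time is None:
        return None
    current = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    expires_at = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_max_age_seconds)
    return int((expires_at - current).total_seconds() // 86400)
```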
On Sat, Jul 20, 2013 at 1:45 AM, Trenton D. Adams <[email protected]> wrote:
See farther down.
On 13-07-19 10:28 AM, Trenton D. Adams wrote:
We are using the ppolicy overlay, but I don't see it returning any error codes. I asked it to return messages using pwdExpireWarning in our policy, but it doesn't appear to actually work.
Also, surely it doesn't support all of the LPPE features, correct? Cause from what I've seen, most of those features aren't supported by ppolicy overlay, and I'd have to write code to do date calculations on the expiry information. For example, as far as I can tell, Open LDAP would never be telling me the number of days before expiry, like AD does. Or, are you saying that the spring-security-ldap is doing this for you?
On 13-07-19 03:17 AM, Pavlos Drandakis wrote:
Hi Trenton,
I've configured LPPE (CAS 3.5.2) with openLdap successfully but I had to change a few things:
1) Add ppolicy overlay on openldap (not related to CAS but... it's the first step :-) )
2) use spring-security-ldap and PasswordPolicyAwareContextSource instead of spring-ldap
3) slightly modify spring-security-ldap (http://forum.springsource.org/showthread.php?124591-Why-PasswordPolicyAwareContextSource-doesn-t-throw-exception-for-expired-passwords)
4) use the following configuration for contextSource:
<bean id="contextSource"
      class="org.springframework.security.ldap.ppolicy.PasswordPolicyAwareContextSource">
  <constructor-arg value="${ldap.authentication.server.urls}"/>
  <property name="pooled" value="false"/>
  <property name="userDn" value="${ldap.authentication.manager.userdn}"/>
  <property name="password" value="${ldap.authentication.manager.password}"/>
  <property name="anonymousReadOnly" value="false"/>
  <property name="cacheEnvironmentProperties" value="false"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="com.sun.jndi.ldap.connect.timeout" value="${ldap.authentication.jndi.connect.timeout}"/>
      <entry key="com.sun.jndi.ldap.read.timeout" value="${ldap.authentication.jndi.read.timeout}"/>
      <entry key="java.naming.security.authentication" value="${ldap.authentication.jndi.security.level}"/>
    </map>
  </property>
</bean>
5) Update ldapErrorDefinitions to include openLdap's patterns.
6) Use ldap.authentication.lppe.dateAttribute=pwdChangedTime
7) Modify PasswordPolicyEnforcer and LdapPasswordPolicyEnforcer in order to get number of days to password expiration from the message that openLdap returns when binding (as user).
Oh, yes, that is what I was looking into myself; so that I could do the date calculations I spoke of. For some reason I didn't see this point previously. Would you be willing to share the code and configuration items? If so, I might be able to get enough time allocated to make this work in a way that's flexible enough for stock CAS to work with Open LDAP or AD.
Also, I'm still not clear on how the spring security ldap module falls into this. Is it just to make sure appropriate exceptions are thrown, and that's it? And then I assume those are what you're changing for the ldapErrorDefinitions???
Anyhow, seeing your code, which configurations you changed, and how, would be greatly useful.
Thanks.
Hope this helps ...
Cheers,
Pavlos
On Thu, Jul 18, 2013 at 8:23 PM, Trenton D. Adams <[email protected]> wrote:
Hi Guys,
You can change this disclaimer on the LPPE page, as OpenLDAP does not have these features. It does have password expiry features, but the return of error codes is an Active Directory feature only. Open LDAP simply returns error code 49 (invalid credentials), when the account finally does expire. And when the password is about to expire, and the user is starting to use up their grace logins, it simply operates normally. In other words, there is no sort of warning. A person must query to find out if the password is going to expire, or has expired.
I may, or may not, modify the plugin to support Open LDAP.
Anyhow, this is the disclaimer I'm referring to...
https://wiki.jasig.org/pages/viewpage.action?pageId=26149328
ActiveDirectory vs. OpenLdap
Though the above table lists standard ldap error codes, LPPE has only been extensively tested against Active Directory. The functionality has yet to be tested and validated against an Open Ldap instance.
--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!
--
This communication is intended for the use of the recipient to whom it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communications received in error, or subsequent reply, should be deleted or destroyed.
---
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev