Ok, here's my two cents about this. Maybe the following is kind of obvious to
you experts, but here it is just in case it helps.
LPPEAuthenticationHandler estimates the account status itself, by looking at
some attributes to calculate the expiration date, etc. BUT in ppolicy there are
no such attributes in the user's record. From this point of view,
LPPEAuthenticationHandler is not generic enough to handle this kind of
mechanism and therefore creating a class that extends from it won't work.
However, there's no need to calculate anything with ppolicy. If the
authentication is made correctly, the LDAP server will return all the needed
information without looking at the user's attributes. Then,
org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler can manage
this response and set the account status accordingly (it will set the seconds
before password expiration, number of grace logins remaining or any error state
like account locked).
Here's the config with which I've seen this:
<!-- CAS side: the handler only delegates to the ldaptive Authenticator below -->
<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:principalIdAttribute="uid"
      c:authenticator-ref="authenticator">
  <property name="principalAttributeMap">
    <map>
      <entry key="..." value="..." />
      <entry key="..." value="..." />
    </map>
  </property>
</bean>

<!-- ldaptive side: resolve the DN, bind, then let the response handler
     translate the ppolicy response control into an AccountState -->
<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="dnResolver" c:handler-ref="authHandler">
  <property name="authenticationResponseHandlers">
    <list>
      <bean class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" />
    </list>
  </property>
</bean>

<bean id="dnResolver"
      class="org.ldaptive.auth.FormatDnResolver"
      c:format="uid=%s,${ldap.baseDn}" />

<!-- The request control is what makes the server send ppolicy data back -->
<bean id="authHandler"
      class="org.ldaptive.auth.PooledBindAuthenticationHandler"
      p:connectionFactory-ref="pooledLdapConnectionFactory">
  <property name="authenticationControls">
    <list>
      <bean class="org.ldaptive.control.PasswordPolicyControl" />
    </list>
  </property>
</bean>
The important thing is the use of org.ldaptive.control.PasswordPolicyControl in
the authentication (otherwise the server won't return the needed account status
information) and the use of
org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler in the
handling of the authentication response.
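As an added illustration (my own snippet, not code from the post or from CAS), here is the same wiring done directly against the ldaptive 1.x API, so you can see where the account state ends up after the bind; the LDAP URL and base DN are placeholders, and a BindAuthenticationHandler stands in for the pooled one in the config above.

```java
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapException;
import org.ldaptive.auth.AccountState;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.Authenticator;
import org.ldaptive.auth.BindAuthenticationHandler;
import org.ldaptive.auth.FormatDnResolver;
import org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler;
import org.ldaptive.control.PasswordPolicyControl;

public class PpolicyBindCheck {

    // Placeholder values (assumptions): point these at the real server and base DN.
    static final String LDAP_URL = "ldap://ldap.example.org:389";
    static final String BASE_DN = "ou=people,dc=example,dc=org";

    /** Binds as the user and reports what the server said about the account. */
    public static boolean authenticate(String uid, String password) throws LdapException {
        DefaultConnectionFactory cf = new DefaultConnectionFactory(LDAP_URL);

        // Same shape as the Spring beans: DN resolver + bind handler.
        Authenticator auth = new Authenticator(
            new FormatDnResolver("uid=%s," + BASE_DN),
            new BindAuthenticationHandler(cf));
        // Without this handler the ppolicy response control is ignored.
        auth.setAuthenticationResponseHandlers(
            new PasswordPolicyAuthenticationResponseHandler());

        AuthenticationRequest req = new AuthenticationRequest(uid, new Credential(password));
        // Without this request control the server sends no ppolicy data at all.
        req.setControls(new PasswordPolicyControl());

        AuthenticationResponse resp = auth.authenticate(req);
        AccountState state = resp.getAccountState();
        if (state != null && state.getWarning() != null) {
            // e.g. password expires soon, or only N grace logins left
            System.out.println("expires: " + state.getWarning().getExpiration().getTime()
                + ", grace logins left: " + state.getWarning().getLoginsRemaining());
        }
        if (state != null && state.getError() != null) {
            // e.g. account locked, password expired, must change after reset
            System.out.println("ppolicy error: " + state.getError().getMessage());
        }
        return resp.getResult();
    }
}
```

Note that getAccountState() is null when the server attached no control to the bind response, so a missing ppolicy overlay shows up as "no state" rather than as an error.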