Alright, I was able to track down a little more information on my 
organization's password policy. I'm now wondering if CAS 6.2 supports lppe 
configurations. On the old CAS server (3.5), there was an 
lppe-configuration.xml file allowing one to set the attributes lppe looked 
at to trigger password warnings. Is there an equivalent configuration file 
on 6.2?

For reference, here is an example from our 5.3 lppe-configuration.xml file:
        <bean id="ldapPasswordPolicyEnforcer" class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer">
          <property name="searchBase" value="${ldap.authentication.basedn}" />
          <property name="contextSource" ref="contextSource" />
          <property name="filter" value="${ldap.authentication.filter}" />
          <property name="ignorePartialResultException" value="${ldap.authentication.ignorePartialResultException}" />
          <property name="warnAll" value="${ldap.authentication.lppe.warnAll}" />
          <property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" />
          <property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" />
          <property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" />
          <property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" />
          <property name="warningDays" value="${ldap.authentication.lppe.warningDays}" />
          <property name="validDays" value="${ldap.authentication.lppe.validDays}" />
          <property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" />
          <property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" />
        </bean>

On Wednesday, August 5, 2020 at 9:54:18 AM UTC-4 [email protected] wrote:

> Yes, it is defined in OpenLDAP.  I would be surprised if this is not 
> already setup on your existing directory.
>
> Guessing as to what CAS is doing…
>
> First search for user operational attributes pwdChangedTime and 
> pwdPolicySubentry.  Then a second search on the DN from pwdPolicySubentry.  
> That should retrieve attribute pwdMaxAge.  Then CAS would determine if the 
> account is expiring inside the CAS defined warning days window and pop up 
> the interruption screen to notify users as they login.
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Jeremiah 
> Garmatter
> *Sent:* Wednesday, August 5, 2020 10:30 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS 6.2 Password Policy
>
> Robert,
>
> You are saying that password policy is defined within openldap itself and 
> not within CAS?
>
> I'd prefer not to change any ldap configuration if that can be avoided. Is 
> there no way to change the attribute checked for password expiration within 
> CAS properties?
>
> -Jeremiah Garmatter, Systems Administrator
>
> -Ohio Northern University, Class of 2020
>
> -Work: 419-772-1074 Cell: 419-672-8685
>
> [email protected]
>
> On Tue, Aug 4, 2020 at 12:44 PM King, Robert <[email protected]> wrote:
>
> If you are using OpenLDAP 2.4 for your directory service:
>
> https://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.4-Release&arch=default&format=html
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Jeremiah 
> Garmatter
> *Sent:* Tuesday, August 4, 2020 10:45 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] CAS 6.2 Password Policy
>
> Hello,
>
> I am having trouble understanding the password policy documentation for 
> CAS 6.2.x. I use openldap as the ldap source. I would like to set up a 
> policy that warns users of a password change at 60 days, 30 days, and 
> forces a password change at 2 days. This policy was enforced on a server 
> running CAS 3.5 and I'm not sure how this system was set up (it was made by 
> predecessors).
>
>
> Could somebody explain what this line means?
>
> "LPPE is also able to warn the user when the account is about to expire. 
> The expiration policy is determined through pre-configured LDAP attributes 
> with default values in place." (found here: 
> https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.html
> )
>
> From what I understand there is a predefined LDAP attribute that is 
> checked against the warning-days property and if it is under the day-count 
> then a warning message appears.
>
> Is this true? Also, what LDAP attribute is it checking against? Can this 
> attribute be changed?
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org
>  
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
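The expiry check discussed in the quoted replies (user entry's pwdChangedTime and pwdPolicySubentry, then pwdMaxAge from the policy entry, compared against a warning-days window) can be worked through as follows. This is an added example, not part of any message in the thread and not CAS's own code; the DNs, attribute values, and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed entries standing in for the results of the two LDAP searches.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=org": {
        "pwdChangedTime": "20200601120000Z",
        "pwdPolicySubentry": "cn=default,ou=policies,dc=example,dc=org",
    },
    # Entry with no pwdChangedTime: ppolicy treats the password as non-expiring.
    "uid=svc,ou=people,dc=example,dc=org": {
        "pwdPolicySubentry": "cn=default,ou=policies,dc=example,dc=org",
    },
    # pwdMaxAge is expressed in seconds (7776000 s = 90 days).
    "cn=default,ou=policies,dc=example,dc=org": {"pwdMaxAge": "7776000"},
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in UTC, with or without a fraction."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def password_status(user_dn, warning_days, now, directory=DIRECTORY):
    """Return (state, whole_days_left) for the given user entry."""
    user = directory[user_dn]                       # first search: user entry
    changed = user.get("pwdChangedTime")
    policy = directory.get(user.get("pwdPolicySubentry", ""), {})  # second search
    max_age = int(policy.get("pwdMaxAge", "0"))
    # A missing pwdChangedTime, or pwdMaxAge of 0 / absent, means no expiry.
    if changed is None or max_age == 0:
        return ("no-expiry", None)
    expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
    remaining = expires - now
    if remaining <= timedelta(0):
        return ("expired", 0)
    if remaining <= timedelta(days=warning_days):
        return ("warn", remaining.days)
    return ("ok", remaining.days)


if __name__ == "__main__":
    now = datetime(2020, 8, 5, 14, 0, tzinfo=timezone.utc)
    print(password_status("uid=jdoe,ou=people,dc=example,dc=org", 60, now))
```
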
