Robert, Thank you for the advice, the account I'm using does have privileges to read the policy. When I signed in this morning (the password expires today), I was brought to a screen stating my password expired in 0 day(s) with a password reset link and a continue button. LPPE is finding something, but only on the day the password expires. I'll check out what's happening on LDAPs side when I get some time later.
-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
[email protected]

On Thu, Aug 20, 2020 at 10:48 AM King, Robert <[email protected]> wrote:

> Does that account that you are using have the appropriate privileges to read the LPPE policy? I have no experience with 389 and how it implements LPPE, but it does help to check on the LDAP server side to see what query the CAS/LDAPTIVE is making to check the LPPE.
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Jeremiah Garmatter
> *Sent:* Wednesday, August 19, 2020 4:46 PM
> *To:* CAS Community <[email protected]>
> *Cc:* King, Robert <[email protected]>; Jeremiah Garmatter <[email protected]>
> *Subject:* Re: [cas-user] CAS 6.2 Password Policy
>
> Robert,
>
> That link does look like the properties I need, however it appears to be missing a few entries, such as the dateAttribute and dateFormat, which I believe are vital to the configuration. I tried this configuration, note my organization runs 389 directory:
>
>     cas.authn.ldap[0].passwordPolicy.type=GENERIC
>     cas.authn.ldap[0].passwordPolicy.enabled=true
>     cas.authn.ldap[0].passwordPolicy.warn-all=false
>     cas.authn.ldap[0].passwordPolicy.warning-days=30
>     cas.authn.ldap[0].passwordPolicy.warning-attribute-value=
>     cas.authn.ldap[0].passwordPolicy.warning-attribute-name=
>     cas.authn.ldap[0].passwordPolicy.display-warning-on-match=true
>     cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT
>
> I also tried with warn-all=true, and the account-state-handling-enabled=true which didn't make a difference as far as I could tell. I am using an account with password set to expire in 1 day, which our cas 3.5 server correctly recognizes and acts on. After setting the ldaptive logger to debug, I don't see anything related to the password policy. Is there another logger that may provide more information for me?
>
> Perhaps I'll have to create a custom groovy script or some thymeleaf logic to compare the attributes with current date and time, then direct them to the service or our password reset application.
>
> On Wednesday, August 19, 2020 at 12:28:39 PM UTC-4 [email protected] wrote:
>
> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings
>
> *From:* Jeremiah Garmatter <[email protected]>
> *Sent:* Wednesday, August 19, 2020 12:27 PM
> *To:* CAS Community <[email protected]>
> *Cc:* King, Robert <[email protected]>
> *Subject:* Re: [cas-user] CAS 6.2 Password Policy
>
> Alright, I was able to track down a little more information on my organization's password policy. I'm now wondering if CAS 6.2 supports lppe configurations. On the old CAS server (3.5), there was an lppe-configuration.xml file allowing one to set the attributes lppe looked at to trigger password warnings. Is there an equivalent configuration file on 6.2?
>
> For reference, here is an example from our 5.3 lppe-configuration.xml file:
>
>     <bean id="ldapPasswordPolicyEnforcer"
>           class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer">
>         <property name="searchBase" value="${ldap.authentication.basedn}" />
>         <property name="contextSource" ref="contextSource" />
>         <property name="filter" value="${ldap.authentication.filter}" />
>         <property name="ignorePartialResultException" value="${ldap.authentication.ignorePartialResultException}" />
>         <property name="warnAll" value="${ldap.authentication.lppe.warnAll}" />
>         <property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" />
>         <property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" />
>         <property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" />
>         <property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" />
>         <property name="warningDays" value="${ldap.authentication.lppe.warningDays}" />
>         <property name="validDays" value="${ldap.authentication.lppe.validDays}" />
>         <property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" />
>         <property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" />
>     </bean>
>
> On Wednesday, August 5, 2020 at 9:54:18 AM UTC-4 [email protected] wrote:
>
> Yes, it is defined in OpenLDAP. I would be surprised if this is not already setup on your existing directory.
>
> Guessing as to what CAS is doing…
>
> First search for user operational attributes pwdChangedTime and pwdPolicySubentry. Then a second search on the DN from pwdPolicySubentry. That should retrieve attribute pwdMaxAge. Then CAS would determine if the account is expiring inside the CAS defined warning days window and pop up the interruption screen to notify users as they login.
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Jeremiah Garmatter
> *Sent:* Wednesday, August 5, 2020 10:30 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS 6.2 Password Policy
>
> Robert,
>
> You are saying that password policy is defined within openldap itself and not within CAS?
>
> I'd prefer not to change any ldap configuration if that can be avoided. Is there no way to change the attribute checked for password expiration within CAS properties?
>
> -Jeremiah Garmatter, Systems Administrator
> -Ohio Northern University, Class of 2020
> -Work: 419-772-1074 Cell: 419-672-8685
> [email protected]
>
> On Tue, Aug 4, 2020 at 12:44 PM King, Robert <[email protected]> wrote:
>
> If you are using OpenLDAP 2.4 for your directory service:
>
> https://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.4-Release&arch=default&format=html
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Jeremiah Garmatter
> *Sent:* Tuesday, August 4, 2020 10:45 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] CAS 6.2 Password Policy
>
> Hello,
>
> I am having trouble understanding the password policy documentation for CAS 6.2.x. I use openldap as the ldap source. I would like to set up a policy that warns users of a password change at 60 days, 30 days, and forces a password change at 2 days. This policy was enforced on a server running CAS 3.5 and I'm not sure how this system was set up (it was made by predecessors).
>
> Could somebody explain what this line means?
>
> "LPPE is also able to warn the user when the account is about to expire. The expiration policy is determined through pre-configured LDAP attributes with default values in place."
> (found here: https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.html)
>
> From what I understand there is a predefined LDAP attribute that is checked against the warning-days property and if it is under the day-count then a warning message appears.
>
> Is this true? Also, what LDAP attribute is it checking against? Can this attribute be changed?
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org.
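The two-search lookup Robert sketches (pwdChangedTime and pwdPolicySubentry on the user entry, then pwdMaxAge on the policy subentry) and the days-remaining check that follows it, as an added Python example; this is not code from the thread, from CAS or from ldaptive. The directory contents are constructed sample data, treating a missing or zero pwdMaxAge as "never expires" follows slapo-ppolicy's meaning of 0, and the WARN/FORCE thresholds encode the 60/30/2-day policy Jeremiah describes rather than CAS's own decision logic.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for two LDAP search results, keyed by DN.  Attribute
# names are the slapo-ppolicy operational attributes; the values are made up.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=edu": {
        "pwdChangedTime": "20200521120000Z",  # GeneralizedTime, UTC
        "pwdPolicySubentry": "cn=default,ou=policies,dc=example,dc=edu",
    },
    "cn=default,ou=policies,dc=example,dc=edu": {
        "pwdMaxAge": "7776000",  # 90 days, in seconds
    },
}
USER_DN = "uid=jdoe,ou=people,dc=example,dc=edu"

def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in its usual YYYYMMDDHHMMSSZ (UTC) form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def lookup_expiry(user_dn: str, directory=DIRECTORY):
    """Search 1: user entry -> pwdChangedTime, pwdPolicySubentry.
    Search 2: that subentry -> pwdMaxAge.  Returns the expiry instant, or
    None when the password never expires (no subentry, or pwdMaxAge 0)."""
    user = directory.get(user_dn, {})
    policy_dn = user.get("pwdPolicySubentry")
    if not policy_dn or "pwdChangedTime" not in user:
        return None
    max_age = int(directory.get(policy_dn, {}).get("pwdMaxAge", "0"))
    if max_age <= 0:
        return None
    return parse_generalized_time(user["pwdChangedTime"]) + timedelta(seconds=max_age)

def days_left(expiry: datetime, now: datetime) -> int:
    """Whole days remaining: 0 on the expiry day itself, negative once expired."""
    return (expiry - now).days

def password_state(days: int, warn_at=(60, 30), force_at=2) -> str:
    """Classify against the 60/30/2-day policy from the thread (assumed
    thresholds, not CAS behaviour); the smallest window that applies wins."""
    if days < 0:
        return "EXPIRED"
    if days <= force_at:
        return "FORCE_CHANGE"
    for threshold in sorted(warn_at):
        if days <= threshold:
            return f"WARN_{threshold}"
    return "OK"
```

Comparing the result for a test account against what the login screen shows on the same day is a quick way to tell whether CAS is reading the policy at all or only reacting once the days-left value reaches 0.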
