Dear Chun-Yao,

1. OpenLDAP offers a Password Policy implementation - please see
https://tobru.ch/openldap-password-policy-overlay/. You don't need to opt
for Apache DS as you already have OpenLDAP.
2. CAS interacts with the LDAP server using the standard ldaptive Java
library: https://www.ldaptive.org/
3. The error codes that are returned by the LDAP server are translated to
end-user messages inside CAS. Please have a look at the messages.properties
file inside CAS [you can get this file either by the gradlew explodewar command
or equivalent, or the file is inside the tomcat\webapps\cas\WEB-INF\classes
path; it's advisable that you follow overlay standards and keep this
separate, like your application.properties file] and customize the messages
as per your requirements [what you want the user to see]. The concerned
properties are

authenticationFailure.AccountDisabledException=This account has been disabled.
authenticationFailure.AccountLockedException=This account has been locked.
authenticationFailure.AccountExpiredException=This account has expired and is forbidden to login at this time.
authenticationFailure.CredentialExpiredException=Your password has expired.

There are many more - pl see the authentication failure messages section in
the messages.properties.

Now - when you are writing the messages - all HTML tags are supported.

Example - This account has been locked ....BLA...BLA.....BLA . Visit
<a href="http://www.abc.com">Identity server self service</a> to take
corrective actions.

So - please customize the messages as per your requirements and your job
should be done. The above will possibly be the easiest method for
implementation of your use cases.

Best Regards

Ritesh Tripathi
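An added illustration, not part of this thread and not OpenLDAP, ApacheDS or CAS code: a short Python model of the draft-behera lockout behaviour that the ppolicy overlay implements, set to the "3 failed attempts, 30 minute lock" requirement raised below. Attribute names follow the draft (pwdMaxFailure, pwdLockoutDuration, pwdFailureCountInterval, pwdFailureTime, pwdAccountLockedTime); the DN, timestamps and attempt sequence are constructed for the example. It also renders the matching ppolicy entry as LDIF.

```python
"""Model of LDAP password-policy lockout (draft-behera-ldap-password-policy).

Added illustration for this thread; NOT OpenLDAP, ApacheDS or CAS code.
Attribute names follow the draft; the policy values, DN and timestamps
below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    pwdMaxFailure: int                 # failed binds before the account locks (0 = never lock)
    pwdLockoutDuration: int            # seconds the lock lasts (0 = until an administrator resets it)
    pwdFailureCountInterval: int = 0   # seconds after which old failures are forgotten (0 = never)
    pwdLockout: bool = True            # lockout feature switched on


@dataclass
class AccountState:
    """Operational attributes the server keeps on the user entry."""
    pwdFailureTime: List[datetime] = field(default_factory=list)
    pwdAccountLockedTime: Optional[datetime] = None


def is_locked(state: AccountState, policy: PasswordPolicy, now: datetime) -> bool:
    if state.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True  # stays locked until pwdAccountLockedTime is removed by an admin
    return now < state.pwdAccountLockedTime + timedelta(seconds=policy.pwdLockoutDuration)


def record_bind(state: AccountState, policy: PasswordPolicy, now: datetime, password_ok: bool) -> str:
    """Apply one bind attempt and return the outcome the client would see.

    'accountLocked' is the ppolicy error that CAS maps to AccountLockedException
    (the policyAttributes.accountLocked property shown further down the thread).
    """
    if is_locked(state, policy, now):
        return "accountLocked"          # even a correct password is refused while locked
    if password_ok:
        state.pwdFailureTime.clear()    # a successful bind wipes the failure history
        state.pwdAccountLockedTime = None
        return "ok"
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - timedelta(seconds=policy.pwdFailureCountInterval)
        state.pwdFailureTime = [t for t in state.pwdFailureTime if t > cutoff]
    state.pwdFailureTime.append(now)
    if policy.pwdLockout and 0 < policy.pwdMaxFailure <= len(state.pwdFailureTime):
        state.pwdAccountLockedTime = now   # this failure trips the lock
    return "invalidCredentials"


def replay(policy: PasswordPolicy, attempts: List[Tuple[int, bool]]):
    """Replay (seconds_after_start, password_ok) attempts against a fresh account."""
    t0 = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed start time
    state = AccountState()
    results = []
    for offset, ok in attempts:
        now = t0 + timedelta(seconds=offset)
        outcome = record_bind(state, policy, now, ok)
        results.append((offset, outcome, is_locked(state, policy, now)))
    return results


def to_ldif(policy: PasswordPolicy, dn: str) -> str:
    """Render the policy as an OpenLDAP ppolicy entry ('device' is the usual structural class)."""
    return "\n".join([
        f"dn: {dn}",
        "objectClass: device",
        "objectClass: pwdPolicy",
        "cn: " + dn.split(",")[0].split("=", 1)[1],
        "pwdAttribute: userPassword",
        f"pwdLockout: {'TRUE' if policy.pwdLockout else 'FALSE'}",
        f"pwdMaxFailure: {policy.pwdMaxFailure}",
        f"pwdLockoutDuration: {policy.pwdLockoutDuration}",
        f"pwdFailureCountInterval: {policy.pwdFailureCountInterval}",
    ]) + "\n"


# Requirement from the thread: lock for 30 minutes after 3 failed attempts.
THREAD_POLICY = PasswordPolicy(pwdMaxFailure=3, pwdLockoutDuration=1800)

# Constructed sequence: three bad passwords, a correct one during the lock,
# a bad one just before the lock expires, and a correct one at expiry.
DEMO_ATTEMPTS = [(0, False), (10, False), (20, False), (100, True), (1819, False), (1820, True)]

if __name__ == "__main__":
    print(to_ldif(THREAD_POLICY, "cn=default,ou=policies,dc=example,dc=com"))
    for offset, outcome, locked in replay(THREAD_POLICY, DEMO_ATTEMPTS):
        print(f"t+{offset:>5}s  {outcome:<18} locked={locked}")
```

Two points worth seeing in the replay: a correct password is refused with accountLocked for the whole lockout window, and with pwdLockoutDuration=0 the account stays locked until an administrator removes pwdAccountLockedTime. Load the LDIF with ldapmodify and verify the values with ldapsearch before wiring them into the CAS properties, as the advice further down the thread suggests.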

On Fri, Jan 1, 2021 at 11:46 AM Chun-Yao Wang <chunyao.wang...@gmail.com>
wrote:

> Dear Ritesh Tripathi:
>
>      I'm very grateful for your speedy reply, this is the best New Year
> gift I have got!!
>      Before I read your post, it never came to my mind that the password
> policy can be set in LDAP.
>      I am using CAS 6.0 + OpenLDAP on an Ubuntu server; I will try your
> suggestion and test it.
>
>      Could you allow me to ask some more questions?
>
>    1. Can CAS show an "Account locked due to too many attempts" message to
>    the user when the user's account is locked?
>    2. Can I redirect the user to my specific URL when the user's password
>    has expired?
>
>      Thank you so much for your reply!
>      Best Regards & Best Wishes for New Year 2021!
>
>      Sincerely
>      Chunyao Wang.
> On Thursday, 31 December 2020 at 11:55:31 PM UTC+8, Ritesh Tripathi wrote:
>
>> Dear Chun-Yao,
>>
>> Apache DS is an LDAP server. All LDAP servers - including the
>> implementation of LDAP by Microsoft, which is called Active Directory -
>> have the feature of Password Policies. [Please see -
>> https://ldapwiki.com/wiki/Password%20Policy]
>>
>> Apache DS also offers the password policy, complying with the draft
>> specification of Password Policy -
>> https://ldapwiki.com/wiki/Draft-behera-ldap-password-policy
>>
>> These can be easily configured in the Directory Studio admin - by opening
>> the configuration file and going to the Password Policies tab. Please see the
>> screenshot enclosed below [red indicates the parameters to be added to the
>> system in your case].
>>
>> [image: image.png]
>>
>> The CAS properties that I used for getting the application up and running
>> are given below [version 6.2.x of CAS].
>>
>> ######### local LDAP connection string for authentication using the manager's bind; tested as OK on localhost #########
>> cas.authn.ldap[0].ldapUrl=ldap://localhost:389/
>> cas.authn.ldap[0].bindDn=uid=admin,ou=system
>> cas.authn.ldap[0].bindCredential=xxxx
>>
>> cas.authn.ldap[0].poolPassivator=BIND
>> #cas.authn.ldap[0].connectionStrategy=DEFAULT
>>
>> #cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>> cas.authn.ldap[0].type=AUTHENTICATED
>> #cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].baseDn=dc=tbitslocal,dc=com
>> cas.authn.ldap[0].subtreeSearch=true
>> cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
>>
>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile,ou
>> cas.authn.ldap[0].minPoolSize=3
>> cas.authn.ldap[0].maxPoolSize=10
>> cas.authn.ldap[0].blockWaitTime=PT3S
>> #cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].responseTimeout=PT5S
>> cas.authn.ldap[0].allowMultipleDns=false
>> cas.authn.ldap[0].allowMultipleEntries=false
>> cas.authn.ldap[0].followReferrals=false
>> cas.authn.ldap[0].name=localhostLDAP
>>
>> #################LDAP Password Policy##############################
>> cas.authn.ldap[0].passwordPolicy.type=GENERIC
>> cas.authn.ldap[0].passwordPolicy.enabled=true
>>
>> cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
>> cas.authn.ldap[0].passwordPolicy.loginFailures=5
>> #cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
>> #cas.authn.ldap[0].passwordPolicy.warningAttributeName=
>> cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
>> cas.authn.ldap[0].passwordPolicy.warnAll=true
>> cas.authn.ldap[0].passwordPolicy.warningDays=1
>> cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true
>>
>>
>> #############Properties for LDAP Password Management############
>> cas.authn.pm.ldap[0].type=GENERIC
>> cas.authn.pm.ldap[0].username-attribute=uid
>> cas.authn.pm.ldap[0].ldapUrl=ldap://localhost:389/
>> cas.authn.pm.ldap[0].bindDn=uid=admin,ou=system
>> cas.authn.pm.ldap[0].bindCredential=xxxx
>> cas.authn.pm.ldap[0].poolPassivator=BIND
>> cas.authn.pm.ldap[0].connectionStrategy=RANDOM
>> cas.authn.pm.ldap[0].connect-timeout=PT5S
>>
>> #cas.authn.pm.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>> #cas.authn.pm.ldap[0].type=AUTHENTICATED
>> #cas.authn.pm.ldap[0].useSsl=false
>> cas.authn.pm.ldap[0].useStartTls=false
>> cas.authn.pm.ldap[0].baseDn=dc=tbitslocal,dc=com
>> cas.authn.pm.ldap[0].subtreeSearch=true
>> cas.authn.pm.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
>>
>> #cas.authn.pm.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile
>> cas.authn.pm.ldap[0].minPoolSize=3
>> cas.authn.pm.ldap[0].maxPoolSize=10
>> cas.authn.pm.ldap[0].blockWaitTime=PT3S
>> #cas.authn.pm.ldap[0].useSsl=false
>> cas.authn.pm.ldap[0].useStartTls=false
>> cas.authn.pm.ldap[0].responseTimeout=PT5S
>> cas.authn.pm.ldap[0].allowMultipleDns=false
>> cas.authn.pm.ldap[0].allowMultipleEntries=false
>> cas.authn.pm.ldap[0].followReferrals=false
>> cas.authn.pm.ldap[0].name=localhostLDAP_PM_Feature
>>
>> #######################
>> Some words of advice - to save time
>>
>> 1. While dealing with LDAP - please test all your settings using the
>> command line first before using them for configuration in CAS. Execute the
>> basic commands such as "ldapsearch" using your settings - first from the
>> command line to ensure that your connections and values are working -
>> before filling in the CAS properties as applicable in your case.
>> 2. Please don't blindly copy-paste CAS properties - think and understand
>> what you are doing.
>> 3. The only constraint that I faced was that at the time of "forgot
>> username" or "forgot password" - there can only be a single search query
>> that can be defined - if you integrate with LDAP, as against JDBC, where you
>> can define 2 different queries - one for getting the username and another for
>> fetching the email address etc. I overcame the above constraint by
>> setting username = email, for my use case.
>> 4. Before implementing a directory service such as LDAP / ApacheDS - think if
>> you already have access to your LDAP or any other directory service
>> internally. All standard directory services will offer you Password
>> Policy features; better use them before introducing a new piece of software in
>> your organization.
>>
>> Please feel free to contact me - if you have any further questions.
>>
>> Best Regards & Best Wishes for New Year 2021!
>>
>> Ritesh Tripathi
>>
>> On Thu, Dec 31, 2020 at 8:18 PM Chun-Yao Wang <chunyao...@gmail.com>
>> wrote:
>>
>>> Dear Ritesh Tripathi:
>>>
>>>     I have the same requirement as you.
>>>     I need to *"Lock user account for 30min after 3 unsuccessful
>>> login attempts"*
>>>     Could you give me more detail about how to configure Apereo CAS +
>>> ApacheDS to achieve the requirements?
>>>     Great Thanks!!
>>>
>>> On Thursday, 19 November 2020 at 12:45:13 AM UTC+8, Ritesh Tripathi wrote:
>>>
>>>> Updating this thread so that this may be useful to others:
>>>>
>>>> A. Started using ApacheDS - https://directory.apache.org/apacheds/ - as
>>>> the LDAP server on a Windows machine.
>>>> B. Delegated all the password policy constraints to ApacheDS. ApacheDS
>>>> can be administered via Apache Directory Studio, and I did not have to
>>>> implement any custom code for the same thing in JDBC.
>>>> C. CAS worked wonderfully with LDAP authentication - including password
>>>> update in LDAP at the time of password expiry etc.
>>>>
>>>> Thank you
>>>>
>>>> On Monday, 21 September 2020 at 19:57:25 UTC+5:30 ro...@mun.ca wrote:
>>>>
>>>>> I believe that the JDBC password policy settings are in the database
>>>>> authentication settings:
>>>>>
>>>>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#database-authentication
>>>>>
>>>>> Specifically
>>>>>
>>>>> # cas.authn.jdbc.query[0].field-expired=
>>>>> # cas.authn.jdbc.query[0].field-disabled=
>>>>>
>>>>> Where both queries determine if an account is expired or disabled.
>>>>>
>>>>> I am not certain, but I think you need a separate system, other than
>>>>> CAS, to expire and disable accounts in JDBC.
>>>>>
>>>>>
>>>>> *From:* cas-...@apereo.org <cas-...@apereo.org> *On Behalf Of *Ritesh
>>>>> Tripathi
>>>>> *Sent:* Sunday, September 20, 2020 12:50 PM
>>>>> *To:* CAS Community <cas-...@apereo.org>
>>>>> *Subject:* [cas-user] Cas 6.2 - Implementation of Custom Password
>>>>> Policy for JDBC Authentication
>>>>>
>>>>> Hello All,
>>>>>
>>>>> We have a requirement that *"after 5 unsuccessful login attempts - we
>>>>> need to lock the account for a day for the said user."*
>>>>>
>>>>> We are using JDBC authentication.
>>>>>
>>>>> We were just curious if anyone has implemented a custom password policy
>>>>> using Groovy scripts or some other method for requirements as above.
>>>>>
>>>>> The CAS documentation seems to be specific to LDAP and other cases.
>>>>> I was not able to get more information on JDBC.
>>>>>
>>>>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings
>>>>>
>>>>> Will the Groovy script method as given in the above documentation link
>>>>> work for JDBC as well? Any comments or pointers on implementing the above type
>>>>> of requirement and similar ones would be appreciated.
>>>>>
>>>>> Best Regards
>>>>>
>>>>> R
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to cas-user+u...@apereo.org.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/33d653bb-392c-457e-9d4b-b86785e2b26cn%40apereo.org
>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/33d653bb-392c-457e-9d4b-b86785e2b26cn%40apereo.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGcP-QrR_JnQRfnNM-1Yf1tXyFUDoequOUeYBcA6gtnCwDbPLQ%40mail.gmail.com.
