Hi All,

I’ve done some additional digging and it seems like the easiest solution would 
be to use a Groovy script for the authentication policy.
https://apereo.github.io/cas/6.3.x/installation/Configuring-Authentication-Components.html#authentication-policy

I may be missing something, but I don't seem to be able to get CAS to execute the 
Groovy script.
I’ve tried setting the following property in my CAS config:

cas.authn.policy.groovy[0].script=file:/etc/cas/config/account.groovy

I modified the example so that it would output a message to the log and then 
return NULL – just wanted to see it get invoked.

import java.util.*
import org.apereo.cas.authentication.exceptions.*
import javax.security.auth.login.*

// CAS invokes run() with the principal as args[0] and a logger as args[1].
// Returning null means the policy is satisfied; returning an Exception rejects.
def Exception run(final Object... args) {
    def principal = args[0]
    def logger = args[1]
    logger.error("***** Groovy Account Policy")
    return null
}

The code doesn’t seem to get hit at all – no messages output in the log and the 
default account policies are applied.

Any suggestions or guidance would be greatly appreciated.
I tried a Groovy password policy script and while it executed, it didn’t stop 
the authentication chain from processing the second LDAP after authentication 
fails on the first.

Thanks,

Tom
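As an added illustration of the script contract used above (this is not code from the CAS project or from the original post), the following policy script keeps the same `run(Object... args)` signature, with `args[0]` the principal and `args[1]` the logger, and shows the difference between returning `null` (policy satisfied) and returning an exception (authentication rejected). The hard-coded deny-list and its contents are constructed placeholders, and the `{}` message placeholders assume an SLF4J-style logger.

```groovy
import org.apereo.cas.authentication.exceptions.AccountDisabledException
import javax.security.auth.login.FailedLoginException

def Exception run(final Object... args) {
    def principal = args[0]
    def logger = args[1]

    // Constructed placeholder: a real deployment would read this from
    // configuration or an attribute repository, not hard-code it here.
    def disabledAccounts = ['testaccount'] as Set

    // Log before any decision so that a missing log line tells you the
    // script was never invoked, as opposed to having returned null.
    logger.info("Groovy authentication policy invoked for principal [{}]", principal?.id)

    if (principal == null || principal.id == null) {
        logger.warn("Policy received no resolved principal; rejecting")
        return new FailedLoginException("No principal resolved")
    }

    if (disabledAccounts.contains(principal.id.toString().toLowerCase())) {
        logger.warn("Principal [{}] is on the disabled list; rejecting", principal.id)
        return new AccountDisabledException("Account is disabled")
    }

    // null tells CAS the policy is satisfied and authentication may proceed.
    return null
}
```

The first log line is the useful diagnostic for the problem described above: if it never appears at any level, the script is not being loaded, and the property path or resource location is the thing to check rather than the script body.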

From: 'Tom O'Neill' via CAS Community <cas-user@apereo.org>
Sent: Friday, January 1, 2021 3:51 PM
To: cas-user@apereo.org
Subject: [EXT] [cas-user] Authentication Policy with Multiple Directories


Hi All,

I am working on a CAS 6.3 deployment where we need to configure multiple 
directories for authentication using LDAP.

I have both LDAP sources configured and working with LPPE enabled but I need to 
change the authentication behavior slightly.

If the user is found in the first directory and authentication fails, I need 
the authentication process to stop.
The second directory should not be queried if the first has a user record with 
a different password than what the user entered.
If no record is found for the user in the first directory, the authentication 
process should continue on through the chain.

I thought I’d be able to use an existing Authentication Policy but I don’t see 
any that match my goal.
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#authentication-policy

I don’t want it to allow ‘any’ and I don’t want to specify one or the other as 
required.

LPPE doesn't process the exception since there is no entry in the errorMap 
object for 'LOGON_FAILURE'.
After processing the first result CAS moves on to check the next ‘GENERIC’ 
directory:

2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Handling LDAP account state error [LOGON_FAILURE]>
2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <No LDAP error mapping defined for [LOGON_FAILURE]>
2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Handling account state warning [null]>
2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Account state warning not defined>
2021-01-01 19:21:32,216 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[AD] exception details: [Invalid credentials].>
2021-01-01 19:21:32,216 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=testaccount, source=null, customFields={})] eligibility for authentication handler [GENERIC]>

With so many configurable options, it seems like there should be a way to 
accomplish this without writing code.
Right now I’m looking at modifying the DefaultAccountStateHandler to include a 
mapping in errorMap for ‘LOGIN_FAILURE’.
I’m not 100% sure that will work the way I need it to but it seems like a 
fairly straightforward option and modification.

Thanks!!
Tom
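The log excerpt above shows the behaviour being described: the first LDAP handler rejects the password, the account-state handler finds no errorMap entry for LOGON_FAILURE, and the chain goes on to examine the same credential against the next handler. As an added example (not part of the original post or of CAS), the script below parses CAS log lines in that format and flags every such fall-through, so a deployment can verify from its own logs whether a wrong password in the first directory still leads to a lookup in the second. The sample log lines are constructed to match the excerpt; the `successfully authenticated` line is a constructed approximation of a success message, included only to show that a successful login does not produce a finding.

```python
"""Detect LDAP handler fall-through in CAS DEBUG logs.

A fall-through is an 'Invalid credentials' rejection by one handler followed by
the chain examining the same credential against a different handler.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the excerpt in the thread (one event per line).
SAMPLE_LOG = """\
2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Handling LDAP account state error [LOGON_FAILURE]>
2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <No LDAP error mapping defined for [LOGON_FAILURE]>
2021-01-01 19:21:32,216 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[AD] exception details: [Invalid credentials].>
2021-01-01 19:21:32,216 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=testaccount, source=null, customFields={})] eligibility for authentication handler [GENERIC]>
2021-01-01 19:25:10,004 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=otheruser, source=null, customFields={})] eligibility for authentication handler [AD]>
2021-01-01 19:25:10,031 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication handler [AD] successfully authenticated [UsernamePasswordCredential(username=otheruser, source=null, customFields={})]>
"""

# Generic CAS line: timestamp, level, logger name, then the message in angle brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] - <(?P<msg>.*)>$"
)
FAILURE_RE = re.compile(r"^\[(?P<handler>[^\]]+)\] exception details: \[Invalid credentials\]\.$")
EXAMINE_RE = re.compile(
    r"^Examining credential \[UsernamePasswordCredential\(username=(?P<user>[^,)]+).*\)\] "
    r"eligibility for authentication handler \[(?P<handler>[^\]]+)\]$"
)
UNMAPPED_RE = re.compile(r"^No LDAP error mapping defined for \[(?P<state>[^\]]+)\]$")


@dataclass(frozen=True)
class FallThrough:
    timestamp: str
    username: str
    failed_handler: str
    next_handler: str


def parse_line(line):
    """Split one CAS log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_fall_throughs(log_text):
    """Return a FallThrough for each rejection that was followed by another handler's lookup."""
    findings = []
    pending = None  # (timestamp, handler) of the most recent 'Invalid credentials' rejection
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        fail = FAILURE_RE.match(msg)
        if fail:
            pending = (rec["ts"], fail.group("handler"))
            continue
        if "successfully authenticated" in msg:
            pending = None  # a success closes the attempt; nothing to report
            continue
        exam = EXAMINE_RE.match(msg)
        if exam and pending is not None:
            ts, failed = pending
            if exam.group("handler") != failed:
                findings.append(FallThrough(ts, exam.group("user"), failed, exam.group("handler")))
            pending = None
    return findings


def unmapped_account_states(log_text):
    """Count LDAP account states that the state handler saw but had no errorMap entry for."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = UNMAPPED_RE.match(rec["msg"])
        if m:
            counts[m.group("state")] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_fall_throughs(SAMPLE_LOG):
        print(f"{f.timestamp} {f.username}: rejected by [{f.failed_handler}], "
              f"chain continued to [{f.next_handler}]")
    print("unmapped account states:", unmapped_account_states(SAMPLE_LOG))
```

Run against a real `cas.log` captured at DEBUG, the fall-through list is the evidence to check after any policy or errorMap change: once the chain stops on the first directory's rejection, the list should be empty for users known to exist there, and the unmapped-state counter shows whether LOGON_FAILURE is still arriving at the account-state handler without a mapping.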

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/MN2PR02MB665506502F74EA8261B96008CBD50%40MN2PR02MB6655.namprd02.prod.outlook.com.
