Hi All,

I’ve done some additional digging and it seems like the easiest solution would be to use a Groovy script for the authentication policy: https://apereo.github.io/cas/6.3.x/installation/Configuring-Authentication-Components.html#authentication-policy
I may be missing something, but I don’t seem to be able to get CAS to execute the Groovy script. I’ve tried setting the following property in my CAS config:

    cas.authn.policy.groovy[0].script=file:/etc/cas/config/account.groovy

I modified the example so that it would output a message to the log and then return NULL – just wanted to see it get invoked.

    import java.util.*
    import org.apereo.cas.authentication.exceptions.*
    import javax.security.auth.login.*

    // Return an Exception to reject the authentication, or null to let it pass.
    def Exception run(final Object... args) {
        def principal = args[0]
        def logger = args[1]
        logger.error("***** Groovy Account Policy")
        return null
    }

The code doesn’t seem to get hit at all – no messages output in the log and the default account policies are applied. Any suggestions or guidance would be greatly appreciated.

I tried a Groovy password policy script and while it executed, it didn’t stop the authentication chain from processing the second LDAP after authentication fails on the first.

Thanks,
Tom

From: 'Tom O'Neill' via CAS Community <cas-user@apereo.org>
Sent: Friday, January 1, 2021 3:51 PM
To: cas-user@apereo.org
Subject: [cas-user] Authentication Policy with Multiple Directories

Hi All,

I am working on a CAS 6.3 deployment where we need to configure multiple directories for authentication using LDAP. I have both LDAP sources configured and working with LPPE enabled, but I need to change the authentication behavior slightly. If the user is found in the first directory and authentication fails, I need the authentication process to stop. The second directory should not be queried if the first has a user record with a different password than what the user entered. If no record is found for the user in the first directory, the authentication process should continue on through the chain.
I thought I’d be able to use an existing Authentication Policy but I don’t see any that match my goal: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#authentication-policy

I don’t want it to allow ‘any’ and I don’t want to specify one or the other as required. LPPE doesn’t process the exception since there is no entry in the errorMap object for ‘LOGON_FAILURE’. After processing the first result CAS moves on to check the next ‘GENERIC’ directory:

    2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Handling LDAP account state error [LOGON_FAILURE]>
    2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <No LDAP error mapping defined for [LOGON_FAILURE]>
    2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Handling account state warning [null]>
    2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Account state warning not defined>
    2021-01-01 19:21:32,216 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[AD] exception details: [Invalid credentials].>
    2021-01-01 19:21:32,216 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=testaccount, source=null, customFields={})] eligibility for authentication handler [GENERIC]>

With so many configurable options, it seems like there should be a way to accomplish this without writing code. Right now I’m looking at modifying the DefaultAccountStateHandler to include a mapping in errorMap for ‘LOGON_FAILURE’. I’m not 100% sure that will work the way I need it to, but it seems like a fairly straightforward option and modification.

Thanks!!
Tom

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/MN2PR02MB665506502F74EA8261B96008CBD50%40MN2PR02MB6655.namprd02.prod.outlook.com.
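As an added example that is not part of this thread or of CAS itself: a small Python check that scans CAS log lines in the shape quoted in the original post and reports every place where one handler failed and CAS then offered the same credential to the next handler, which is exactly the fall-through the original post wants to prevent. It assumes the lines come from a single sequential login flow (so a failure followed by the next "Examining credential" line belongs to the same attempt); the handler names [AD] and [GENERIC] are taken from the excerpt above and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# CAS log line shape seen in the thread: "<date> <time> <LEVEL> [<logger>] - <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) \[([^\]]+)\] - <(.*)>$")
# Handler failure, e.g. "[AD] exception details: [Invalid credentials]."
FAIL_RE = re.compile(r"^\[(?P<handler>[^\]]+)\] exception details: \[(?P<detail>[^\]]*)\]\.$")
# Handler being offered the credential, e.g. "Examining credential [...] eligibility for authentication handler [GENERIC]"
EXAMINE_RE = re.compile(
    r"^Examining credential \[UsernamePasswordCredential\(username=(?P<user>[^,]+),.*\)\]"
    r" eligibility for authentication handler \[(?P<handler>[^\]]+)\]$"
)

@dataclass
class Fallthrough:
    username: str
    failed_handler: str
    detail: str
    next_handler: str

def find_fallthroughs(lines):
    """Report each handler failure that was followed by CAS offering the credential to another handler."""
    found = []
    pending = None  # (handler, detail) of the latest failure not yet followed by another handler check
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a CAS log line in the expected shape
        message = m.group(4)
        fail = FAIL_RE.match(message)
        if fail:
            pending = (fail.group("handler"), fail.group("detail"))
            continue
        exam = EXAMINE_RE.match(message)
        if exam and pending:
            found.append(Fallthrough(exam.group("user"), pending[0], pending[1], exam.group("handler")))
            pending = None
    return found

# Constructed sample: the relevant lines quoted in the thread, plus a clean attempt by another user.
SAMPLE_LOG = [
    "2021-01-01 19:21:32,210 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=testaccount, source=null, customFields={})] eligibility for authentication handler [AD]>",
    "2021-01-01 19:21:32,215 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Handling LDAP account state error [LOGON_FAILURE]>",
    "2021-01-01 19:21:32,216 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[AD] exception details: [Invalid credentials].>",
    "2021-01-01 19:21:32,216 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=testaccount, source=null, customFields={})] eligibility for authentication handler [GENERIC]>",
    "2021-01-01 19:22:05,001 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=otheruser, source=null, customFields={})] eligibility for authentication handler [AD]>",
]
```

Running find_fallthroughs(SAMPLE_LOG) returns a single record for testaccount: AD failed with "Invalid credentials" and the chain continued to GENERIC, while the clean attempt by otheruser is not reported.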