It's been a while since I looked at this, but I believe if you don't have
any grace logins remaining then you'll get err=49.
If you want users to be able to successfully authenticate with an expired
password you'll have to configure some number of grace logins.

--Daniel Fisher

On Tue, Apr 21, 2015 at 11:47 AM, Raymond Drew Walker <ray.wal...@nau.edu>
wrote:

>   Misagh,
>
>  The answer to your first question is yes.
>
>  Our authn source is LDAP (UnboundID).
>
>  The login-webflow.xml is stock so there is no transition config to post
> (unless I’m misunderstanding your request.)
>
>  From what I can tell from the logs, the difference between the two scenarios
> is contained only in the extended LDAP response information, not in any
> response codes.
>
>  The logs look something like this:
>
>  Good password & Expired (note: “LDAP: error code 49 - Rejecting a bind
> request for user X=X,ou=people,dc=nau,dc=edu because that user's password
> is expired")
>  2015-04-08 13:34:36,777 DEBUG
> [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response:
> [org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]],
> accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null,
> accountErrors=[PASSWORD_EXPIRED]], result=false,
> resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
> Rejecting a bind request for user X=X,ou=people,dc=nau,dc=edu because that
> user's password is expired],
> controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false,
> timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
> 2015-04-08 13:34:36,778 DEBUG
> [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying
> password policy to 
> [org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=naueduregid=X,ou=people,dc=nau,dc=edu[]],
> accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null,
> accountErrors=[PASSWORD_EXPIRED]], result=false,
> resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 -
> Rejecting a bind request for user X=X,ou=people,dc=nau,dc=edu because that
> user's password is expired],
> controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false,
> timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
> 2015-04-08 13:34:36,778 DEBUG
> [org.jasig.cas.authentication.support.DefaultAccountStateHandler] -
> Handling PASSWORD_EXPIRED
>
>  Bad password & Expired (note: "LDAP: error code 49 - The password
> provided by the user did not match any password(s) stored in the user's
> entry”)
> 2015-04-14 13:51:06,204 DEBUG
> [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response:
> [org.ldaptive.auth.AuthenticationResponse@1179554844::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]],
> accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1356717651::accountWarnings=null,
> accountErrors=[PASSWORD_EXPIRED]], result=false,
> resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 - The
> password provided by the user did not match any password(s) stored in the
> user's entry],
> controls=[[org.ldaptive.control.PasswordPolicyControl@448359676::criticality=false,
> timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
> 2015-04-14 13:51:06,205 DEBUG
> [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying
> password policy to 
> [org.ldaptive.auth.AuthenticationResponse@1179554844::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
> ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]],
> accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1356717651::accountWarnings=null,
> accountErrors=[PASSWORD_EXPIRED]], result=false,
> resultCode=INVALID_CREDENTIALS,
> message=javax.naming.AuthenticationException: [LDAP: error code 49 - The
> password provided by the user did not match any password(s) stored in the
> user's entry],
> controls=[[org.ldaptive.control.PasswordPolicyControl@448359676::criticality=false,
> timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
> 2015-04-14 13:51:06,206 DEBUG
> [org.jasig.cas.authentication.support.DefaultAccountStateHandler] -
> Handling PASSWORD_EXPIRED
>
>  I’m currently looking into our LDAP config options to see if anything
> can be tweaked to provide more info to LPPE.
>   --
> Raymond Walker
> Software Systems Engineer StSp.
> ITS Northern Arizona University
>
>   From: Misagh Moayyed
> Reply-To: "cas-user@lists.jasig.org"
> Date: Tuesday, April 21, 2015 at 12:33 AM
> To: "cas-user@lists.jasig.org"
> Subject: Re: [cas-user] LPPE expired password flow
>
>   So what you are saying is, regardless of the password if the account
> has an expired status you are redirected to the expired-password screen?
>
>  This is strange. I don’t think account status can be determined without
> first fully authenticating the user. What is your authn source? Could you
> share your transitions configuration and the logs?
>
> - Misagh
>
>  On Apr 20, 2015, at 11:42 PM, Raymond Drew Walker <ray.wal...@nau.edu>
> wrote:
>
>   All,
>
>  Noticing interesting default behavior for logins with expired passwords
> that are also using incorrect passwords (neither expired nor valid). The
> user is still transitioned to the casExpiredPassView.url
>
>  Is this expected behavior for users entering bad passwords?
>
>  I suppose this behavior could allow for users attempting to scrape user
> logins for expired users as part of a larger vector of attack (social, etc.)
>
>  Is there a preferred method to correct this behavior as to not reveal
> the existence of an account when an incorrect password is used?
>
>  I have not checked this behavior for the password warning or other
> “handleAuthenticationFailure” transitions.
>   --
> Raymond Walker
> Software Systems Engineer StSp.
> ITS Northern Arizona University
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as: 
> mmoay...@unicon.net
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>
>

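Added example, not part of the thread and not CAS, ldaptive or UnboundID code: a small model of the two binds Raymond logged (correct password vs. wrong password against an expired entry, both answered with resultCode 49 and a password policy control carrying error=PASSWORD_EXPIRED) and of Daniel's grace-login point. A stand-in directory implements the control fields visible in the logs (timeBeforeExpiration, graceAuthNsRemaining, error) with and without grace logins, and two account-state handlers map each response to a CAS-style view: one that acts on the control's error whenever it is present, as the "Handling PASSWORD_EXPIRED" lines show, and one that reveals account state only after a successful bind. The DN, the password, the view names and the assumption that the server still reports the entry's expired state on a wrong password are mine, not from the thread.

```python
"""Constructed model of expired-password bind outcomes and their handling.
Not CAS/ldaptive/UnboundID code; DN, password, view names and the server's
behaviour on a wrong password are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SUCCESS = 0
INVALID_CREDENTIALS = 49  # resultCode of every rejected bind in the logs


@dataclass
class PasswordPolicyControl:
    time_before_expiration: Optional[int] = None
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None  # e.g. "PASSWORD_EXPIRED"


@dataclass
class BindResponse:
    result_code: int
    diagnostic_message: str
    control: PasswordPolicyControl


@dataclass
class Account:
    dn: str
    password: str
    expired: bool = False
    grace_remaining: int = 0  # configured grace logins not yet used


class Directory:
    """Bind plus ppolicy evaluation, reduced to what the thread needs."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts = {a.dn: a for a in accounts}

    def bind(self, dn: str, password: str) -> BindResponse:
        acct = self.accounts.get(dn)
        if acct is None or password != acct.password:
            ctrl = PasswordPolicyControl()
            if acct is not None and acct.expired:
                # Assumption matching the second log: on a wrong password the
                # control still describes the entry's expired state.
                ctrl.time_before_expiration = 0
                ctrl.grace_authns_remaining = acct.grace_remaining
                if acct.grace_remaining == 0:
                    ctrl.error = "PASSWORD_EXPIRED"
            return BindResponse(INVALID_CREDENTIALS, "password did not match", ctrl)
        if not acct.expired:
            return BindResponse(SUCCESS, "", PasswordPolicyControl())
        if acct.grace_remaining == 0:
            # Correct password, expired, no grace left: Daniel's err=49 case.
            return BindResponse(INVALID_CREDENTIALS, "password is expired",
                                PasswordPolicyControl(0, 0, "PASSWORD_EXPIRED"))
        acct.grace_remaining -= 1  # bind succeeds and consumes one grace login
        return BindResponse(SUCCESS, "", PasswordPolicyControl(0, acct.grace_remaining))


def leaky_handler(resp: BindResponse) -> str:
    """Acts on the control's error whenever present, regardless of bind result,
    which is what the logs show: 'Handling PASSWORD_EXPIRED' for both binds."""
    if resp.control.error == "PASSWORD_EXPIRED":
        return "casExpiredPassView"
    if resp.result_code != SUCCESS:
        return "casLoginView"  # generic failure
    if resp.control.grace_authns_remaining is not None:
        return "casMustChangePassView"
    return "serviceTicket"


def hardened_handler(resp: BindResponse) -> str:
    """Reveals account state only after a successful bind. Every failed bind gets
    the same view, so a wrong password says nothing about whether the entry exists
    or is expired; the price is that an expired user needs a grace login to get in."""
    if resp.result_code != SUCCESS:
        return "casLoginView"
    if resp.control.grace_authns_remaining is not None:
        return "casMustChangePassView"
    return "serviceTicket"


def outcomes(grace_logins: int) -> Dict[str, Dict[str, str]]:
    """Views for a wrong and then a correct password against one expired account."""
    dn = "uid=alice,ou=people,dc=example,dc=edu"  # constructed entry
    views: Dict[str, Dict[str, str]] = {}
    for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        directory = Directory([Account(dn, "correct-horse", True, grace_logins)])
        views[name] = {
            "bad_password": handler(directory.bind(dn, "wrong")),
            "good_password": handler(directory.bind(dn, "correct-horse")),
        }
    return views


def leaks_account_state(views: Dict[str, str]) -> bool:
    """A wrong password should always land on the generic failure view."""
    return views["bad_password"] != "casLoginView"


if __name__ == "__main__":
    for grace in (0, 1):
        for name, views in outcomes(grace).items():
            print(f"grace={grace} {name:9s} {views} leaks={leaks_account_state(views)}")
```

With no grace logins, the handler that acts on the control's error sends both the right and the wrong password to the expired-password view, which is the account oracle Raymond describes; the bind-first handler closes that but also locks the legitimate expired user out, since the correct password never binds. With one grace login configured, the correct password binds (with graceAuthNsRemaining in the control) and the wrong one fails generically, so either handler behaves. Note the caveat: once a user has consumed the configured grace logins, the directory is back to the grace=0 case and the error-first handler leaks again, so grace logins alone do not remove the oracle for accounts that have used them up.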