Yes, you should be able to set providers with CAS4. What I don't know for sure is whether it would help with this particular problem, but it seems nonetheless something you may want to set.

The solution is probably something that you need to configure with your LDAP source. It is returning the wrong flag, or, as Daniel mentioned, you may want to experiment with grace logins.

From: Raymond Drew Walker [mailto:ray.wal...@nau.edu]
Sent: Thursday, April 23, 2015 1:52 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LPPE expired password flow

I had pretty much the same thing written up... (good to know I'm on the right track!), at least for the effect of the "org.ldaptive.DefaultConnectionFactory" based bean. This did not work.

I should mention that I'm running CAS 4.0.0. Is your posted solution expected to work on this version?

--
Raymond Walker
Software Systems Engineer
StSp. ITS Northern Arizona University

From: Misagh Moayyed
Reply-To: cas-user@lists.jasig.org
Date: Tuesday, April 21, 2015 at 11:06 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] LPPE expired password flow

I'll attempt to update our docs, but for the time being, this should work for you:
https://github.com/Jasig/cas/blob/master/cas-server-support-ldap/src/test/resources/ldap-context.xml#L42

You'll also need to make sure the ldaptive-unboundid dependency is available to CAS in your pom:

    <dependency>
      <groupId>org.ldaptive</groupId>
      <artifactId>ldaptive-unboundid</artifactId>
      <version>${ldaptive.version}</version>
      <scope>runtime</scope>
    </dependency>

From: Raymond Drew Walker [mailto:ray.wal...@nau.edu]
Sent: Tuesday, April 21, 2015 10:53 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LPPE expired password flow

Misagh,

I'm still looking into options for the UnboundID response modification. Ldaptive's documentation is lacking in the area of provider specification, at least for Spring. Rather, it's only mentioned as a JVM property setting:
http://www.ldaptive.org/docs/guide/providers#TOC-UnboundID-Provider

If possible, I'd rather opt to configure this in the deployerConfigContext.xml. Is this possible? If so, how? I've tried a few different attempts to make this happen, but have been unsuccessful as of yet.

--
Raymond Walker
Software Systems Engineer
StSp. ITS Northern Arizona University

From: Misagh Moayyed
Reply-To: cas-user@lists.jasig.org
Date: Tuesday, April 21, 2015 at 9:16 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] LPPE expired password flow

So it looks like, judging by your logs, that CAS is handling the error correctly. In both cases, the error that is returned from the authentication event is password-expired. This may be an issue with your UnboundID provider. In your DefaultConnectionFactory, are you specifying the provider as UnboundID? That might help better translate the error for CAS.

From: Raymond Drew Walker [mailto:ray.wal...@nau.edu]
Sent: Tuesday, April 21, 2015 8:47 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LPPE expired password flow

Misagh,

The answer to your first question is yes. Our authn source is LDAP (UnboundID). The login-webflow.xml is stock, so there is no transition config to post (unless I'm misunderstanding your request.)

From what I can tell from the logs, the difference between the two scenarios is only contained in the extended LDAP response information, not in any response codes. The logs look something like this:

Good password & Expired (note: "LDAP: error code 49 - Rejecting a bind request for user X=X,ou=people,dc=nau,dc=edu because that user's password is expired")

2015-04-08 13:34:36,777 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Rejecting a bind request for user X=X,ou=people,dc=nau,dc=edu because that user's password is expired], controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-08 13:34:36,778 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=naueduregid=X,ou=people,dc=nau,dc=edu[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Rejecting a bind request for user X=X,ou=people,dc=nau,dc=edu because that user's password is expired], controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-08 13:34:36,778 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling PASSWORD_EXPIRED

Bad password & Expired (note: "LDAP: error code 49 - The password provided by the user did not match any password(s) stored in the user's entry")

2015-04-14 13:51:06,204 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: [org.ldaptive.auth.AuthenticationResponse@1179554844::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1356717651::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - The password provided by the user did not match any password(s) stored in the user's entry], controls=[[org.ldaptive.control.PasswordPolicyControl@448359676::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-14 13:51:06,205 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1179554844::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1356717651::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - The password provided by the user did not match any password(s) stored in the user's entry], controls=[[org.ldaptive.control.PasswordPolicyControl@448359676::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-14 13:51:06,206 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling PASSWORD_EXPIRED

I'm currently looking into our LDAP config options to see if anything can be tweaked to provide more info to LPPE.

--
Raymond Walker
Software Systems Engineer
StSp. ITS Northern Arizona University

From: Misagh Moayyed
Reply-To: cas-user@lists.jasig.org
Date: Tuesday, April 21, 2015 at 12:33 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] LPPE expired password flow

So what you are saying is, regardless of the password, if the account has an expired status you are redirected to the expired-password screen? This is strange. I don't think account status can be determined without first fully authenticating the user. What is your authn source? Could you share your transitions configuration and the logs?

- Misagh

On Apr 20, 2015, at 11:42 PM, Raymond Drew Walker <ray.wal...@nau.edu> wrote:

All,

Noticing interesting default behavior for logins with expired passwords that are also using incorrect passwords (neither expired nor valid). The user is still transitioned to the casExpiredPassView.url

Is this expected behavior for users entering bad passwords? I suppose this behavior could allow users attempting to scrape user logins for expired users as part of a larger vector of attack (social, etc.)

Is there a preferred method to correct this behavior so as to not reveal the existence of an account when an incorrect password is used? I have not checked this behavior for the password warning or other "handleAuthenticationFailure" transitions.

--
Raymond Walker
Software Systems Engineer
StSp.
ITS Northern Arizona University

--
You are currently subscribed to cas-user@lists.jasig.org as: mmoay...@unicon.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
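The enumeration concern raised in the original question, worked through as an added example (this is not CAS, ldaptive or NAU code, and the two log lines are constructed to mirror the ones quoted above, with placeholder DNs and object hashes). It parses the fields the account-state decision depends on out of each ldaptive dump and contrasts two routing rules: one that acts on the PasswordPolicyControl error alone, which is the behaviour the logs show and which sends a wrong-password attempt on an expired account to the expired-password view, and one that additionally requires the server's code-49 diagnostic to say the bind was rejected for expiry. The view names `casExpiredPassView` is the one named in the thread; `authenticationFailure` and the diagnostic wording are assumptions.

```python
import re

# Constructed log lines modelled on the two ldaptive AuthenticationResponse dumps
# quoted in the thread. DNs, timestamps and object hashes are placeholders.
GOOD_PASSWORD_EXPIRED = (
    "2015-04-08 13:34:36,777 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - "
    "LDAP response: [org.ldaptive.auth.AuthenticationResponse@1::"
    "authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, "
    "ldapEntry=[dn=uid=alice,ou=people,dc=example,dc=edu[]], "
    "accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@2::"
    "accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], "
    "result=false, resultCode=INVALID_CREDENTIALS, "
    "message=javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "Rejecting a bind request for user uid=alice,ou=people,dc=example,dc=edu "
    "because that user's password is expired], "
    "controls=[[org.ldaptive.control.PasswordPolicyControl@3::criticality=false, "
    "timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]"
)

BAD_PASSWORD_EXPIRED = (
    "2015-04-14 13:51:06,204 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - "
    "LDAP response: [org.ldaptive.auth.AuthenticationResponse@4::"
    "authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, "
    "ldapEntry=[dn=uid=alice,ou=people,dc=example,dc=edu[]], "
    "accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@5::"
    "accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], "
    "result=false, resultCode=INVALID_CREDENTIALS, "
    "message=javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "The password provided by the user did not match any password(s) "
    "stored in the user's entry], "
    "controls=[[org.ldaptive.control.PasswordPolicyControl@6::criticality=false, "
    "timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]"
)

_RESULT_CODE = re.compile(r"resultCode=(\w+)")
_PPOLICY_ERROR = re.compile(r"PasswordPolicyControl@\w+::.*?error=(\w+)")
_DIAGNOSTIC = re.compile(r"\[LDAP: error code (\d+) - (.*?)\]")


def parse_response(log_line):
    """Extract the bind result, the password-policy control error and the
    server's diagnostic message from one ldaptive response dump."""
    result = _RESULT_CODE.search(log_line)
    ppolicy = _PPOLICY_ERROR.search(log_line)
    diag = _DIAGNOSTIC.search(log_line)
    return {
        "resultCode": result.group(1) if result else None,
        "ppolicyError": ppolicy.group(1) if ppolicy else None,
        "ldapCode": int(diag.group(1)) if diag else None,
        "diagnostic": diag.group(2) if diag else "",
    }


EXPIRED_PASSWORD_VIEW = "casExpiredPassView"   # transition target named in the thread
GENERIC_FAILURE_VIEW = "authenticationFailure"  # placeholder name, not a CAS webflow state


def route_on_control_only(resp):
    """Model of what the thread's logs show: PASSWORD_EXPIRED on the control
    alone selects the expired-password flow, whether or not the password was right."""
    if resp["ppolicyError"] == "PASSWORD_EXPIRED":
        return EXPIRED_PASSWORD_VIEW
    return GENERIC_FAILURE_VIEW


# Directory-specific wording of an expiry rejection (the text seen in the
# thread's UnboundID logs). Any other code-49 diagnostic is a credential mismatch.
_EXPIRY_REJECTION = re.compile(r"password is expired")


def route_on_control_and_diagnostic(resp):
    """Hardened model: surface the expired-password flow only when the server
    says the bind was rejected because of expiry; a wrong password for an
    expired account gets the same generic failure as any other bad login."""
    if (resp["ppolicyError"] == "PASSWORD_EXPIRED"
            and resp["ldapCode"] == 49
            and _EXPIRY_REJECTION.search(resp["diagnostic"])):
        return EXPIRED_PASSWORD_VIEW
    return GENERIC_FAILURE_VIEW


def leaks_account_state(route):
    """True if a wrong password on an expired account still reaches a view that
    only an existing, expired account can reach: an unauthenticated oracle."""
    return route(parse_response(BAD_PASSWORD_EXPIRED)) == EXPIRED_PASSWORD_VIEW


if __name__ == "__main__":
    for name, route in (("control only", route_on_control_only),
                        ("control + diagnostic", route_on_control_and_diagnostic)):
        good = route(parse_response(GOOD_PASSWORD_EXPIRED))
        bad = route(parse_response(BAD_PASSWORD_EXPIRED))
        print(f"{name:22s} good/expired -> {good}, bad/expired -> {bad}, "
              f"leaks account state: {leaks_account_state(route)}")
```

The diagnostic string is the only signal in the quoted logs that separates the two cases, and it is specific to the directory in use, so a check like the hardened one is a stopgap at the CAS side; the advice in the thread to make the LDAP source return the right flag (or to use grace logins) is the durable fix, since then the control itself no longer claims expiry for a mismatched password.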