Thanks Daniel & Misagh, Just to be certain, I rebuilt with 4.0.3; I was already using Ldaptive 1.0.6.
My authentication response handler is in fact set to the *ActiveDirectoryAuthenticationResponseHandler* in my deployer file. Since I'm using the main AD server to test this out, the Windows admin made a separate group policy with a 1 day expiration on passwords; my "castester" user is the only person in that group and the only user that the policy applies to. Can/does CAS distinguish between group policies, or only apply the policy for the entire OU? My logs come back with accountState=null for the "castester" user. When I log in with my own user account, I also get the accountState=null in the logs, and I am not part of the same group as "castester." Should the AD always come back with an accountState? If so, should I have the Windows admin double check the set up? On Fri, Jul 24, 2015 at 11:34 AM, Misagh Moayyed <mmoay...@unicon.net> wrote: > Not sure the issue is related to the fix in 4.0.3 The log indicates that > no account state is passed back to CAS. Is your configuration using the > ActiveDirectory response handler? That might be relevant in passing back > the account state over to CAS. > > > > Something like this perhaps: > > > > <bean id="authenticator" class="org.ldaptive.auth.Authenticator" > > c:resolver-ref="dnResolver" > > c:handler-ref="authHandler"> > > <property name="authenticationResponseHandlers"> > > <util:list> > > <bean > class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" > /> > > </util:list> > > </property> > > </bean> > > > > *From:* Daniel Fisher [mailto:dfis...@vt.edu] > *Sent:* Friday, July 24, 2015 10:56 AM > *To:* cas-user@lists.jasig.org > *Subject:* Re: [cas-user] CAS 4 & LPPE & Active Directory, > "accountState=null" > > > > On Thu, Jul 23, 2015 at 3:37 PM, Mike Seiler <michaelsei...@fuller.edu> > wrote: > > I'm trying to get LPPE working with the new CAS 4.0 server, but am finding > that the policies don't seem to be enforced, even though I have set the > maximum password age (on the AD side) to 1 day. > > > > > > Are you using the latest version? (4.0.3) The release notes indicate fixes > related LPPE. > > > > --Daniel Fisher > > > > > > -- > > You are currently subscribed to cas-user@lists.jasig.org as: > mmoay...@unicon.net > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- > You are currently subscribed to cas-user@lists.jasig.org as: > michaelsei...@fuller.edu > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- *Michael Seiler* -------------------------------------------------- Systems Integration Engineer Fuller Theological Seminary Phone: (970) 306-6105 michaelsei...@fuller.edu *Fuller Summer Hours:* Please note that all Fuller offices will be closed on Fridays from 7/3-8/28 *Mike's Vacation Notice:* From 7/3-8/28 I will also be taking Mondays off, and will be out of the office for vacation 7/31 - 8/31 *Please NOTE:* I respond to email at 8 AM, 1PM, and at 4:30PM. If you need more immediate help, please contact TSS (626.584.5675) and they can route the issue to the appropriate person. If this is a business process life or death emergency, you may call me at the above number. -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
