LPPE Update 2011.08.30

I've been polishing the LPPE code on the feature branch with the
intent to make the integration touch points as small as possible.

So far I've been able to remove the forked LdapCasImpl (thanks for the
tip, Marvin) which also knocked out LdapCas interface and the forked
applicationContext.xml to configure it.  So three files gone and still
working! :)

I started down the path of merging LdapPwdAuthNViaFormAction with the
core AuthenticationViaForm action, but LPAVFA has a dep on
cas-server-support-ldap and AVF is in cas-server-core...so no dice.
It would be nice to figure out how to pull this off as it would also
knock out changes needed in cas-servlet.xml.

Next on my hit list is the forked BindAuthenticationHandler.

I'm hoping to get to a place where this feature can be turned on/off
with minimal configuration and compatible with a 3.5 release.

At this point to try this at home you would:

a) check out and build CAS-3.4.10-LPPE-SNAPSHOT and install in a local
mvn repo  (mvn clean package install)
https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/

b) create a maven overlay with these dependencies using
CAS-3.4.10-LPPE-SNAPSHOT as the cas version
        <!-- CAS LDAP support -->
        <dependency>
             <groupId>org.jasig.cas</groupId>
             <artifactId>cas-server-support-ldap</artifactId>
             <version>${cas.version}</version>
             <scope>runtime</scope>
        </dependency>

        <!-- CAS LDAP Password Policy support  -->
        <dependency>
             <groupId>org.jasig.cas</groupId>
             <artifactId>cas-server-support-ldap-ppolicy</artifactId>
             <version>${cas.version}</version>
             <scope>runtime</scope>
        </dependency>

c) add the following changes to the maven overlay:

login-webflow.xml
copy from LPPE into maven overlay and uncomment/comment out
<decision-state id="warn"> so you have the one with the
PasswordWarningCheck.

message_en.properties
copy from LPPE into maven overlay and add your change password URL
and messages.

deployerConfigContext.xml
use <bean class="org.jasig.cas.adaptors.ldappwd.BindLdapAuthenticationHandler"> for your AuthN Handler
add the following configuration:
<!-- Chain of LDAP bind error processors; each one hands an error it does not
     recognise on to nextItem -->
<bean id="firstErrorProcessor"
      class="org.jasig.cas.adaptors.ldappwd.util.ExpiredPasswordErrorProcessor">
    <property name="nextItem">
        <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountLockedErrorProcessor">
            <property name="nextItem">
                <bean class="org.jasig.cas.adaptors.ldappwd.util.MustChangePasswordErrorProcessor">
                    <property name="nextItem">
                        <bean class="org.jasig.cas.adaptors.ldappwd.util.BadHoursErrorProcessor">
                            <property name="nextItem">
                                <bean class="org.jasig.cas.adaptors.ldappwd.util.BadWorkstationErrorProcessor">
                                    <property name="nextItem">
                                        <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountDisabledErrorProcessor" />
                                    </property>
                                </bean>
                            </property>
                        </bean>
                    </property>
                </bean>
            </property>
        </bean>
    </property>
</bean>

<bean id="PasswordWarningCheckAction"
      class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
    <property name="passwordWarningCheck" ref="passwordWarningCheck" />
</bean>

<bean id="passwordWarningCheck"
      class="org.jasig.cas.adaptors.ldappwd.LdapPasswordWarningCheck">
    <property name="searchBase" value="${ldap.searchBase}" />
    <property name="contextSource" ref="contextSource" />
    <property name="filter" value="sAMAccountName=%u" />
    <!-- fix because of how AD returns results -->
    <property name="ignorePartialResultException" value="yes" />

    <!-- Warn all users of expiration date regardless of warningDays value -->
    <property name="warnAll" value="true" />

    <!-- Date format for value from dateAttribute, see
         http://java.sun.com/j2se/1.4.2/docs/api/java/text/SimpleDateFormat.html -->
    <property name="dateFormat" value="ActiveDirectory" />

    <!-- Calculate expiration time based on the last password change time -->
    <property name="warningCheckType" value="change" />
    <!-- LDAP attribute that stores the last password change time -->
    <property name="dateAttribute" value="pwdlastset" />
    <!-- LDAP attribute that stores the user's personal setting for the
         number of days to warn before expiration -->
    <property name="warningDaysAttribute" value="passwordwarningdays" />
    <!-- LDAP attribute that stores the custom setting for the number of
         days a password is valid -->
    <property name="validDaysAttribute" value="maxPwdAge" />

    <!-- These values are used if warningDaysAttribute or validDaysAttribute
         are not found -->
    <property name="warningDays" value="30" />
    <property name="validDays" value="180" />

    <!-- Use expiration time/date from LDAP server -->
    <!-- <property name="warningCheckType" value="expire" /> -->
    <!-- <property name="dateAttribute" value="passwordexpirationtime" /> -->
    <!-- <property name="warningDaysAttribute" value="passwordwarningdays" /> -->

    <!-- Typical ActiveDirectory Config options
    <property name="contextSource" ref="pwdCheckContextSource" />
    <property name="searchBase" value="ou=Accounts,DC=example,DC=edu" />
    <property name="filter" value="samaccountname=%u" />
    <property name="warnAll" value="false" />
    <property name="dateFormat" value="ActiveDirectory" />
    <property name="warningCheckType" value="change" />
    <property name="dateAttribute" value="pwdlastset" />
    <property name="validDaysAttribute" value="maxPwdAge" />
    <property name="warningDaysAttribute" value="passwordwarningdays" />
    -->
</bean>

That's it!  mvn clean package and deploy cas.war and you should be good to go.

I still haven't been able to exercise all the error conditions.  I'm
hoping to get to that before the end of the week.

Best,
Bill
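Added example, not part of Bill's message or the LPPE module: a Python sketch of the warningCheckType="change" arithmetic that the passwordWarningCheck bean above is configured for, decoding AD's pwdLastSet (100-ns ticks since 1601) and maxPwdAge (negative interval) and applying the warningDays/validDays defaults. Function names, the dict-of-attributes input and the sample dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond
# ticks since 1601-01-01 UTC. maxPwdAge uses the same unit, stored negative.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 10_000_000 * 86_400


def ad_filetime_to_datetime(ticks):
    """pwdLastSet value -> aware UTC datetime (truncated to microseconds)."""
    return AD_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_ad_filetime(dt):
    """Inverse of the above; used here only to build constructed sample data."""
    return ((dt - AD_EPOCH) // timedelta(microseconds=1)) * 10


def ad_interval_to_days(ticks):
    """maxPwdAge (negative 100-ns interval) -> whole days."""
    return abs(int(ticks)) // TICKS_PER_DAY


def password_warning(entry, now, warning_days=30, valid_days=180, warn_all=False):
    """Mirror warningCheckType="change": expiry = last change + validity period.

    entry is a dict of LDAP attribute values (strings, as returned by LDAP).
    Per-entry maxPwdAge / passwordwarningdays override the defaults, the way
    validDaysAttribute / warningDaysAttribute do in the config above.
    Returns (status, days_left).
    """
    last_set = int(entry.get("pwdlastset", 0))
    if last_set == 0:
        # AD sets pwdLastSet to 0 for "user must change password at next logon".
        return "must_change", 0
    if "maxPwdAge" in entry:
        valid_days = ad_interval_to_days(entry["maxPwdAge"])
    if "passwordwarningdays" in entry:
        warning_days = int(entry["passwordwarningdays"])
    expiry = ad_filetime_to_datetime(last_set) + timedelta(days=valid_days)
    days_left = (expiry - now).days
    if days_left < 0:
        return "expired", days_left
    if warn_all or days_left <= warning_days:
        return "warn", days_left
    return "ok", days_left


# Constructed sample: password last changed 2011-08-01, checked on 2011-08-30.
NOW = datetime(2011, 8, 30, tzinfo=timezone.utc)
SAMPLE = {"pwdlastset": str(datetime_to_ad_filetime(datetime(2011, 8, 1, tzinfo=timezone.utc)))}

if __name__ == "__main__":
    print(password_warning(SAMPLE, NOW))            # ("ok", 151)
    print(password_warning(SAMPLE, NOW, warn_all=True))  # ("warn", 151)
```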


On Fri, Aug 26, 2011 at 5:12 PM, William G. Thompson, Jr.
<[email protected]> wrote:
> LPPE Update
>
> I've completed the merge of LPPE into the feature branch on
> https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/ such
> that I can build and install CAS 3.4.10-LPPE-SNAPSHOT in my local mvn
> repo.  This allows me to build a cas server with the feature via
> simple local maven overlay.  To get it to work you need to pull in the
> configuration files in the resources directory of
> https://source.jasig.org/sandbox/cas-password-policy/branches/cas-server-support-ldap-pwd-expiration-3.4.x/
>
> I have it working with Active Directory and could induce the PasswordWarning
> screen.
>
> I still need to spend some more time with the code and exercising
> features.  I'd like to arrive at a maintainable approach for this
> feature for CAS3 in the near term.  Would love some collaboration,
> thoughts, comments on how best to improve on this and help identifying
> any blockers for inclusion in CAS 3.5.
>
> This work is being driven by requirements at Lamar University.
>
> Best,
> Bill
>
>
> On Thu, Aug 25, 2011 at 9:11 PM, William G. Thompson, Jr.
> <[email protected]> wrote:
>> Folks,
>>
>> I've started a feature branch off of 3.4.10 to investigate
>> incorporating LPPE into the baseline here:
>> https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/
>>
>> The lppe module (cas-server-support-ldap-ppolicy) is mostly additions,
>> and it looks like they can be easily bypassed via a comment switch in
>> login-flow.xml.  However, the module does carry forks of CASImpl,
>> BindAuthNHandler, and AuthenticationViaFormAction to plug in the ldap
>> error handling code.  These will have to be reconciled somehow.
>>
>> For now, I'm just using the forked code to get it to work plus a maven
>> overlay with the enabling configuration in:
>> * login-webflow.xml
>> * deployerConfigContext.xml
>> * applicationContext.xml
>> * cas-servlet.xml
>>
>> It's building and login/logout is working.  Hopefully tomorrow I can
>> get ppolicy behavior working.
>>
>> Bill
>>
>>
>> On Wed, Aug 24, 2011 at 5:27 PM, William G. Thompson, Jr.
>> <[email protected]> wrote:
>>> LPPE status update...
>>>
>>> 3.4.8 patch applied and tagged:
>>> https://source.jasig.org/sandbox/cas-password-policy/tags/cas-server-support-ldap-pwd-expiration-3.4.8/
>>>
>>> CAS 3.4.10 changes pulled into LPPE and tagged:
>>> https://source.jasig.org/sandbox/cas-password-policy/tags/cas-server-support-ldap-pwd-expiration-3.4.10/
>>>
>>> https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement
>>> updated with the current status.
>>>
>>> I have *not* run this code and have no idea if it is functional yet.
>>> I plan to do that next.
>>>
>>> Generally it looks like this module is mostly additions with very few
>>> modifications.  At first glance it seems like it could be incorporated
>>> into the core with modest evolution.  Check out the merge notes
>>> here:
>>> https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enformcement+3.4.10+Upgrade+Notes
>>>
>>> Perhaps LPPE is a reasonable candidate for CAS 3.5.
>>>
>>> Also looks like it might be possible to split this out into a module
>>> (jars), plus a maven overlay.  Would appreciate feedback from folks on
>>> how they are incorporating this code today.
>>>
>>> Best,
>>> Bill
>>>
>>>
>>>
>>> On Tue, Aug 23, 2011 at 10:24 AM, William G. Thompson, Jr.
>>> <[email protected]> wrote:
>>>> Folks,
>>>>
>>>> I'm working on a new CAS deployment based on 3.4.10.  We have a
>>>> requirement to implement LDAP Password Policy Enforcement.
>>>> https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement
>>>>
>>>> The wiki page describes the state of the module.  SVN is here:
>>>> https://source.jasig.org/sandbox/cas-password-policy/ and the latest
>>>> tag is for CAS 3.4.7.  There's also a patch file on the wiki for 3.4.8
>>>> that's not in SVN.
>>>>
>>>> I started a branch to track CAS 3.4.x here:
>>>> https://source.jasig.org/sandbox/cas-password-policy/branches/cas-server-support-ldap-pwd-expiration-3.4.x/
>>>>
>>>> I intend to apply the 3.4.8 patch, cut a tag, and then bring the 3.4.x
>>>> branch up to 3.4.10, and cut another tag.  I'd like to get to a
>>>> sustainable process and possibly figure out how to get this into the
>>>> core at some point if that makes sense.
>>>>
>>>> Appreciate any feedback, help, etc.
>>>>
>>>> Best,
>>>> Bill
>>>>
>>>
>>
>
