Great :-). I think I'll be able to build & test most cases tomorrow.

Since I've not put my customized CAS 3.4.8 into production in our organization, I'll take some time to test your 3.4.10 update and almost all cases against our Active Directory (the most difficult case to reproduce is a nearly expired or just expired account, so if anyone knows how to force pwdLastSet, please tell me!).

Rgds.

On 31/08/2011 02:54, William G. Thompson, Jr. wrote:
LPPE Update 2011.08.30

I've been polishing the LPPE code on the feature branch with the intent to make the integration touch points as small as possible. So far I've been able to remove the forked LdapCasImpl (thanks for the tip, Marvin), which also knocked out the LdapCas interface and the forked applicationContext.xml to configure it. So three files gone and still working! :)

I started down the path of merging LdapPwdAuthNViaFormAction with the core AuthenticationViaForm action, but LPAVFA has a dep on cas-server-support-ldap and AVF is in cas-server-core... so no dice. It would be nice to figure out how to pull this off, as it would also knock out changes needed in cas-servlet.xml. Next on my hit list is the forked BindAuthenticationHandler. I'm hoping to get to a place where this feature can be turned on/off with minimal configuration and compatible with a 3.5 release.

At this point, to try this at home you would:

a) check out and build CAS-3.4.10-LPPE-SNAPSHOT and install it in a local mvn repo (mvn clean package install):
   https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/

b) create a maven overlay with these dependencies, using CAS-3.4.10-LPPE-SNAPSHOT as the cas version:

   <!-- CAS LDAP support -->
   <dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-ldap</artifactId>
     <version>${cas.version}</version>
     <scope>runtime</scope>
   </dependency>
   <!-- CAS LDAP Password Policy support -->
   <dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-ldap-ppolicy</artifactId>
     <version>${cas.version}</version>
     <scope>runtime</scope>
   </dependency>

c) add the following changes to the maven overlay:

   login-webflow.xml: copy from LPPE into the maven overlay and uncomment/comment out <decision-state id="warn"> so you have the one with the PasswordWarningCheck.

   message_en.properties: copy from LPPE into the maven overlay and add your change password URL and messages.

   deployerConfigContext.xml: use <bean class="org.jasig.cas.adaptors.ldappwd.BindLdapAuthenticationHandler"> for your AuthN handler and add the following configuration:

   <bean id="firstErrorProcessor" class="org.jasig.cas.adaptors.ldappwd.util.ExpiredPasswordErrorProcessor">
     <property name="nextItem">
       <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountLockedErrorProcessor">
         <property name="nextItem">
           <bean class="org.jasig.cas.adaptors.ldappwd.util.MustChangePasswordErrorProcessor">
             <property name="nextItem">
               <bean class="org.jasig.cas.adaptors.ldappwd.util.BadHoursErrorProcessor">
                 <property name="nextItem">
                   <bean class="org.jasig.cas.adaptors.ldappwd.util.BadWorkstationErrorProcessor">
                     <property name="nextItem">
                       <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountDisabledErrorProcessor" />
                     </property>
                   </bean>
                 </property>
               </bean>
             </property>
           </bean>
         </property>
       </bean>
     </property>
   </bean>

   <bean id="PasswordWarningCheckAction" class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
     <property name="passwordWarningCheck" ref="passwordWarningCheck" />
   </bean>

   <bean id="passwordWarningCheck" class="org.jasig.cas.adaptors.ldappwd.LdapPasswordWarningCheck">
     <property name="searchBase" value="${ldap.searchBase}" />
     <property name="contextSource" ref="contextSource" />
     <property name="filter" value="sAMAccountName=%u" />
     <!-- fix because of how AD returns results -->
     <property name="ignorePartialResultException" value="yes" />
     <!-- Warn all users of expiration date regardless of warningDays value -->
     <property name="warnAll" value="true" />
     <!-- Date format for value from dateAttribute, see http://java.sun.com/j2se/1.4.2/docs/api/java/text/SimpleDateFormat.html -->
     <property name="dateFormat" value="ActiveDirectory" />
     <!-- Calculate expiration time based on the last password change time -->
     <property name="warningCheckType" value="change" />
     <!-- LDAP attribute that stores the last password change time -->
     <property name="dateAttribute" value="pwdlastset" />
     <!-- LDAP attribute that stores the user's personal setting for the number of days to warn before expiration -->
     <property name="warningDaysAttribute" value="maxPwdAge" />
     <!-- LDAP attribute that stores the custom setting for the number of days a password is valid -->
     <property name="validDaysAttribute" value="passwordwarningdays" />
     <!-- These values are used if warningDaysAttribute or validDaysAttribute are not found -->
     <property name="warningDays" value="30" />
     <property name="validDays" value="180" />
     <!-- Use expiration time/date from LDAP server -->
     <!--<property name="warningCheckType" value="expire" /> -->
     <!--<property name="dateAttribute" value="passwordexpirationtime" /> -->
     <!--<property name="warningDaysAttribute" value="passwordwarningdays" /> -->
     <!-- Typical ActiveDirectory Config options
     <property name="contextSource" ref="pwdCheckContextSource" />
     <property name="searchBase" value="ou=Accounts,DC=example,DC=edu" />
     <property name="filter" value="samaccountname=%u" />
     <property name="warnAll" value="false" />
     <property name="dateFormat" value="ActiveDirectory" />
     <property name="warningCheckType" value="change" />
     <property name="dateAttribute" value="pwdlastset" />
     <property name="validDaysAttribute" value="maxPwdAge" />
     <property name="warningDaysAttribute" value="passwordwarningdays" />
     -->
   </bean>

That's it! mvn clean package and deploy cas.war and you should be good to go.

I still haven't been able to exercise all the error conditions. I'm hoping to get to that before the end of the week.

Best,
Bill

On Fri, Aug 26, 2011 at 5:12 PM, William G. Thompson, Jr. <[email protected]> wrote:

LPPE Update

I've completed the merge of LPPE into the feature branch on https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/ such that I can build and install CAS 3.4.10-LPPE-SNAPSHOT in my local mvn repo. This allows me to build a cas server with the feature via a simple local maven overlay. To get it to work you need to pull in the configuration files in the resources directory of https://source.jasig.org/sandbox/cas-password-policy/branches/cas-server-support-ldap-pwd-expiration-3.4.x/

I have it working with Active Directory and could induce the PasswordWarning screen. I still need to spend some more time with the code and exercising features. I'd like to arrive at a maintainable approach for this feature for CAS3 in the near term. Would love some collaboration, thoughts, comments on how best to improve on this and help identifying any blockers for inclusion in CAS 3.5. This work is being driven by requirements at Lamar University.

Best,
Bill

On Thu, Aug 25, 2011 at 9:11 PM, William G. Thompson, Jr. <[email protected]> wrote:

Folks,

I've started a feature branch off of 3.4.10 to investigate incorporating LPPE into the baseline here: https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/

The lppe module (cas-server-support-ldap-ppolicy) is mostly additions, and it looks like they can be easily bypassed via a comment switch in login-flow.xml. However, the module does carry forks of CASImpl, BindAuthNHandler, and AuthenticationViaFormAction to plug in the ldap error handling code. These will have to be reconciled somehow. For now, I'm just using the forked code to get it to work plus a maven overlay with the enabling configuration in:

* login-webflow.xml
* deployerConfigContext.xml
* applicationContext.xml
* cas-servlet.xml

It's building and login/logout is working. Hopefully tomorrow I can get ppolicy behavior working.

Bill

On Wed, Aug 24, 2011 at 5:27 PM, William G. Thompson, Jr. <[email protected]> wrote:

LPPE status update...

3.4.8 patch applied and tagged: https://source.jasig.org/sandbox/cas-password-policy/tags/cas-server-support-ldap-pwd-expiration-3.4.8/
CAS 3.4.10 changes pulled into LPPE and tagged: https://source.jasig.org/sandbox/cas-password-policy/tags/cas-server-support-ldap-pwd-expiration-3.4.10/
https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement updated with the current status.

I have *not* run this code and have no idea if it is functional yet. I plan to do that next. Generally it looks like this module is mostly additions with very few modifications. At first glance it seems like it could be incorporated into the core with modest evolution. Check out the merge notes here: https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enformcement+3.4.10+Upgrade+Notes

Perhaps LPPE is a reasonable candidate for CAS 3.5. It also looks like it might be possible to split this out into a module (jars), plus a maven overlay. Would appreciate feedback from folks on how they are incorporating this code today.

Best,
Bill

On Tue, Aug 23, 2011 at 10:24 AM, William G. Thompson, Jr. <[email protected]> wrote:

Folks,

I'm working on a new CAS deployment based on 3.4.10. We have a requirement to implement LDAP Password Policy Enforcement: https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement

The wiki page describes the state of the module. SVN is here: https://source.jasig.org/sandbox/cas-password-policy/ and the latest tag is for CAS 3.4.7. There's also a patch file on the wiki for 3.4.8 that's not in SVN. I started a branch to track CAS 3.4.x here: https://source.jasig.org/sandbox/cas-password-policy/branches/cas-server-support-ldap-pwd-expiration-3.4.x/

I intend to apply the 3.4.8 patch, cut a tag, and then bring the 3.4.x branch up to 3.4.10, and cut another tag. I'd like to get to a sustainable process and possibly figure out how to get this into the core at some point if that makes sense. Appreciate any feedback, help, etc.

Best,
Bill
--
Philippe MARASSE
IT Department - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel: 05.49.44.57.19
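The passwordWarningCheck bean in the 3.4.10 update above is configured with warningCheckType "change": it takes the last password change time from pwdlastset in Active Directory's own timestamp format, adds the validity period, and shows the warning page when fewer than warningDays remain (or always, with warnAll). Below is a worked version of that calculation, added here as an illustration; it is not LPPE's or CAS's Java code, and the function names are mine. It follows the commented "Typical ActiveDirectory Config" block, which pairs maxPwdAge with validDaysAttribute (the active config above has maxPwdAge under warningDaysAttribute instead). pwdLastSet, maxPwdAge and the FILETIME encoding are real AD behaviour; the domain, users and "now" timestamp are constructed sample data. It also goes one step beyond the config by escaping the value substituted for %u in the search filter, so a user name cannot alter the filter's structure, and by handling the AD edge cases (pwdLastSet of 0, "never expires" maxPwdAge, already-expired accounts) that the thread says are hard to reproduce.

```python
"""Password-expiry warning logic for Active Directory, modelled on the LPPE
'change' check type: expiration = last password change + validity period.

Added example, not LPPE/CAS code. Function names are hypothetical;
pwdLastSet / maxPwdAge / sAMAccountName are real AD attributes; the domain,
users and timestamps below are constructed sample data.
"""
import math
from datetime import datetime, timedelta, timezone

# pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_DAY = 864_000_000_000
# maxPwdAge (on the domain object) is a negative 100-ns duration;
# the signed-int64 minimum means "passwords never expire".
MAXPWDAGE_NEVER = -0x8000000000000000


def filetime_to_datetime(value: int) -> datetime:
    """Convert an AD large-integer timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample entries."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def max_pwd_age_days(value: int):
    """Domain maxPwdAge -> validity in days, or None if passwords never expire."""
    if value in (0, MAXPWDAGE_NEVER):
        return None
    return abs(value) / HUNDRED_NS_PER_DAY


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(template: str, username: str) -> str:
    """Expand the LPPE-style '%u' placeholder with an escaped user name."""
    return template.replace("%u", escape_filter_value(username))


def check_password_warning(pwd_last_set: int, valid_days, warning_days: int,
                           now: datetime, warn_all: bool = False) -> dict:
    """Decide whether the login flow should show the password-warning page.

    Status is 'must_change' (pwdLastSet == 0, i.e. change at next logon),
    'never_expires', 'expired', 'warn' or 'ok', with expiry and days left.
    """
    if pwd_last_set == 0:
        return {"status": "must_change", "expires": None, "days_left": 0}
    if valid_days is None:
        return {"status": "never_expires", "expires": None, "days_left": None}
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=valid_days)
    remaining = expires - now
    days_left = math.floor(remaining.total_seconds() / 86400)
    if remaining <= timedelta(0):
        status = "expired"
    elif warn_all or days_left <= warning_days:
        status = "warn"
    else:
        status = "ok"
    return {"status": status, "expires": expires.isoformat(), "days_left": days_left}


# Constructed sample: a domain with a 90-day maximum password age, three users,
# and a fixed "now" so the results are reproducible.
NOW = datetime(2011, 8, 31, 12, 0, tzinfo=timezone.utc)
DOMAIN = {"maxPwdAge": -90 * HUNDRED_NS_PER_DAY}
USERS = {
    "alice": {"pwdLastSet": datetime_to_filetime(datetime(2011, 7, 1, tzinfo=timezone.utc))},
    "bob": {"pwdLastSet": datetime_to_filetime(datetime(2011, 1, 1, tzinfo=timezone.utc))},
    "carol": {"pwdLastSet": 0},  # flagged "must change password at next logon"
}


def run_check(username: str, warning_days: int = 30, warn_all: bool = False) -> dict:
    """Build the lookup filter the way the %u config does, fetch the sample
    entry, and evaluate the warning with the domain validity period."""
    result = {"filter": build_filter("sAMAccountName=%u", username)}
    entry = USERS.get(username)
    if entry is None:
        result["status"] = "not_found"
        return result
    result.update(check_password_warning(
        entry["pwdLastSet"], max_pwd_age_days(DOMAIN["maxPwdAge"]),
        warning_days, NOW, warn_all))
    return result


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "jdoe)(cn=*"):
        print(user, run_check(user))
```

With the sample data, alice (password set 1 July, 90-day maximum) has 28 days left on 31 August and gets the warning at warningDays=30 but not at 10, bob's password expired on 1 April, and carol is forced to change hers. Setting a test user's pwdLastSet to 0 is what produces the "must change" path; a nearly expired account is simulated here by the timestamps rather than by changing the directory.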
