LPPE Update 2011.09.01

I took a shot at merging the enhanced ldap exceptions and password
expiration warning directly into cas-server-ldap-support on the
feature branch:
https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/

I was able to directly merge the enhanced ldap exception handling and
translation hook into Bind- and FastBindAuthenticationHandler in a
non-intrusive way, thus doing away with the fork of
BindAuthenticationHandler.  The change is essentially catching general
exceptions during bind, and rethrowing them as more specific
exceptions if the errorProcessor finds a match.  The kinds of
exceptions it tries to match are configurable and the default is a
NoOp.  So you can wire the BindAH or FastBindAH as always.  And if you
want to enable enhanced LDAP exceptions you just add an additional
property for the errorProcessor and some bean config in
deployerConfigContext.xml.

All the other classes are new except for
LdapPwdAuthenticationViaFormAction, which is the piece that catches
the enhanced exceptions and will route to different views based on
them.  This is essentially a fork of AuthenticationViaFormAction that
has dependencies on the ldap module.

There are a bunch of new views, messages and webflow config that would
just lie dormant unless you turned on this feature via:

1) proper config in deployerConfigContext
2) overlay cas-servlet.xml to use LdapPwdAuthenticationViaFormAction
3) overlay login-flow.xml to use passwordWarningCheck

The feature is enabled by default on the feature branch so you don't
have to do steps 2 and 3.

To try this at home:
1) check out the feature branch, build and install
3.4.10-LPPE-SNAPSHOT in your local mvn repo
svn co https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/
mvn clean package install

2) create a maven overlay with this dependency using
CAS-3.4.10-LPPE-SNAPSHOT as the cas version
<!-- CAS LDAP support -->
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
    <scope>runtime</scope>
</dependency>

3) deployerConfigContext.xml additions:

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="contextSource" ref="contextSource" />
    <property name="searchContextSource" ref="pooledContextSource" />
    <property name="searchBase" value="${ldap.searchBase}" />
    <property name="filter" value="sAMAccountName=%u" />
    <property name="ignorePartialResultException" value="true" />
    <property name="errorProcessor" ref="firstErrorProcessor" />
</bean>

<bean id="firstErrorProcessor" class="org.jasig.cas.adaptors.ldap.util.ExpiredPasswordErrorProcessor">
    <property name="nextItem">
        <bean class="org.jasig.cas.adaptors.ldap.util.AccountLockedErrorProcessor">
            <property name="nextItem">
                <bean class="org.jasig.cas.adaptors.ldap.util.MustChangePasswordErrorProcessor">
                    <property name="nextItem">
                        <bean class="org.jasig.cas.adaptors.ldap.util.BadHoursErrorProcessor">
                            <property name="nextItem">
                                <bean class="org.jasig.cas.adaptors.ldap.util.BadWorkstationErrorProcessor">
                                    <property name="nextItem">
                                        <bean class="org.jasig.cas.adaptors.ldap.util.AccountDisabledErrorProcessor" />
                                    </property>
                                </bean>
                            </property>
                        </bean>
                    </property>
                </bean>
            </property>
        </bean>
    </property>
</bean>

This is working for me, although I still need to figure out how to
exercise all the error conditions.  Currently I can drive the password
warning check, password expired and the account disabled conditions.

I'm out of action for now until next Tuesday.

Best,
Bill
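
The errorProcessor chain this message describes (catch the generic bind failure, rethrow a specific exception when one processor in the chain matches, fall through to the NoOp end otherwise), as an added Python illustration rather than code from the CAS branch. The ErrorProcessor class, the exception names and the use of Active Directory's documented "data NNN" bind sub-codes as the match keys are assumptions of this example.

```python
import re

# Specific exceptions, one per processor in the chain wired in the message.
class LdapAuthError(Exception): pass
class PasswordExpiredError(LdapAuthError): pass
class AccountLockedError(LdapAuthError): pass
class MustChangePasswordError(LdapAuthError): pass
class BadHoursError(LdapAuthError): pass
class BadWorkstationError(LdapAuthError): pass
class AccountDisabledError(LdapAuthError): pass
# AD reports the real cause inside the bind diagnostic as "data NNN" (hex).
_DATA_CODE = re.compile(r"\bdata\s+([0-9a-f]+)\b", re.IGNORECASE)

class ErrorProcessor:
    """One link: raise its exception when the code matches, otherwise hand
    the message to nextItem; no nextItem is the NoOp end of the chain."""
    def __init__(self, code, exc, next_item=None):
        self.code, self.exc, self.next_item = code, exc, next_item

    def process(self, message):
        m = _DATA_CODE.search(message)
        if m and m.group(1).lower() == self.code:
            raise self.exc(message)
        if self.next_item is not None:
            self.next_item.process(message)
        # Nothing matched: return, so the caller re-raises its generic error.

def build_default_chain():
    """Same order as the firstErrorProcessor bean in the message; the AD
    sub-codes used as keys (532, 775, ...) are this example's assumption."""
    return ErrorProcessor("532", PasswordExpiredError,
           ErrorProcessor("775", AccountLockedError,
           ErrorProcessor("773", MustChangePasswordError,
           ErrorProcessor("530", BadHoursError,
           ErrorProcessor("531", BadWorkstationError,
           ErrorProcessor("533", AccountDisabledError))))))

def classify(message, chain=None):
    """Exception class the chain would rethrow, or None when the bind error
    should surface unchanged (e.g. a plain wrong password, data 52e)."""
    try:
        (chain or build_default_chain()).process(message)
    except LdapAuthError as e:
        return type(e)
    return None

# Constructed sample diagnostics in the usual AD bind-failure format.
EXPIRED = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"
WRONG_PW = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
```

A wrong password (data 52e) deliberately matches nothing, so it stays the generic bind failure and the login page does not reveal which accounts exist or why a bind was refused.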




On Tue, Aug 30, 2011 at 8:54 PM, William G. Thompson, Jr.
<[email protected]> wrote:
> LPPE Update 2011.08.30
>
> I've been polishing the LPPE code on the feature branch with the
> intent to make the integration touch points as small as possible.
>
> So far I've been able to remove the forked LdapCasImpl (thanks for the
> tip, Marvin) which also knocked out LdapCas interface and the forked
> applicationContext.xml to configure it.  So three files gone and still
> working! :)
>
> I started down the path of merging LdapPwdAuthNViaFormAction with the
> core AuthenticationViaForm action, but LPAVFA has a dep on
> cas-server-support-ldap and AVF is in cas-server-core...so no dice.
> It would be nice to figure out how to pull this off as it would also
> knock out changes needed in cas-servlet.xml.
>
> Next on my hit list is the forked BindAuthenticationHandler.
>
> I'm hoping to get to a place where this feature can be turned on/off
> with minimal configuration and compatible with a 3.5 release.
>
> At this point to try this at home you would:
>
> a) check out and build CAS-3.4.10-LPPE-SNAPSHOT and install in a local
> mvn repo  (mvn clean package install)
> https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/
>
> b) create a maven overlay with these dependencies using
> CAS-3.4.10-LPPE-SNAPSHOT as the cas version
>        <!-- CAS LDAP support -->
>        <dependency>
>             <groupId>org.jasig.cas</groupId>
>             <artifactId>cas-server-support-ldap</artifactId>
>             <version>${cas.version}</version>
>             <scope>runtime</scope>
>        </dependency>
>
>        <!-- CAS LDAP Password Policy support  -->
>        <dependency>
>             <groupId>org.jasig.cas</groupId>
>             <artifactId>cas-server-support-ldap-ppolicy</artifactId>
>             <version>${cas.version}</version>
>             <scope>runtime</scope>
>        </dependency>
>
> c) add the following changes to the maven overlay:
>
> login-webflow.xml
> copy from LPPE into maven overlay and uncomment/comment out
> <decision-state id="warn"> so you have the one with the
> PasswordWarningCheck.
>
> message_en.properties
> copy from LPPE into maven overlay and add your change password URL
> and messages.
>
> deployerConfigContext.xml
> use <bean class="org.jasig.cas.adaptors.ldappwd.BindLdapAuthenticationHandler">
> for your AuthN Handler
> add the following configuration:
> <bean id="firstErrorProcessor" class="org.jasig.cas.adaptors.ldappwd.util.ExpiredPasswordErrorProcessor">
>     <property name="nextItem">
>         <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountLockedErrorProcessor">
>             <property name="nextItem">
>                 <bean class="org.jasig.cas.adaptors.ldappwd.util.MustChangePasswordErrorProcessor">
>                     <property name="nextItem">
>                         <bean class="org.jasig.cas.adaptors.ldappwd.util.BadHoursErrorProcessor">
>                             <property name="nextItem">
>                                 <bean class="org.jasig.cas.adaptors.ldappwd.util.BadWorkstationErrorProcessor">
>                                     <property name="nextItem">
>                                         <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountDisabledErrorProcessor" />
>                                     </property>
>                                 </bean>
>                             </property>
>                         </bean>
>                     </property>
>                 </bean>
>             </property>
>         </bean>
>     </property>
> </bean>
>
> <bean id="PasswordWarningCheckAction" class="org.jasig.cas.web.flow.PasswordWarningCheckAction">
>     <property name="passwordWarningCheck" ref="passwordWarningCheck" />
> </bean>
>
> <bean id="passwordWarningCheck" class="org.jasig.cas.adaptors.ldappwd.LdapPasswordWarningCheck">
>     <property name="searchBase" value="${ldap.searchBase}" />
>     <property name="contextSource" ref="contextSource" />
>     <property name="filter" value="sAMAccountName=%u" />
>     <!-- fix because of how AD returns results -->
>     <property name="ignorePartialResultException" value="yes" />
>
>     <!-- Warn all users of expiration date regardless of warningDays value -->
>     <property name="warnAll" value="true" />
>
>     <!-- Date format for value from dateAttribute, see
>          http://java.sun.com/j2se/1.4.2/docs/api/java/text/SimpleDateFormat.html -->
>     <property name="dateFormat" value="ActiveDirectory" />
>
>     <!-- Calculate expiration time based on the last password change time -->
>     <property name="warningCheckType" value="change" />
>     <!-- LDAP attribute that stores the last password change time -->
>     <property name="dateAttribute" value="pwdlastset" />
>     <!-- LDAP attribute that stores the user's personal setting for the
>          number of days to warn before expiration -->
>     <property name="warningDaysAttribute" value="passwordwarningdays" />
>     <!-- LDAP attribute that stores the custom setting for the number of
>          days a password is valid -->
>     <property name="validDaysAttribute" value="maxPwdAge" />
>
>     <!-- These values are used if warningDaysAttribute or validDaysAttribute are not found -->
>     <property name="warningDays" value="30" />
>     <property name="validDays" value="180" />
>
>     <!-- Use expiration time/date from LDAP server -->
>     <!-- <property name="warningCheckType" value="expire" /> -->
>     <!-- <property name="dateAttribute" value="passwordexpirationtime" /> -->
>     <!-- <property name="warningDaysAttribute" value="passwordwarningdays" /> -->
>
>     <!-- Typical ActiveDirectory Config options
>     <property name="contextSource" ref="pwdCheckContextSource" />
>     <property name="searchBase" value="ou=Accounts,DC=example,DC=edu" />
>     <property name="filter" value="samaccountname=%u" />
>     <property name="warnAll" value="false" />
>     <property name="dateFormat" value="ActiveDirectory" />
>     <property name="warningCheckType" value="change" />
>     <property name="dateAttribute" value="pwdlastset" />
>     <property name="validDaysAttribute" value="maxPwdAge" />
>     <property name="warningDaysAttribute" value="passwordwarningdays" />
>     -->
> </bean>
>
> That's it!  mvn clean package and deploy cas.war and you should be good to
> go.
>
> I still haven't been able to exercise all the error conditions.  I'm
> hoping to get to that before the end of the week.
>
> Best,
> Bill
>
>
> On Fri, Aug 26, 2011 at 5:12 PM, William G. Thompson, Jr.
> <[email protected]> wrote:
>> LPPE Update
>>
>> I've completed the merge of LPPE into the feature branch on
>> https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/ such
>> that I can build and install CAS 3.4.10-LPPE-SNAPSHOT in my local mvn
>> repo.  This allows me to build a cas server with the feature via
>> simple local maven overlay.  To get it to work you need to pull in the
>> configuration files in the resources directory of
>> https://source.jasig.org/sandbox/cas-password-policy/branches/cas-server-support-ldap-pwd-expiration-3.4.x/
>>
>> I have it working with Active Directory and could induce the PasswordWarning
>> screen.
>>
>> I still need to spend some more time with the code and exercising
>> features.  I'd like to arrive at a maintainable approach for this
>> feature for CAS3 in the near term.  Would love some collaboration,
>> thoughts, comments on how best to improve on this and help identifying
>> any blockers for inclusion in CAS 3.5.
>>
>> This work is being driven by requirements at Lamar University.
>>
>> Best,
>> Bill
>>
>>
>> On Thu, Aug 25, 2011 at 9:11 PM, William G. Thompson, Jr.
>> <[email protected]> wrote:
>>> Folks,
>>>
>>> I've started a feature branch off of 3.4.10 to investigate
>>> incorporating LPPE into the baseline here:
>>> https://source.jasig.org/cas3/branches/cas-server-3.4.10-lppe/
>>>
>>> The lppe module (cas-server-support-ldap-ppolicy) is mostly additions,
>>> and it looks like they can be easily bypassed via a comment switch in
>>> login-flow.xml.  However, the module does carry forks of CASImpl,
>>> BindAuthNHandler, and AuthenticationViaFormAction to plug in the ldap
>>> error handling code.  These will have to be reconciled somehow.
>>>
>>> For now, I'm just using the forked code to get it to work plus a maven
>>> overlay with the enabling configuration in:
>>> * login-webflow.xml
>>> * deployerConfigContext.xml
>>> * applicationContext.xml
>>> * cas-servlet.xml
>>>
>>> It's building and login/logout is working.  Hopefully tomorrow I can
>>> get ppolicy behavior working.
>>>
>>> Bill
>>>
>>>
>>> On Wed, Aug 24, 2011 at 5:27 PM, William G. Thompson, Jr.
>>> <[email protected]> wrote:
>>>> LPPE status update...
>>>>
>>>> 3.4.8 patch applied and tagged:
>>>> https://source.jasig.org/sandbox/cas-password-policy/tags/cas-server-support-ldap-pwd-expiration-3.4.8/
>>>>
>>>> CAS 3.4.10 changes pulled into LPPE and tagged:
>>>> https://source.jasig.org/sandbox/cas-password-policy/tags/cas-server-support-ldap-pwd-expiration-3.4.10/
>>>>
>>>> https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement
>>>> updated with the current status.
>>>>
>>>> I have *not* run this code and have no idea if it is functional yet.
>>>> I plan to do that next.
>>>>
>>>> Generally it looks like this module is mostly additions with very few
>>>> modifications.  At first glance it seems like it could be incorporated
>>>> into the core with modest evolution.  Check out the merge notes
>>>> here:
>>>> https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enformcement+3.4.10+Upgrade+Notes
>>>>
>>>> Perhaps LPPE is a reasonable candidate for CAS 3.5.
>>>>
>>>> Also looks like it might be possible to split this out into a module
>>>> (jars), plus a maven overlay.  Would appreciate feedback from folks on
>>>> how they are incorporating this code today.
>>>>
>>>> Best,
>>>> Bill
>>>>
>>>>
>>>>
>>>> On Tue, Aug 23, 2011 at 10:24 AM, William G. Thompson, Jr.
>>>> <[email protected]> wrote:
>>>>> Folks,
>>>>>
>>>>> I'm working on a new CAS deployment based on 3.4.10.  We have a
>>>>> requirement to implement LDAP Password Policy Enforcement.
>>>>> https://wiki.jasig.org/display/CASUM/LDAP+Password+Policy+Enforcement
>>>>>
>>>>> The wiki page describes the state of the module.  SVN is here:
>>>>> https://source.jasig.org/sandbox/cas-password-policy/ and the latest
>>>>> tag is for CAS 3.4.7.  There's also a patch file on the wiki for 3.4.8
>>>>> that's not in SVN.
>>>>>
>>>>> I started a branch to track CAS 3.4.x here:
>>>>> https://source.jasig.org/sandbox/cas-password-policy/branches/cas-server-support-ldap-pwd-expiration-3.4.x/
>>>>>
>>>>> I intend to apply the 3.4.8 patch, cut a tag, and then bring the 3.4.x
>>>>> branch up to 3.4.10, and cut another tag.  I'd like to get to a
>>>>> sustainable process and possibly figure out how to get this into the
>>>>> core at some point if that makes sense.
>>>>>
>>>>> Appreciate any feedback, help, etc.
>>>>>
>>>>> Best,
>>>>> Bill
>>>>>
>>>>
>>>
>>
>

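The warning computation behind the quoted passwordWarningCheck wiring (warningCheckType "change": expiry is the last change time plus validDays, warn once warningDays or fewer remain, warnAll overrides, and the warningDays/validDays defaults apply when the per-user attributes are absent), as an added Python illustration that is not CAS code. It assumes pwdLastSet is a Windows FILETIME, which is what the "ActiveDirectory" dateFormat converts, and that maxPwdAge and passwordwarningdays hold plain day counts as that configuration implies; it also handles pwdLastSet = 0, which Active Directory uses for "must change password at next logon".

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01
# UTC.  That is the conversion the "ActiveDirectory" dateFormat stands for.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def password_warning(entry, now, warning_days=30, valid_days=180, warn_all=False):
    """warningCheckType="change": expiry = last change time + validDays; the
    user is warned once warningDays or fewer remain (or always with warnAll).
    Per-user attributes override the warningDays/validDays defaults when
    present.  Returns (warn, days_left)."""
    # validDaysAttribute / warningDaysAttribute as in the wiring; this example
    # assumes both hold a plain day count, as that configuration implies.
    valid_days = int(entry.get("maxPwdAge", valid_days))
    warning_days = int(entry.get("passwordwarningdays", warning_days))
    ticks = int(entry["pwdlastset"])
    if ticks == 0:
        # AD semantics: pwdLastSet of 0 means "must change password at next logon".
        return True, 0
    expires = filetime_to_datetime(ticks) + timedelta(days=valid_days)
    days_left = (expires - now).days
    return (warn_all or days_left <= warning_days), days_left

# Constructed sample data: an evaluation date and three directory entries
# with attribute values as LDAP returns them (strings).
NOW = datetime(2011, 9, 1, tzinfo=timezone.utc)
SAMPLE_SOON = {"pwdlastset": str(datetime_to_filetime(datetime(2011, 3, 15, tzinfo=timezone.utc))),
               "maxPwdAge": "180", "passwordwarningdays": "30"}   # expires 2011-09-11
SAMPLE_FRESH = {"pwdlastset": str(datetime_to_filetime(datetime(2011, 8, 1, tzinfo=timezone.utc)))}
SAMPLE_RESET = {"pwdlastset": "0"}   # must change at next logon
```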