Folks,

I have been working on CAS LPPE support for the past week or so locally and have made a number of adjustments and enhancements to further better the feature. I will attempt to submit a pull request later today but would like to summarize the current changeset here as much as possible:

- LPPE supports a number of scenarios. Namely, they are:
  1. Account is disabled
  2. Account is expired
  3. Account is attempting to log in at an unaccepted time
  4. Account is attempting to log in from an unaccepted workstation
  5. Account must change the password on login
  6. Account password will expire soon

  Scenarios #1 to #5 automatically occur during authentication, where LDAP/AD would reject the account by throwing specific error codes. LPPE attempts to look for the returned error code and redirect the user to the relevant view. #6 is slightly different because password warning calculations will occur after the user has passed the authentication step.

- LPPE is currently off by default. To enable the entire feature set using perhaps the maven overlay method, a deployer would have to do the following:
  o Relevant LPPE settings (including LDAP URLs, etc.) need to be defined in the cas.properties file, including the URL that the user would have to go to for password maintenance.
  o To enable #1 to #5, error definitions must be described by the relevant authentication handler in the config file. I have included a sample in the commits that shows what they may be. Codes that go unhandled will simply prevent the user from logging in, just like before.
  o To enable #6, the 'enabled' property (currently set to false) would need to be set in the cas.properties file.

- LPPE uses the JodaTime library to calculate expiration dates, etc.

- Almost all changes are contained inside the ldap module, with the exception of the login flow and a few other config files (messages, properties, etc.).

I have tested all said scenarios with a local AD account, with/without the service parameter and with a valid account whose password is set to never expire. All checks out.

When time permits, please review. Feedback is much appreciated.

Regards,
-Misagh
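
The flow described in the message above, as an added Java sketch that is not code from the CAS changeset: scenarios #1 to #5 are routed by the hex sub-code Active Directory puts after "data" in a failed bind message, and #6 is computed after authentication. The class name, view ids and sample messages are hypothetical or constructed, the sub-codes are Active Directory's own values (the message does not list them), and java.time stands in for JodaTime.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LppeSketch {
    // AD reports the reason for a failed bind as a hex sub-code after "data".
    private static final Pattern AD_SUBCODE = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    // Sub-code -> view id. View ids are hypothetical; sub-codes are AD's.
    private static final Map<String, String> VIEWS = Map.of(
        "533", "accountDisabledView",      // scenario 1
        "701", "accountExpiredView",       // scenario 2
        "530", "badHoursView",             // scenario 3
        "531", "badWorkstationView",       // scenario 4
        "773", "mustChangePasswordView");  // scenario 5

    /** Scenarios 1-5: view for a failed bind, or empty when the code is unhandled. */
    static Optional<String> viewFor(String ldapErrorMessage) {
        Matcher m = AD_SUBCODE.matcher(ldapErrorMessage == null ? "" : ldapErrorMessage);
        return m.find() ? Optional.ofNullable(VIEWS.get(m.group(1).toLowerCase())) : Optional.empty();
    }

    /** Scenario 6: days left when inside the warning window, otherwise empty. */
    static Optional<Long> daysToWarn(Instant expires, Instant now, int warningDays, boolean neverExpires) {
        if (neverExpires || expires == null) return Optional.empty();
        long days = Duration.between(now, expires).toDays();
        return (days >= 0 && days <= warningDays) ? Optional.of(days) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample messages, shaped like AD bind failures.
        String disabled = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 533, v1db1]";
        String badPassword = disabled.replace("data 533", "data 52e");
        System.out.println(viewFor(disabled));     // mapped to a dedicated view
        System.out.println(viewFor(badPassword));  // unhandled: plain login failure
        Instant now = Instant.parse("2012-03-01T00:00:00Z"); // constructed date
        System.out.println(daysToWarn(now.plus(Duration.ofDays(10)), now, 30, false));
        System.out.println(daysToWarn(now.plus(Duration.ofDays(10)), now, 30, true));
    }
}
```

An unmapped sub-code such as a bad password returns empty from viewFor, which corresponds to the "codes that go unhandled will simply prevent the user from logging in" behaviour in the message.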