Thanks Misagh. The changes have been pulled into the feature-lppe branch. It would be great to get some feedback on this prior to merge to master.

We're now just about 7 days from RC1 freeze.

Bill

On Thu, May 3, 2012 at 7:09 PM, Misagh Moayyed <mmoay...@unicon.net> wrote:
> Folks,
>
> I have been working on CAS LPPE support for the past week or so locally and
> have made a number of adjustments and enhancements to further better the
> feature. I will attempt to submit a pull request later today but would like
> to summarize the current changeset here as much as possible:
>
> - LPPE supports a number of scenarios. Namely, they are:
>
>   1. Account is disabled
>   2. Account is expired
>   3. Account is attempting to login at an unaccepted time
>   4. Account is attempting to login from an unaccepted workstation
>   5. Account must change the password on login
>   6. Account password will expire soon.
>
> Scenarios from #1 to #5 automatically occur during authentication where
> LDAP/AD would reject the account by throwing in specific error codes. LPPE
> attempts to look for the returned error code and redirect the user to the
> relevant view. #6 is slightly different because password warning
> calculations will occur after the user has passed the authentication step.
>
> - LPPE is currently off by default. To enable the entire feature
> set using perhaps the maven overlay method, a deployer would have to do the
> following:
>
>   o Relevant LPPE settings (including LDAP URLs, etc) need to be defined in
>     the cas.properties file, including the URL that the user would have to go
>     to for password maintenance.
>
>   o To enable #1 to #5, error definitions must be described by the relevant
>     authentication handler in the config file. I have included a sample in the
>     commits that shows what they may be. Codes that go unhandled will simply
>     prevent the user from logging in, just like before.
>
>   o To enable #6, the ‘enabled’ property (currently set to false) would need
>     to be set in the cas.properties file.
>
> - LPPE uses the JodaTime library to calculate expiration dates, etc.
>
> - Almost all changes are contained inside the ldap module, with the
> exception of login flow and a few other config files (messages, properties,
> etc).
>
> I have tested all said scenarios with a local AD account, with/without the
> service parameter and with a valid account whose password is set to never
> expire. All checks out.
>
> When time permits, please review. Feedback is much appreciated.
>
> Regards,
>
> -Misagh
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: wgt...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
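
An added illustration of the error-code handling described in the quoted message; it is not part of the thread and is not code from the CAS LPPE branch. Active Directory reports scenarios #1 to #5 as a hex `data` sub-code inside the LDAP error 49 bind message, and a handler can map that sub-code to a view. The class, enum and view names are hypothetical, and the sample messages are constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical sketch, not the CAS LPPE code: map the AD sub-code in a failed
// bind message to one of the scenarios #1 to #5 from the message above.
public class LppeErrorMapper {

    // View names are assumptions made up for this example.
    enum Scenario {
        ACCOUNT_DISABLED("accountDisabledView"),
        ACCOUNT_EXPIRED("accountExpiredView"),
        BAD_LOGON_HOURS("badHoursView"),
        BAD_WORKSTATION("badWorkstationView"),
        MUST_CHANGE_PASSWORD("mustChangePasswordView");

        final String view;
        Scenario(String view) { this.view = view; }
    }

    // AD puts a hex Win32 logon error after "data" in the error 49 text.
    private static final Pattern SUB_CODE = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    private static final Map<String, Scenario> CODES = Map.of(
        "533", Scenario.ACCOUNT_DISABLED,
        "701", Scenario.ACCOUNT_EXPIRED,
        "530", Scenario.BAD_LOGON_HOURS,
        "531", Scenario.BAD_WORKSTATION,
        "773", Scenario.MUST_CHANGE_PASSWORD);

    // Empty result means the code is unhandled: treat it as a plain login
    // failure, as the message says happens for codes that are not defined.
    static Optional<Scenario> classify(String ldapErrorMessage) {
        if (ldapErrorMessage == null) return Optional.empty();
        Matcher m = SUB_CODE.matcher(ldapErrorMessage);
        if (!m.find()) return Optional.empty();
        return Optional.ofNullable(CODES.get(m.group(1).toLowerCase()));
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape AD returns on a failed bind.
        String disabled = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 533, v1db1]";
        String badPassword = disabled.replace("data 533", "data 52e");
        System.out.println(classify(disabled).map(s -> s.view).orElse("loginFailed"));
        System.out.println(classify(badPassword).map(s -> s.view).orElse("loginFailed"));
    }
}
```

Sub-code 52e (bad credentials) is deliberately left out of the map, so it falls through to the ordinary login failure rather than revealing anything about the account's state.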