Greetings,

After a little bit of work I was able to get successful AD authentication on CAS 4.2.6. Yay!

I've implemented the password enforcement configs from here: https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html

I'm not seeing any changes; possibly I'm missing a config. When I set a user to "needs password reset" in AD (PasswordExpired AD attribute), I simply get "AUTHENTICATION_FAILED" in the response. In the ldaptive logs, I see this:

  [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 773, v2580]

I also see the user's DN and attributes in the log. Looking up error code 49, it's an invalid credentials response.

We have our own in-house developed password reset tool, so CAS just needs to be able to display the errors with a button to navigate to the reset tool. I have the casMustChangePassView.jsp where I'd add our button.

One thing that comes to mind is whether CAS/ldaptive knows what attributes to read from AD to determine the password policy errors, but I'm unsure what they would be looking for/need.

DeployerConfigContext.xml:

  <alias name="ldapPasswordPolicyConfiguration" alias="passwordPolicyConfiguration" />

  <bean id="ldapAuthenticationHandler"
        class="org.jasig.cas.authentication.LdapAuthenticationHandler"
        p:principalIdAttribute="sAMAccountName"
        p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration"
        c:authenticator-ref="authenticator">
    <property name="principalAttributeMap">
      <map>
        <entry key="sAMAccountName" value="uid"/>
        <entry key="displayName" value="displayName"/>
        <entry key="mail" value="mail"/>
        <entry key="memberOf" value="memberOf"/>
        <entry key="employeeId" value="distinguishedName"/>
        <entry key="sn" value="sn"/>
        <entry key="givenName" value="givenName"/>
        <entry key="telephoneNumber" value="telephoneNumber"/>
      </map>
    </property>
  </bean>

  <ldaptive:bind-search-authenticator id="authenticator"
      ldapUrl="${ldap.url}"
      baseDn="${ldap.baseDn}"
      userFilter="${ldap.searchFilter}"
      bindDn="${ldap.managerDn}"
      bindCredential="${ldap.managerPassword}"
      allowMultipleDns="${ldap.allowMultipleDns:false}"
      connectTimeout="${ldap.connectTimeout}"
      validateOnCheckOut="${ldap.pool.validateOnCheckout}"
      failFastInitialize="true"
      blockWaitTime="${ldap.pool.blockWaitTime}"
      idleTime="${ldap.pool.idleTime}"
      maxPoolSize="${ldap.pool.maxSize}"
      minPoolSize="${ldap.pool.minSize}"
      validatePeriodically="${ldap.pool.validatePeriodically}"
      validatePeriod="${ldap.pool.validatePeriod}"
      prunePeriod="${ldap.pool.prunePeriod}"
      useSSL="${ldap.use.ssl:false}"
      subtreeSearch="true"
      useStartTLS="${ldap.useStartTLS}"
      usePasswordPolicy="${ldap.usePpolicy:true}" />

cas.properties:

  password.policy.warningDays=30
  # URL to which the user will be redirected to change the password.
  password.policy.url=https://iforgot.psd401.net/forgot
  # password.policy.warn.attribute.name=attributeName
  password.policy.warn.attribute.value=attributeValue
  password.policy.warn.display.matched=true
  ldap.usePpolicy=true

Let me know if I should post the full ldaptive logs.
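Added example, not code from the post or from CAS/ldaptive: a small Python classifier for the AD diagnostic string quoted above, mapping the well-known "data" sub-codes that AD puts in an error-49 message (773 = must change password, 532 = password expired, 533 = disabled, 775 = locked, and so on) to a password-policy outcome and to the text shown to the user. RESET_URL and the function names are assumptions; it illustrates what has to be extracted from the error before a "must change password" view can be rendered instead of a bare AUTHENTICATION_FAILED.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Well-known AD sub-codes from the "data NNN" field of an LDAP error-49 message.
# Second element: should this state send the user to the password-reset tool?
AD_BIND_SUBCODES = {
    "525": ("user_not_found", False),
    "52e": ("invalid_credentials", False),
    "530": ("logon_time_restriction", False),
    "531": ("workstation_restriction", False),
    "532": ("password_expired", True),
    "533": ("account_disabled", False),
    "701": ("account_expired", False),
    "773": ("password_must_change", True),
    "775": ("account_locked", False),
}
CODE_RE = re.compile(r"error code (\d+)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
RESET_URL = "https://reset.example.invalid/forgot"  # hypothetical reset tool

@dataclass(frozen=True)
class BindOutcome:
    ldap_code: Optional[int]
    reason: str
    send_to_reset: bool

def classify_bind_failure(diag: str) -> BindOutcome:
    """Map an AD bind diagnostic string to a password-policy outcome."""
    code_m = CODE_RE.search(diag)
    code = int(code_m.group(1)) if code_m else None
    if code != 49:  # not an AcceptSecurityContext failure
        return BindOutcome(code, "ldap_error", False)
    data_m = DATA_RE.search(diag)
    if not data_m:  # error 49 with no AD sub-code: plain bad credentials
        return BindOutcome(code, "invalid_credentials", False)
    reason, reset = AD_BIND_SUBCODES.get(data_m.group(1).lower(),
                                         ("unknown_subcode", False))
    return BindOutcome(code, reason, reset)

def user_message(outcome: BindOutcome) -> str:
    """Only password-policy states get a specific message; everything else
    collapses to a generic failure so the page does not reveal account state."""
    if outcome.send_to_reset:
        return f"Your password must be changed before you can sign in: {RESET_URL}"
    return "Authentication failed."

# Constructed input, copied from the diagnostic quoted in the post.
SAMPLE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: "
          "AcceptSecurityContext error, data 773, v2580]")
```

The distinction between, say, 525 and 52e is useful in server-side logs for the helpdesk, but keeping the login page's wording identical for those cases avoids turning the form into an account-enumeration oracle.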
