Share CAS logs please, at DEBUG.

On Tuesday, October 25, 2016 at 5:21:24 PM UTC+3:30, Brandon Martin wrote:
>
> Greetings,
>
> After a little bit of work I was able to get successful AD authentication on CAS 4.2.6. Yay!
>
> I've implemented the password enforcement configs from here:
> https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html
>
> I'm not seeing any changes, possibly I'm missing a config. When I set a user to needs password reset in AD (PasswordExpired AD Attribute), I simply get "AUTHENTICATION_FAILED" in the response.
>
> In the ldaptive logs, I see this:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 773, v2580]
> I also see the user's dn, and attributes in the log.
>
> Looking up error code 49, it's an invalid credentials response.
>
> We have our own in-house developed password reset tool, so CAS just needs to be able to display the errors with a button to navigate to the reset tool. I have the casMustChangePassView.jsp where I'd add our button.
>
> One thing that comes to mind is if CAS/ldaptive doesn't know what attributes to read from AD to determine the password policy errors, but I'm unsure what they would be looking for/need.
>
> DeployerConfigContext.xml
>
> <alias name="ldapPasswordPolicyConfiguration"
>        alias="passwordPolicyConfiguration" />
>
> <bean id="ldapAuthenticationHandler"
>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>       p:principalIdAttribute="sAMAccountName"
>       p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration"
>       c:authenticator-ref="authenticator">
>   <property name="principalAttributeMap">
>     <map>
>       <entry key="sAMAccountName" value="uid"/>
>       <entry key="displayName" value="displayName"/>
>       <entry key="mail" value="mail"/>
>       <entry key="memberOf" value="memberOf"/>
>       <entry key="employeeId" value="distinguishedName"/>
>       <entry key="sn" value="sn"/>
>       <entry key="givenName" value="givenName"/>
>       <entry key="telephoneNumber" value="telephoneNumber"/>
>     </map>
>   </property>
> </bean>
>
> <ldaptive:bind-search-authenticator id="authenticator"
>     ldapUrl="${ldap.url}"
>     baseDn="${ldap.baseDn}"
>     userFilter="${ldap.searchFilter}"
>     bindDn="${ldap.managerDn}"
>     bindCredential="${ldap.managerPassword}"
>     allowMultipleDns="${ldap.allowMultipleDns:false}"
>     connectTimeout="${ldap.connectTimeout}"
>     validateOnCheckOut="${ldap.pool.validateOnCheckout}"
>     failFastInitialize="true"
>     blockWaitTime="${ldap.pool.blockWaitTime}"
>     idleTime="${ldap.pool.idleTime}"
>     maxPoolSize="${ldap.pool.maxSize}"
>     minPoolSize="${ldap.pool.minSize}"
>     validatePeriodically="${ldap.pool.validatePeriodically}"
>     validatePeriod="${ldap.pool.validatePeriod}"
>     prunePeriod="${ldap.pool.prunePeriod}"
>     useSSL="${ldap.use.ssl:false}"
>     subtreeSearch="true"
>     useStartTLS="${ldap.useStartTLS}"
>     usePasswordPolicy="${ldap.usePpolicy:true}" />
>
> cas.properties:
>
> password.policy.warningDays=30
>
> # URL to which the user will be redirected to change the password.
> password.policy.url=https://iforgot.psd401.net/forgot
>
> # password.policy.warn.attribute.name=attributeName
> password.policy.warn.attribute.value=attributeValue
> password.policy.warn.display.matched=true
>
> ldap.usePpolicy=true
>
>
> Let me know if I should post the full ldaptive logs
>
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c703f6c-16e2-4d7f-b3d6-36919f01235c%40apereo.org.
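The quoted log line is the key detail in the thread: Active Directory does not return the LDAP password policy control that `usePasswordPolicy` relies on; it reports account conditions as an `AcceptSecurityContext error, data NNN` sub-code inside the diagnostic message of a generic result code 49 (invalidCredentials), which is why the login flow only sees "AUTHENTICATION_FAILED". The following is an added example, not CAS or ldaptive code, showing how that message is parsed and how the sub-code (here `773`, user must change password) is turned into a safe user-facing decision. The sub-code table is the commonly documented set of AD values; the sample message is the one quoted in the post; the reset URL is a placeholder standing in for the site's own `password.policy.url`. ldaptive ships an Active Directory response handler that does this mapping inside the authenticator, and configuring it (rather than the generic password policy handler) is what makes the distinction visible to CAS.

```python
"""Classify Active Directory bind failures that arrive as LDAP result code 49.

Added example; not CAS or ldaptive code. AD signals "must change password",
"account locked" and similar states as a sub-code in the bind result's
diagnostic message, so the sub-code has to be parsed out of that string.
"""
import re
from typing import NamedTuple, Optional

# AD sub-code -> (state name, human-readable detail); commonly documented values.
AD_BIND_SUBCODES = {
    "525": ("NO_SUCH_USER", "user not found"),
    "52e": ("LOGON_FAILURE", "invalid credentials"),
    "530": ("INVALID_LOGON_HOURS", "not permitted to log on at this time"),
    "531": ("INVALID_WORKSTATION", "not permitted to log on from this workstation"),
    "532": ("PASSWORD_EXPIRED", "password expired"),
    "533": ("ACCOUNT_DISABLED", "account disabled"),
    "701": ("ACCOUNT_EXPIRED", "account expired"),
    "773": ("PASSWORD_MUST_CHANGE", "user must change password at next logon"),
    "775": ("ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Sub-codes meaning "credentials were right, but the password needs changing":
# the only cases where a self-service reset link is the right answer.
RESET_SUBCODES = {"532", "773"}
# States where the account itself is blocked; a reset link will not help.
BLOCKED_STATES = {"ACCOUNT_LOCKED_OUT", "ACCOUNT_DISABLED", "ACCOUNT_EXPIRED"}

_RESULT_CODE_RE = re.compile(r"error code (\d+)")
_AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")

# Message quoted in the post above (not constructed).
SAMPLE_MESSAGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, "
                  "comment: AcceptSecurityContext error, data 773, v2580]")
# Placeholder for the site's own reset tool (password.policy.url in cas.properties).
RESET_URL = "https://reset.example.invalid/forgot"


class BindDiagnosis(NamedTuple):
    result_code: Optional[int]
    ad_data: Optional[str]
    state: str
    detail: str


def diagnose_bind_message(message: str) -> BindDiagnosis:
    """Extract the LDAP result code and, for AD, the sub-code behind a code 49."""
    code_match = _RESULT_CODE_RE.search(message)
    result_code = int(code_match.group(1)) if code_match else None
    data_match = _AD_DATA_RE.search(message)
    ad_data = data_match.group(1).lower() if data_match else None

    if result_code != 49:
        return BindDiagnosis(result_code, ad_data, "OTHER_ERROR",
                             "not an invalidCredentials (49) result")
    if ad_data is None:
        # A bare code 49 (e.g. from a non-AD directory) carries no further detail.
        return BindDiagnosis(result_code, None, "LOGON_FAILURE",
                             "invalid credentials (no AD sub-code present)")
    state, detail = AD_BIND_SUBCODES.get(
        ad_data, ("UNKNOWN_AD_SUBCODE", f"unrecognised AD sub-code {ad_data}"))
    return BindDiagnosis(result_code, ad_data, state, detail)


def user_facing_response(diagnosis: BindDiagnosis, reset_url: str) -> dict:
    """Turn a diagnosis into what the login page may safely show.

    NO_SUCH_USER (525) and LOGON_FAILURE (52e) are deliberately collapsed
    into the same generic message so the form does not confirm which
    usernames exist; that distinction belongs in server-side logs only.
    """
    if diagnosis.ad_data in RESET_SUBCODES:
        return {"status": "PASSWORD_RESET_REQUIRED",
                "message": diagnosis.detail, "redirect": reset_url}
    if diagnosis.state in BLOCKED_STATES:
        return {"status": "ACCOUNT_BLOCKED",
                "message": diagnosis.detail + "; contact the help desk",
                "redirect": None}
    return {"status": "AUTHENTICATION_FAILED",
            "message": "Invalid credentials.", "redirect": None}


if __name__ == "__main__":
    diagnosis = diagnose_bind_message(SAMPLE_MESSAGE)
    print(diagnosis)                                    # state PASSWORD_MUST_CHANGE
    print(user_facing_response(diagnosis, RESET_URL))   # redirect to the reset tool
```

Run against the quoted message this yields `PASSWORD_MUST_CHANGE` and a redirect to the reset tool, which is the behaviour the post is after; a `data 525` or `data 52e` message produces the same generic "Invalid credentials." as a bare code 49, so enabling the richer handling does not turn the login form into a username oracle.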
