Hi,
I'm using CAS 5.2.3 and the LDAP password management module against an
Active Directory with a Password Settings Object (PSO) enabled on a security
group to have a password history strategy. The bind account has the rights
to modify and reset the password of users' accounts.
Here's the password management config:
cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=AD
cas.authn.pm.ldap.ldapUrl=ldaps://my-domain.fr
cas.authn.pm.ldap.useSsl=true
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=ou=adm,dc=my-domain,dc=fr
cas.authn.pm.ldap.userFilter=sAMAccountName={user}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=cn=CAS,cn=Users,dc=my-domain,dc=fr
cas.authn.pm.ldap.bindCredential=*******
cas.authn.pm.ldap.keystore=file:/etc/cas/config/my-domain.p12
cas.authn.pm.ldap.keystorePassword=*****
cas.authn.pm.ldap.keystoreType=PKCS12
cas.authn.pm.ldap.poolPassivator=NONE
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=false
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=true
cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
When a user's password has expired, CAS normally presents the
CasMustChangePassword page and the user can modify his password. But at
this moment, the password history policy defined in AD via the PSO is not
applied. It seems it's because ldaptive uses the RESET/REPLACE method to
modify the password attribute, as I can see in the debug log:
2018-03-20 14:28:24,166 DEBUG [org.ldaptive.ModifyOperation] - execute
request=[org.ldaptive.ModifyRequest@722220644::modifyDn=CN=Test-Account,OU=my-ou,DC=my-domain,DC=fr,
/
attrMods=[[org.ldaptive.AttributeModification@1592014853::attrMod=REPLACE,
attribute=[unicodePwd[IgBCAGwAYQBCAGwAYQAxAAZSqsazqsdDIAMwAhACCIIA]]]],
controls=null, referralHandler=null, /
intermediateResponseHandlers=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@22420243::config=[org.ldaptive.ConnectionConfig@1431827077::ldapUrl=ldaps://my-domain.fr,
/
connectTimeout=PT1H23M20S, responseTimeout=PT5S,
sslConfig=[org.ldaptive.ssl.SslConfig@166011805::credentialConfig=[org.ldaptive.ssl.KeyStoreCredentialConfig@-1381955502::trustStore=null,
/
trustStoreType=null, trustStoreAliases=null,
keyStore=file:/etc/cas/config/my-domain.fr.p12, keyStoreType=PKCS12,
keyStoreAliases=null], trustManagers=null, hostnameVerifier=null, /
hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, /
connectionInitializer=[org.ldaptive.BindConnectionInitializer@296242715::bindDn=cn=CAS,cn=Users,dc=my-domain,dc=fr,
bindSaslConfig=null, bindControls=null], /
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@cab0ca0], /
providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1004675057::metadata=[ldapUrl=ldaps://my-domain.fr,
count=1], /
providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@2116114915::operationExceptionResultCodes=[SERVER_DOWN],
properties={}, /
controlProcessor=org.ldaptive.provider.ControlProcessor@2f1ebf51,
connectionOptions=null, socketFactory=null, sslSocketFactory=null, /
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]],
providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@4eef43cc]>
2018-03-20 14:28:24,274 DEBUG [org.ldaptive.ModifyOperation] - execute
response=[org.ldaptive.Response@632770826::result=null, resultCode=SUCCESS,
message=null, matchedDn=null, responseControls=null, /
referralURLs=[], messageId=3] for
request=[org.ldaptive.ModifyRequest@722220644::modifyDn=CN=Test-Account,OU=my-ou,DC=my-domain,DC=fr,
attrMods=[[org.ldaptive.AttributeModification@1592014853::attrMod=REPLACE, /
attribute=[unicodePwd[IgBCAGwAYQBCAGwAYQAxAAZSqsazqsdDIAMwAhACCIIA]]]],
controls=null, referralHandler=null, intermediateResponseHandlers=null] with /
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@22420243::config=[org.ldaptive.ConnectionConfig@1431827077::ldapUrl=ldaps://my-domain.fr,
connectTimeout=PT1H23M20S, /
responseTimeout=PT5S,
sslConfig=[org.ldaptive.ssl.SslConfig@166011805::credentialConfig=[org.ldaptive.ssl.KeyStoreCredentialConfig@-1381955502::trustStore=null,
trustStoreType=null, trustStoreAliases=null, /
keyStore=file:/etc/cas/config/my-domain.fr.p12, keyStoreType=PKCS12,
keyStoreAliases=null], trustManagers=null, hostnameVerifier=null,
hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, /
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer@296242715::bindDn=cn=CAS,cn=Users,dc=my-domain,dc=fr,
bindSaslConfig=null, bindControls=null], /
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@cab0ca0],
providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1004675057::metadata=[ldapUrl=ldaps://my-domain.fr,
count=1], /
providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@2116114915::operationExceptionResultCodes=[SERVER_DOWN],
properties={},
controlProcessor=org.ldaptive.provider.ControlProcessor@2f1ebf51, /
connectionOptions=null, socketFactory=null, sslSocketFactory=null,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]],
providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@4eef43cc]>
I've also noticed that when I remove the "Reset password" right for the bind
account in Active Directory (with the modify password right still enabled), the
password modify operation fails with the insufficient rights error:
LDAPException(resultCode=50 (insufficient access rights)). So it means that when
we use a bind account in CAS Password Management, a password reset is done
when modifying the account's password.
From Microsoft, there are 2 types of password change:
- CHANGE_PASSWORD: the PSO policy is applied, but in that case the bind user
must be the authenticated user
- RESET_PASSWORD: the PSO is not applied, and this is actually my case...
Is there a way to modify this to take the AD password policy into account?
Thanks for your time and your answers
Bruno
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3e1fd209-537b-42b4-83b8-c6ecb2126ed7%40apereo.org.
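The distinction Bruno describes (a REPLACE of unicodePwd is an administrative reset that bypasses the history policy, while a DELETE of the old value plus an ADD of the new one in the same Modify request is a user change that AD checks against the full policy) is easy to see once the two request shapes are written out. The following is an added example, not code from CAS, ldaptive or the original post. It models an LDAP Modify request as a list of (operation, attribute, values) tuples, which is an assumption made for the sake of running offline, and it classifies a constructed ldaptive-style debug snippet (not the one above) by the operation it applies to unicodePwd, so the same check can be run over a real CAS debug log to confirm which shape is being sent:

```python
import base64
import re

# Constructed sample values (not from the original post)
SAMPLE_OLD_PASSWORD = "OldSecret1"
SAMPLE_NEW_PASSWORD = "Secret1"


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd syntax: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; rejects values that are not quoted."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def reset_password_mods(new_password: str) -> list:
    """Administrative reset: a single REPLACE of unicodePwd.

    This is the shape in the debug log above. It needs the "Reset password"
    control-access right on the target account, and AD does not apply the
    password-history part of the policy to it.
    """
    return [("REPLACE", "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_password_mods(old_password: str, new_password: str) -> list:
    """User-initiated change: DELETE the old value and ADD the new one in the
    same Modify request.

    AD verifies the old password and applies the full policy, history included,
    which is why the bind must be the user (or hold the "Change password" right)
    and must supply the current password.
    """
    return [
        ("DELETE", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("ADD", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def classify_ops(ops) -> str:
    """Map the sequence of operations on unicodePwd to Microsoft's two cases."""
    ops = [op.upper() for op in ops]
    if ops == ["REPLACE"]:
        return "RESET_PASSWORD"
    if ops == ["DELETE", "ADD"]:
        return "CHANGE_PASSWORD"
    return "UNKNOWN"


def classify_password_mods(mods) -> str:
    """Classify a modification list by the operations it applies to unicodePwd."""
    return classify_ops(op for op, attr, _ in mods if attr.lower() == "unicodepwd")


_ATTR_MOD = re.compile(r"attrMod=(\w+),\s*attribute=\[(\w+)\[")


def classify_ldaptive_log(text: str) -> list:
    """Classify each ModifyRequest printed in ldaptive DEBUG output.

    Mail clients wrap the long lines and mark the wraps with " /"; those are
    joined back first. One result per "request=[" occurrence (ldaptive prints
    the request once on execute and again together with the response).
    """
    joined = re.sub(r"\s*/?\s*\n\s*", " ", text)
    results = []
    for segment in re.split(r"request=\[", joined)[1:]:
        ops = [op for op, attr in _ATTR_MOD.findall(segment) if attr.lower() == "unicodepwd"]
        results.append(classify_ops(ops))
    return results


# Constructed ldaptive-style log snippet for a REPLACE (reset), built from the
# sample password so the attribute value is a genuine unicodePwd encoding.
_B64 = base64.b64encode(encode_unicode_pwd(SAMPLE_NEW_PASSWORD)).decode("ascii")
SAMPLE_LOG = f"""\
2018-01-01 00:00:00,000 DEBUG [org.ldaptive.ModifyOperation] - execute
request=[org.ldaptive.ModifyRequest@1::modifyDn=CN=Example,OU=ou,DC=example,DC=test, /
attrMods=[[org.ldaptive.AttributeModification@2::attrMod=REPLACE,
attribute=[unicodePwd[{_B64}]]]], controls=null]
2018-01-01 00:00:00,100 DEBUG [org.ldaptive.ModifyOperation] - execute
response=[org.ldaptive.Response@3::resultCode=SUCCESS, messageId=3] for
request=[org.ldaptive.ModifyRequest@1::modifyDn=CN=Example,OU=ou,DC=example,DC=test,
attrMods=[[org.ldaptive.AttributeModification@2::attrMod=REPLACE, /
attribute=[unicodePwd[{_B64}]]]], controls=null]
"""

if __name__ == "__main__":
    print(classify_password_mods(reset_password_mods(SAMPLE_NEW_PASSWORD)))
    print(classify_password_mods(change_password_mods(SAMPLE_OLD_PASSWORD, SAMPLE_NEW_PASSWORD)))
    print(classify_ldaptive_log(SAMPLE_LOG))
```

Two practical points fall out of this. First, the insufficient-rights error seen when the "Reset password" right is removed is consistent with the REPLACE shape: that right is exactly what a reset needs, whereas the DELETE+ADD change shape is the one that would run under the user's own credentials and be subject to the PSO. Second, the `unicodePwd` value that ldaptive prints at DEBUG level is only base64 of the quoted UTF-16LE password, so a debug log of a password change contains the new password in recoverable form and must be handled, stored and shared as a secret.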