Does that account that you are using have the appropriate privileges to read the LPPE policy? I have no experience with 389 and how it implements LPPE, but it does help to check on the LDAP server side to see what query the CAS/LDAPTIVE is making to check the LPPE.
From: [email protected] <[email protected]> On Behalf Of Jeremiah Garmatter Sent: Wednesday, August 19, 2020 4:46 PM To: CAS Community <[email protected]> Cc: King, Robert <[email protected]>; Jeremiah Garmatter <[email protected]> Subject: Re: [cas-user] CAS 6.2 Password Policy Robert, That link does look like the properties I need, however it appears to be missing a few entries, such as the dateAttribute and dateFormat, which I believe are vital to the configuration. I tried this configuration, note my organziation runs 389 directory: cas.authn.ldap[0].passwordPolicy.type=GENERIC cas.authn.ldap[0].passwordPolicy.enabled=true cas.authn.ldap[0].passwordPolicy.warn-all=false cas.authn.ldap[0].passwordPolicy.warning-days=30 cas.authn.ldap[0].passwordPolicy.warning-attribute-value= cas.authn.ldap[0].passwordPolicy.warning-attribute-name= cas.authn.ldap[0].passwordPolicy.display-warning-on-match=true cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT I also tried with warn-all=true, and the account-state-handling-enabled=true which didn't make a difference as far as I could tell. I am using an account with password set to expire in 1 day, which our cas 3.5 server correctly recognizes and acts on. After setting the ldaptive logger to debug, I don't see anything related to the password policy. Is there another logger that may provide more information for me? Perhaps I'll have to create a custom groovy script or some thymeleaf logic to compare the attributes with current date and time, then direct them to the service or our password reset application. On Wednesday, August 19, 2020 at 12:28:39 PM UTC-4 [email protected]<mailto:[email protected]> wrote: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings From: Jeremiah Garmatter <[email protected]> Sent: Wednesday, August 19, 2020 12:27 PM To: CAS Community <[email protected]> Cc: King, Robert <[email protected]> Subject: Re: [cas-user] CAS 6.2 Password Policy Alright, I was able to track down a little more information on my organizations password policy. I'm now wondering if CAS 6.2 supports lppe configurations. On the old CAS server (3.5), there was an lppe-configuration.xml file allowing one to set the attributes lppe looked at to trigger password warnings. Is there an equivalent configuration file on 6.2? For reference, here is an example from our 5.3 lppe-configuration.xml file: <bean id="ldapPasswordPolicyEnforcer" class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer"> <property name="searchBase" value="${ldap.authentication.basedn}" /> <property name="contextSource" ref="contextSource" /> <property name="filter" value="${ldap.authentication.filter}" /> <property name="ignorePartialResultException" value="${ldap.authentication.ignorePartialResultException}" /> <property name="warnAll" value="${ldap.authentication.lppe.warnAll}" /> <property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" /> <property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" /> <property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" /> <property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" /> <property name="warningDays" value="${ldap.authentication.lppe.warningDays}" /> <property name="validDays" value="${ldap.authentication.lppe.validDays}" /> <property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" /> <property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" /> </bean> On Wednesday, August 5, 2020 at 9:54:18 AM UTC-4 [email protected] wrote: Yes, it is defined in OpenLDAP. I would be surprised if this is not already setup on your existing directory. Guessing as to what CAS is doing… First search for user operational attributes pwdChangedTime and pwdPolicySubentry. Then a second search on the DN from pwdPolicySubentry. That should retrieve attribute pwdMaxAge. Then CAS would determine if the account is expiring inside the CAS defined warning days window and pop up the interruption screen to notify users as they login. From: [email protected] <[email protected]> On Behalf Of Jeremiah Garmatter Sent: Wednesday, August 5, 2020 10:30 AM To: [email protected] Subject: Re: [cas-user] CAS 6.2 Password Policy Robert, You are saying that password policy is defined within openldap itself and not within CAS? I'd prefer not to change any ldap configuration if that can be avoided. Is there no way to change the attribute checked for password expiration within CAS properties? -Jeremiah Garmatter, Systems Administrator -Ohio Northern University, Class of 2020 -Work: 419-772-1074<tel:(419)%20772-1074> Cell: 419-672-8685<tel:(419)%20672-8685> [email protected] On Tue, Aug 4, 2020 at 12:44 PM King, Robert <[email protected]> wrote: If you are using OpenLDAP 2.4 for your directory service: https://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.4-Release&arch=default&format=html From: [email protected] <[email protected]> On Behalf Of Jeremiah Garmatter Sent: Tuesday, August 4, 2020 10:45 AM To: CAS Community <[email protected]> Subject: [cas-user] CAS 6.2 Password Policy Hello, I am having trouble understanding the password policy documentation for CAS 6.2.x. I use openldap as the ldap source. I would like to set up a policy that warns users of a password change at 60 days, 30 days, and forces a password change at 2 days. This policy was enforced on a server running CAS 3.5 and I'm not sure how this system was set up (it was made by predecessors). Could somebody explain what this line means? "LPPE is also able to warn the user when the account is about to expire. The expiration policy is determined through pre-configured LDAP attributes with default values in place." (found here: https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.html) >From what I understand there is a predefined LDAP attribute that is checked >against the warning-days property and if it is under the day-count then a >warning message appears. Is this true? Also, what LDAP attribute is it checking against? Can this attribute be changed? -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group. To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/9E2ZujSI5Ec/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b6aff3a436fc403c8590771343acfae0%40mun.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/b6aff3a436fc403c8590771343acfae0%40mun.ca?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABX%3DCB0-%2B9DQvoSSQHvCCEpEr2bvwA_qsGji7rrJmgQLzsT77g%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABX%3DCB0-%2B9DQvoSSQHvCCEpEr2bvwA_qsGji7rrJmgQLzsT77g%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/133ba9aa-0d8f-4d60-a994-1a070f4296a7n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/133ba9aa-0d8f-4d60-a994-1a070f4296a7n%40apereo.org?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f0f9fd9790e4b69b2c99da407bb315e%40mun.ca.
