Dear Ritesh Tripathi:
I'm very grateful for your speedy reply; this is the best New Year
gift I have got!!
Before I read your post, it never came to my mind that the password
policy can be set in LDAP.
I am using CAS 6.0 + OpenLDAP on Ubuntu Server; I will try your
suggestion and test it.
Could you allow me to ask some more questions?
1. Can CAS show an "Account locked due to too many attempts" message to the
user when the user's account is locked?
2. Can I redirect the user to my specific URL when the user's password has
expired?
Thank you so much for your reply!
Best Regards & Best Wishes for New Year 2021!
Sincerely
Chunyao Wang.
On Thursday, December 31, 2020 at 11:55:31 PM UTC+8, Ritesh Tripathi wrote:
> Dear Chun-Yao,
>
> Apache DS is an LDAP server. All LDAP servers - including Microsoft's
> implementation of LDAP, which is called Active Directory -
> have the feature of password policies. [Please see -
> https://ldapwiki.com/wiki/Password%20Policy]
>
> Apache DS also offers a password policy complying with the draft
> specification of Password Policy -
> https://ldapwiki.com/wiki/Draft-behera-ldap-password-policy
>
> These can be easily configured in Directory Studio Admin - by opening
> the configuration file and going to the Password Policies tab. Please see the
> screenshot enclosed below [red indicates the parameters in your case to be
> added to the system].
>
> [image: image.png]
>
> The CAS properties that I used for getting the application up and running
> are given below [version 6.2.x of CAS].
>
> #########local LDAP Connection String for authentication using the
> Managers Bind Tested as OK on localhost.#################
> cas.authn.ldap[0].ldapUrl=ldap://localhost:389/
> cas.authn.ldap[0].bindDn=uid=admin,ou=system
> cas.authn.ldap[0].bindCredential=xxxx
>
> cas.authn.ldap[0].poolPassivator=BIND
> #cas.authn.ldap[0].connectionStrategy=DEFAULT
>
> #cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> cas.authn.ldap[0].type=AUTHENTICATED
> #cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].baseDn=dc=tbitslocal,dc=com
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
>
> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile,ou
> cas.authn.ldap[0].minPoolSize=3
> cas.authn.ldap[0].maxPoolSize=10
> cas.authn.ldap[0].blockWaitTime=PT3S
> #cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].responseTimeout=PT5S
> cas.authn.ldap[0].allowMultipleDns=false
> cas.authn.ldap[0].allowMultipleEntries=false
> cas.authn.ldap[0].followReferrals=false
> cas.authn.ldap[0].name=localhostLDAP
>
> #################LDAP Password Policy##############################
> cas.authn.ldap[0].passwordPolicy.type=GENERIC
> cas.authn.ldap[0].passwordPolicy.enabled=true
>
> cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
> cas.authn.ldap[0].passwordPolicy.loginFailures=5
> #cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
> #cas.authn.ldap[0].passwordPolicy.warningAttributeName=
> cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
> cas.authn.ldap[0].passwordPolicy.warnAll=true
> cas.authn.ldap[0].passwordPolicy.warningDays=1
> cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true
>
>
> #############Properties for LDAP Password Management############
> cas.authn.pm.ldap[0].type=GENERIC
> cas.authn.pm.ldap[0].username-attribute=uid
> cas.authn.pm.ldap[0].ldapUrl=ldap://localhost:389/
> cas.authn.pm.ldap[0].bindDn=uid=admin,ou=system
> cas.authn.pm.ldap[0].bindCredential=xxxx
> cas.authn.pm.ldap[0].poolPassivator=BIND
> cas.authn.pm.ldap[0].connectionStrategy=RANDOM
> cas.authn.pm.ldap[0].connect-timeout=PT5S
>
> #cas.authn.pm.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
> #cas.authn.pm.ldap[0].type=AUTHENTICATED
> #cas.authn.pm.ldap[0].useSsl=false
> cas.authn.pm.ldap[0].useStartTls=false
> cas.authn.pm.ldap[0].baseDn=dc=tbitslocal,dc=com
> cas.authn.pm.ldap[0].subtreeSearch=true
> cas.authn.pm.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
>
> #cas.authn.pm.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile
> cas.authn.pm.ldap[0].minPoolSize=3
> cas.authn.pm.ldap[0].maxPoolSize=10
> cas.authn.pm.ldap[0].blockWaitTime=PT3S
> #cas.authn.pm.ldap[0].useSsl=false
> cas.authn.pm.ldap[0].useStartTls=false
> cas.authn.pm.ldap[0].responseTimeout=PT5S
> cas.authn.pm.ldap[0].allowMultipleDns=false
> cas.authn.pm.ldap[0].allowMultipleEntries=false
> cas.authn.pm.ldap[0].followReferrals=false
> cas.authn.pm.ldap[0].name=localhostLDAP_PM_Feature
>
> #######################
> Some words of advice - to save time
>
> 1. While dealing with LDAP - please test all your settings using the
> command line first before using them for configuration in CAS. Execute the
> basic commands such as "ldapsearch" using your settings - first from the
> command line, to ensure that your connections and values are working -
> before filling in the CAS properties as applicable in your case.
> 2. Please don't blindly copy-paste CAS properties - think and understand what
> you are doing.
> 3. The only constraint that I faced was that at the time of "forgot
> username" or "forgot password" - only a single search query can be
> defined if you integrate with LDAP, as against JDBC, where you
> can define 2 different queries - one for getting the username and another for
> fetching the email address etc. I overcame the above constraint by
> setting username = email, for my use case.
> 4. Before implementing a directory service such as LDAP / ApacheDS - think whether
> you already have access to your LDAP or any other directory service
> internally. All standard directory services will offer you password
> policy features; better use them before introducing new software into
> your organization.
>
> Please feel free to contact me - if you have any further questions.
>
> Best Regards & Best Wishes for New Year 2021!
>
> Ritesh Tripathi
>
> On Thu, Dec 31, 2020 at 8:18 PM Chun-Yao Wang <[email protected]>
> wrote:
>
>> Dear Ritesh Tripathi:
>>
>> I have the same requirement as you.
>> I need to *"Lock user account for 30min after 3 unsuccessful login
>> attempts"*
>> Could you give me more detail about how to configure Apereo CAS +
>> ApacheDS to achieve this requirement?
>> Great Thanks!!
>>
>> On Thursday, November 19, 2020 at 12:45:13 AM UTC+8, Ritesh Tripathi wrote:
>>
>>> Updating this thread so that it may be useful to others:
>>>
>>> A. Started using ApacheDS - https://directory.apache.org/apacheds/ - as the
>>> LDAP server on a Windows machine.
>>> B. Delegated all the password policy constraints to ApacheDS. ApacheDS
>>> can be administered via Apache Directory Studio, and I didn't do any
>>> implementation of custom code for implementing the same thing in JDBC.
>>> C. CAS worked wonderfully with LDAP authentication - including password
>>> update in LDAP at the time of password expiry etc.
>>>
>>> Thank you
>>>
>>> On Monday, 21 September 2020 at 19:57:25 UTC+5:30 [email protected] wrote:
>>>
>>>> I believe that the JDBC password policy settings are in the database
>>>> authentication settings:
>>>>
>>>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#database-authentication
>>>>
>>>> Specifically
>>>>
>>>> # cas.authn.jdbc.query[0].field-expired=
>>>> # cas.authn.jdbc.query[0].field-disabled=
>>>>
>>>> Where both queries determine if an account is expired or disabled.
>>>>
>>>> I am not certain, but I think you need a separate system, other than
>>>> CAS, to expire and disable accounts in JDBC.
>>>>
>>>> *From:* [email protected] <[email protected]> *On Behalf Of *Ritesh
>>>> Tripathi
>>>> *Sent:* Sunday, September 20, 2020 12:50 PM
>>>> *To:* CAS Community <[email protected]>
>>>> *Subject:* [cas-user] Cas 6.2 - Implementation of Custom Password
>>>> Policy for JDBC Authentication
>>>>
>>>> Hello All,
>>>>
>>>> We have a requirement that *"after 5 unsuccessful login attempts - we
>>>> need to lock the account for a day for the said user."*
>>>>
>>>> We are using JDBC authentication.
>>>>
>>>> We were just curious whether anyone has implemented a custom password policy
>>>> using Groovy scripts or some other method for requirements like the above.
>>>>
>>>> The CAS documentation seems to be specific to LDAP and other cases.
>>>> I was not able to get more information on JDBC.
>>>>
>>>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings
>>>>
>>>> Will the Groovy script method given in the above documentation link work
>>>> for JDBC as well? Any comments or pointers on how to implement the above
>>>> and similar requirements?
>>>>
>>>> Best Regards
>>>>
>>>> R
>>>>
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/33d653bb-392c-457e-9d4b-b86785e2b26cn%40apereo.org
>>>>
>>>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6667d78c-601b-4b3a-b038-46cf49b6f38fn%40apereo.org.
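The two requirements in this thread (3 failures / 30 minutes, 5 failures / 1 day) are both expressed through the same draft-behera parameters that Ritesh's "Password Policies" screenshot and the CAS `passwordPolicy.*` properties rely on. The following is an added example written for this page; it is not code from Apereo CAS, ApacheDS or OpenLDAP. It writes the policy entry with the attribute names from draft-behera-ldap-password-policy (which the OpenLDAP ppolicy overlay, relevant to Chun-Yao's setup, uses verbatim) and simulates how the directory applies `pwdMaxFailure`, `pwdLockoutDuration` and `pwdFailureCountInterval` to a sequence of binds. The policy DN, the helper names, the constructed attempt schedules and the exact bind on which the `accountLocked` error is first reported are this example's own assumptions.

```python
"""Lockout behaviour of a draft-behera password policy, simulated.

Added example for this thread; not code from Apereo CAS, ApacheDS or OpenLDAP.
It models the rules draft-behera-ldap-password-policy applies when CAS binds as
the user: pwdMaxFailure failed binds within pwdFailureCountInterval seconds lock
the entry for pwdLockoutDuration seconds.  Helper names, the policy DN and the
moment the accountLocked error is reported are this example's own assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)   # constructed start time


def policy_ldif(name: str, max_failure: int, lockout_seconds: int,
                count_interval: int = 0) -> str:
    """LDIF for a pwdPolicy entry.  The parent 'ou=policies,dc=example,dc=com'
    is an assumed location; pwdPolicy is auxiliary, hence the person class."""
    return "\n".join([
        f"dn: cn={name},ou=policies,dc=example,dc=com",
        "objectClass: person",
        "objectClass: pwdPolicy",
        f"cn: {name}",
        f"sn: {name}",
        "pwdAttribute: userPassword",
        "pwdLockout: TRUE",
        f"pwdMaxFailure: {max_failure}",
        f"pwdLockoutDuration: {lockout_seconds}",      # 0 = until an admin resets
        f"pwdFailureCountInterval: {count_interval}",  # 0 = only a good bind resets
        "",
    ])


@dataclass
class LockoutState:
    """Operational attributes the server keeps on the user entry."""
    max_failure: int
    lockout_seconds: int
    count_interval: int = 0
    pwd_failure_time: List[datetime] = field(default_factory=list)
    pwd_account_locked_time: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        if self.pwd_account_locked_time is None:
            return False
        if self.lockout_seconds == 0:
            return True                       # locked until an administrator clears it
        if now < self.pwd_account_locked_time + timedelta(seconds=self.lockout_seconds):
            return True
        self.pwd_account_locked_time = None   # lockout expired: forget old failures
        self.pwd_failure_time.clear()
        return False

    def bind(self, password_ok: bool, now: datetime) -> str:
        """Outcome of one simple bind: 'success', 'invalidCredentials' or
        'accountLocked' (the behera response control's error value 1).
        Assumption: the locking failure itself is still reported as
        invalidCredentials; every bind during the lockout gets accountLocked."""
        if self.is_locked(now):
            return "accountLocked"
        if self.count_interval:               # drop failures older than the interval
            cutoff = now - timedelta(seconds=self.count_interval)
            self.pwd_failure_time = [t for t in self.pwd_failure_time if t > cutoff]
        if password_ok:
            self.pwd_failure_time.clear()
            return "success"
        self.pwd_failure_time.append(now)
        if len(self.pwd_failure_time) >= self.max_failure:
            self.pwd_account_locked_time = now    # this failure triggers the lock
        return "invalidCredentials"


def simulate(max_failure: int, lockout_seconds: int,
             attempts: List[Tuple[int, bool]], count_interval: int = 0) -> List[str]:
    """Run (seconds_after_T0, password_ok) attempts and return the outcomes."""
    state = LockoutState(max_failure, lockout_seconds, count_interval)
    return [state.bind(ok, T0 + timedelta(seconds=offset)) for offset, ok in attempts]


# Constructed schedule for Chun-Yao's requirement: 3 bad attempts, 30 min lock.
LOCK_30_MIN = [(0, False), (10, False), (20, False),   # third failure locks
               (30, True), (1700, True),               # correct password, still locked
               (1900, True)]                           # 1800 s after the lock: unlocked

# Constructed schedule for Ritesh's requirement: 5 bad attempts, one-day lock.
LOCK_ONE_DAY = [(i, False) for i in range(5)] + [(3600, True), (86400 + 5, True)]

if __name__ == "__main__":
    print(policy_ldif("lock30min", 3, 1800))
    print(simulate(3, 1800, LOCK_30_MIN))
    print(simulate(5, 86400, LOCK_ONE_DAY))
```

Two details worth checking on a real server before relying on CAS's `AccountLockedException` mapping: with `pwdFailureCountInterval` left at 0 a slow attacker who stays one failure below `pwdMaxFailure` never resets the counter except by a successful bind, and with `pwdLockoutDuration` 0 the account stays locked until an administrator deletes `pwdAccountLockedTime`.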
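Ritesh's first piece of advice (prove the connection, bind DN, base and filter with `ldapsearch` before putting them into CAS) is easy to get wrong by hand, because the CAS `searchFilter` contains a `{user}` placeholder that must be substituted safely. The following is an added example written for this page, not Apereo CAS or ldaptive code: it reads the `cas.authn.ldap[0].*` connection lines from the configuration posted above (with the `xxxx` placeholder credential) and produces the equivalent `ldapsearch` command. `parse_properties`, `ldap_filter_escape` and `ldapsearch_argv` are this example's own names; the RFC 4515 escaping is there so that a test username such as `wang)(uid=*` cannot widen the filter you are checking.

```python
"""Turn the cas.authn.ldap[0].* connection properties into an ldapsearch command.

Added example for this thread, not Apereo CAS or ldaptive code.  The
properties below are the connection lines from the posted configuration with
its placeholder credential; the helper names are this example's own.
"""
import shlex
from typing import Dict, List

# Constructed from the properties posted in the thread.
SAMPLE_PROPERTIES = """\
cas.authn.ldap[0].ldapUrl=ldap://localhost:389/
cas.authn.ldap[0].bindDn=uid=admin,ou=system
cas.authn.ldap[0].bindCredential=xxxx
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=tbitslocal,dc=com
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
"""


def parse_properties(text: str, prefix: str = "cas.authn.ldap[0].") -> Dict[str, str]:
    """Collect key=value lines under one prefix; comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(prefix):
            props[key[len(prefix):]] = value.strip()
    return props


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so a
    username such as 'wang)(uid=*' cannot change the filter being tested."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\0" or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def ldapsearch_argv(props: Dict[str, str], user: str) -> List[str]:
    """argv for the equivalent manager-bind search.  -W prompts for the bind
    password instead of exposing bindCredential in the process list via -w."""
    scope = "sub" if props.get("subtreeSearch", "false").lower() == "true" else "one"
    argv = ["ldapsearch", "-x", "-H", props["ldapUrl"], "-D", props["bindDn"], "-W",
            "-b", props["baseDn"], "-s", scope]
    if props.get("useStartTls", "false").lower() == "true":
        argv.append("-ZZ")                 # require StartTLS; never fall back to cleartext
    argv.append(props["searchFilter"].replace("{user}", ldap_filter_escape(user)))
    return argv


def ldapsearch_command(props: Dict[str, str], user: str) -> str:
    """Shell-quoted command line ready to paste into a terminal."""
    return shlex.join(ldapsearch_argv(props, user))


if __name__ == "__main__":
    print(ldapsearch_command(parse_properties(SAMPLE_PROPERTIES), "chunyao"))
```

Run the printed command once with a valid uid (expect exactly one entry, since `allowMultipleEntries=false` in the posted configuration) and once with a non-existent uid (expect `numEntries` absent) before enabling the policy in CAS; if `useStartTls` is ever set to true in the properties, the `-ZZ` flag makes the manual test fail loudly when the server cannot negotiate TLS rather than silently sending the manager password in cleartext.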