With OpenLDAP, you'll need to use the ppolicy overlay (http://linux.die.net/man/5/slapo-ppolicy) to enforce password policies at the server level. The purpose of the CAS module wasn't to enforce the policies, I just wanted to give the user more information about why the server denied their login. To have CAS enforce the expiration date, take a look at the work that Bart Ophelders & Johan Peeters did here: http://www.ja-sig.org/wiki/display/CAS/Expired+Password+Integration
You should still be seeing an LDAP search and log messages when you log in even without the ppolicy overlay. Can you send a copy of your login-webflow.xml? There must be some problem there.

-Eric

Eric Pierce, RHCE -- University of South Florida -- (813) 974-8868 -- [email protected]

On Wed, May 6, 2009 at 11:31 AM, Marco Panella <[email protected]> wrote:

> On Wed, 06 May 2009 10:21:09 -0400, Eric Pierce wrote
>
> > How are you testing the login? Are you just going directly to the CAS login
> > page or using a CAS-protected service that directs you to the login page? The
> > warning won't come up if you just go to the CAS login page and don't specify a
> > service because PasswordWarningCheck isn't run until after the TGT and Service
> > Ticket are generated.
>
> I did not understand that, so I tried with http://127.0.0.1/cas/login.
>
> Now, I get this in catalina.out:
> 2009-05-06 16:53:47,557 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Search Filter: 'mail=%u'>
> 2009-05-06 16:53:47,557 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Expire Date Attribute: 'shadowexpire'>
> 2009-05-06 16:53:47,557 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Warning Days Attribute: 'shadowwarning'>
> 2009-05-06 16:53:47,558 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Default Warning Days: '20'>
> 2009-05-06 16:53:47,558 INFO [org.jasig.cas.adaptors.ldap.LdapPasswordWarningCheck] - <Date format: 'openldap'>
>
> > Have you tried logging in with an account that is expired or locked? Do you
> > get the error pages or a generic "password incorrect" message?
>
> Yes, the account I use is expired (shadowExpire = 13000; 5th Aug 2005).
>
> I cannot see any search on the LDAP server about shadow parameters of the
> account I use.
>
> Since we use OpenLDAP, we have to modify LdapPasswordWarningCheck.java.
> When dateFormat == 'openldap' the expire date of the account will be set as
> days from 1970-01-01 and the expire date of the password will be set as
> shadowlastchange (days from 1970-01-01 of the last change) plus shadowMax
> days.
>
> Now I am trying again with http://127.0.0.1:8080/cas/login?service=<some service>.
>
> I am granted a service ticket and redirected to the service without checking
> account expiration.
>
> Thank you for your help
> Marco Panella
>
> --
> Universita' degli Studi di Parma (http://www.unipr.it)
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
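As an added illustration of the shadow-attribute arithmetic Marco describes above (this is example code written for this thread, not CAS's LdapPasswordWarningCheck or either poster's code): shadowExpire is a day count since 1970-01-01, the password expiry is shadowLastChange + shadowMax, and shadowWarning (default 20 days, as in the log above) decides whether a warning is due. It assumes the shadow(5) convention that an account is expired once today reaches shadowExpire and a password once today passes its expiry day; attribute names are matched case-insensitively because LDAP treats them that way.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
DEFAULT_WARNING_DAYS = 20   # the "Default Warning Days: '20'" value from the log


def shadow_days_to_date(days: int) -> date:
    """A shadow* attribute is a day count since 1970-01-01 (e.g. 13000 -> 2005-08-05)."""
    return EPOCH + timedelta(days=days)


def _shadow_int(attrs: Dict[str, str], name: str) -> Optional[int]:
    """Read one shadow attribute; missing, empty or negative means 'not set'."""
    raw = attrs.get(name.lower())
    if raw is None or raw == "":
        return None
    value = int(raw)
    return value if value >= 0 else None


@dataclass
class ShadowStatus:
    account_expired: bool
    password_expired: bool
    days_until_password_expiry: Optional[int]   # None when shadowMax is not set
    warn: bool                                  # a warning should be shown to the user


def check_shadow(attrs: Dict[str, str], today: date) -> ShadowStatus:
    """Evaluate shadowAccount attributes (string values as returned by LDAP)."""
    attrs = {k.lower(): v for k, v in attrs.items()}   # LDAP attribute names are case-insensitive
    today_days = (today - EPOCH).days

    # Account expiry: shadowExpire is an absolute day number (assumed: expired when reached).
    expire = _shadow_int(attrs, "shadowExpire")
    account_expired = expire is not None and today_days >= expire

    # Password expiry: last change day plus the maximum password age in days.
    last_change = _shadow_int(attrs, "shadowLastChange")
    max_age = _shadow_int(attrs, "shadowMax")
    days_left = None
    if last_change is not None and max_age is not None:
        days_left = last_change + max_age - today_days
    password_expired = days_left is not None and days_left < 0

    # Warn when the password expires within shadowWarning days (default 20).
    warning = _shadow_int(attrs, "shadowWarning")
    if warning is None:
        warning = DEFAULT_WARNING_DAYS
    warn = not account_expired and days_left is not None and 0 <= days_left <= warning
    return ShadowStatus(account_expired, password_expired, days_left, warn)
```

Run against Marco's account (shadowExpire = 13000) with today = 2009-05-06, check_shadow reports account_expired, which is the case the CAS check should surface instead of issuing a service ticket.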
