CAS doesn't use the LDAP authentication module from Spring security, it uses
the Spring LDAP package (
http://static.springsource.org/spring-ldap/docs/1.3.x/apidocs/) which
doesn't support the password policy additions to LDAP - that's why I had to
just look at the error code from the LDAP login.  The detailed error message
is not getting passed up to the CAS server, but I'm not sure why it would
work for Sun DS and Active Directory and not OpenLDAP.  I'll take a closer
look at the Spring LDAP and see if I can figure anything out.

-Eric


On Tue, Aug 3, 2010 at 11:27 AM, Jamie L Sammons <[email protected]> wrote:

> In the case with OpenLDAP I do believe it is related to how the error code
> is retrieved from the server using the -e ppolicy general extension.  I
> believe it's the same issue as seen here in this forum:
> http://forums.sun.com/thread.jspa?threadID=699511
>
> Since CAS 3.4 now uses Spring Security 3.0 maybe it's something that
> org.springframework.security.ldap.ppolicy:
> http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/ldap/ppolicy/package-summary.html
> can help with.
>
> Thank you,
> Jamie Sammons
>
>
>
> From: Raymond D Walker <[email protected]>
> To: [email protected]
> Date: 08/03/2010 09:35 AM
> Subject: Re: [cas-user] LDAP Password Policy module problems
> ------------------------------
>
>
>
> Jamie,
>
> We are using Sun Java Directory Server Enterprise Edition 6.3.1
>
> We did not have issues with LDAP messages in the 3.3.5 version of
> cas-server-support-ldap-pwd-expiration but are experiencing what I believe
> to be similar issues to what you describe in the 3.4.2 version.
>
> Raymond Walker
> Software Systems Engineer Sr.
> ITS Northern Arizona University
> [email protected]
> Phone 928-523-0334
>
> On Aug 2, 2010, at 4:50 PM, Jamie L Sammons wrote:
>
> > Raymond,
> >
> > Are you using OpenLDAP?  Just curious if you had gotten that far with it
> as I'm not able to do so yet.
> >
> > Thank you,
> > Jamie Sammons
> >
> >
> > From: Raymond D Walker <[email protected]>
> > To: [email protected]
> > Date: 08/02/2010 06:43 PM
> > Subject: Re: [cas-user] LDAP Password Policy module problems
> >
> >
> >
> >
> > Eric,
> >
> > Yep... I see the BindLdapAuthenticationHandler throwing, and the
> > AuthenticationViaFormAction catching it... and eventually hitting:
> >
> > if (e.getCode().equals(ExpiredPasswordException.EXPIRED_PASSWORD_CODE)) {
> >     return "showExpiredPassView";
> > }
> >
> > but the spring webflow never triggers correctly... so for the time being
> > I had to modify it to explicitly do something when encountering an expired
> > password...
> >
> > <action-state id="realSubmit">
> >     <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
> >     <transition on="showExpiredPassView" to="PasswordExpiredCheck" />
> >     <transition on="warn" to="warn" />
> >     <transition on="success" to="sendTicketGrantingTicket" />
> >     <transition on="error" to="viewLoginForm" />
> > </action-state>
> >
> > In our case, I fire off another action in the "PasswordExpiredCheck"
> > state to do some more checking on the user to supply a customized URL for
> > our password change webapp... and eventually get to the
> > "showExpiredPassView" end state. I'm guessing one could as easily transition
> > to "showExpiredPassView" instead.
> >
> > Something is definitely up with how the spring webflow is setup... the
> > new version of spring is still "new to me" so pardon any mis-wording, etc.
> >
> >
> > Raymond Walker
> > Software Systems Engineer Sr.
> > ITS Northern Arizona University
> > [email protected]
> > On Aug 2, 2010, at 7:18 AM, Eric Pierce wrote:
> >
> > > Are you sure you're using the BindLdapAuthenticationHandler included
> > > with the ldap-pwd-expiration module?  It compares the result to a
> > > Regular Expression that should catch 'Password expired' and throws a
> > > custom exception (ExpiredPasswordException)
> > >
> > > -Eric
> > >
> > > On 8/1/10, Jamie Sammons <[email protected]> wrote:
> > >> I have also tried this with CAS 3.4.2.1 and
> > >> cas-server-support-ldap-pwd-expiration-3.4.2 and it appears to do the
> > >> same thing.
> > >>
> > >> It still seems like the LDAP error messages aren't making their way up
> > >> through the application for some reason.
> > >> --
> > >> You are currently subscribed to [email protected] as:
> [email protected]
> > >> To unsubscribe, change settings or access archives, see
> > >> http://www.ja-sig.org/wiki/display/JSG/cas-user
> > >>
> > >
> > >
> > > --
> > > Eric Pierce
> > > Identity Management Architect
> > > Information Technology
> > > University of South Florida
> > > (813) 974-8868 -- [email protected]
> > >
> >
> >
> >
> >
>


-- 
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
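The thread's core problem is that the three directories surface a password-policy failure differently: Sun DS and Active Directory put the reason into the bind's diagnostic message text (which a regex can catch), while OpenLDAP with the ppolicy overlay returns it in the Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) and often leaves the text as a bare "Invalid Credentials". The class below is an added example, not CAS or Spring code, that classifies a failed bind from both sources: it checks the text first and falls back to decoding the control's BER-encoded `error` field. The regex is my own, not the one in the ldap-pwd-expiration module; the Active Directory `data` codes (hex 532, 773, 775) are documented Windows error codes; all sample messages and control bytes are constructed; and how the raw control bytes are obtained from the bind response is left to the caller, since that depends on the LDAP client library in use.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not CAS / Spring code): classify a failed LDAP simple bind
 * from either the diagnostic message text or the Password Policy response
 * control (draft-behera-ldap-password-policy). The caller is assumed to
 * supply the control's raw value bytes when the server sent one.
 */
public final class LdapBindFailureClassifier {

    public static final String PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    // Values of the control's 'error' ENUMERATED field (draft-behera).
    public static final int PPOLICY_PASSWORD_EXPIRED = 0;
    public static final int PPOLICY_ACCOUNT_LOCKED = 1;
    public static final int PPOLICY_CHANGE_AFTER_RESET = 2;

    public enum Outcome { EXPIRED_PASSWORD, ACCOUNT_LOCKED, MUST_CHANGE_PASSWORD, BAD_CREDENTIALS }

    // Sun DS and similar servers spell the reason out in the diagnostic text.
    private static final Pattern EXPIRED_TEXT =
        Pattern.compile("password (has )?expired", Pattern.CASE_INSENSITIVE);
    // Active Directory encodes the reason as "data <hex>" inside the diagnostic text.
    private static final Pattern AD_DATA = Pattern.compile("\\bdata (\\p{XDigit}+)\\b");

    /** Classify from the diagnostic text alone; null when the text is inconclusive. */
    public static Outcome classifyMessage(String diagnostic) {
        if (diagnostic == null) return null;
        if (EXPIRED_TEXT.matcher(diagnostic).find()) return Outcome.EXPIRED_PASSWORD;
        Matcher m = AD_DATA.matcher(diagnostic);
        if (m.find()) {
            switch (Integer.parseInt(m.group(1), 16)) {
                case 0x532: return Outcome.EXPIRED_PASSWORD;      // ERROR_PASSWORD_EXPIRED
                case 0x773: return Outcome.MUST_CHANGE_PASSWORD;  // ERROR_PASSWORD_MUST_CHANGE
                case 0x775: return Outcome.ACCOUNT_LOCKED;        // ERROR_ACCOUNT_LOCKED_OUT
                default:    return null;
            }
        }
        return null;
    }

    /**
     * Decode the 'error' field of PasswordPolicyResponseValue ::= SEQUENCE {
     *   warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
     *                        graceAuthNsRemaining [1] INTEGER } OPTIONAL,
     *   error   [1] ENUMERATED OPTIONAL }
     * Returns the enumerated error, or -1 when the control carries no error.
     * Control values are a handful of bytes, so only short-form BER lengths are handled.
     */
    public static int ppolicyError(byte[] value) {
        if (value == null || value.length < 2 || (value[0] & 0xFF) != 0x30) {
            throw new IllegalArgumentException("not a BER SEQUENCE");
        }
        int pos = 1;
        int seqLen = value[pos++] & 0xFF;
        if (seqLen > 0x7F || pos + seqLen > value.length) {
            throw new IllegalArgumentException("bad SEQUENCE length");
        }
        int end = pos + seqLen;
        while (pos + 2 <= end) {
            int tag = value[pos++] & 0xFF;
            int len = value[pos++] & 0xFF;
            if (len > 0x7F || pos + len > end) throw new IllegalArgumentException("bad element length");
            if (tag == 0x81) {                         // [1] error, primitive ENUMERATED
                int err = 0;
                for (int i = 0; i < len; i++) err = (err << 8) | (value[pos + i] & 0xFF);
                return err;
            }
            pos += len;                                // skip [0] warning (0xA0) or unknown elements
        }
        return -1;
    }

    /** Text first (Sun DS, AD), then the control (OpenLDAP ppolicy), else plain bad credentials. */
    public static Outcome classify(String diagnostic, byte[] ppolicyControlValue) {
        Outcome fromText = classifyMessage(diagnostic);
        if (fromText != null) return fromText;
        if (ppolicyControlValue != null) {
            switch (ppolicyError(ppolicyControlValue)) {
                case PPOLICY_PASSWORD_EXPIRED:   return Outcome.EXPIRED_PASSWORD;
                case PPOLICY_ACCOUNT_LOCKED:     return Outcome.ACCOUNT_LOCKED;
                case PPOLICY_CHANGE_AFTER_RESET: return Outcome.MUST_CHANGE_PASSWORD;
                default: break;
            }
        }
        return Outcome.BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of these were captured from a real server.
        String sunDs = "[LDAP: error code 49 - Password expired]";
        String ad = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
                  + "AcceptSecurityContext error, data 532, v1db1]";
        String generic = "[LDAP: error code 49 - Invalid Credentials]";
        // OpenLDAP-style control value: SEQUENCE { warning { graceAuthNsRemaining 2 }, error passwordExpired }
        byte[] openLdap = {0x30, 0x08, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x02, (byte) 0x81, 0x01, 0x00};

        System.out.println("Sun DS   -> " + classify(sunDs, null));      // EXPIRED_PASSWORD
        System.out.println("AD       -> " + classify(ad, null));         // EXPIRED_PASSWORD
        System.out.println("OpenLDAP -> " + classify(generic, openLdap)); // EXPIRED_PASSWORD
        System.out.println("Unknown  -> " + classify(generic, null));    // BAD_CREDENTIALS
    }
}
```

The `Outcome` is the only thing the webflow needs in order to pick a transition such as `showExpiredPassView`; the raw diagnostic text and control bytes belong in the server log, not in anything rendered back to the browser, since they reveal which accounts exist and what state they are in.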
