Thank you,
Jamie Sammons
| From: | Eric Pierce <[email protected]> |
| To: | [email protected] |
| Date: | 08/03/2010 01:22 PM |
| Subject: | Re: [cas-user] LDAP Password Policy module problems |
| Sent by: | [email protected] |
CAS doesn't use the LDAP authentication module from Spring Security, it uses the Spring LDAP package (http://static.springsource.org/spring-ldap/docs/1.3.x/apidocs/) which doesn't support the password policy additions to LDAP - that's why I had to just look at the error code from the LDAP login. The detailed error message is not getting passed up to the CAS server, but I'm not sure why it would work for Sun DS and Active Directory and not OpenLDAP. I'll take a closer look at the Spring LDAP and see if I can figure anything out.
-Eric
On Tue, Aug 3, 2010 at 11:27 AM, Jamie L Sammons <[email protected]> wrote:
In the case with OpenLDAP I do believe it is related to how the error code is retrieved from the server using the -e ppolicy general extension. I believe it's the same issue as seen here in this forum: http://forums.sun.com/thread.jspa?threadID=699511
Since CAS 3.4 now uses Spring Security 3.0, maybe it's something that org.springframework.security.ldap.ppolicy: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/ldap/ppolicy/package-summary.html can help with.
Thank you,
Jamie Sammons
| From: | Raymond D Walker <[email protected]> |
| To: | [email protected] |
| Date: | 08/03/2010 09:35 AM |
| Subject: | Re: [cas-user] LDAP Password Policy module problems |
Jamie,
We are using Sun Java Directory Server Enterprise Edition 6.3.1.
We did not have issues with LDAP messages in the 3.3.5 version of cas-server-support-ldap-pwd-expiration but are experiencing what I believe to be similar issues to what you describe in the 3.4.2 version.
Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
[email protected]
Phone 928-523-0334
On Aug 2, 2010, at 4:50 PM, Jamie L Sammons wrote:
> Raymond,
>
> Are you using OpenLDAP? Just curious if you had gotten that far with it as I'm not able to do so yet.
>
> Thank you,
> Jamie Sammons
>
> From: Raymond D Walker <[email protected]>
> To: [email protected]
> Date: 08/02/2010 06:43 PM
> Subject: Re: [cas-user] LDAP Password Policy module problems
>
> Eric,
>
> Yep... I see the BindLdapAuthenticationHandler throwing, and the AuthenticationViaFormAction catching it... and eventually
> hitting:
>
> if (e.getCode().equals(ExpiredPasswordException.EXPIRED_PASSWORD_CODE)) {
>     return "showExpiredPassView";
> }
>
> but the spring webflow never triggers correctly... so for the time being I had to modify it to explicitly do something when encountering an expired password...
>
> <action-state id="realSubmit">
>     <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)" />
>     <transition on="showExpiredPassView" to="PasswordExpiredCheck" />
>     <transition on="warn" to="warn" />
>     <transition on="success" to="sendTicketGrantingTicket" />
>     <transition on="error" to="viewLoginForm" />
> </action-state>
>
> In our case, I fire off another action in the "PasswordExpiredCheck" state to do some more checking on the user to supply a customized URL for our password change webapp... and eventually get to the "showExpiredPassView" end state. I'm guessing one could as easily transition to "showExpiredPassView" instead.
>
> Something is definitely up with how the spring webflow is setup... the new version of spring is still "new to me" so pardon any mis-wording, etc.
>
> Raymond Walker
> Software Systems Engineer Sr.
> ITS Northern Arizona University
> [email protected]
> On Aug 2, 2010, at 7:18 AM, Eric Pierce wrote:
>
> > Are you sure you're using the BindLdapAuthenticationHandler included
> > with the ldap-pwd-expiration module? It compares the result to a
> > regular expression that should catch 'Password expired' and throws a
> > custom exception (ExpiredPasswordException)
> >
> > -Eric
> >
> > On 8/1/10, Jamie Sammons <[email protected]> wrote:
> >> I have also tried this with CAS 3.4.2.1 and
> >> cas-server-support-ldap-pwd-expiration-3.4.2 and it appears to do the same
> >> thing.
> >>
> >> It still seems like the LDAP error messages aren't making their way up
> >> through the application for some reason.
> >> --
> >> You are currently subscribed to [email protected] as: [email protected]
> >> To unsubscribe, change settings or access archives, see
> >> http://www.ja-sig.org/wiki/display/JSG/cas-user
> >
> > --
> > Eric Pierce
> > Identity Management Architect
> > Information Technology
> > University of South Florida
> > (813) 974-8868 -- [email protected]
> >
--
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
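An added example, not CAS, Spring LDAP or Spring Security code, that makes the distinction Eric and Jamie are circling concrete: Active Directory and Sun DS put the expiry reason in the bind diagnostic text where the handler's regex can see it, while OpenLDAP's ppolicy overlay only returns plain invalidCredentials (49) and signals "password expired" in the password policy response control, which the server sends only if the client attached the ppolicy request control (what ldapsearch's -e ppolicy does). The class name, the sample diagnostic string and the control bytes are constructed; the control OID and the error value layout come from draft-behera-ldap-password-policy.

```java
import java.util.regex.Pattern;

public class BindFailureClassifier {
    /** Password policy response control OID (draft-behera-ldap-password-policy). */
    public static final String PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1";
    /** Text a message regex can catch: the 'Password expired' wording, or AD's "data 532" sub-code. */
    private static final Pattern EXPIRED_TEXT = Pattern.compile("(?i)password expired|data 532");
    private static final int INVALID_CREDENTIALS = 49;

    /**
     * Decode the optional error field of PasswordPolicyResponseValue ::= SEQUENCE {
     * warning [0] CHOICE {...} OPTIONAL, error [1] ENUMERATED OPTIONAL }; 0 = passwordExpired.
     * Short-form BER lengths are assumed (the value is a few bytes). Returns -1 if no error field.
     */
    public static int ppolicyError(byte[] value) {
        if (value == null || value.length < 2 || (value[0] & 0xff) != 0x30) return -1;
        int pos = 2;                                          // past the SEQUENCE tag and length
        while (pos + 2 < value.length) {
            int tag = value[pos] & 0xff, len = value[pos + 1] & 0xff;
            if (tag == 0x81 && len == 1) return value[pos + 2] & 0xff;  // [1] error ENUMERATED
            pos += 2 + len;                                   // skip warning [0] or anything else
        }
        return -1;
    }

    /** Event id for the realSubmit action-state: "showExpiredPassView" or "error". */
    public static String classify(int resultCode, String diagnostic, byte[] ppolicyValue) {
        if (resultCode != INVALID_CREDENTIALS) return "error";
        if (ppolicyError(ppolicyValue) == 0) return "showExpiredPassView";   // OpenLDAP: control
        if (diagnostic != null && EXPIRED_TEXT.matcher(diagnostic).find()) {
            return "showExpiredPassView";                                     // AD / Sun DS: text
        }
        return "error";      // OpenLDAP bind without the control lands here: code 49 and nothing else
    }

    public static void main(String[] args) {
        // Constructed samples: an AD-style diagnostic, and an OpenLDAP control value
        // encoding SEQUENCE { error passwordExpired(0) } as 30 03 81 01 00.
        String adDiag = "AcceptSecurityContext error, data 532, v1db1";
        byte[] openLdapCtl = {0x30, 0x03, (byte) 0x81, 0x01, 0x00};
        System.out.println("AD text:            " + classify(49, adDiag, null));
        System.out.println("OpenLDAP, no ctl:   " + classify(49, "", null));
        System.out.println("OpenLDAP, with ctl: " + classify(49, "", openLdapCtl));
    }
}
```

The middle case is the one this thread describes: without the request control the OpenLDAP bind carries nothing for a message regex to match, so the flow falls through to "error" instead of "showExpiredPassView".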
