On 21/08/2012 18:29, Misagh Moayyed wrote:
- 2 messages are missing from all messages_xx.properties: screen.accountlocked.heading & screen.accountlocked.message

Please see https://issues.jasig.org/browse/CAS-1126
Oops, I searched in the list but not in JIRA, sorry :-)

- I always get "WARN [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer]"

I do agree that the error message you receive is confusing and in fact
incorrect. (There is no 'enabled' property). The issue you describe though
has to do with the fact that the userid cannot be located in the ldap
instance. My initial suspicion is that your context source may be different
for the LPPE bean than what it is for the authN bean.
The exception raised is a java.lang.NullPointerException at javax.naming.directory.BasicAttributes.get(BasicAttributes.java:144), indicating that the user has not been found, although my context source is my searchContextSource, also used by the AuthN bean (the AuthN bean also uses another context source).

This morning, I've uncommented these two lines from bean ldapPasswordPolicyEnforcer:

<property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" />
<property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" />


And now it seems to work?? Very odd, I have to query non-existent attributes to get it working.

With these 2 lines commented, I get:

DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Checking account status for password...
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Retrieving number of days to password expiration date for user testpm
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Starting search with searchFilter: (sAMAccountName=testpm)
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Returning attributes pwdlastset:
ERROR [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - java.lang.NullPointerException
...
WARN [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No entry was found for user testpm. Verify your LPPE settings. If you are not using LPPE, set the 'enabled' property to false. Password policy enforcement is currently turned on but not configured.
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Skipping all password policy checks...
...

And when they're uncommented, I get:

DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Checking account status for password...
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Retrieving number of days to password expiration date for user testpm
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Starting search with searchFilter: (sAMAccountName=testpm)
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Returning attributes pwdlastset:passwordwarningdays:maxPwdAge:
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No warning days value is found for testpm. Using system default of 30
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No maximum password valid days found for testpm. Using system default of 90 days
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Recalculated AD pwdlastset attribute to 2012-08-21T13:14:19.000Z
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Retrieved date value 2012-08-21T13:14:19.000Z for date attribute pwdlastset and added 90 days. The final expiration date is 2012-11-19T13:14:19.000Z
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Calculating number of days left to the expiration date for user testpm
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Current date is 2012-08-22T07:17:12.621Z
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Expiration date is 2012-11-19T13:14:19.000Z
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Warning period begins on 2012-10-20T13:14:19.000Z
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Password is not expiring. 89 days left to the warning
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Password for testpm is not expiring
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Switching to flow event id success for user testpm

So it's the expected behavior :-)

Regards.


record, there is no attribute like warningDaysAttribute nor
validDaysAttribute.

The configuration allows you to set defaults, in case no attributes are
available. See "warningDays" and "validDays".

A sample configuration of LPPE:
https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/unused-spring-configuration/lppe-configuration.xml

Planned LPPE improvements:
https://issues.jasig.org/browse/CAS-1121

Regards,

-Misagh


-----Original Message-----
From: Philippe MARASSE [mailto:[email protected]]
Sent: Tuesday, August 21, 2012 8:47 AM
To: [email protected]
Subject: [cas-user] Some issues with CAS LPPE

Hello,

I'm testing the new implementation of LPPE provided with CAS 3.5.0. I've followed the LPPE Wiki page but I ran into a few issues:

    - 2 messages are missing from all messages_xx.properties: screen.accountlocked.heading & screen.accountlocked.message referenced in /WEB-INF/view/jsp/default/ui/casAccountLockedView.jsp (should I open a JIRA for that?)

    - I always get "WARN [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No entry was found for user testpm. Verify your LPPE settings. If you are not using LPPE, set the 'enabled' property to false. Password policy enforcement is currently turned on but not configured."

Although the very same query is done by the authentication handler successfully??

from lppe-configuration.xml:
      <bean id="ldapPasswordPolicyEnforcer"
            class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer">
        <property name="searchBase" value="${ldap.baseDn}" />
        <property name="contextSource" ref="searchContextSource" />
        <property name="filter" value="${ldap.filter}" />
        <property name="ignorePartialResultException" value="yes" />
        <property name="warnAll" value="${ldap.authentication.lppe.warnAll}" />
        <property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" />
        <property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" />
<!--    <property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" />
        <property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" />  -->
        <property name="warningDays" value="${ldap.authentication.lppe.warningDays}" />
        <property name="validDays" value="${ldap.authentication.lppe.validDays}" />
        <property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" />
        <property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" />
      </bean>

<bean id="lppeEnabledLdapAuthenticationHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
      p:filter="${ldap.filter}"
      p:searchBase="${ldap.baseDn}"
      p:contextSource-ref="authContextSource"
      p:searchContextSource-ref="searchContextSource"
      p:ignorePartialResultException="yes" />

my old ldap authentication handler was:
<bean id="ldapHandler"
      class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
      p:searchContextSource-ref="searchContextSource"
      p:contextSource-ref="authContextSource"
      p:filter="${ldap.filter}"
      p:searchBase="${ldap.baseDn}"
      p:ignorePartialResultException="yes" />

The only attribute I can rely upon is pwdLastSet, as with Active Directory, in the user record, there is no attribute like warningDaysAttribute nor validDaysAttribute.

The target installation will be:
   - 2xCAS servers on Tomcat 7.0 with HA & EhCache Ticket Registries
   - Active Directory 2008R2 as authentication source (kerberos + ldap) and attributes source
   - Actual "temporary" authentication schemes:
       - internal clients: X509 / SPNEGO / Login/Password
       - external clients: X509 / Login/Password

Can anyone help me to solve this issue?
Thanks.

--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19




--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
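Worked example of the date arithmetic the LPPE log above shows, added here as illustration and not code from CAS or from anyone in the thread: an AD pwdLastSet tick count is converted to a date and the validDays/warningDays defaults of 90 and 30 are applied, since AD carries no per-user attributes for them. The tick value and clock are constructed to reproduce the dates in the log; note that the "89 days" the log reports is the distance to the expiration date, while the warning window itself opens 59 days out.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks
# counted from 1601-01-01T00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not read from a directory): the tick count for
# 2012-08-21T13:14:19Z, i.e. the recalculated pwdlastset in the log, and the
# clock time the log printed as "Current date".
SAMPLE_PWDLASTSET = 129900284590000000
SAMPLE_NOW = datetime(2012, 8, 22, 7, 17, 12, 621000, tzinfo=timezone.utc)


def pwdlastset_to_datetime(pwd_last_set: int) -> datetime:
    """Convert an AD pwdLastSet tick count to a UTC datetime.

    A value of 0 means "must change password at next logon" and carries no
    date, so it is rejected instead of being silently mapped to 1601.
    """
    if pwd_last_set <= 0:
        raise ValueError("pwdLastSet is 0/unset: no last-set date available")
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)


def datetime_to_pwdlastset(dt: datetime) -> int:
    """Inverse of pwdlastset_to_datetime (handy for building test data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_status(pwd_last_set: int, now: datetime,
                    valid_days: int = 90, warning_days: int = 30) -> dict:
    """Apply the LPPE defaults (validDays / warningDays) to pwdLastSet.

    Returns the expiration date, the start of the warning window and the
    whole days remaining to each, so a caller can decide whether to warn.
    """
    last_set = pwdlastset_to_datetime(pwd_last_set)
    expiration = last_set + timedelta(days=valid_days)
    warning_begins = expiration - timedelta(days=warning_days)
    if now >= expiration:
        state = "expired"
    elif now >= warning_begins:
        state = "warn"
    else:
        state = "ok"
    return {
        "state": state,
        "expiration": expiration,
        "warning_begins": warning_begins,
        "days_to_expiration": (expiration - now).days,
        "days_to_warning": (warning_begins - now).days,
    }
```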

