If you're using Active Directory, specify the dateFormat as such. The code should automatically check for accounts that are set to never expire with AD. OpenLDAP and others, I don't think the support is there, other than setting noWarn attributes.
-Misagh

> -----Original Message-----
> From: Philippe MARASSE [mailto:[email protected]]
> Sent: Friday, August 24, 2012 7:26 AM
> To: [email protected]
> Subject: [cas-user] LPPE : handling accounts with "password never expires"
>
> Hello,
>
> I was about to put my LPPE enabled CAS 3.5 into production when I tested a
> login with an account which has "Password never expires": access is refused!
> From my server log:
>
> 2012-08-24 15:07:57,903 ERROR
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] -
> Authentication failed because account password has expired with -831 to
> expiration date.
> Verify the value of the pwdlastset attribute and make sure it's not before
> the current date, which is 2012-08-24T13:07:57.890Z
> :Authentication failed because account password has expired with -831 to
> expiration date.
> Verify the value of the pwdlastset attribute and make sure it's not before
> the current date, which is 2012-08-24T13:07:57.890Z
>
> Of course computed date is before today... because "password does not expire"
> flag is set for this account.
>
> I've found a noWarnAttribute property for LdapPasswordPolicyEnforcer but it
> does not fit well with userAccountControl AD attribute (bitmask, the 16th bit
> means "password does not expire"). If I would use it as noWarnAttribute, I'll
> have to provide all possible values which is nearly impossible.
>
> How can I handle this case?
> Thanks.
> Regards.
>
> --
> Philippe MARASSE
>
> Service Informatique - Centre Hospitalier Henri Laborit
> BP 587 - 370 avenue Jacques Coeur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
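The bitmask test discussed in this thread, as an added example that is not part of the original messages and is not CAS code: it masks userAccountControl against the DONT_EXPIRE_PASSWD flag (0x10000) before doing any date arithmetic on pwdLastSet, so no list of exact attribute values is needed. The class name, the 90-day maximum age and all sample attribute values are assumptions constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.OptionalLong;

// Hypothetical helper, not part of CAS.
public class AdPasswordExpiryCheck {
    // ADS_UF_DONT_EXPIRE_PASSWD flag in userAccountControl ("password never expires").
    static final long DONT_EXPIRE_PASSWD = 0x10000L;
    // Seconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch.
    static final long FILETIME_EPOCH_OFFSET_SECONDS = 11_644_473_600L;

    /** True when the flag bit is set, whatever other flags are present. */
    static boolean neverExpires(String userAccountControl) {
        return (Long.parseLong(userAccountControl.trim()) & DONT_EXPIRE_PASSWD) != 0;
    }

    /** Converts pwdLastSet (100-nanosecond ticks since 1601-01-01 UTC) to an Instant. */
    static Instant fromFileTime(String pwdLastSet) {
        long ticks = Long.parseLong(pwdLastSet.trim());
        long seconds = ticks / 10_000_000L - FILETIME_EPOCH_OFFSET_SECONDS;
        return Instant.ofEpochSecond(seconds, (ticks % 10_000_000L) * 100L);
    }

    /** Empty when the account is exempt; otherwise days left (negative once expired). */
    static OptionalLong daysToExpiration(String uac, String pwdLastSet,
                                         int maxAgeDays, Instant now) {
        if (neverExpires(uac)) {
            return OptionalLong.empty(); // exempt: skip the date arithmetic entirely
        }
        Instant expires = fromFileTime(pwdLastSet).plus(Duration.ofDays(maxAgeDays));
        return OptionalLong.of(Duration.between(now, expires).toDays());
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2012-08-24T13:07:57Z");
        String pwdLastSet = "129067776000000000"; // constructed: 2010-01-01T00:00:00Z
        // Constructed userAccountControl values: 512 = normal account,
        // 66048 = 512 + 65536 (never expires), 66050 = 66048 + 2 (also disabled).
        for (String uac : new String[] {"512", "66048", "66050"}) {
            OptionalLong days = daysToExpiration(uac, pwdLastSet, 90, now);
            System.out.println("userAccountControl=" + uac + " -> "
                + (days.isPresent() ? days.getAsLong() + " days to expiration"
                                    : "never expires"));
        }
    }
}
```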
