Yes, we're using Active Directory, and dateFormat is set as "AD"; spring beans lppe-configuration.xml has been used unmodified. But I don't understand how the check for "password does not expire" is done. A value seems to be compared to 2^63-1 but, as far as I remember, one needs to fetch the userAccessControl AD attribute, and the never expire bit is 2^16.

Rgds.
Philippe.


On 24/08/2012 18:21, Misagh Moayyed wrote:
If you're using Active Directory, specify the dateFormat as such. The code
should automatically check for accounts that are set to never expire with
AD. OpenLdap and others, I don't think the support is there, other than
setting noWarn attributes.

-Misagh



-----Original Message-----
From: Philippe MARASSE [mailto:[email protected]]
Sent: Friday, August 24, 2012 7:26 AM
To: [email protected]
Subject: [cas-user] LPPE : handling accounts with "password never expires"

Hello,

I was about to put my LPPE enabled CAS 3.5 into production when I tested a login with an account which has "Password never expires": access is refused! From my server log:

2012-08-24 15:07:57,903 ERROR [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Authentication failed because account password has expired with -831 to expiration date. Verify the value of the pwdlastset attribute and make sure it's not before the current date, which is 2012-08-24T13:07:57.890Z
:Authentication failed because account password has expired with -831 to expiration date. Verify the value of the pwdlastset attribute and make sure it's not before the current date, which is 2012-08-24T13:07:57.890Z

Of course the computed date is before today... because the "password does not expire" flag is set for this account.

I've found a noWarnAttribute property for LdapPasswordPolicyEnforcer but it does not fit well with the userAccountControl AD attribute (bitmask, the 16th bit means "password does not expire"). If I would use it as noWarnAttribute, I'll have to provide all possible values, which is nearly impossible.

How can I handle this case?
Thanks.
Regards.

--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
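
The bitmask test discussed in this thread, as an added example that is not part of the original messages and is not CAS/LPPE code: rather than listing every possible userAccountControl value, test the 0x10000 bit, and convert pwdLastSet from AD's count of 100-nanosecond intervals since 1601-01-01 UTC. The class name, the maxAgeDays parameter and the sample attribute values are assumptions made for illustration (Java 8 or later).

```java
import java.time.Duration;
import java.time.Instant;

/** Added example: decide an AD account's password state from two LDAP attributes. */
public class AdPasswordExpiry {
    // userAccountControl flag "password never expires" (0x10000 = 2^16 = 65536).
    static final long DONT_EXPIRE_PASSWD = 0x10000L;
    // Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
    static final long EPOCH_DIFF_SECONDS = 11_644_473_600L;

    enum State { NEVER_EXPIRES, MUST_CHANGE, EXPIRED, VALID }

    /** pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC. */
    static Instant fileTimeToInstant(long fileTime) {
        long seconds = fileTime / 10_000_000L - EPOCH_DIFF_SECONDS;
        long nanos = (fileTime % 10_000_000L) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }

    /** maxAgeDays is a hypothetical policy parameter, not read from the directory here. */
    static State evaluate(String userAccountControl, String pwdLastSet,
                          int maxAgeDays, Instant now) {
        long uac = Long.parseLong(userAccountControl.trim());
        // Test the single bit instead of enumerating every possible attribute value.
        if ((uac & DONT_EXPIRE_PASSWD) != 0) {
            return State.NEVER_EXPIRES;
        }
        long lastSet = Long.parseLong(pwdLastSet.trim());
        if (lastSet == 0L) {
            return State.MUST_CHANGE; // AD stores 0 for "must change at next logon"
        }
        Instant expires = fileTimeToInstant(lastSet).plus(Duration.ofDays(maxAgeDays));
        return now.isBefore(expires) ? State.VALID : State.EXPIRED;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2012-08-24T13:07:57.890Z"); // timestamp from the log above
        // Constructed sample values: 66048 = 0x10200 (normal account + never expires),
        // 512 = 0x200 (normal account); the pwdLastSet values are made up.
        System.out.println(evaluate("66048", "129000000000000000", 90, now));
        System.out.println(evaluate("512", "129000000000000000", 90, now));
        System.out.println(evaluate("512", "0", 90, now));
        System.out.println(evaluate("512", "129900000000000000", 90, now));
    }
}
```

Checking the flag before any date arithmetic is what keeps an old pwdLastSet on a "never expires" account from being reported as an expired password.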



